Transformative Role of LLMs in Digital Forensic Investigation: Exploring Tools, Challenges, and Emerging Opportunities
DOI: https://doi.org/10.21015/vtcs.v13i1.2127
Abstract
In the evolving realm of digital forensics, the admissibility of trustworthy digital evidence in a court of law necessitates the application of scientifically validated digital forensic investigative techniques to substantiate a suspected security event. The incorporation of LLMs represents a transformative technology, set to enhance the efficiency and accuracy of digital forensic investigations. A thorough literature analysis is conducted, covering current digital forensic models, tools, large language models (LLMs), deep learning methodologies, and the application of LLMs in investigative processes. The review delineates the issues in current digital forensic methodologies and examines the barriers to, and potential of, integrating LLMs. This study emphasizes the need for integrating LLMs into digital forensics, providing insights into their advantages, disadvantages, and wider implications for addressing contemporary cyber threats.
License
Authors who publish with this journal agree to the following terms:
- Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License (CC-By) that allows others to share the work with an acknowledgment of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).
This work is licensed under a Creative Commons Attribution License CC BY