Please use this identifier to cite or link to this item: https://dl.ucsc.cmb.ac.lk/jspui/handle/123456789/4953
Title: Enhancing Digital Forensics Investigation Process through Large Language Model
Authors: Fernando, K.K.S.
Hussain, L. M. F.
Jayathilaka, W.A.T.S
Issue Date: 26-Jun-2025
Abstract: Digital forensics, particularly file system analysis, often requires specialized knowledge and complex tools like The Sleuth Kit (TSK), which can hinder the efficiency of investigations. To address this, we propose a framework that leverages Large Language Models (LLMs) and AI agents to interpret natural language instructions and automate TSK commands. By automating complex forensic tasks through natural language processing, our framework has the potential to significantly accelerate investigations, reduce the likelihood of errors, and democratize access to advanced forensic tools. This approach aims to make digital forensics more accessible, efficient, and user-friendly for a broader range of investigators. The research addresses key challenges in digital forensics, such as the complexity of command-line tools and the need for rapid, accurate analysis in time-sensitive cases. Through a Design Science Research Methodology (DSRM), the framework was developed and refined by establishing a secure environment with local LLMs and AI agents, enhanced by Retrieval-Augmented Generation (RAG) and ReAct prompting to mitigate LLM hallucination and improve reasoning, implementing a user-friendly chat interface with logging and case tracking features based on practitioner feedback, and integrating tool-calling functionality for dynamic access to TSK documentation, further improving accuracy and flexibility. Quantitative evaluation using AutoDFBench demonstrated that the framework achieved an average precision of 64.74%, recall of 28.70%, and an F1-score of 36.56% across forensic string search tasks. These results indicate that while the framework shows strong precision in executing forensic commands accurately, opportunities remain to further optimize recall and overall retrieval performance. Input from digital forensic experts further confirmed the framework’s effectiveness in streamlining investigations and reducing errors.
The multi-agent architecture, with specialized roles for task translation, code writing, and reporting, ensures a modular and efficient approach to forensic analysis. This work contributes a novel, user-centric solution to digital forensics, making advanced forensic tools more accessible and paving the way for future AI-powered forensic systems.
Keywords: digital forensics, file system analysis, AI agents, large language models, The Sleuth Kit, natural language processing, forensic automation, forensic ai assistant
URI: https://dl.ucsc.cmb.ac.lk/jspui/handle/123456789/4953
Appears in Collections: 2025

Files in This Item:
File: 20020384, 20020473, 20020511 .pdf
Size: 1.54 MB
Format: Adobe PDF


Items in UCSC Digital Library are protected by copyright, with all rights reserved, unless otherwise indicated.