ChatGPT for Digital Forensic Investigation: The Good, The Bad, and The Unknown

TL;DR

This paper evaluates ChatGPT's capabilities and limitations in digital forensics, highlighting its potential as a supportive tool while cautioning about risks and current unsuitability for certain applications.

Contribution

It provides a comprehensive assessment of GPT-4's performance in digital forensic tasks, identifying strengths, risks, and practical considerations for its use in the field.

Findings

ChatGPT shows potential in artefact understanding and evidence searching.

Risks include inaccuracies and privacy concerns when uploading evidence.

Certain forensic tasks are currently unsuitable for ChatGPT use.

Abstract

The disruptive application of ChatGPT (GPT-3.5, GPT-4) to a variety of domains has become a topic of much discussion in the scientific community and society at large. Large Language Models (LLMs), e.g., BERT, Bard, Generative Pre-trained Transformers (GPTs), LLaMA, etc., have the ability to take instructions, or prompts, from users and generate answers and solutions based on very large volumes of text-based training data. This paper assesses the impact and potential impact of ChatGPT on the field of digital forensics, specifically looking at its latest pre-trained LLM, GPT-4. A series of experiments are conducted to assess its capability across several digital forensic use cases including artefact understanding, evidence searching, code generation, anomaly detection, incident response, and education. Across these topics, its strengths and risks are outlined and a number of general conclusions are drawn. Overall this paper concludes that while there are some potential low-risk applications of ChatGPT within digital forensics, many are either unsuitable at present, since the evidence would need to be uploaded to the service, or they require sufficient knowledge of the topic being asked of the tool to identify incorrect assumptions, inaccuracies, and mistakes. However, to an appropriately knowledgeable user, it could act as a useful supporting tool in some circumstances.