Digital Forensic Investigation of the ChatGPT Windows Application

TL;DR

This paper conducts a comprehensive forensic analysis of the ChatGPT Windows application, identifying recoverable digital artifacts like chat logs and network data to aid investigations of potential misuse.

Contribution

It introduces a forensic methodology using common tools to extract and analyze artifacts from the ChatGPT Windows app, highlighting evidence recovery even after deletion.

Findings

Recovery of chat history and user interactions

Identification of system-level traces and metadata

Evidence persists after deletion, aiding investigations

Abstract

The ChatGPT Windows application offers better user interaction in the Windows operating system (OS) by enhancing productivity and streamlining the workflow of ChatGPT's utilization. However, there are potential misuses associated with this application that require rigorous forensic analysis. This study presents a holistic forensic analysis of the ChatGPT Windows application, focusing on identifying and recovering digital artifacts for investigative purposes. With the use of widely popular and openly available digital forensics tools such as Autopsy, FTK Imager, Magnet RAM Capture, Wireshark, and Hex Workshop, this research explores different methods to extract and analyze cache, chat logs, metadata, and network traffic from the application. Our key findings also demonstrate the history of the application's chat, user interactions, and system-level traces that can be recovered even after deletion, providing critical insights into the crime investigation and, thus, documenting and outlining a potential misuse report for digital forensics.