Scout: Leveraging Large Language Models for Rapid Digital Evidence Discovery

TL;DR

Scout leverages large language models to rapidly identify and prioritize relevant digital evidence across various file types, significantly reducing investigation time and false positives.

Contribution

This work introduces Scout, a novel framework that uses foundational language models for efficient preliminary evidence processing in digital forensics.

Findings

Effective identification of relevant evidence files

Reduction in false positives during investigation

Rapid processing of diverse digital evidence types

Abstract

Recent technological advancements and the prevalence of technology in day to day activities have caused a major increase in the likelihood of the involvement of digital evidence in more and more legal investigations. Consumer-grade hardware is growing more powerful, with expanding memory and storage sizes and enhanced processor capabilities. Forensics investigators often have to sift through gigabytes of data during an ongoing investigation making the process tedious. Memory forensics, disk analysis all are well supported by state of the art tools that significantly lower the effort required to be put in by a forensic investigator by providing string searches, analyzing images file etc. During the course of the investigation a lot of false positives are identified that need to be lowered. This work presents Scout, a digital forensics framework that performs preliminary evidence processing and prioritizing using large language models. Scout deploys foundational language models to identify relevant artifacts from a large number of potential evidence files (disk images, captured network packets, memory dumps etc.) which would have taken longer to get identified. Scout employs text based large language models can easily process files with textual information. For the forensic analysis of multimedia files like audio, image, video, office documents etc. multimodal models are employed by Scout. Scout was able to identify and realize the evidence file that were of potential interest for the investigator.