Analyst-In-Loop LLM Systems for Forensic Timeline Analysis Assistance

Abstract

The increasing volume and complexity of digital evidence in digital forensic investigations of today have made manual timeline analysis not only inefficient but a reckless waste of resources and effort. Tools such as Plaso (Log2timeline) have shown to be highly effective at creating “super timelines” that gather information from various sources. Creating datasets spanning thousands of events, which can be actively considered “noise” for the forensics examiner. However, within the past years, we have made great strides in the field of artificial intelligence. These allow for the utilization of the processing power of the neural networks to assist with the process of detecting anomalies and filtering for essential parts of an investigation. Through extracting general outputs with Plaso as a CSV file, we can utilize said outputs to highlight the role that private AI models will begin to take within the field after considerable training with the available forensic training data. Keywords ⎯ Digital Forensics, Event Reconstruction, LLM, Plaso Supertimeline.