AI-Assisted Digital Forensics: Application of Large Language Models in Evidence Prioritization

This article introduces a digital forensics evidence prioritization system based on large language models, developed by the Cybersecurity Master's Program team at Roehampton University. The system can automatically parse data output by mainstream forensic tools such as Autopsy and FTK, intelligently sort evidence using the GPT-4 model, and provide recommendations for next steps, solving the problem of filtering massive amounts of data. Project source: GitHub, original author: emmagbemiprojectwork-coder, release date: 2026-06-14.

Digital forensics is an important branch of cybersecurity, with the core task of identifying relevant evidence from massive electronic data. However, with the explosive growth of storage device capacity, forensic personnel need to filter high-value evidence from TB/PB-level data within limited time, facing huge challenges. The team developed this AI-assisted system to address this pain point, aiming to automate classification and sorting, improve efficiency, and reduce the risk of missing key evidence.

Data Parsing Layer

Supports formats such as CSV, JSON, TXT, LOG, HTML, etc. It can directly import output from mainstream forensic platforms and automatically convert it into a standardized internal format.

AI Analysis Engine

Based on GPT-4, it adopts a batch processing strategy of 20 items/groups, with a built-in intelligent caching mechanism to avoid repeated API calls. The analysis cost per case is ≤ £0.1, and the total estimated project cost is ≤ £2.

Evidence Sorting and Explanation

Automatically sorts evidence and generates detailed explanations, including importance assessment, relevance analysis, and recommendations for next steps, lowering the technical threshold for forensics.

Prompt Engineering Strategy

Uses professional prompt templates to guide GPT-4 to comply with forensic standards, and implements a response parsing module to extract structured information.

Cost Optimization Mechanism

Batch processing + caching + local storage form a case knowledge base, reducing long-term operational costs.

User Interface Design

A dark-themed GUI based on the Qt framework, including panels for file upload and result display, supporting drag-and-drop data import for intuitive operation.

Applicable to law enforcement agencies (as a preliminary screening tool to shorten case cycles), enterprise security teams (for internal investigations), and forensic training institutions (as a teaching tool). The system demonstrates the application potential of large language models in professional fields, transforming into a professional assistant through prompt engineering and workflow design.

Limitations: Relies on GPT-4's reasoning ability, prone to misjudgment in complex scenarios; only supports English interaction. Improvements: Introduce domain-fine-tuned models to improve accuracy, add multilingual support, expand forensic tool formats, integrate automated report generation, and strengthen data security and privacy protection.

This system combines natural language processing technology with traditional forensic processes to provide analysts with an intelligent auxiliary tool. Although it is in the prototype stage, its design concept and technical implementation provide valuable references for the development of similar systems.