A Comprehensive Analysis of the Role of Artificial Intelligence and Machine Learning in Modern Digital Forensics and Incident Response

In the dynamic landscape of digital forensics, the integration of Artificial Intelligence (AI) and Machine Learning (ML) stands as a transformative technology, poised to amplify the efficiency and precision of digital forensics investigations. However, the use of ML and AI in digital forensics is still in its nascent stages. As a result, this paper gives a thorough and in-depth analysis that goes beyond a simple survey and review. The goal is to look closely at how AI and ML techniques are used in digital forensics and incident response. This research explores cutting-edge research initiatives that cross domains such as data collection and recovery, the intricate reconstruction of cybercrime timelines, robust big data analysis, pattern recognition, safeguarding the chain of custody, and orchestrating responsive strategies to hacking incidents. This endeavour digs far beneath the surface to unearth the intricate ways AI-driven methodologies are shaping these crucial facets of digital forensics practice. While the promise of AI in digital forensics is evident, the challenges arising from increasing database sizes and evolving criminal tactics necessitate ongoing collaborative research and refinement within the digital forensics profession. This study examines the contributions, limitations, and gaps in the existing research, shedding light on the potential and limitations of AI and ML techniques. By exploring these different research areas, we highlight the critical need for strategic planning, continual research, and development to unlock AI's full potential in digital forensics and incident response. Ultimately, this paper underscores the significance of AI and ML integration in digital forensics, offering insights into their benefits, drawbacks, and broader implications for tackling modern cyber threats.


Introduction
In recent years, the field of digital forensics has expanded rapidly, relying on technology to collect and analyse digital evidence during criminal investigations, according to Casey (2018). As the use of digital evidence in criminal investigations continues to rise, there is a greater need for efficient and effective crime investigation strategies. Machine learning (ML) and artificial intelligence (AI) are two potent technologies that have the potential to revolutionise digital forensics by enabling analysts to process vast amounts of data swiftly and precisely, thereby detecting crucial evidence, as stated by Du et al. (2020).
This research paper will begin by providing an overview of the field of digital forensics and the challenges that digital forensic analysts face, including the sheer volume of data, the variety of digital devices, and the dynamic nature of the digital world. The paper will then examine the current use of AI and ML in digital forensics and the obstacles it encounters, such as the lack of standardisation and interpretability issues. This paper will also explore several ways in which AI and ML can be utilised to improve the efficiency and accuracy of digital forensic analysis based on image and text analysis, network analysis, and machine-assisted decision-making. Lastly, the challenges and limitations of using AI and ML in digital forensics will be discussed, as well as potential future research directions, discussions, and findings. The use of digital forensics in criminal investigations has emerged as a burgeoning area of interest. This new field requires intensive computing to acquire, process, and analyse enormous quantities of data, making the process laborious and time-consuming. To address this challenge, Dunsin et al. (2022) propose a variety of applications and the implementation of artificial intelligence (AI), such as how AI techniques can be applied in the field of digital forensics (DF) and in the context of incident response in a constrained environment. Notably, the use of AI in criminal investigations is essential, especially given the increasing prevalence of technology and cybercrime.

Contents lists available at ScienceDirect: Forensic Science International: Digital Investigation.
Numerous studies have shown that electronic-based cybercrimes constitute the vast majority of offences, highlighting the significance of a digital solution as outlined by Qadir and Noor (2021). Even though databases for storing solved, unsolved, and pending cases are growing in size, it is necessary to maintain this information online for the sake of accessibility and security. Consequently, it is natural to utilise AI and machine learning (ML) applications to train datasets that digital forensics investigators can broadly utilise. Currently, according to Thagard (1990), forensics investigations are conducted by human experts using a variety of tools and script-based applications, which require time and experience and are susceptible to human error. In light of this, the introduction of AI technology has the potential to resolve these obstacles and enhance the investigative process's efficiency. With AI, digital forensics will be quicker, more accurate, and more streamlined, as algorithms will be able to swiftly scan through vast amounts of data, including previously closed cases. This frees up detectives' time so they can focus on other pressing matters. In addition, because AI is automated, it can create networks that give criminal investigators access to additional resources regardless of location.
In today's society, the use of artificial intelligence (AI) and machine learning (ML) in criminal investigations is becoming increasingly crucial. According to a report from the Insurance Information Institute (2022), cyberattacks have increased by 68% compared to the previous year. In digital forensics, which entails the acquisition, processing, and analysis of vast quantities of digital data for criminal investigations, AI and ML have proven particularly useful. According to Garfinkel (2010), the acquisition phase of the digital forensics lifecycle employs AI algorithms to analyse complex data sets that would be impossible for a human forensic expert to process manually. As a result, AI and ML have aided the criminal justice system in solving complex digital forensic investigation issues. According to Beebe (2009), despite the significant progress made with AI and ML, there are still numerous challenges in this field, such as the incompatibility of existing applications, the expansion in the use of storage devices, the advancement in attacks against available models, and legitimacy issues in countries lacking standardisation and laws for forensic investigations. Moreover, the acquisition and reconstruction of data for the identification of criminal acts may violate privacy laws, posing a moral and legal challenge in this field. In order for digital forensics to keep up with perpetrators, it is crucial to develop more agile and effective tools capable of overcoming these obstacles.
The deployment of artificial intelligence (AI) in digital forensics requires careful consideration of the validity of the data being analysed and processed. However, determining the validity of the data presents a significant challenge because few researchers have shared effective methods for validating the data. According to Quick and Choo (2014), assessing the value of processed data to enable researchers to reduce, compress, or duplicate large datasets during investigation and analysis is a challenge associated with the use of AI in digital forensics. It can be difficult to convey the value of data because different cultures use different communication styles. Moreover, given their cultural backgrounds, various communities may place varying degrees of importance on a variety of factors. Furthermore, according to Mohammed et al. (2019), forensic studies of digital data have not been sufficiently diversified, and the majority of cybercrime investigators have concentrated on cases involving popular Western culture. Nevertheless, dedicated machine learning of data from various regions and cultures could improve AI's ability to work with diverse groups and datasets. In addition, a more diverse group of researchers could play an important role in resolving these issues.

Research Motivation
There has been significant interest in the use of artificial intelligence (AI) and machine learning (ML) in digital forensics in recent years. This is because current human expertise procedures are time-consuming, error-prone, and incapable of handling the vast quantities of forensic data that modern digital devices generate. According to Stoney and Stoney (2015), one compelling reason for this integration is to enhance the efficacy and overall performance of forensic examination. In addition, Jarrett and Choo (2021) state that by automating and streamlining various actions involved in reviewing digital evidence, such as data analysis, image and video processing, and pattern recognition, digital forensic investigators can swiftly analyse massive amounts of data, identify pertinent information, and establish connections that may not be discernible using conventional human methods. Guarino (2013) noted that the incorporation of AI and ML in digital forensics has grown in significance due to their potential to improve investigational precision and consistency. Moreover, Ngejane et al. (2021) reported that by training digital forensic tools to recognise specific patterns or characteristics that indicate certain types of behaviour, ML algorithms can reduce the number of false positives and improve overall accuracy. Some AI and ML algorithms, for instance, can detect patterns and anomalies that may not be immediately apparent to the human eye, which can be particularly advantageous when identifying concealed or disguised evidence, resulting in more accurate and reliable results.
AI and ML, as previously stated by Hemdan and Manjaiah (2017), can aid in digital forensic analysis by identifying anomalies in network traffic, detecting malware, classifying files based on their content, and recognising objects and people in images and videos. Another crucial application of AI and ML in digital forensics is their ability to enhance investigation consistency and identify new criminal trends. In addition, James et al. (2021) stated that machine learning (ML) models can be trained on data sets and use statistical learning to predict new data sets, allowing for the identification of new evidence and cases to investigate and reducing the number of cases that must be manually analysed.

This preprint research paper has not been peer reviewed. Electronic copy available at: https://ssrn.com/abstract=4554035

Research Context and Scope
The purpose of the present study is to assess the current state of research on the application of artificial intelligence (AI) and machine learning (ML) to digital forensics and incident response tasks. Specifically, the investigation will examine the techniques and methods used to employ AI and ML for a variety of tasks, such as data analysis and triage, incident detection and response, forensic investigation and analysis, network security, and cyber security. The comparative analysis will also consider the advantages and disadvantages of deploying AI and ML in various contexts, such as bias, precision, and interpretability. In addition, the analysis will incorporate a thorough evaluation of the legal and ethical implications of employing AI and ML in digital forensics and incident response.

Research Challenges
The application of AI and ML in digital forensics presents a number of significant research challenges that demand scholarly attention. Losavio et al. (2018) identified data privacy and security as one of the primary challenges that must be carefully managed to prevent intrusions and privacy violations during digital forensics investigations. The quality and integrity of data may be compromised during data collection and analysis, resulting in unreliable and inaccurate outcomes. Moreover, the presence of data bias and discrimination may result in unjust or inaccurate outcomes, highlighting the significance of ensuring unbiased training data. According to Zhang et al. (2018), the availability and quality of data can pose challenges for training and evaluating machine learning models in digital forensics, where incomplete, chaotic, or biased data can present difficulties.
Brkan and Bonne (2020) stated another challenge involving the interpretability and explainability of ML models, which can be considered "black boxes" and difficult to explain in court situations where evidence must be presented and justified. In addition, Mohammed et al. (2016) mentioned another challenge that pertains to scalability and performance, where processing the massive volumes of data generated in digital forensics investigations is a significant issue that requires the optimisation of AI and ML algorithms. Furthermore, the lack of clear standards and best practices for using AI and ML in digital forensics poses an additional challenge for digital forensics experts, as it can be challenging to determine the most appropriate techniques for a particular investigation. Relatedly, the inability to interpret and explain machine learning models poses a significant challenge for digital forensics experts, as the findings and conclusions of such models may be difficult to articulate.
Due to the diverse array of devices, operating systems, and file format types encountered in digital forensics investigations, generalisation is another significant obstacle. According to Krizhevsky et al. (2017), machine learning models may struggle to generalise across these diverse categories of data. Lipton (2018) noted that it may be difficult to determine whether the model's outputs are accurate and reliable when machine learning techniques are employed, especially in complex and ambiguous situations. As a result, as machine learning becomes increasingly important in digital forensics, it is essential to be aware of potential adversarial attacks, in which an attacker generates inputs intended to confuse machine learning models, as noted by Biggio et al. (2013). Moreover, adversarial attacks are especially worrisome in digital forensics because the stakes are high and the consequences of inaccurate or unreliable results could be severe.

Research Approach
This research paper will rely on tested theories, hypotheses, and statistical analyses of numerous studies investigated, identifying the researcher's contribution, benefits, and drawbacks, and answering questions about our research context and scope. The methodology will consist of a comprehensive literature review employing secondary sources that are both scholarly and peer-reviewed in order to obtain a thorough understanding of the topic at hand. The literature review will investigate a variety of factors affecting the research problem and potential solutions. The gathered information will be synthesised and presented in order to emphasise key issues central to the solution of the research problem. In addition, this paper will assess the appropriateness of the presented solutions for addressing the identified issues. In order to provide a holistic view of the research, this paper will also evaluate the strengths and weaknesses encountered during the literature review, as well as the potential implications of the research findings. In addition, the literature review will assist in identifying future research directions in the field, such as emerging technologies, methodologies, or areas requiring additional study. This research paper will conclude with an in-depth analysis of the research strategy, findings, and recommendations based on a rigorous and systematic methodology.

Literature Review and Research Gaps
The digital forensic evidence life cycle is a complex and multifaceted procedure comprised of several interdependent phases. These stages include identification of data sources, collection, preservation, examination, analysis, and presentation. To acquire a comprehensive understanding of this procedure, it is imperative to meticulously investigate each phase individually, as depicted in Figure 1.

Big Data Digital Forensic Investigation
According to Song and Li (2020), the widespread adoption of the Internet has led to a significant increase in cybercrime, which poses a grave threat to safety, social and economic development, and critical infrastructure. As depicted in Figure 3, the research presents a practical framework for conducting digital forensic investigations utilising big data technologies that manage all aspects of data collection, processing, analysis, and presentation while incorporating the most effective and cost-effective solutions. In the fight against cybercrime, the study contributes considerably to the fields of digital forensics and big data analytics.
However, the research does not address the issue of the validity of the data being processed in the preservation process of investigations involving big data. This is a significant challenge, as people from different parts of the globe present different types of data and obstacles, and the forms may vary across devices and platforms. In addition, distinct cultural backgrounds may influence the significance and meaning of data when compared to Western languages. Consequently, it is essential to analyse and differentiate the data using the same artificial intelligence technology, which the research neglected to mention. Despite this limitation, Song and Li's (2020) proposed framework model is robust, primarily because it takes into account the potential volume of big data and proposes advanced tools and methods for organising, standardising, and compressing the data in order to reduce the labour and cost of the process. Consequently, this expedites the investigation and reduces the financial burden, given the volume of data and the rate at which it is produced. In addition, the framework takes into account the investigation and presentation processes, as well as how to ensure the validity, precision, security, and legitimacy of the big data investigation. Consequently, this reduces the likelihood of errors, ensures dependability, and increases the likelihood that users will receive the intended results in response to their commands.
To improve the efficacy of forensic data investigations, it is crucial to avoid the inefficient use of time that frequently results from sifting through vast amounts of data without sufficient guidance or an adequate comprehension of the user's goals. Prior to initiating an investigation, it is crucial to ensure that the instructions and objectives are explicitly and exhaustively defined in order to achieve more accurate and meaningful results. Also, using artificial intelligence systems that are tailored to the region, the user's specific goals, and the values of the targeted data sources can make digital forensic investigations much more accurate and efficient than when standard intelligence systems are used alone. In this regard, Song and Li's (2020) research contributes to the advancement of digital forensics science by providing valuable insights into the use of big data technology to support cybercrime investigations, prevention, and online social interactions.

Volatile Memory Evidence Retrieval
Thantilage and Le Khac (2019) proposed a model for extracting memory dumps from RAM, as depicted in Figure 4, in order to acquire forensic evidence, with the primary goal of demonstrating that social media and instant messaging artefacts can serve as evidence for investigators. The authors also sought to elaborate on the nature of memory samples retrieved from RAM and their utility for digital forensics examiners and researchers. The authors acknowledged the advantages and disadvantages of existing research in the same field, noting that no existing instrument can retrieve volatile memory from all existing social media and messaging platforms. However, to address this deficiency, the researchers included PCs in their analysis.
Thantilage and Le Khac's (2019) proposed framework structure and functions include nine phases to ensure the credibility of the evidence retrieved. The authors emphasised the significance of recovering RAM data as soon as possible and avoiding restarting the computer in order to avoid losing crucial evidence. In addition, the study suggested two software programmes, DumpIt for Windows and OSXpmem for Mac OS, to retrieve memory data. DumpIt was selected due to its user-friendliness and rapid memory data acquisition, but it cannot be used on computers with more than 4 GB of RAM, and some versions may not be compatible with 64-bit systems or Windows 8 or later.
OSXpmem retrieves data in RAW format, which is required for the proposed framework to produce accurate results. According to Kiley et al. (2008), using this tool requires the creation of separate profiles to guarantee volatility. Despite this, the paper fails to mention that users will be required to download a kernel that will operate concurrently with the framework in order for the extracted data to remain uncorrupted. Without the additional utility, however, the memory dump may request the necessary access permissions, rendering it ineffective.
According to Yusoff et al. (2017), the framework proposed by Thantilage and Le Khac (2019) included a REGEX-based string search for the memory dump, which supports most programming languages but is not suitable for complex recursive data formats such as XML and HTML. Despite this limitation, the framework was experimentally tested on different social media and messaging platforms and operating systems, successfully retrieving valuable data that examiners could use in an investigation, including usernames and passwords for specific social media accounts. However, Thantilage and Le Khac (2019) should expand their investigation to include mobile devices and other smart home appliances.

Mittal et al. (2021) have contributed to the field of data carving and memory forensics by presenting a new identification method for files, as depicted in Figure 5. The research aimed to demonstrate the superiority of their tool, FiFTy, compared to older file-identifying tools. In addition, the research emphasises the advantages of FiFTy, including diversified and reliable 75 file-type datasets, faster processing, higher accuracy, and better scalability. The research, however, ignored the application of data-type classification and concentrated solely on the classification of commonly used file types. Although classification of data types would have required more complex combinations, it would have been beneficial to compare FiFTy's performance to that of other data carving tools.
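To make the REGEX-based string search and its stated limitation concrete, the following Python is an added example (not code from Thantilage and Le Khac's framework): it runs structure-keyed patterns over a constructed memory-dump byte string, reporting each chat record, mail address and URL with the byte offset it was found at, and then shows why a regex cannot cope with nested XML where a real parser can. The dump bytes, patterns and XML fragment are all constructed for this example.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample "memory dump" (not a real RAM capture): JSON chat
# records, mail headers and a URL of the kind a messaging client leaves in
# memory, interleaved with binary noise.
SAMPLE_DUMP = (
    b"\x00\x00MZ\x90\x00\xffjunk\x00"
    b'{"user":"alice_w","msg":"meet at 5","ts":"2023-08-01T17:02:11Z"}'
    b"\x00\xff\xfe"
    b"From: bob@example.org\r\nTo: alice@example.org\r\n"
    b"\x00https://chat.example.org/room/42?sid=abc123\x00"
    b'{"user":"bob_k","msg":"ok","ts":"2023-08-01T17:03:40Z"}'
    + b"\x00" * 16
)

# Patterns keyed on artefact structure rather than on one specific application.
MESSAGE_RE = re.compile(rb'\{"user":"([^"]+)","msg":"([^"]*)","ts":"([^"]+)"\}')
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(rb"https?://[A-Za-z0-9./?=_&%-]+")


def carve_artefacts(dump: bytes) -> Dict[str, List[dict]]:
    """Scan the raw dump and return every hit together with the byte offset it
    was found at, so an examiner can cite where in the capture it lived."""
    out: Dict[str, List[dict]] = {"messages": [], "emails": [], "urls": []}
    for m in MESSAGE_RE.finditer(dump):
        user, msg, ts = (g.decode("utf-8", "replace") for g in m.groups())
        out["messages"].append({"offset": m.start(), "user": user, "msg": msg, "ts": ts})
    for m in EMAIL_RE.finditer(dump):
        out["emails"].append({"offset": m.start(), "value": m.group(0).decode()})
    for m in URL_RE.finditer(dump):
        out["urls"].append({"offset": m.start(), "value": m.group(0).decode()})
    return out


# Constructed fragment with nested markup, the case a regex cannot handle:
# the inner <b> element closes before the outer one does.
XML_FRAGMENT = b"<msg><user>carol</user><body><b>hi <b>there</b> friend</b></body></msg>"


def naive_bold_text(fragment: bytes) -> str:
    """Regex extraction of a <b> element stops at the first </b>, so nested
    elements give a truncated, malformed result."""
    m = re.search(rb"<b>(.*?)</b>", fragment)
    return m.group(1).decode() if m else ""


def parsed_bold_text(fragment: bytes) -> str:
    """A recursive parser tracks nesting and returns all of the element's text."""
    root = ET.fromstring(fragment)
    bold = root.find("./body/b")
    return "".join(bold.itertext()) if bold is not None else ""


if __name__ == "__main__":
    for kind, hits in carve_artefacts(SAMPLE_DUMP).items():
        for hit in hits:
            print(kind, hit)
    print("regex :", naive_bold_text(XML_FRAGMENT))
    print("parser:", parsed_bold_text(XML_FRAGMENT))
```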

File Type Identification
The 75 file-type datasets used in the Mittal et al. (2021) study had dependency issues, which made it difficult for the classifier to generalise and study images embedded in other file types such as PDF, PPT, and DOC. In addition, the study selected photographic and graphic data from modern and current files commonly found on present SD cards used in contemporary IoT (Internet of Things) devices, as opposed to a wide variety of data that included both old and new format types. In spite of this, the authors have contributed a robust research model by comparing their methodology to three other strong baselines to obtain a more objective comparison.
The research's strength resides in its exhaustive and detailed comparison of FiFTy to numerous baseline methods, as well as its extensive use of file-type datasets. This study investigated the various techniques utilised by various data carving tools for reassembling and recovering data files. It was discovered that FiFTy is a more efficient and trustworthy tool than others because it can perform multiple functions that were previously performed by multiple tools. However, the study could have specified the effectiveness of the file-type identification methods used on fragmented versus non-fragmented file structures. According to Sari and Mohamad (2020), file carving tools operate differently on fragmented and non-fragmented file structures, and only a limited number of tools are capable of recovering fragmented files. The large file-type datasets used and the thorough comparison of FiFTy to many baseline methods are important contributions to the field. In contrast, the limitations of the methodology include the dependency issues of the 75 file-type dataset and the emphasis on modern and current files in the selection of photographic and graphic data. According to Teimouri et al. (2020), comparing FiFTy to other robust baselines provides an unbiased assessment of its efficacy and dependability.

Neural Network-Based Classification
As illustrated in Figure 6, Mohammad's (2018) research focuses on the use of neural networks to analyse and derive conclusions from retrieved data for digital forensics in criminal investigations. The research has contributed to the reconstruction of the events leading up to the crime under investigation and the retrieval of crucial information from data such as cookies, log files, and web browser history. However, one of the limitations of his method is that data must first be transformed by third-party applications, which can be expensive and not scalable for large data volumes. Alternatively, the paper suggested that Machine Learning can address this issue by explicitly analysing data sets.
The objective of this study is to determine if neural networks are capable of identifying and tracing the history of events to determine if other applications have modified the files. Mohammad's work expands on Palmer's (2001) nine-step framework for digital forensics and proposes a finite-state machine model with ontology to facilitate the reconstruction of historical events based on the gathered data. According to Chabot et al. (2014), one of the limitations of the proposed model is that it treats events as instantaneous occurrences rather than intermittent ones, which may cast doubt on the validity of the acquired data. The research proposes using neural network technology to determine whether or not files have been altered and whether or not the trained datasets can accurately reconstruct past events. During this process, however, criminals may readily manipulate the models used to generate features, leading to inaccurate data retrieval. In light of this limitation, the research produced robust models using the machine learning algorithm, despite the fact that the tool used to manage small datasets may run out of memory when processing large volumes of data.
The experimental results demonstrated that the created feed-forward model produced substantially satisfactory outcomes with an error rate of 10.07 percent across four distinct scenarios. However, using a single algorithm to execute multiple applications may result in system overlap and invalid results. Thus, it is of the utmost importance to develop alternative algorithms that produce accurate results. The research contributes to the advancement of digital forensics by providing valuable insights into the use of neural networks and machine learning while acknowledging the limitations and challenges that must be overcome.

AI-Based Incident Response
As depicted in Figure 7, Hasan et al. (2011) propose a computer model that uses artificial intelligence to expedite forensic investigations and reduce the time and resources needed by crime investigators. The strengths of the proposed model include its ability to efficiently analyse crime scene evidence and generate accurate conclusions. In addition, the use of a specialised software tool known as "chain of custody" guarantees the security of evidence and vital information, which can be stored in a database and used as a training source for the model.

unauthorised system access, such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Log Analysis, User Behaviour Analytics (UBA), Multi-Factor Authentication (MFA), Audit Trails and Monitoring, Port Scanning and Vulnerability Scanning, Honeypots, Anomaly Detection, and File Integrity Monitoring.
Despite the challenges, the proposed model makes significant contributions to forensic investigations. The distinctiveness of the Hasan et al. (2011) model resides in its capacity to predict any crime and to adapt and learn independently to solve new and future crimes. With sufficient resources, the proposed improvement of contemplating criminals' psychology can be a valuable addition to collaboration with behaviour analysts. This can establish a pattern that can be added to grouped data sets to assist with crime prevention and resolution.

Automated Artefact Relevancy Determination
As depicted in Figure 8, Du et al. (2020) investigated the possibility of utilising previously investigated digital forensic cases to aid in the investigation of new digital forensic cases using automated artificial intelligence systems. Their research was specifically intended to rank the importance of file artefacts required for forensic examination. By evaluating the automation process with files from three distinct case scenarios to identify similar and unknown files, the study accomplished its objective. The researchers demonstrated the advantages of using trained automated processes to examine file evidence, such as significant time savings and the avoidance of negative psychological effects that human investigators may experience when scrutinising distressing evidence.
Figure 8: Overview of the Approach (Du et al., 2020)

In addition, the researchers acknowledged the significance of timeline analysis in identifying and ordering events in chronological order. However, the research did not investigate how the applicability of known similar files and novel evidence would be weighed and prioritised in relation to new cases. In addition, the study did not account for situations in which there are fewer known file artefacts available for machine learning training, which may impact the approach's efficacy.
Although the research approach had some limitations, such as the difficulty in identifying "interesting" files and the possibility of overfitting, the study's model was robust because it was validated using experimental data from multiple case scenarios. The use of multiple scenarios by the researchers is an excellent method for preventing bias in future research. To avoid overfitting, future research should avoid using machine learning models with very few features. Moreover, Du et al.'s (2020) research could utilise disc images from actual past cases with permission from the officials involved, or generate experimental data with information similar to real cases, to obtain better research outcomes as opposed to fabricated experimental data, which may lead to more false negatives and false positives, as stated by Eykholt et al. (2018).

Large-Scale E-mail Dataset Analysis
As shown in Figure 9, Ozcan et al., (2020) emphasised the importance of email analysis as a primary source of evidence when acquiring forensically pertinent data from disc images. The objective of their research is to develop an end-to-end distributed graph analysis framework for large-scale digital forensic datasets, together with an evaluation of the accuracy of the centrality algorithms and of the scalability of the proposed framework in terms of running-time performance. In response to the challenges that traditional methods face when managing large volumes of email files, the research proposes an algorithm-based framework that analyses email files more efficiently and effectively. The research by Ozcan et al., (2020) is robust and exhaustive, employing a controlled and empirical methodology that is critical and verifiable. The researchers developed an edge-transmitted graph methodological approach for coping with large forensic datasets, implemented it with widely adopted open-source technologies, and analysed the algorithmic precision of its nodes. The paper presented three implementations to demonstrate the efficacy of the proposed framework, as well as experiments on an email dataset to demonstrate its superiority to conventional methods.
One limitation of the Ozcan et al., (2020) methodology is that the framework treats every email address in the dataset as a distinct individual, which fails to account for the possibility that multiple email addresses belong to the same person. To improve the accuracy with which prospective offenders are identified during forensic investigations, the pre-processing phase should be modified to match and merge such addresses before the graph is built. Notably, the research employs a secure and efficient local testing environment with high-performance computing resources, which increases the tests' credibility.

This preprint research paper has not been peer reviewed. Electronic copy available at: https://ssrn.com/abstract=4554035
A future study could be improved by evaluating the framework on multiple email datasets to avoid biased results. While Ozcan et al., (2020) used the Enron email dataset, one of the largest and most exhaustive collections of genuine email, it may be unrepresentative because it only contains messages from employees of a single company. Balayn et al., (2021) discourage the use of single, narrowly sourced training datasets in such experiments because they are likely to be unfair to groups that are not represented in the dataset. The use of diverse email datasets would instead introduce cases from diverse groups, cultures, and situations and further demonstrate the framework's dependability.
Lastly, the research of Ozcan et al., (2020) makes a significant contribution to the field of digital forensics by introducing an effective framework for evaluating the accuracy and scalability of graph analysis over large forensic datasets. Although their methodology has limitations, their diligence and empirical approach support the study's reliability and validity.
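The alias problem noted above is handled in pre-processing, before any centrality measure is computed. The following Python is an added illustration written for this review, not Ozcan et al.'s distributed framework: it canonicalises addresses, merges secondary mailboxes through an analyst-supplied alias table (an assumed input), builds a weighted sender-to-recipient graph from a handful of constructed header pairs, and ranks nodes by degree centrality with and without the merge. The function names (canonical, build_graph, degree_centrality, rank_nodes), the addresses and the alias table are all invented for the example.

```python
"""Sender-recipient graph from e-mail headers with alias merging.

Added example; this is not Ozcan et al.'s framework. The From/To pairs and
the alias table are constructed for illustration only.
"""
import re
from collections import defaultdict

# Constructed From/To pairs as an e-mail carving tool might export them.
# "a.smith@example.com" is a second mailbox of Alice (see ALIASES).
SAMPLE_MESSAGES = [
    ("Alice.Smith@Example.com", "bob@example.com"),
    ("alice.smith@example.com", "carol@example.com"),
    ("a.smith@example.com", "bob@example.com"),
    ("a.smith@example.com", "dave@example.com"),
    ("bob@example.com", "Alice.Smith@example.com"),
    ("carol@example.com", "dave@example.com"),
    ("dave@example.com", "carol@example.com"),
    ("mallory@example.com", "bob@example.com"),
]

# Assumed analyst-curated alias table: secondary mailbox -> canonical identity.
ALIASES = {"a.smith@example.com": "alice.smith@example.com"}

ADDRESS_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def canonical(address, aliases=ALIASES):
    """Lower-case, validate and alias-resolve one address."""
    addr = address.strip().lower()
    if not ADDRESS_RE.match(addr):
        raise ValueError(f"not an e-mail address: {address!r}")
    return aliases.get(addr, addr)


def build_graph(messages, merge_aliases=True):
    """Directed weighted edge list: {sender: {recipient: message count}}."""
    graph = defaultdict(lambda: defaultdict(int))
    for sender, recipient in messages:
        if merge_aliases:
            sender, recipient = canonical(sender), canonical(recipient)
        else:
            sender, recipient = canonical(sender, {}), canonical(recipient, {})
        graph[sender][recipient] += 1
        _ = graph[recipient]  # make sure every recipient is also a node
    return graph


def degree_centrality(graph):
    """Undirected degree centrality: distinct contacts divided by (n - 1)."""
    contacts = defaultdict(set)
    for sender, outs in graph.items():
        for recipient in outs:
            if sender != recipient:
                contacts[sender].add(recipient)
                contacts[recipient].add(sender)
    n = len(graph)
    if n < 2:
        return {node: 0.0 for node in graph}
    return {node: len(contacts[node]) / (n - 1) for node in graph}


def rank_nodes(graph, k=3):
    """Top-k (node, centrality) pairs; ties broken alphabetically for stable output."""
    cent = degree_centrality(graph)
    return sorted(cent.items(), key=lambda kv: (-kv[1], kv[0]))[:k]


if __name__ == "__main__":
    for merge in (False, True):
        g = build_graph(SAMPLE_MESSAGES, merge_aliases=merge)
        print("aliases merged:" if merge else "aliases not merged:", rank_nodes(g))
```

On the constructed sample the unmerged graph ranks bob@example.com first, while merging the two Smith mailboxes moves alice.smith@example.com to the top. The same pre-processing step is needed by any larger pipeline, local or distributed, before centrality scores can be trusted to point at individuals rather than mailboxes.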

Data Mining Methods
In their study, Tallón-Ballesteros and Riquelme (2014) examined various data mining techniques applicable to digital forensic tasks, using glass identification as an illustrative data problem. Digital data analysis is a quicker and more accurate method for evaluating large volumes of data than traditional forensic analysis through laboratory experiments, which can be challenging and expensive. To accomplish their research objective, the researchers employed stratified four-fold cross-validation, which divides the dataset into four equal folds that each preserve the class proportions, then trains on three folds and tests on the fourth in turn.
The study acknowledged that statistical analysis can be used to identify statistically significant differences in the outcomes of stochastic methods. However, deterministic algorithms that produce a single output cannot be compared in the same way. Tallón-Ballesteros and Riquelme (2014) used a strong research model to evaluate a wide range of classifiers and machine learning methods, such as decision trees, Bayes classifiers, artificial neural networks, and rule-based classifiers. This comprehensive strategy yielded more reliable and comprehensive results. However, the research was restricted to two evaluation measures, accuracy and Cohen's kappa, for comparing the models produced by the various classifiers. Incorporating additional measures could have provided further points of comparison and revealed problems with the model or data that accuracy and kappa alone do not expose.
As shown in Table 1, Tallón-Ballesteros and Riquelme (2014) obtained results comparable to those of Silva and Hruschka (2013), who used ten-fold cross-validation on the same dataset. The ten-fold procedure, however, lacked a statistical analysis for the stated problem. The research by Tallón-Ballesteros and Riquelme (2014) highlighted the value of having diverse results to compare across parameter settings. The results improved after the parameters were fine-tuned, producing algorithmic performance that exceeded the values reported for other experiments run with default parameters.
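To make the evaluation procedure concrete, the following Python, added here and not the authors' code, implements stratified four-fold cross-validation and both of the measures used by Tallón-Ballesteros and Riquelme (2014), accuracy and Cohen's kappa, from scratch. The dataset is a small constructed three-class sample with deliberate class imbalance, and the classifier is a nearest-centroid rule chosen only to keep the block self-contained; the function names (stratified_folds, cohen_kappa, cross_validate) and the majority-class baseline are assumptions for illustration.

```python
"""Stratified k-fold cross-validation with accuracy and Cohen's kappa.

Added example, not the authors' code. DATA is a constructed three-class
sample (two numeric features per item) with deliberate class imbalance.
"""
import random
from collections import Counter, defaultdict

# Constructed dataset: ([feature1, feature2], class). Class "A" dominates so
# that accuracy and kappa diverge for a majority-class predictor.
DATA = (
    [([1.52 + 0.01 * i, 13.0 + 0.05 * i], "A") for i in range(12)]
    + [([1.51 + 0.01 * i, 12.0 + 0.05 * i], "B") for i in range(4)]
    + [([1.53 + 0.01 * i, 14.5 + 0.05 * i], "C") for i in range(4)]
)


def stratified_folds(labels, k, seed=0):
    """Split indices into k folds so that every fold keeps the class mix."""
    rng = random.Random(seed)
    by_class = defaultdict(list)
    for idx, lab in enumerate(labels):
        by_class[lab].append(idx)
    folds = [[] for _ in range(k)]
    for lab in sorted(by_class):          # deterministic order per class
        idxs = by_class[lab][:]
        rng.shuffle(idxs)
        for pos, idx in enumerate(idxs):  # round-robin within each class
            folds[pos % k].append(idx)
    return folds


def accuracy(y_true, y_pred):
    return sum(t == p for t, p in zip(y_true, y_pred)) / len(y_true)


def cohen_kappa(y_true, y_pred):
    """Agreement corrected for chance; 0 means no better than label frequencies."""
    n = len(y_true)
    po = accuracy(y_true, y_pred)
    true_counts, pred_counts = Counter(y_true), Counter(y_pred)
    pe = sum(true_counts[c] * pred_counts[c] for c in true_counts) / (n * n)
    if pe == 1.0:                          # both sides constant: undefined, treat as 0
        return 1.0 if po == 1.0 else 0.0
    return (po - pe) / (1.0 - pe)


def nearest_centroid_fit(xs, ys):
    groups = defaultdict(list)
    for x, y in zip(xs, ys):
        groups[y].append(x)
    return {lab: [sum(col) / len(pts) for col in zip(*pts)] for lab, pts in groups.items()}


def nearest_centroid_predict(model, x):
    return min(sorted(model), key=lambda lab: sum((a - b) ** 2 for a, b in zip(x, model[lab])))


def majority_fit(xs, ys):
    """Baseline: always predict the most frequent training class."""
    return Counter(ys).most_common(1)[0][0]


def majority_predict(model, x):
    return model


def cross_validate(data, k, fit, predict, seed=0):
    """Return (mean accuracy, mean kappa) over k stratified folds."""
    xs = [x for x, _ in data]
    ys = [y for _, y in data]
    folds = stratified_folds(ys, k, seed)
    accs, kappas = [], []
    for test_idx in folds:
        test_set = set(test_idx)
        train = [i for i in range(len(data)) if i not in test_set]
        model = fit([xs[i] for i in train], [ys[i] for i in train])
        y_true = [ys[i] for i in test_idx]
        y_pred = [predict(model, xs[i]) for i in test_idx]
        accs.append(accuracy(y_true, y_pred))
        kappas.append(cohen_kappa(y_true, y_pred))
    return sum(accs) / k, sum(kappas) / k


if __name__ == "__main__":
    print("nearest centroid:", cross_validate(DATA, 4, nearest_centroid_fit, nearest_centroid_predict))
    print("majority baseline:", cross_validate(DATA, 4, majority_fit, majority_predict))
```

Running the majority-class baseline through the same folds gives 0.6 accuracy but a kappa of 0.0: the 60% is explained entirely by the class frequencies, which is exactly what a reader cannot see from an accuracy column alone.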

Table 1: Accuracy and Cohen's Kappa Measures for 6-class Training and Test Results (Tallón-Ballesteros and Riquelme, 2014)

In light of this, future research evaluating data mining approaches should not only concentrate on accuracy but also consider other crucial factors such as dependability and utility. These additional measures would provide more information about the experiment and reduce data mining errors. Toraskar et al., (2019) recommended in their study the use of information acquired from storage devices to analyse and detect alterations, as illustrated by the output results in Figure 10. In addition, the study explored the potential for unsupervised machine learning classification to aid forensic analysis. The contribution of this study is to advocate the appropriate application of machine learning and forensic technologies, including SOM, for data analysis in criminal investigations.

Metadata Analysis Using Machine Learning
This study emphasises the benefits of the EnCase Imager, EnCase Forensic, FTK (Forensic Toolkit), and Autopsy, which are known for their speed and efficiency in producing digital reports in CSV format. However, the research also acknowledges the limitations of these tools, such as their inability to process non-English languages and to distinguish between false negatives and genuine positives. In addition, FTK lacks a user-friendly interface and effective search capabilities. Nonetheless, as stated by Wehrens (2009), research should introduce an alternative way to conduct simultaneous inquiries and compare results.
To address these limitations, Toraskar et al., (2019) introduce a self-organising map (SOM), implemented as a clustering tool in MATLAB. Four cybercrime scenarios are used to evaluate the dependability of the machine learning approach. SOM is advantageous because it can readily cluster data, identify common characteristics, and handle various problem classifications. The paper suggests trying several cluster (map) sizes to ensure accurate results.
According to Toraskar et al., (2019), the SOM mappings generated by MATLAB formed clear clusters, demonstrating the viability of using SOM with enumerated artefacts and metadata in criminal investigations. However, the research cautions that a perfect mapping may be difficult to obtain when the groupings are unique: anomalies may form, so that two identical clusters appear in peculiar regions of the map. In spite of this limitation, the findings are trustworthy, as the selected metadata and cluster sizes led to accurate results.
The research of Toraskar et al., (2019) contributes significantly to the application of machine learning and forensic tools in digital forensic analysis. The study acknowledges the limitations of existing tools and introduces a novel method for clustering data using SOM. However, the research should have examined more closely the difficulty of obtaining flawless mappings when groupings are distinct. Nevertheless, the findings are trustworthy and provide a firm foundation for future studies.
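A minimal self-organising map over file-metadata vectors, as an added example rather than the MATLAB workflow of Toraskar et al., (2019): it min-max scales a few constructed records (size, hour modified, executable flag), trains a small grid, reports the quantisation error before and after training, and returns the node on which each file lands. The grid dimensions, epoch count, learning-rate and neighbourhood schedules, and the helper names (normalise, SOM, cluster_metadata) are assumptions made for the example.

```python
"""Minimal self-organising map (SOM) for clustering file metadata.

Added example, not the MATLAB workflow of Toraskar et al., (2019). The
metadata records are constructed; grid size, epochs, learning-rate and
neighbourhood schedules are assumptions.
"""
import math
import random

# Constructed metadata records: (file name, size in KB, hour last modified,
# 1 if the extension denotes an executable). All names are invented.
RECORDS = [
    ("report1.docx", 120, 10, 0), ("report2.docx", 95, 11, 0), ("minutes.docx", 130, 14, 0),
    ("budget.xlsx", 210, 9, 0), ("plan.xlsx", 180, 15, 0),
    ("svchost2.exe", 45, 3, 1), ("update.exe", 52, 2, 1), ("loader.exe", 48, 4, 1),
]


def normalise(records):
    """Min-max scale each numeric column to [0, 1] so no single feature dominates."""
    columns = list(zip(*[r[1:] for r in records]))
    lows, highs = [min(c) for c in columns], [max(c) for c in columns]
    return [[(v - lo) / (hi - lo) if hi > lo else 0.0
             for v, lo, hi in zip(r[1:], lows, highs)] for r in records]


class SOM:
    def __init__(self, rows, cols, dim, seed=0):
        rng = random.Random(seed)
        self.rows, self.cols = rows, cols
        # One weight vector per grid node, initialised at random in [0, 1]^dim.
        self.weights = [[[rng.random() for _ in range(dim)] for _ in range(cols)]
                        for _ in range(rows)]

    def bmu(self, x):
        """Best matching unit: grid coordinates of the node nearest to x."""
        best, best_d = (0, 0), float("inf")
        for i in range(self.rows):
            for j in range(self.cols):
                d = sum((a - b) ** 2 for a, b in zip(x, self.weights[i][j]))
                if d < best_d:
                    best, best_d = (i, j), d
        return best

    def train(self, data, epochs=200, lr0=0.5, seed=1):
        """Online SOM training with linearly decaying learning rate and radius."""
        rng = random.Random(seed)
        sigma0 = max(self.rows, self.cols) / 2.0
        total, step = epochs * len(data), 0
        for _ in range(epochs):
            order = data[:]
            rng.shuffle(order)
            for x in order:
                frac = step / total
                lr = lr0 * (1.0 - frac)
                sigma = sigma0 * (1.0 - frac) + 0.1      # radius never collapses to zero
                bi, bj = self.bmu(x)
                for i in range(self.rows):
                    for j in range(self.cols):
                        grid_d2 = (i - bi) ** 2 + (j - bj) ** 2
                        h = math.exp(-grid_d2 / (2.0 * sigma * sigma))  # Gaussian neighbourhood
                        w = self.weights[i][j]
                        for k in range(len(x)):
                            w[k] += lr * h * (x[k] - w[k])
                step += 1

    def quantisation_error(self, data):
        """Mean distance from each input to the weight vector of its BMU."""
        total = 0.0
        for x in data:
            i, j = self.bmu(x)
            total += math.sqrt(sum((a - b) ** 2 for a, b in zip(x, self.weights[i][j])))
        return total / len(data)


def cluster_metadata(records, rows=3, cols=3, epochs=200):
    """Train a rows x cols map; return (name -> node, error before, error after)."""
    data = normalise(records)
    som = SOM(rows, cols, len(data[0]))
    before = som.quantisation_error(data)
    som.train(data, epochs)
    after = som.quantisation_error(data)
    mapping = {rec[0]: som.bmu(x) for rec, x in zip(records, data)}
    return mapping, before, after


if __name__ == "__main__":
    mapping, before, after = cluster_metadata(RECORDS)
    for name, node in sorted(mapping.items(), key=lambda kv: kv[1]):
        print(f"{node}  {name}")
    print(f"quantisation error: {before:.3f} -> {after:.3f}")
```

Changing rows and cols is the "multiple cluster sizes" check the paper recommends: a grid with far more nodes than natural groups splits one group across neighbouring nodes, while a grid that is too small forces unlike files onto one node, which is the kind of anomaly the paper warns about.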

Chain of Custody
The research conducted by Tanner and Bruno (2019) proposes a valuable tool for visualising and organising data related to the chain of custody process in criminal investigations, as depicted in Figure 11. The objective was to develop an instrument that satisfies the three fundamentals of timeline representation: literal, linear, and global timelines. The proposed implementation includes HTML input and output in the form of tables and timelines, enabling examiners to manage criminal evidence efficiently. Walny et al., (2020) state that one of the strengths of Tanner and Bruno's (2019) tool is the use of taffy.js as its database library, which improves performance and reduces downtime, resulting in a system that runs smoothly. In addition, the application runs offline, which removes its exposure to network-borne malware and remote attackers, while the .csv export feature allows records to be preserved; the export itself provides no integrity protection, so the exported file still has to be stored and handled securely. The tool's user-friendly characteristics also make it simple to use and interactive.
However, Tanner and Bruno (2019) neglected some deficiencies that need to be addressed, such as the tool's visual appeal. While the vis.js library used to construct the timeline network has built-in behaviours, it may need to be modified to enhance the visual appeal of the user interface. In addition, the system's load time may be sluggish because individual nodes are rendered instead of clusters, resulting in an annoying "loading..." message for users. One of the major contributions of Tanner and Bruno's (2019) research is the creation of a tool that satisfies all three fundamentals of timeline representation, making it superior to existing models. The tool would help smaller departments replace a manual chain of custody process and store information for an extended period without risk of modification. According to Elgohary et al., (2022), the paper acknowledges the need for additional enhancements, such as a search engine and a data grouping feature, to facilitate access to information and to patterns in similar cases. Overall, the research succeeded in its goal of developing a time-based chain of custody data visualisation tool.

Memory Forensics Using Machine Learning
Through the extraction of memory images, Mosli et al., (2016) sought to develop a model for automating the detection of malware. Specifically, the study concentrated on three key malware artefacts: imported DLLs (Dynamic Link Libraries), malware-modified registry keys, and API (Application Programming Interface) functions, with the intention of developing a highly accurate and user-friendly model. Through experimentation, the researchers accomplished their goal, with the model achieving accuracy rates ranging from 85.7% to 96%. The study emphasises the significance of using memory images in malware detection because they permit the extraction and analysis of multiple artefacts at once, resulting in more precise conclusions.
While there are numerous malware detection techniques on the market, Mosli et al., (2016) contend that the proposed model is preferable due to its resistance to manipulation. The extracted information is uncommon, precise, and diverse and is capable of handling millions of global malware variants. According to Sihwail et al., (2019), it is important to note that the design of the proposed model only enables the detection of malware that is already present and does not prevent malware from infiltrating the system. Mosli et al., (2016) employed well-chosen feature-extraction techniques, giving a reliable data acquisition and feature extraction process regardless of the volume of data analysed, in order to develop a method that can address potential weaknesses in malware design. scikit-learn is recommended as a tool for feature extraction due to its precision and user-friendliness, but it is not appropriate for data visualisation or string processing.
Table 2: Summary of Accuracy and AUROC Scores (Mosli et al., 2016)

Mosli et al., (2016) used seven training models to establish accuracy and generate linear, simple-to-analyse results. Reporting both accuracy and AUROC yielded significant and conclusive results, as shown in Table 2, indicating that the proposed model is capable of detecting malware even with immense amounts of data if the proper equipment is employed. The study accomplished its objective and demonstrated that malware can be detected using machine learning with the proper tools and techniques. The study suggests that future research should concentrate on identifying additional memory artefacts for analysis, broadening the spectrum of data, and developing methods to detect malware before it enters the system. This can be accomplished by collecting and analysing a sufficient quantity of malware data.
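The following Python is an added example (not Mosli et al.'s classifiers or data) of how the three artefact types can share one feature space and how accuracy and AUROC are then computed from the resulting scores. Each process is represented as a set of tagged tokens (dll:, reg:, api:), a Bernoulli naive Bayes model with Laplace smoothing turns those sets into a malicious log-odds score, and AUROC is computed as the pairwise win rate of malicious over benign scores. All process records are constructed and the DLL, registry and API names are illustrative only, not indicators of compromise; the names fit, score, auroc and evaluate are assumptions.

```python
"""Memory-artefact features (imported DLLs, registry keys, API calls) scored
with a Bernoulli naive Bayes model and evaluated by accuracy and AUROC.

Added example, not Mosli et al.'s pipeline. Every process record below is
constructed; the tokens are illustrative and are not indicators of compromise.
"""
import math

# Tokens are tagged so that all three artefact types share one feature space.
K32, U32, GDI = "dll:kernel32.dll", "dll:user32.dll", "dll:gdi32.dll"
WS2 = "dll:ws2_32.dll"
CF, RF = "api:CreateFileW", "api:ReadFile"
VAE, WPM, CRT = "api:VirtualAllocEx", "api:WriteProcessMemory", "api:CreateRemoteThread"
REG_SET = "reg:HKCU\\Software\\Vendor\\Settings"
REG_RUN = "reg:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

# Constructed per-process artefact sets; label 1 = malicious, 0 = benign.
TRAIN = [
    ({K32, U32, GDI, CF, RF, REG_SET}, 0),
    ({K32, U32, CF, RF}, 0),
    ({K32, GDI, CF, REG_SET}, 0),
    ({K32, U32, GDI, RF}, 0),
    ({K32, WS2, VAE, WPM, CRT, REG_RUN}, 1),
    ({K32, WS2, VAE, WPM, REG_RUN}, 1),
    ({K32, WS2, CRT, REG_RUN, CF}, 1),
    ({K32, VAE, WPM, CRT}, 1),
]
TEST = [
    ({K32, U32, GDI, CF}, 0),
    ({K32, U32, RF, REG_SET}, 0),
    ({K32, WS2, WPM, CRT, REG_RUN}, 1),
    ({K32, VAE, WPM, U32}, 1),          # mixed artefacts: the hardest case
]


def fit(records, alpha=1.0):
    """Bernoulli naive Bayes with Laplace smoothing; returns (vocab, log-odds, prior)."""
    vocab = set().union(*(feats for feats, _ in records))
    n_mal = sum(label for _, label in records)
    n_ben = len(records) - n_mal
    weights = {}
    for f in vocab:
        c_mal = sum(1 for feats, label in records if label == 1 and f in feats)
        c_ben = sum(1 for feats, label in records if label == 0 and f in feats)
        p_mal = (c_mal + alpha) / (n_mal + 2 * alpha)
        p_ben = (c_ben + alpha) / (n_ben + 2 * alpha)
        # log-odds contribution when the artefact is present / absent
        weights[f] = (math.log(p_mal / p_ben), math.log((1 - p_mal) / (1 - p_ben)))
    prior = math.log(n_mal / n_ben)
    return vocab, weights, prior


def score(model, feats):
    """Log-odds that a process is malicious; artefacts unseen in training are ignored."""
    vocab, weights, prior = model
    total = prior
    for f in vocab:
        present, absent = weights[f]
        total += present if f in feats else absent
    return total


def auroc(scores, labels):
    """Probability that a random malicious sample outscores a random benign one (ties 0.5)."""
    pos = [s for s, l in zip(scores, labels) if l == 1]
    neg = [s for s, l in zip(scores, labels) if l == 0]
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))


def evaluate(model, records, threshold=0.0):
    """Return (accuracy at the log-odds threshold, AUROC over all thresholds)."""
    scores = [score(model, feats) for feats, _ in records]
    labels = [label for _, label in records]
    predicted = [1 if s > threshold else 0 for s in scores]
    acc = sum(p == l for p, l in zip(predicted, labels)) / len(labels)
    return acc, auroc(scores, labels)


if __name__ == "__main__":
    model = fit(TRAIN)
    for feats, label in TEST:
        print(label, round(score(model, feats), 2))
    print("accuracy, AUROC:", evaluate(model, TEST))
```

AUROC is threshold-free, which is why the two measures can differ: accuracy depends on the chosen cut-off (here a log-odds of 0), whereas AUROC summarises ranking quality across every cut-off, so a model can rank well and still show poor accuracy at a badly placed threshold.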

Malware Classification using Feature Engineering
As depicted in Figure 12, Lashkari et al., (2021) presented VolMemLyzer, a tool that analyses memory dumps of live malware infections to extract feature sets for characterising malware. The research contributes significantly to the field of digital forensics by addressing multiple tasks, including malware extraction, memory dump analysis, feature extraction, feature ranking, and machine learning classification of both benign and malicious samples. One of the research's strengths is its emphasis on the importance of memory analysis tools in identifying the specific areas affected or compromised by malware, thereby guiding digital forensics analysts as to where to concentrate their examinations. Additionally, the study acknowledges the limitations of the classifiers used for analysis and classification, which can memorise training samples and produce incorrect results. To counter this, the researchers added 7% noise to the sampled data and, by increasing the number of memory dumps by 100%, obtained 1900 samples in the Weka dataset.
Additionally, the research emphasises the significance of employing multiple classifiers to achieve a more precise classification of malware families. Various classifiers, such as random forests, k-nearest neighbours, decision trees, and AdaBoost, were used to identify benign samples during binary classification. Random forest and k-nearest neighbour classifiers were found to be more effective at classifying malware families. This is an important contribution because it emphasises the value of selecting the most effective classifiers for accurate classification.
Nonetheless, the Lashkari et al., (2021) study has some limitations. The researchers did not account for the prospect of obtaining fewer memory dumps for analysis after malware execution, which necessitated a 100% increase in samples to reach 1900 samples in the Weka dataset. In addition, the research did not address the difficulty posed by contemporary malware that employs techniques such as process hollowing to avoid detection and analysis. Future research could therefore explore methods to detect and analyse modern malware that uses process hollowing and address these limitations. Last but not least, the research conducted by Lashkari et al., (2021) is a significant contribution to the field of malware analysis, providing insight into the significance of memory analysis tools, the limitations of classifiers used for analysis and classification, and the necessity of using multiple classifiers to achieve more accurate classification.

Comparative Analysis
This section provides a comparison of the various AI and ML applications discussed in the literature review. Numerous investigation-improving applications are now feasible as a result of the incorporation of AI and ML techniques in digital forensics, and their investigation has gained prominence as digital forensics professionals seek to stay ahead of evolving cyber threats. The comparative analysis reveals the transformative potential of AI and ML applications in digital forensics. Each application area presents unique contributions and difficulties, but collectively they pave the way for more effective, precise, and proactive investigation techniques. By leveraging AI and ML, digital forensics professionals can not only keep pace with the ever-changing cyber landscape, but also foster a culture of continuous development and innovation within the field.
Table 3: Comparative Analysis of AI and ML Techniques in DFIR

File Identification (Mittal et al., 2021)
  Approach: A new file identification method for data carving and memory forensics.
  Advancements: Improved processing speed and functionality.
  Limitations: Overlooked the application of data-type classification.
  Rating: Low

Classification using Neural Networks (Mohammad, 2018)
  Approach: Method for using neural networks to evaluate, analyse, and draw conclusions from retrieved data for digital forensics.
  Advancements: Reconstruction of past events using neural networks.
  Limitations: The model may not be effective on certain types of data.
  Rating: Medium

AI in Digital Forensics (Hasan et al., 2011)
  Approach: The model uses a database of crime scene evidence to train itself.
  Advancements: Solve new and future crimes that may be unfamiliar to crime investigators.
  Limitations: Vulnerable to hackers and third-party software.
  Rating: Low

Automated Artefact Analysis (Du, Le and Scanlon, 2020)
  Approach: Using machine learning to rank the order of priority of file artefacts needed for forensic examination.
  Advancements: Reduce the psychological impact on human investigators who may be exposed to distressing evidence.
  Limitations: The system may be susceptible to over-fitting.
  Rating: Medium

Network Analysis (Ozcan et al., 2020)
  Approach: Developed an edge-transmitted graph methodological approach for dealing with large forensic datasets.
  Advancements: The framework can identify potential offenders by analysing the patterns of their email communication.
  Limitations: The framework could be biased towards certain groups.
  Rating: Medium

Data Mining & ML in Digital Forensics (Tallón-Ballesteros and Riquelme, 2014)
  Approach: Explored different data mining methods that investigators can apply to digital forensic analysis and examination.
  Advancements: The model can be used to assess large quantities of data faster and more accurately than human forensic analysis.
  Limitations: Insufficient explanation of the model's decision-making process.

Machine Learning in Digital Forensics (Toraskar et al., 2019)
  Approach: Demonstrated SOM viability in criminal investigations.
  Advancements: SOM can be used to cluster data sets into groups that can be used to identify patterns of criminal activity.
  Limitations: Tools may be ineffective if a non-English language is used.
  Rating: Medium

Live Memory Forensics Using ML (Mosli et al., 2016)
  Approach: Proposes a "heuristic approach" to automate malware detection.
  Advancements: The approach can be used to detect malware already present in a system.
  Limitations: Limitations in data visualisation and string processing.
  Rating: High

Live Memory Forensics (Lashkari et al., 2021)
  Approach: Uses a variety of classifiers to identify benign samples during binary classification.
  Advancements: Extracts essential features for malware analysis.
  Limitations: Risk of classifiers memorising too much noise.
  Rating: Medium

Digital Forensic Investigation (Casey, 2011)
  Approach: Employs case studies to exemplify digital forensics utilisation in real-world investigations. The framework relies on a deep learning algorithm trained on an extensive dataset of digital forensic artefacts.
  Advancements: The framework aids in the detection of overlooked evidence and novel patterns.
  Limitations: The framework's computational demands may limit its viability across diverse cases.
  Rating: Medium

(citation lost in extraction)
  Approach: Identified the challenges posed by the increasing volume of digital forensic data and discusses the impact on the cost, complexity, and speed of digital forensic investigations.
  Advancements: A concise overview of the challenges posed by the increasing volume of digital forensic data.
  Limitations: Does not provide a detailed discussion of the technical or methodological aspects of digital forensic data analysis.
  Rating: Medium

Digital Forensics and Cybercrime Legislation (Mohammed et al., 2019)
  Approach: Identify several future research challenges to address the rising volume of cybercrime in Nigeria.
  Advancements: Provides an overview of the challenges faced by law enforcement officers investigating cybercrime.
  Limitations: Focusing on the Nigerian jurisdiction limits its applicability to other countries.
  Rating: Low

Forensic Trace Evidence Analysis (Stoney and Stoney, 2015)
  Approach: Propose a hybrid approach to forensic trace evidence analysis, integrating conventional and unconventional methodologies.
  Advancements: Concisely surveys the challenges in forensic trace evidence analysis.
  Limitations: Advocates a new approach to forensic trace evidence analysis but does not elaborate on it.

AI Automation in Digital Forensics (Jarrett and Choo, 2021)
  Approach: Present a concise review of the research on the impact of automation and AI on digital forensics.
  Advancements: Artificial intelligence and automation are poised to revolutionise digital forensics.
  Limitations: Ethical and legal considerations must be addressed before the full adoption of automation and AI in digital forensics.
  Rating: Low

Big Data in Digital Forensics (Guarino, 2013)
  Approach: Concisely surveys the challenges of digital forensics posed by the increasing volume of digital data.
  Advancements: Suggests some practical solutions to the challenges of digital forensics that could be beneficial to practitioners.

(Mohammed et al., 2016)
  Approach: Evaluated on a real-world dataset, with results showing effectiveness in identifying and extracting digital evidence from heterogeneous big data.
  Advancements: Reviews the challenges of digital forensics analysis of heterogeneous big data and how the authors' approach addresses them.
  Rating: Low

Digital Forensics and Image Analysis (Krizhevsky et al., 2017)
  Approach: The CNN achieved an 84.6% classification accuracy on the ImageNet database, a significant improvement over previous methods. Propose a method for improving the reliability of the chain of custody for image forensics investigation applications.
  Advancements: The method can improve the accuracy of image forensics investigations.
  Limitations: The method requires a large image dataset for training the mathematical model.
  Rating: Low
This preprint research paper has not been peer reviewed.Electronic copy available at: https://ssrn.com/abstract=4554035P r e p r i n t n o t p e e r r e v i e w e d

Discussions
On the basis of the findings of the systematic literature review, it is strongly recommended that the digital forensics community continue to embrace and research the benefits of artificial intelligence (AI) and machine learning (ML). Significant investments in the development and implementation of sophisticated tools and applications are required to fully leverage these technologies. These resources are necessary to effectively support the growth and expansion of digital forensic technologies, processes, and procedures. Digital forensics experts should investigate the use of artificial intelligence techniques such as pattern recognition, expert systems, and knowledge representation. These techniques have the potential to significantly enhance the efficiency and effectiveness of cybercrime investigation capabilities and processes.
A number of obstacles associated with the adoption of AI techniques must be resolved to ensure their optimal application. Due to the vast quantities and intricacy of data generated by online activities, scalability is a crucial concern. Improving the efficiency with which AI techniques manage and process such volumes of data would significantly expand their applicability in digital forensics. In addition, the admissibility of AI-collected evidence in court proceedings is contingent on its reliability being established. This can be achieved by instituting standardised procedures and guidelines that facilitate the admissibility of digital evidence in legal settings.
In addition, there is a need for numerous, distinct, and extensive studies that can help address the ongoing issues and deficits in forensic examinations. These studies should concentrate on the development of more efficient and effective AI techniques capable of addressing the unique challenges faced by professionals in digital forensics. During the analysis and examination phases of the digital forensics lifecycle, it is also crucial to investigate novel AI and ML application domains. Notably, digital forensics must address two major issues: malware infection investigation and Windows registry forensics. Developing comprehensive AI-based strategies to resolve these issues will enable the detection and analysis of malware infections as well as the extraction and interpretation of pertinent information from Windows registry files.
In addition, it is crucial to maintain vigilance when monitoring and assessing the use of AI and ML techniques in digital forensics. This governance is required to ensure that their deployment is ethical, transparent, and respectful of data subjects' rights and privacy. Constant evaluation and assessment aid in identifying potential risks or negative outcomes associated with the use of these technologies, thereby enabling prompt mitigation measures.
The systematic literature review concludes by highlighting the importance of AI and ML in digital forensics and recommending their continued application. For AI techniques to attain their full potential in this field, it is necessary to address scalability and evidence validation concerns, conduct exhaustive research, and monitor their ethical application. In addition, a focus on significant issues such as malware infection investigation and Windows registry forensics contributes to the improvement of forensic specialists' daily work, thereby making their investigations more effective and efficient. Nonetheless, additional research and collaboration within the digital forensics community are required to advance the field and overcome these obstacles.

Conclusions and Future Research Directions
Based on the exhaustive survey conducted in this study, a strong recommendation emerges for the integration of artificial intelligence (AI) and machine learning (ML) methodologies in ongoing and future digital forensics research. These techniques hold significant potential for enhancing investigative precision and efficacy, particularly in addressing the escalating prevalence of cybercrime. Nonetheless, the issue of data validity demands careful attention, especially when dealing with diverse data from various individuals, devices, platforms, and cultural contexts. Achieving higher success rates necessitates the formulation of precise objectives, utilising AI systems and data sources tailored to specific regions.
Recent insights from memory forensics underscore the need for cautious consideration when selecting tools for memory dump retrieval, weighing their strengths and limitations. Expanding the scope of research to encompass mobile devices and intelligent home appliances represents a logical progression to address the evolving landscape of digital evidence sources.
By making AI and ML applications more powerful, refining pre-processing techniques such as email address matching, and using data from many different sources, potential offenders can be identified much more accurately. The incorporation of various analysis experiments for comparison purposes promises improved data mining techniques and reduced errors during the analytical process. Embracing machine learning-based metadata analysis, the utilisation of multiple cluster sizes, and the adoption of self-organising maps can enhance the precision of results and contribute to the development of innovative methodologies.
A pivotal gap exists in malware artefact detection within current forensic investigations. In response, this study proposes the application of Reinforcement Learning, modelling the problem as a Markov decision process (MDP), in line with RL's strength in capturing intricate agent-environment dynamics. Integrating this into a comprehensive framework offers a path towards automated malware detection. The transition matrix diagram serves as a visual representation, aiding comprehension of the possible transitions and their probabilities within the MDP and guiding the construction of robust malware detection models.
Finally, this study underscores the vitality and practical applicability of AI in the realm of digital forensics. The adoption of AI techniques promises swifter and more effective investigations, facilitated by the identification of data patterns indicative of cybercrime and potential culprits. While AI techniques such as pattern recognition, expert systems, and knowledge representation contribute significantly to combating cyber threats, the evolving nature of data representation necessitates adaptable methods. Recognising the limitations of existing approaches and addressing scalability concerns within a legal framework is paramount. This demands a concerted focus on the development of tools and applications that harness the full potential of AI in digital forensics while ensuring ethical and legally admissible processes.

Figure 1: Digital Forensic Evidence Life Cycle

Figure 2: Cyber Forensics Cycle-Inspired Proposed Roadmap for Systematic Literature Review (SLR) of AI and ML Techniques in DFIR

Figure 5: The Proposed Network Architecture by Mittal et al., (2021)

Figure 7: Proposed Model System by Hasan et al., (2011)

Figure 12: Proposed Model (Lashkari et al., 2021)

Table 3: Comparative Analysis of AI and ML Techniques in DFIR