SOLVE-IT-X: AI Applicability Report

A structured review of AI applicability across SOLVE-IT digital forensic techniques, organised by investigative objective.

Summary
Total techniques: 178
Assessed: 117 (49 with data)
Recently assessed: 12
Unassessed: 61
SOLVE-IT synced: 2026-03-27

Categories
In Tools: 6
Academic Implementation: 9
Academic Idea: 36

Objectives

DFO-1015: Prepare for a digital investigation

Conduct activities in preparation of conducting a digital investigation

DFT-1110: Preserving reference data Unassessed

This technique has not yet been assessed for AI applicability.

DFO-1014: Find potential digital evidence sources

Locate sources of digital evidence that may be relevant to the investigation.

DFT-1005: Conduct a search of a crime scene Previously assessed (2025-04-03)

The process of 'carefully documenting the conditions at a crime scene and identifying all relevant physical evidence.' (Birzer 2018).

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Wickramasekara, Akila and Breitinger, Frank and Scanlon, Mark (2024)
Help identifying pieces of evidence e.g. with VisionLLM
Reference details
Sok: Exploring the potential of large language models for improving digital forensic investigation efficiency, arXiv e-prints, pp. arXiv--2402
@article{wickramasekara2024sok,
  title={Sok: Exploring the potential of large language models for improving digital forensic investigation efficiency},
  author={Wickramasekara, Akila and Breitinger, Frank and Scanlon, Mark},
  journal={arXiv e-prints},
  pages={arXiv--2402},
  year={2024}
}

DFT-1006: Use digital sniffer dogs to locate digital devices Previously assessed (2025-04-03)

The use of canines to locate obscured digital storage devices.

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1009: Locate cloud account identifiers Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan (2025)
Perhaps AI could match cloud identifiers in addition to deterministic matching
Reference details
SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT&CK, Forensic Science International: Digital Investigation, pp. 301864
@article{hargreaves2025solve,
  title={SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT\&CK},
  author={Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan},
  journal={Forensic Science International: Digital Investigation},
  volume={52},
  pages={301864},
  year={2025},
  publisher={Elsevier}
}

DFT-1008: Profiling network traffic Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Implementation
Gratian, Margaret and Bhansali, Darshan and Cukier, Michel and Dykstra, Josiah (2019)
Identifying potentially infected machines from network traffic
Reference details
Identifying infected users via network traffic, Computers & Security, pp. 306--316
@article{gratian2019identifying,
  title={Identifying infected users via network traffic},
  author={Gratian, Margaret and Bhansali, Darshan and Cukier, Michel and Dykstra, Josiah},
  journal={Computers \& Security},
  volume={80},
  pages={306--316},
  year={2019},
  publisher={Elsevier}
}

DFT-1007: Use a SyncTriage-based approach to detect existence of devices Previously assessed (2025-04-03)

A technique developed in Hargreaves & Marshall (2018) whereby synchronisation artefacts on a device are examined and used to identify the existence of a related device. Also sometimes used to infer activity that occurred on an inaccessible or unavailable device.

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan (2025)
Perhaps AI could match references to other devices in addition to deterministic matching
Reference details
SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT&CK, Forensic Science International: Digital Investigation, pp. 301864
@article{hargreaves2025solve,
  title={SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT\&CK},
  author={Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan},
  journal={Forensic Science International: Digital Investigation},
  volume={52},
  pages={301864},
  year={2025},
  publisher={Elsevier}
}

DFO-1005: Prioritize digital evidence sources

Rank the evidence sources based on their relevance and potential value to the investigation.

DFT-1001: Triage Previously assessed (2025-04-03)

Digital forensic triage is a partial forensic examination conducted under (significant) time and resource constraints [DFCite-1115].

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Du, Xiaoyu and Hargreaves, Chris and Sheppard, John and Anda, Felix and Sayakkara, Asanka and Le-Khac, Nhien-An and Scanlon, Mark (2020)
Identifying the most relevant devices from a set could potentially be improved with AI
Reference details
SoK: Exploring the state of the art and the future potential of artificial intelligence in digital forensic investigation, Proceedings of the 15th international conference on availability, reliability and security, pp. 1--10
@inproceedings{du2020sok,
  title={SoK: Exploring the state of the art and the future potential of artificial intelligence in digital forensic investigation},
  author={Du, Xiaoyu and Hargreaves, Chris and Sheppard, John and Anda, Felix and Sayakkara, Asanka and Le-Khac, Nhien-An and Scanlon, Mark},
  booktitle={Proceedings of the 15th international conference on availability, reliability and security},
  pages={1--10},
  year={2020}
}

DFO-1010: Preserve digital evidence

Ensure the integrity and authenticity of digital evidence is maintained.

DFT-1011: Store seized devices in evidence bags Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1010: Place device in faraday environment Previously assessed (2025-04-03)

Place a device in an environment designed to shield a mobile phone or small digital device from radio waves entering the environment and reaching the device, and to stop radio waves escaping from the environment (adapted from Lennox-Steele & Nisbet (2016))

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1012: Connect storage medium via hardware write blocker Previously assessed (2025-04-03)

A hardware write blocking device [should] prevent any change to data in the user area of a hard drive while allowing access to all data on a hard drive. (Lyle 2006)

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1013: Use software write blockers to provide read only access to storage media Previously assessed (2025-04-03)

Use of a software-based tool that prevents a computer from writing to computer storage media connected to it (NIST 2006)

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFO-1021: Access device data for acquisition

Connect to physical sources of digital evidence to facilitate data extraction

DFT-1029: Access data from a desoldered eMMC via a chip reader Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1171: Access file system via live operating system Recently assessed (2026-03-17)

This involves accessing a live system and relying on the operating system's parsing of the file system to access files.

Assessments: 2025-04-03 (Chris Hargreaves) 2026-03-17

No AI applicability identified during review.

DFT-1113: Access internal storage via bootable environment Recently assessed (2026-03-17)

Booting the suspected computer device into an alternative operating system in order to image the attached disks.

Assessments: 2026-03-17 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1028: Chip-off Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan (2025)
Perhaps analysing data from thermal experiments to minimise chip damage
Reference details
SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT&CK, Forensic Science International: Digital Investigation, pp. 301864
@article{hargreaves2025solve,
  title={SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT\&CK},
  author={Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan},
  journal={Forensic Science International: Digital Investigation},
  volume={52},
  pages={301864},
  year={2025},
  publisher={Elsevier}
}

DFT-1166: Connect directly to storage media Recently assessed (2026-03-17)

This technique describes the occasions where it is necessary to connect directly to a disk without a hardware write blocker. This would typically then involve a subsequent software write blocker, which then presents a write-protected interface.

Assessments: 2026-03-17 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1112: Physical disk identification and removal Unassessed

Identifying physical storage media within devices and removing them

This technique has not yet been assessed for AI applicability.

DFO-1016: Overcome protection mechanisms

Attempt to gain access to protected data sources or other restricted data.

DFT-1039: Downgrade apps to facilitate data extraction Previously assessed (2025-04-03)

Downgrading an app to a version in which data is available e.g. via a backup method

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1034: Brute force attack Previously assessed (2025-04-03)

A brute force attack, or exhaustive search, is a password cracking approach where every combination of characters is tested until the correct one is found. This method is "guaranteed to work" given infinite time and resources, which in a real-life scenario is not feasible.

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1035: Dictionary attack Previously assessed (2025-04-03)

A dictionary attack is a password cracking technique where an attacker uses a list of passwords, called a dictionary, to attempt to guess a password.

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Implementation
Hitaj, Briland and Gasti, Paolo and Ateniese, Giuseppe and Perez-Cruz, Fernando (2019)
GAN for password generation
Reference details
Passgan: A deep learning approach for password guessing, Applied Cryptography and Network Security: 17th International Conference, ACNS 2019, Bogota, Colombia, June 5--7, 2019, Proceedings 17, pp. 217--237
@inproceedings{hitaj2019passgan,
  title={Passgan: A deep learning approach for password guessing},
  author={Hitaj, Briland and Gasti, Paolo and Ateniese, Giuseppe and Perez-Cruz, Fernando},
  booktitle={Applied Cryptography and Network Security: 17th International Conference, ACNS 2019, Bogota, Colombia, June 5--7, 2019, Proceedings 17},
  pages={217--237},
  year={2019},
  organization={Springer}
}

DFT-1033: Extraction of credential from an accessible device Previously assessed (2025-04-03)

Accessing a device with limited or no security to obtain a credential (e.g. password, PIN, token) that can be used to access another device or service.

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1031: Key recovery from memory Previously assessed (2025-04-03)

This describes the technique whereby an attempt is made to extract key material from memory, or from a memory acquisition of a running system, to facilitate the decryption of some data.

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1041: Pin2Pwn Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan (2025)
Perhaps AI assistance analysing PIN out
Reference details
SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT&CK, Forensic Science International: Digital Investigation, pp. 301864
@article{hargreaves2025solve,
  title={SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT\&CK},
  author={Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan},
  journal={Forensic Science International: Digital Investigation},
  volume={52},
  pages={301864},
  year={2025},
  publisher={Elsevier}
}

DFT-1038: Rainbow table-based password attack Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1032: Obtain encryption key information using side channel attacks Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Implementation
Le, Quan and Miralles-Pechuán, Luis and Sayakkara, Asanka and Le-Khac, Nhien-An and Scanlon, Mark (2021)
Identifying activities on IoT devices using ML-based side channel attacks
Reference details
Identifying Internet of Things software activities using deep learning-based electromagnetic side-channel analysis, Forensic Science International: Digital Investigation, pp. 301308
@article{le2021identifying,
  title={Identifying Internet of Things software activities using deep learning-based electromagnetic side-channel analysis},
  author={Le, Quan and Miralles-Pechu{\'a}n, Luis and Sayakkara, Asanka and Le-Khac, Nhien-An and Scanlon, Mark},
  journal={Forensic Science International: Digital Investigation},
  volume={39},
  pages={301308},
  year={2021},
  publisher={Elsevier}
}

DFT-1036: Smudge attack Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan (2025)
Perhaps image processing to infer lock code or pattern
Reference details
SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT&CK, Forensic Science International: Digital Investigation, pp. 301864
@article{hargreaves2025solve,
  title={SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT\&CK},
  author={Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan},
  journal={Forensic Science International: Digital Investigation},
  volume={52},
  pages={301864},
  year={2025},
  publisher={Elsevier}
}

DFT-1037: Obtain password from the device owner Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1040: Use mobile device exploit Previously assessed (2025-04-03)

A process that typically exploits a security flaw in a specific device or operating system to enable users to perform higher privileged functions on a device (derived from Grover 2013)

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1158: Configure device to enable a service needed for data extraction Unassessed

Change a setting on a device such that a service needed for data extraction is enabled. This may require a user PIN that can be obtained using other techniques.

This technique has not yet been assessed for AI applicability.

DFO-1006: Acquire data

Collect data from the identified evidence sources.

DFT-1163: Automated screenshot-based capture of a mobile device Unassessed

Programmatically controlling a mobile device while capturing screenshots of the display.

This technique has not yet been assessed for AI applicability.

DFT-1023: Cloud data collection to access data via a live web page using credentials Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1024: Cloud data collection via submission of request to service provider Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1104: Collect data using open source intelligence Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan (2025)
Suggesting other related places where information may be available based on content reviewed so far
Reference details
SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT&CK, Forensic Science International: Digital Investigation, pp. 301864
@article{hargreaves2025solve,
  title={SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT\&CK},
  author={Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan},
  journal={Forensic Science International: Digital Investigation},
  volume={52},
  pages={301864},
  year={2025},
  publisher={Elsevier}
}

DFT-1160: Collect data with 'cloud backup restore' approach Unassessed

Restore a device's cloud backup to a donor device, then subsequently use a local acquisition approach on that donor device, e.g. T1019/T1020

This technique has not yet been assessed for AI applicability.

DFT-1030: Data read from unmanaged NAND Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1002: Disk imaging Previously assessed (2025-04-03)

Copying of sectors from storage media, typically LBA 0 to LBA max, to a bitstream that can be stored in an image format (DFT-1025).

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1157: Extract device data using exposed service Recently assessed (2026-03-17)

Use an exposed service on a device to extract data. This represents several of the mobile data extraction methods, e.g. querying content providers (Android), AFC (iOS).

Assessments: 2026-03-17 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1019: Mobile backup extraction Previously assessed (2025-04-03)

Using the backup capability of a device to extract a subset of its contents

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1159: Extract mobile data via deployed agent Recently assessed (2026-03-17)

Deploy software to a mobile device that can carry out some function, either collect data with available permissions or attempt further exploitation e.g. sandbox escape.

Assessments: 2026-03-17 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1016: Live data collection Previously assessed (2025-04-03)

Running commands on a live system to collect specific pieces of information e.g. running processes or open ports

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1114: Memory Acquisition via Cold Boot Attack Recently assessed (2026-03-17)

Extracting volatile memory (RAM) from a powered-off system by quickly rebooting or transferring the memory module to another system before residual data fades. Cooling the memory modules can significantly slow down data decay, preserving critical data such as encryption keys or passwords.

Assessments: 2026-03-17 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1003: Memory imaging Previously assessed (2025-04-03)

Involves creating a copy of the live memory data of a running system

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan (2025)
Perhaps non-linear imaging could minimise smearing and AI may help identify locations to prioritise
Reference details
SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT&CK, Forensic Science International: Digital Investigation, pp. 301864
@article{hargreaves2025solve,
  title={SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT\&CK},
  author={Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan},
  journal={Forensic Science International: Digital Investigation},
  volume={52},
  pages={301864},
  year={2025},
  publisher={Elsevier}
}

DFT-1022: Mobile device screenshot based capture Previously assessed (2025-04-03)

An examiner directly manipulates the target mobile device using the device's input interface (i.e., keypads and buttons), and records the content shown on the display of the device. (Fukami et al 2021)

Assessments: 2025-04-03 (Chris Hargreaves)
In Tools
X-Ways (2021)
OCR can already be used to extract text from images
Reference details
X-Ways Forensics 20.3 Public Announcement
@misc{xways,
  author = "X-Ways",
  title = "X-Ways Forensics 20.3 Public Announcement",
  year = "2021",
  url = "https://www.x-ways.net/winhex/forum/messages/1/5308.html?1673371179"

}

DFT-1017: Network packet capture Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1162: Read data from a device via In-System Programming (ISP) Unassessed

This technique has not yet been assessed for AI applicability.

DFT-1027: Data read using JTAG Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan (2025)
Perhaps AI assistance with finding JTAG TAPs
Reference details
SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT&CK, Forensic Science International: Digital Investigation, pp. 301864
@article{hargreaves2025solve,
  title={SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT\&CK},
  author={Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan},
  journal={Forensic Science International: Digital Investigation},
  volume={52},
  pages={301864},
  year={2025},
  publisher={Elsevier}
}

DFT-1111: Recording system clock offset Recently assessed (2026-03-17)

Recording a system clock compared with a trusted time source

Assessments: 2026-03-17 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1018: Remote data collection Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1004: Selective file acquisition Previously assessed (2025-04-03)

Views a set of files (typically via direct access from previewing) and acquires a subset of them.

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan (2025)
Use of AI to scan for relevant content, determining content prioritised for acquisition
Reference details
SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT&CK, Forensic Science International: Digital Investigation, pp. 301864
@article{hargreaves2025solve,
  title={SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT\&CK},
  author={Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan},
  journal={Forensic Science International: Digital Investigation},
  volume={52},
  pages={301864},
  year={2025},
  publisher={Elsevier}
}

DFT-1015: Privacy preserving selective extraction Previously assessed (2025-04-03)

Previewing a data source and selecting a subset of the data for collection into a container such as a tar/zip file or a forensic image format for the purposes of protecting the privacy of the complainant or witness.

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Webb, Helena and Fitzroy-Dale, Nicholas and Aqeel, Saamiya and Piskopani, Anna Maria and Stafford-Fraser, Quentin and Nikolaou, Christos and Dowthwaite, Liz and Mcauley, Derek and Hargreaves, Christopher (2024)
Perhaps AI could match relevant content without human review to provide some privacy protections
Reference details
Responsible AI in policing, Proceedings of the Second International Symposium on Trustworthy Autonomous Systems, pp. 1--5
@inproceedings{webb2024responsible,
  title={Responsible AI in policing},
  author={Webb, Helena and Fitzroy-Dale, Nicholas and Aqeel, Saamiya and Piskopani, Anna Maria and Stafford-Fraser, Quentin and Nikolaou, Christos and Dowthwaite, Liz and Mcauley, Derek and Hargreaves, Christopher},
  booktitle={Proceedings of the Second International Symposium on Trustworthy Autonomous Systems},
  pages={1--5},
  year={2024}
}

DFT-1020: Mobile file system extraction Previously assessed (2025-04-03)

Accessing the file system(s) of the device and extracting a set of files (full or partial depending on level of access)

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1175: Extract data using content queries Unassessed

Use of content queries on Android devices via adb to extract specific pieces of data exposed by content providers.

This technique has not yet been assessed for AI applicability.

DFT-1164: Direct data read from a block device Unassessed

Rather than imaging a block device, this involves accessing it directly without the expectation of saving block data to a forensic image format.

This technique has not yet been assessed for AI applicability.

DFO-1022: Store acquired data

Store acquired data in one or more formats for subsequent examination and analysis

DFT-1025: Writing bitstream data to a forensic image format Previously assessed (2025-04-03)

Storage of bitstream data recovered from a digital device

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1026: Writing data to standard archive format Previously assessed (2025-04-03)

Storing acquired data in a standard archive format such as rar, tar or zip

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFO-1018: Read data from digital evidence storage formats

Access data within digital evidence containers such as disk images, memory dumps, or archive formats.

DFT-1045: Decode standard archive format Previously assessed (2025-04-03)

Extract files from a common archive format e.g. TAR, RAR, ZIP

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1042: Hash verification of source device against stored data Previously assessed (2025-04-03)

Computing the hash function of the entire contents of a disk, recording it, and then subsequently computing the hash over any disk image created to detect if any content is different (adapted from Lyle 2002)

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1043: Access forensic image content (bitstream) Previously assessed (2025-04-03)

The decoding of a forensic format such as EWF such that the raw sectors can be accessed by a forensic tool (typically performed on-the-fly internally in a tool.)

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1044: Mobile backup decoding Previously assessed (2025-04-03)

Processing an extracted mobile device backup to access the files contained within.

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1102: Decode data from image from unmanaged NAND Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan (2025)
Perhaps finding patterns in unknown NAND types
Reference details
SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT&CK, Forensic Science International: Digital Investigation, pp. 301864
@article{hargreaves2025solve,
  title={SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT\&CK},
  author={Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan},
  journal={Forensic Science International: Digital Investigation},
  volume={52},
  pages={301864},
  year={2025},
  publisher={Elsevier}
}

DFT-1170: Decode forensic image format (logical) Recently assessed (2026-03-17)

Decodes logical image formats such as L01, AD1, CTR, or AFF4-L. The output here is not an image file but rather a set of files and their metadata.

Assessments: 2026-03-17 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1172: Access raw image content Recently assessed (2026-03-17)

This technique reads data from a raw image e.g. a dd image.

Assessments: 2026-03-17 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1173: Extract data from captured screenshots Unassessed

Processing a screenshot captured from a device to extract data for further processing.

This technique has not yet been assessed for AI applicability.

DFT-1174: Read evidential files stored directly on local file system Recently assessed (2026-03-17)

Represents reading files that have been acquired or extracted directly to the local file system.

Assessments: 2026-03-17 (Chris Hargreaves)

No AI applicability identified during review.

DFO-1007: Reduce data under consideration

Filter the data to be considered in the investigation for practical, legal, or privacy protection reasons.

DFT-1047: Hash matching (reduce) Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1048: Privacy protection via partial processing Previously assessed (2025-04-03)

Limiting the scope of file processing based on type, date or other criteria to protect privacy.

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan (2025)
Perhaps in determining which aspects should be partially processed
Reference details
SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT&CK, Forensic Science International: Digital Investigation, pp. 301864
@article{hargreaves2025solve,
  title={SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT\&CK},
  author={Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan},
  journal={Forensic Science International: Digital Investigation},
  volume={52},
  pages={301864},
  year={2025},
  publisher={Elsevier}
}

DFT-1046: Privileged material protection Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan (2025)
Perhaps searching for and matching privileged material
Reference details
SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT&CK, Forensic Science International: Digital Investigation, pp. 301864
@article{hargreaves2025solve,
  title={SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT\&CK},
  author={Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan},
  journal={Forensic Science International: Digital Investigation},
  volume={52},
  pages={301864},
  year={2025},
  publisher={Elsevier}
}

DFO-1013: Access partitions, volumes and file systems data

Process core data storage structures such as partitions, volumes, and file systems, recovering content and metadata.

DFT-1062: Decryption of encrypted file systems/volumes Previously assessed (2025-04-03)

The process of decrypting an encrypted file system/volume to make its contents accessible for analysis.

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1061: Recover non-allocated files Previously assessed (2025-04-03)

The recovery of files from non-allocated space

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1150: Recover non-allocated files using residual file metadata Unassessed

Use metadata that remains in the file system to recover non-allocated files

This technique has not yet been assessed for AI applicability.

DFT-1064: File carving Previously assessed (2025-04-03)

The process of recovering files from non-allocated space using only the structural properties of files.

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Implementation
Alam, Shahid and Demir, Alper Kamil (2024)
e.g. file fragment identification
Reference details
SIFT: Sifting file types—application of explainable artificial intelligence in cyber forensics, Cybersecurity, pp. 52
@article{alam2024sift,
  title={SIFT: Sifting file types—application of explainable artificial intelligence in cyber forensics},
  author={Alam, Shahid and Demir, Alper Kamil},
  journal={Cybersecurity},
  volume={7},
  number={1},
  pages={52},
  year={2024},
  publisher={Springer}
}

DFT-1063: Identify file types Previously assessed (2025-04-03)

Applying a process that identifies the types of files.

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1059: Identify partitions Previously assessed (2025-04-03)

Partitions are defined as ‘allocated contiguous sets of sectors from storage media’. This involves recovering the list of partitions that exist on a storage medium.

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1060: Enumerate allocated files and folders Previously assessed (2025-04-03)

This involves parsing the live file system data structures and reconstructing the file system of the target media or device.

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1168: Identify volumes Unassessed

From a partition or data from a full disk, identify volumes and extract file systems.

This technique has not yet been assessed for AI applicability.

DFO-1017: Extract artifacts stored by the operating system

Process data stored by the operating system to extract digital forensic artifacts.

DFT-1067: Cloud synchronisation feature examination (OS) Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1065: Content indexer examination (OS) Previously assessed (2025-04-03)

Examine information from operating system artifacts relating to content indexing and search capabilities, e.g. Windows Desktop Search.

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1097: Installed programs identification (OS) Previously assessed (2025-04-03)

Extraction and analysis of information that allows programs installed on an OS to be identified.

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan (2025)
Perhaps separating default programs from installed ones or identifying ones of interest
Reference details
SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT&CK, Forensic Science International: Digital Investigation, pp. 301864
@article{hargreaves2025solve,
  title={SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT\&CK},
  author={Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan},
  journal={Forensic Science International: Digital Investigation},
  volume={52},
  pages={301864},
  year={2025},
  publisher={Elsevier}
}

DFT-1066: Log file examination (OS) Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Scanlon, Mark and Breitinger, Frank and Hargreaves, Christopher and Hilgert, Jan-Niclas and Sheppard, John (2023)
Identifying anomalies
Reference details
ChatGPT for digital forensic investigation: The good, the bad, and the unknown, Forensic Science International: Digital Investigation, pp. 301609
@article{scanlon2023chatgpt,
  title={ChatGPT for digital forensic investigation: The good, the bad, and the unknown},
  author={Scanlon, Mark and Breitinger, Frank and Hargreaves, Christopher and Hilgert, Jan-Niclas and Sheppard, John},
  journal={Forensic Science International: Digital Investigation},
  volume={46},
  pages={301609},
  year={2023},
  publisher={Elsevier}
}

DFT-1068: Recently used file identification (OS) Previously assessed (2025-04-03)

The process of examining operating system files to extract artifacts that may indicate file accesses.

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1096: Run programs identification (OS) Previously assessed (2025-04-03)

The process of examining operating system files to extract artifacts that may indicate a program has been run.

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1098: User account analysis (OS) Previously assessed (2025-04-03)

Examination of information related to user account creation and logins

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1083: Memory examination (OS-level) Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Implementation
Oh, Dong Bin and Kim, Donghyun and Kim, Huy Kang (2024)
Use of LLMs to detect and identify ransomware-related processes within memory dumps
Reference details
volGPT: Evaluation on triaging ransomware process in memory forensics with Large Language Model, Forensic Science International: Digital Investigation, pp. 301756
@article{oh2024volgpt,
  title={volGPT: Evaluation on triaging ransomware process in memory forensics with Large Language Model},
  author={Oh, Dong Bin and Kim, Donghyun and Kim, Huy Kang},
  journal={Forensic Science International: Digital Investigation},
  volume={49},
  pages={301756},
  year={2024},
  publisher={Elsevier}
}

DFT-1116: Extract references to connected devices Unassessed

Examine artifacts and extract indicators of devices that have been connected to the target device.

This technique has not yet been assessed for AI applicability.

DFT-1149: File versioning feature examination Unassessed

Extraction of data from the versioning system used by an operating system to store older versions of files.

This technique has not yet been assessed for AI applicability.

DFO-1011: Extract artifacts stored by applications

Process data stored by the applications to extract digital forensic artifacts.

DFT-1069: Browser examination Previously assessed (2025-04-03)

Recovery of information left from web browsing activity (derived from Oh et al. (2011))

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan (2025)
Reviewing browser history and identifying items of interest or summarisation
Reference details
SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT&CK, Forensic Science International: Digital Investigation, pp. 301864
@article{hargreaves2025solve,
  title={SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT\&CK},
  author={Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan},
  journal={Forensic Science International: Digital Investigation},
  volume={52},
  pages={301864},
  year={2025},
  publisher={Elsevier}
}

DFT-1137: Browser history examination Unassessed

The examination of the history component of a web browser.

This technique has not yet been assessed for AI applicability.

DFT-1138: Browser cache examination Unassessed

The examination of the content saved locally by browsers to improve performance

This technique has not yet been assessed for AI applicability.

DFT-1139: Browser session examination Unassessed

The examination of sessions and open tabs and their individual histories

This technique has not yet been assessed for AI applicability.

DFT-1140: Browser autofill examination Unassessed

The examination of data that is stored to autocomplete entries in forms

This technique has not yet been assessed for AI applicability.

DFT-1141: Browser bookmarks examination Unassessed

The examination of the links saved within a browser to facilitate quick access

This technique has not yet been assessed for AI applicability.

DFT-1142: Browser downloads examination Unassessed

The examination of records of files downloaded with a browser

This technique has not yet been assessed for AI applicability.

DFT-1143: Browser configuration examination Unassessed

The examination of a browser's configuration

This technique has not yet been assessed for AI applicability.

DFT-1144: Browser profile enumeration Unassessed

The enumeration of the separate user profiles set up within a browser

This technique has not yet been assessed for AI applicability.

DFT-1145: Browser extensions examination Unassessed

The examination of the extensions installed within a browser

This technique has not yet been assessed for AI applicability.

DFT-1146: Browser synchronization feature examination Unassessed

The examination of the settings and artifacts resulting from a browser synchronization feature

This technique has not yet been assessed for AI applicability.

DFT-1147: Browser cookie examination Unassessed

The examination of stored browser cookies

This technique has not yet been assessed for AI applicability.

DFT-1148: Browser web storage examination Unassessed

The examination of

This technique has not yet been assessed for AI applicability.

DFT-1073: Calendar app examination Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Implementation
Reviewing calendar entries and identifying items of interest or summarisation

DFT-1072: Chat app examination Previously assessed (2025-04-03)

Analysis of the files that provide the backing store for a chat or messenger application

Assessments: 2025-04-03 (Chris Hargreaves)
In Tools
Identification of grooming (e.g. Magnet AI)
Academic Implementation
Piętak, Kamil and Dajda, Jacek and Kisiel-Dorohinicki, Marek (2025)
Named entity recognition in message content
Reference details
Mobint – an advanced platform supporting integration and analysis of mobile data coming from various sources, DFRWS EU 2025
@conference{mobint-named,
    title="Mobint – an advanced platform supporting integration and analysis of mobile data coming from various sources",
    author="Piętak, Kamil and Dajda, Jacek and Kisiel-Dorohinicki, Marek",
    booktitle = "DFRWS EU 2025",
    year="2025"
}

DFT-1078: Cloud sync app examination Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1070: Email examination Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan (2025)
Reviewing emails and identifying items of interest or summarisation
Reference details
SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT&CK, Forensic Science International: Digital Investigation, pp. 301864
@article{hargreaves2025solve,
  title={SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT\&CK},
  author={Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan},
  journal={Forensic Science International: Digital Investigation},
  volume={52},
  pages={301864},
  year={2025},
  publisher={Elsevier}
}

DFT-1075: Maps/travel app examination Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1077: Photos app examination Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)
In Tools
Finding images with specific types of content (e.g. Magnet AI)

DFT-1074: Social network app examination Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan (2025)
Inferring nature of the social network
Reference details
SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT&CK, Forensic Science International: Digital Investigation, pp. 301864
@article{hargreaves2025solve,
  title={SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT\&CK},
  author={Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan},
  journal={Forensic Science International: Digital Investigation},
  volume={52},
  pages={301864},
  year={2025},
  publisher={Elsevier}
}

DFT-1105: Memory examination (application-level) Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan (2025)
Identifying relevant memory structures within application memory space
Reference details
SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT&CK, Forensic Science International: Digital Investigation, pp. 301864
@article{hargreaves2025solve,
  title={SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT\&CK},
  author={Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan},
  journal={Forensic Science International: Digital Investigation},
  volume={52},
  pages={301864},
  year={2025},
  publisher={Elsevier}
}

DFT-1107: Health/Fitness app examination Unassessed

This technique has not yet been assessed for AI applicability.

DFT-1108: Reminders app examination Unassessed

This technique has not yet been assessed for AI applicability.

DFT-1109: Payment app examination Unassessed

This technique has not yet been assessed for AI applicability.

DFT-1133: AI companion app examination Unassessed

The forensic examination of the artifacts describing the configuration or the interaction with an AI companion app or service.

This technique has not yet been assessed for AI applicability.

DFO-1002: Extract artifacts, or content of specific types

Process data to extract artifacts or stored content of specific types.

DFT-1021: Configuration file examination Previously assessed (2025-04-03)

Examination of a file that was designed for storing configuration information for a piece of software (e.g. an application or operating system feature)

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1071: SQLite database examination Previously assessed (2025-04-03)

Examination of SQLite database file(s) to extract the information within.

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan (2025)
Identifying critical tables in the schema
Reference details
SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT&CK, Forensic Science International: Digital Investigation, pp. 301864
@article{hargreaves2025solve,
  title={SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT\&CK},
  author={Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan},
  journal={Forensic Science International: Digital Investigation},
  volume={52},
  pages={301864},
  year={2025},
  publisher={Elsevier}
}

DFT-1076: Log file examination Previously assessed (2025-04-03)

Examination of a file that was designed for incremental logging from a piece of software (e.g. an application or operating system feature)

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1100: EXIF data extraction Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1099: File repair with grafting Previously assessed (2025-04-03)

Repair a file by grafting different reference data onto its fragment(s)

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1052: Timeline generation Previously assessed (2025-04-03)

The extraction and normalisation of timestamps from a data source into a set of timeline entries

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Du, Xiaoyu and Hargreaves, Chris and Sheppard, John and Anda, Felix and Sayakkara, Asanka and Le-Khac, Nhien-An and Scanlon, Mark (2020)
Clock anomaly detection
Reference details
SoK: Exploring the state of the art and the future potential of artificial intelligence in digital forensic investigation, Proceedings of the 15th international conference on availability, reliability and security, pp. 1–10
@inproceedings{du2020sok,
  title={SoK: Exploring the state of the art and the future potential of artificial intelligence in digital forensic investigation},
  author={Du, Xiaoyu and Hargreaves, Chris and Sheppard, John and Anda, Felix and Sayakkara, Asanka and Le-Khac, Nhien-An and Scanlon, Mark},
  booktitle={Proceedings of the 15th international conference on availability, reliability and security},
  pages={1--10},
  year={2020}
}

DFT-1153: Apply offset to a timestamp Unassessed

Application of a time offset to a timestamp

This technique has not yet been assessed for AI applicability.

DFT-1053: Entity extraction Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan (2025)
Identifying names, addresses and other entities with AI rather than pattern matching
Reference details
SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT&CK, Forensic Science International: Digital Investigation, pp. 301864
@article{hargreaves2025solve,
  title={SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT\&CK},
  author={Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan},
  journal={Forensic Science International: Digital Investigation},
  volume={52},
  pages={301864},
  year={2025},
  publisher={Elsevier}
}

DFT-1056: Entity connection enumeration Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1120: Automated artifact extraction from app data Unassessed

The use of automation to extract pieces of data that are potentially useful for a digital forensic investigation from app data.

This technique has not yet been assessed for AI applicability.

DFT-1167: Extract search terms from URLs Unassessed

Parsing a URL and extracting search terms from the parameters.

This technique has not yet been assessed for AI applicability.

DFT-1169: Filter files related to an application Unassessed

This technique takes a set of files and determines which are related to a specified application.

This technique has not yet been assessed for AI applicability.

DFT-1121: Keyword indexing Unassessed

Extracting strings from a data source and adding them to an index for subsequent searching.

This technique has not yet been assessed for AI applicability.

DFO-1012: Locate potentially relevant content

Attempt to find digital artifacts relevant to the investigation.

DFT-1051: Fuzzy hash matching Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1050: Hash matching (locate) Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1049: Keyword searching Previously assessed (2025-04-03)

This technique involves searching data in the case for specific strings

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Scanlon, Mark and Breitinger, Frank and Hargreaves, Christopher and Hilgert, Jan-Niclas and Sheppard, John (2023)
Generating keyword lists
Reference details
ChatGPT for digital forensic investigation: The good, the bad, and the unknown, Forensic Science International: Digital Investigation, pp. 301609
@article{scanlon2023chatgpt,
  title={ChatGPT for digital forensic investigation: The good, the bad, and the unknown},
  author={Scanlon, Mark and Breitinger, Frank and Hargreaves, Christopher and Hilgert, Jan-Niclas and Sheppard, John},
  journal={Forensic Science International: Digital Investigation},
  volume={46},
  pages={301609},
  year={2023},
  publisher={Elsevier}
}

DFT-1125: Keyword search (live) Unassessed

Searching for keywords over the raw data in a case without using an index of text content

This technique has not yet been assessed for AI applicability.

DFT-1126: Keyword search (live) (physical) Unassessed

Searching for keywords over the raw data on a sector by sector basis

This technique has not yet been assessed for AI applicability.

DFT-1127: Keyword search (live) (logical) Unassessed

Searching for keywords over the raw data, without an index of text content, but on a file by file basis

This technique has not yet been assessed for AI applicability.

DFT-1124: Keyword search (indexed) Unassessed

Searching for keywords within a generated index of data in a case

This technique has not yet been assessed for AI applicability.

DFT-1122: Keyword search (case-type wordlists) Unassessed

Searching for case-type specific keywords

This technique has not yet been assessed for AI applicability.

DFT-1123: Keyword search (case-specific wordlists) Unassessed

Searching for case-specific keywords, e.g. people's names, places etc.

This technique has not yet been assessed for AI applicability.

DFT-1151: Keyword search (over extracted artifacts) Unassessed

Keyword searching only applied over extracted artifacts

This technique has not yet been assessed for AI applicability.

DFT-1118: Locate relevant files by path Recently assessed (2026-03-17)

Use the path or file name to determine the potential relevance of an artefact

Assessments: 2026-03-17 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1086: Timeline analysis Previously assessed (2025-04-03)

The process of searching, filtering, sorting, highlighting, or aggregating timeline entries to determine which are relevant for event reconstruction, or to identify times of interest (adapted from Breitinger et al. 2025)

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Implementation
Studiawan, Hudan and Sohel, Ferdous (2021)
Anomaly detection in forensic timelines
Reference details
Anomaly detection in a forensic timeline with deep autoencoders, Journal of Information Security and Applications, pp. 103002
@article{studiawan2021anomaly,
  title={Anomaly detection in a forensic timeline with deep autoencoders},
  author={Studiawan, Hudan and Sohel, Ferdous},
  journal={Journal of Information Security and Applications},
  volume={63},
  pages={103002},
  year={2021},
  publisher={Elsevier}
}

DFT-1134: Use time anchors to estimate clock offset Unassessed

Correlate timestamps from the system clock and an external trusted time source (Time Anchoring)

This technique has not yet been assessed for AI applicability.

DFO-1003: Review content for relevance

Review potentially relevant content to determine its significance or meaning.

DFT-1054: Manual content review for relevant material Previously assessed (2025-04-03)

Manual examination of files or artifacts to determine their relevance to the investigation.

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Scanlon, Mark and Breitinger, Frank and Hargreaves, Christopher and Hilgert, Jan-Niclas and Sheppard, John (2023)
Summarisation, and identifying specific content types
Reference details
ChatGPT for digital forensic investigation: The good, the bad, and the unknown, Forensic Science International: Digital Investigation, pp. 301609
@article{scanlon2023chatgpt,
  title={ChatGPT for digital forensic investigation: The good, the bad, and the unknown},
  author={Scanlon, Mark and Breitinger, Frank and Hargreaves, Christopher and Hilgert, Jan-Niclas and Sheppard, John},
  journal={Forensic Science International: Digital Investigation},
  volume={46},
  pages={301609},
  year={2023},
  publisher={Elsevier}
}

DFT-1055: File system content inspection Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Scanlon, Mark and Breitinger, Frank and Hargreaves, Christopher and Hilgert, Jan-Niclas and Sheppard, John (2023)
Summarisation, and identifying specific content types
Reference details
ChatGPT for digital forensic investigation: The good, the bad, and the unknown, Forensic Science International: Digital Investigation, pp. 301609
@article{scanlon2023chatgpt,
  title={ChatGPT for digital forensic investigation: The good, the bad, and the unknown},
  author={Scanlon, Mark and Breitinger, Frank and Hargreaves, Christopher and Hilgert, Jan-Niclas and Sheppard, John},
  journal={Forensic Science International: Digital Investigation},
  volume={46},
  pages={301609},
  year={2023},
  publisher={Elsevier}
}

DFT-1079: Audio content analysis Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan (2025)
Perhaps speaker identification
Reference details
SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT&CK, Forensic Science International: Digital Investigation, pp. 301864
@article{hargreaves2025solve,
  title={SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT\&CK},
  author={Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan},
  journal={Forensic Science International: Digital Investigation},
  volume={52},
  pages={301864},
  year={2025},
  publisher={Elsevier}
}
Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan (2025)
Perhaps detection of AI generated speech
Reference details
SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT&CK, Forensic Science International: Digital Investigation, pp. 301864
@article{hargreaves2025solve,
  title={SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT\&CK},
  author={Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan},
  journal={Forensic Science International: Digital Investigation},
  volume={52},
  pages={301864},
  year={2025},
  publisher={Elsevier}
}

DFT-1080: Video content analysis Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)
In Tools
Deep fake identification (e.g. Amped Authenticate - Amped Software)

DFT-1106: Deep fake detection (video) Unassessed

This technique has not yet been assessed for AI applicability.

DFT-1081: Image content analysis Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)
In Tools
Finding images with specific types of content (e.g. Magnet AI)

DFT-1082: Document content analysis Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan (2025)
Reviewing document content and identifying items of interest or summarisation
Reference details
SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT&CK, Forensic Science International: Digital Investigation, pp. 301864
@article{hargreaves2025solve,
  title={SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT\&CK},
  author={Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan},
  journal={Forensic Science International: Digital Investigation},
  volume={52},
  pages={301864},
  year={2025},
  publisher={Elsevier}
}

DFT-1176: Identification of synthetic images Recently assessed (2026-03-27)

Classification of images with respect to their origin, i.e., whether they are synthetically generated or naturally captured by a camera.

Assessments: 2026-03-27 (Chris Hargreaves)
In Tools
Amped Software (2026)
Offers some deepfake detection capability.
Reference details
Amped Authenticate: Photo, Video, and Deepfake Forensics
@misc{amped_authenticate,
  author       = {{Amped Software}},
  title        = {Amped Authenticate: Photo, Video, and Deepfake Forensics},
  year         = {2026},
  url          = {https://ampedsoftware.com/authenticate},
  note         = {Accessed: 2026-03-27},
  howpublished = {\url{https://ampedsoftware.com/authenticate}}
}

DFO-1019: Detect anti-forensics and other anomalies

Search for indicators of anti-forensic techniques or other anomalies such as malware, which could affect interpretation.

DFT-1057: Search for indicators of steganography Previously assessed (2025-04-03)

Searching for the presence of current or historical steganography software on a system

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1058: Search for mismatched file extensions Previously assessed (2025-04-03)

Checking the content of a file against its file extension to identify mismatches.

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1128: Search for indicators of malware Unassessed

Searching for the presence of current or historical malware on a system

This technique has not yet been assessed for AI applicability.

DFT-1129: Search for indicators of clock tampering Unassessed

Searching for indicators that the system clock has been tampered with

This technique has not yet been assessed for AI applicability.

DFT-1130: Search for indicators of encrypted data Unassessed

Searching for the presence of current or historical encrypted data on a system

This technique has not yet been assessed for AI applicability.

DFT-1131: Search for indicators of trail obfuscation Unassessed

Searching for the presence of current or historical trail obfuscation on a system

This technique has not yet been assessed for AI applicability.

DFT-1132: Search for indicators of artifact wiping Unassessed

Searching for the presence of current or historical artifact wiping

This technique has not yet been assessed for AI applicability.

DFO-1008: Establish identities

Attempt to link data or devices to individuals.

DFT-1084: Extraction of user accounts Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1085: Identify conflation Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFO-1009: Create visualizations

Display information using visual representations to assist with analysis.

DFT-1103: Virtualise suspect system for previewing Previously assessed (2025-04-03)

A suspect disk image can be configured to boot as a virtual machine, which allows, for example, screenshots to be taken showing how the user's desktop looked.

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1115: Visualisation of geolocation information Unassessed

Presenting points or paths visually using extracted data, typically on a map

This technique has not yet been assessed for AI applicability.

DFO-1004: Conduct research

Conduct research to gain additional knowledge to support the acquisition, extraction, or interpretation of digital evidence.

DFT-1090: Experimentation Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Identifying relevant traces from a set of actions carried out in an experiment

DFT-1095: Instrumentation Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1089: Source code review Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Chen, Eason and Huang, Ray and Chen, Han-Shin and Tseng, Yuen-Hsien and Li, Liang-Yi (2023)
Explaining source code operations
Reference details
GPTutor: a ChatGPT-powered programming tool for code explanation, International Conference on Artificial Intelligence in Education, pp. 321–327
@inproceedings{chen2023gptutor,
  title={GPTutor: a ChatGPT-powered programming tool for code explanation},
  author={Chen, Eason and Huang, Ray and Chen, Han-Shin and Tseng, Yuen-Hsien and Li, Liang-Yi},
  booktitle={International Conference on Artificial Intelligence in Education},
  pages={321--327},
  year={2023},
  organization={Springer}
}

DFT-1101: Cell site survey Previously assessed (2025-04-03)

Taking measurements to assess which cells actually provide service at a specific location (adapted from Tart et al. 2012).

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1119: Automatically scan for artifact changes caused by app updates Unassessed

Monitor every version change of an application to determine if there are changes to the way the app stores data

This technique has not yet been assessed for AI applicability.

DFO-1001: Reconstruct events

Use available digital evidence to formulate and test hypotheses about events.

DFT-1087: Location-based event reconstruction Previously assessed (2025-04-03)

The process of assigning location properties to a reconstructed event

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan (2025)
Assistance in finding patterns in location information
Reference details
SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT&CK, Forensic Science International: Digital Investigation, pp. 301864
@article{hargreaves2025solve,
  title={SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT\&CK},
  author={Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan},
  journal={Forensic Science International: Digital Investigation},
  volume={52},
  pages={301864},
  year={2025},
  publisher={Elsevier}
}

DFT-1088: Relational-based event reconstruction Previously assessed (2025-04-03)

The process of determining the existence and nature of relationships between entities during event reconstruction

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Henseler, Hans and Hyde, Jessica (2019)
Graph Neural Networks (GNN) to model interesting relation graphs
Reference details
Technology Assisted Analysis of Timeline and Connections in Digital Forensic Investigations, LegalAIIA@ ICAIL, pp. 32--37
@inproceedings{henseler2019technology,
  title={Technology Assisted Analysis of Timeline and Connections in Digital Forensic Investigations.},
  author={Henseler, Hans and Hyde, Jessica},
  booktitle={LegalAIIA@ ICAIL},
  pages={32--37},
  year={2019}
}

DFT-1117: Time-based event reconstruction Unassessed

The process of assigning a time component to a reconstructed event

This technique has not yet been assessed for AI applicability.

DFT-1154: Identity-based event reconstruction Unassessed

The process of attempting to link an identity (account, person, etc.) to a reconstructed event

This technique has not yet been assessed for AI applicability.

DFT-1155: Operation-based event reconstruction Unassessed

The process of reconstructing that an operation occurred on a digital system

This technique has not yet been assessed for AI applicability.

DFT-1156: Functional-based event reconstruction Unassessed

Reconstructing the configuration or capabilities of a system at the time of an event

This technique has not yet been assessed for AI applicability.

DFO-1020: Document digital forensic activities

Create documentation about techniques used and findings.

DFT-1091: Bookmark artifacts Previously assessed (2025-04-03)

Make a record of selected files or pieces of data so they can be accessed easily, or used for generating automated reports.

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan (2025)
Perhaps some automated bookmarking based on investigator-specified criteria
Reference details
SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT&CK, Forensic Science International: Digital Investigation, pp. 301864
@article{hargreaves2025solve,
  title={SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT\&CK},
  author={Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan},
  journal={Forensic Science International: Digital Investigation},
  volume={52},
  pages={301864},
  year={2025},
  publisher={Elsevier}
}

DFT-1094: Disclosure Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1092: Produce tag-based automated report Previously assessed (2025-04-03)

Generate a report in PDF, HTML or other format that compiles tagged (or bookmarked) items from a case into a package that can be reviewed.

Assessments: 2025-04-03 (Chris Hargreaves)

No AI applicability identified during review.

DFT-1093: Write expert report Previously assessed (2025-04-03)

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Implementation
Michelet, Gaëtan and Breitinger, Frank (2024)
LLMs (Llama-2 & ChatGPT-3.5) to generate reports from tool output
Reference details
ChatGPT, Llama, can you write my report? An experiment on assisted digital forensics reports written using (local) large language models, Forensic Science International: Digital Investigation, pp. 301683
@article{michelet2024chatgpt,
  title={ChatGPT, Llama, can you write my report? An experiment on assisted digital forensics reports written using (local) large language models},
  author={Michelet, Ga{\"e}tan and Breitinger, Frank},
  journal={Forensic Science International: Digital Investigation},
  volume={48},
  pages={301683},
  year={2024},
  publisher={Elsevier}
}

DFT-1014: Document the chain of custody Previously assessed (2025-04-03)

A process that tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle by documenting each person who handled the evidence, the date/time it was collected or transferred, and the purpose for the transfer [DFCite-1147].

Assessments: 2025-04-03 (Chris Hargreaves)
Academic Idea
Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan (2025)
Perhaps automatically highlighting inconsistencies or errors in documentation
Reference details
SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT&CK, Forensic Science International: Digital Investigation, pp. 301864
@article{hargreaves2025solve,
  title={SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT\&CK},
  author={Hargreaves, Christopher and van Beek, Harm and Casey, Eoghan},
  journal={Forensic Science International: Digital Investigation},
  volume={52},
  pages={301864},
  year={2025},
  publisher={Elsevier}
}