June 11, 2024 Feature

The Impending Impact of Artificial Intelligence on Digital Forensics

Michael C. Maschke

Technology changes rapidly. Within a short time, innovations and advancements present overwhelming benefits for humanity. But there are also downsides, including greater access to tools used for nefarious purposes by “bad guys.” The rapid changes also impact the field of digital forensics. As such, digital forensics examiners must stay on top of all the latest technological advances because those advances will end up in a courtroom one day soon, in one form or another, as electronic evidence in a legal matter.

A qualified digital forensics examiner must be well-versed in many technologies—a jack-of-all-trades. Whether preserving a computer or a mobile device or acquiring cloud-based data, an examiner should be able to handle any electronic device they may come across during an investigation. Digital forensics examiners carry a lot of weight and responsibility on their shoulders, from preservation to analysis, providing expert testimony, and explaining to the common person the intricacies of technology—with integrity and accuracy. That is certainly not an easy job to do while having to keep up with rapidly changing technology. Have you ever tried to explain technology to a group of lawyers? It is, to say the least, a challenge.

One area of technology in particular is challenging those in the legal profession—artificial intelligence (AI). In this article, I will explore how the rise and usage of AI may positively and negatively affect the digital forensics field.

The Rise of Artificial Intelligence

Three decades after Terminator 2 featured the destruction of Skynet, AI is here. For those who may not remember the movie, Skynet was an AI system created for the U.S. military and was designed to control the country’s nuclear arsenal. T-800, played by none other than Arnold Schwarzenegger, was sent back in time to protect a young John Connor. T-800’s several mission objectives included destroying Skynet, which had gained full control of the planet. Luckily, Skynet is still at least two decades off, according to most AI experts, so we can all breathe a sigh of relief—for now.

The rise of AI over the past year is nothing short of incredible. OpenAI’s ChatGPT (Chat Generative Pre-Trained Transformer), currently at version 4, was the fastest-growing consumer software application in history, with over 100 million users within just a few short months. AI will inevitably change the technology landscape for all industries, including the digital forensics field. Even in its infancy, ChatGPT has shaken up the legal community and is being integrated into many commonly used legal applications and research platforms. AI is being widely used for legal research, marketing, and other common business purposes. AI has found its way into the courtroom, helping attorneys draft legal pleadings, sometimes with incorrect or nonexistent case citations. That is a great example of how not to use this game-changing technology: Do not blindly take its responses as wholly accurate; those who use it must be aware of its tendency to hallucinate—a problem that its trainers have not yet resolved.

Make no mistake, AI will impact every industry, so much so that experts are now stating we are entering the Fifth Industrial Revolution, where machines think, learn, self-replicate, and master many tasks that were once reserved for humans. The field of digital forensics is not exempt from such change and integration. AI will alter how digital forensics examiners perform their jobs, especially when it comes to forensic analysis and data correlation. Already being integrated into digital forensics software, AI can speed up the time it takes to process and analyze multimedia content, correlate data from different sources, and automate multiple tasks to help firms compensate for limited staffing.

One day soon, examiners will be able to ask their digital forensics software to identify any pictures that contain drug-related content, find photos of the defendant, or locate possible sexually explicit material. Within a few seconds, the results will appear on the screen for review. Reviewing multimedia in a digital forensics matter is an extremely time-consuming and costly process, probably the most expensive type of analysis there is due to the time it takes to manually scroll through a gallery of images and videos. There can be thousands, if not hundreds of thousands, of multimedia files on a single computer system or smartphone. If AI can assist in accurately narrowing down the volume of multimedia to review, that greatly helps lower client costs and keep the legal process moving forward. At the end of the day, digital forensics examiners must still rely on their training and experience to authenticate any electronic evidence they plan to testify about in court, whether or not the images were found with the assistance of AI, following the same rules of evidence that have always governed them.

The Growth of Volume Doesn’t Stop

There was a time not too long ago when computers were sold with 120 gigabyte (GB) hard drives. Cell phones (before smartphones) had internal storage capacities measured in terms of megabytes (MB) (1,000 MB = 1 GB). All that has changed—with storage capacities increasing and the costs decreasing. In today’s world, smartphones often are purchased with more storage capacity than computers or laptops. The Apple iPhone 15 Pro and Pro Max, the latest models of the iPhone, are offered with up to 1 terabyte (TB) of storage (1,000 GB = 1 TB). Samsung has similar 1 TB smartphone offerings. This is an incredible amount of storage for a portable device.

One of the major downsides of increased storage of smartphones is that the volume of data to preserve and analyze in electronic evidence matters has greatly increased, including the time needed to forensically image and collect data from these devices. More phones are analyzed today than computers at about a four-to-one ratio. Ten years ago, that was not the case.

Everything seems to have increased—the volume of data, the length of time needed to get to a point where the data are ready to be forensically analyzed, and, ultimately, the costs to both the client and the companies that employ the digital forensics examiners. When you increase the volume of data to be preserved on a per-case basis, the digital forensics examiner needs more storage capacity available to store the forensic images and work product.

How Can Digital Forensics Examiners Productively Handle This Increase in Data Volume?

One thing AI has proven good at is going through large volumes of data very quickly. AI can be scalable, which allows you to increase the capacity of its resources as needed, especially when harnessing the power of the cloud, such as Microsoft Azure or Amazon AWS, to host your digital forensics software. Many forensic software vendors have offerings for the cloud, including OpenText’s integration with Microsoft Azure for cloud-based investigations.

Because of the growth in storage volume, it’s not uncommon for an examiner to have to preserve and analyze several TBs of data in a single matter. Throw in a mobile device, a tablet, and a network attached storage unit, and you can easily have 6 TBs of data or more to sort through. Anything that can help digital forensics examiners analyze this volume of data in a quicker, more efficient, and potentially more accurate manner is greatly welcomed by all parties involved in digital forensics matters.

The integration of AI into digital forensics software and processes is only in its infancy. Shortly, AI will be used to help examiners process extraordinary volumes of data to correlate information across various evidence items at a far greater speed than ever before. The efficiency with which an examiner will be able to sort through and analyze several TBs of data will be one of the greatest benefits of the integration of AI in the field of digital forensics.

The Downsides of AI

Nothing can go wrong with relying on AI in the field of digital forensics, right? Wrong! Besides the fabrication of electronic evidence—more on that in a bit—digital forensics examiners are humans after all and may become too reliant on automated processes. They may tend to do as little as possible to get the answers—an advancement of the moniker “push-button forensics.” If they can tell AI what they are looking for and just press the “Go” button, they’re all set. That is what some examiners will surely believe.

Decline in Quality

The quality of digital forensics examinations will suffer, as will the clients they serve, if that type of mindset is allowed to permeate the field. That’s why continued training and experience will be required to combat this train of thought—continuing to require the examiner to validate and verify any findings. The examiner must be able to withstand cross-examination in court and cannot die on the hill of “AI found it so it must be true.” Even with the great advances in technology, digital forensics examiners and courts must continue to rely on the foundations of electronic evidence for this integration to work effectively.

Increase in Fake Content and How to Authenticate

Another potential downside of a reliance on AI is an increase in the generation of fake images and videos, including deepfakes and revenge pornography. This upcoming presidential election cycle is predicted to be littered with fake ads and deepfake videos of politicians. States are updating existing laws against revenge pornography to include deepfakes or digitally manipulated pornographic content, providing victims with a right of action and, in some instances, criminalizing the actions.

How can examiners determine what is a “real” image or video versus one that has been created using AI? How can we conclusively verify that something is real? The answer varies greatly. Fabricated evidence has been around since the introduction of electronic evidence in legal matters. That’s when digital forensics examiners came into the equation and were desperately needed to authenticate and verify the electronic evidence presented in court. The question about how certain content was generated or came to exist is one frequently asked by lawyers, especially criminal defense attorneys.

Did the computer user create it, download it from a website, or search for it online? There are ways digital forensics examiners can analyze data to answer these questions, especially artifacts left behind that may help determine how it was generated, even potentially deleted but recoverable information. Nothing is ever truly deleted and gone, right? Sometimes that is the case, but not always. Determining whether an image was created by a smartphone camera or an AI prompt is not that much different. As digital forensics software and processes advance to keep up with new technologies, this should become a little easier to determine in the future.

Microsoft, Meta, Google, and Adobe have recognized the need to identify AI-generated content and are now including a hidden digital watermark identifying AI-generated content to help crack down on deepfakes. This only helps if the standard is adopted by all major content providers, and even then, only if the “bad guys” use their services to create content—which is not likely in most cases. But it is a positive first step forward for the technology industry, realizing the misuse such images may cause.

At the end of the day, it all comes back to making sure digital forensics examiners are up-to-date on the latest AI trends and technologies so they can use their knowledge to craft processes and analysis techniques to determine the authenticity of the data they’re examining, even if it was created using AI. AI can be transformative for the field of digital forensics and much good can come from its integration, but examiners must be aware of the negative impacts and use instances as well. It would be prudent to take baby steps with AI’s integration into the field of digital forensics, but if the current adoption rate provides any guidance on how this will play out, it looks like the levees have been breached and we will need to hold on tight. 

Michael C. Maschke

Sensei Enterprises, Inc.

Michael C. Maschke is the CEO of Sensei Enterprises, Inc. He is an EnCase Certified Examiner (EnCE), a Certified Computer Examiner (CCE #744), a Certified Ethical Hacker (CEH), an AccessData certified examiner (ACE), and a Certified Information Systems Security Professional (CISSP).

The material in all ABA publications is copyrighted and may be reprinted by permission only.