ForensicLLM: A Local Large Language Model for Digital Forensics

Abstract:

Large Language Models (LLMs) excel in diverse natural language tasks but often lack specialization for fields like digital forensics. Their reliance on cloud-based APIs or high-performance computers restricts use in resource-limited environments, and response hallucinations could compromise their applicability in forensic contexts. We introduce ForensicLLM, a 4-bit quantized LLaMA-3.1-8B model fine-tuned on Q&A samples extracted from digital forensic research articles and curated digital artifacts. Quantitative evaluation showed that ForensicLLM outperformed both the base LLaMA-3.1-8B model and the RAG model. ForensicLLM accurately attributes sources 86.6% of the time, with 81.2% of the responses including both authors and title. Additionally, a user survey conducted with digital forensics professionals confirmed significant improvements of ForensicLLM and RAG model over the base model. ForensicLLM showed strength in “correctness” and “relevance” metrics, while the RAG model was appreciated for providing more detailed responses. These advancements mark ForensicLLM as a transformative tool in digital forensics, elevating model performance and source attribution in critical investigative contexts.

Recommended citation: Sharma, B., Ghawaly, J., McCleary, K., Webb, A. & Baggili, A. (2025). ForensicLLM: A Local Large Language Model for Digital Forensics. In 2025 DFRWS EU.