LLM Assisted Unified Forensic Platform utilizing Eric Zimmerman's tools

Abstract

In the field of digital forensics, the increasing volume of evidence and the use of fragmented command line tools significantly hinder the speed and efficiency of forensic investigations. Eric Zimmerman’s forensic toolkit named “EZ tools” is widely regarded for its granular level artifact data extraction and accuracy. The toolkit consist of multiple CLI tools built for analysis of various windows based artifacts. Forensic analysts are required to manually execute each and every tool necessary for the investigation and interpret the generated outputs separately. The absence of a centralized, automated and user-friendly tool integrating Eric Zimmerman’s tools places a cognitive and technical burden on digital forensic investigators, particularly with those who are less experienced or new to the field. This research proposes a unified forensic platform that integrates ten of Eric Zimmerman’s command-line tools into a single GUI based application. The platform allows investigators to select forensic artifacts and automatically invoke the appropriate Eric Zimmerman tool and parse the results to the tools interactive GUI for visibility. The tool will include a report generation module allowing forensic analysts to preserve and utilize the artifact data throughout the forensic investigation. The tool also includes a LLM based data analysis functionality which provides contextual analysis on suspicious activities identified within the generated data aiding the forensic analysts to improve the speed of the investigation. The unified forensic platform achieved a promising result of being able to successfully integrate and execute all ten Eric Zimmerman tools with the ability to generate PDF based reports and LLM based result explanations.