Authors: Hans Henseler, Timo Mecon
DFRWS EU 2025
Abstract
Recent advances in large language models (LLMs) allow the processing of entire case dossiers “in one breath” while employing deeper, step-by-step reasoning, heralding a new era in digital forensics. Where existing retrieval-augmented approaches can miss crucial clues by splitting long documents into fragments, larger context windows enable a more holistic view of all text, significantly reducing the risk of overlooking pivotal evidence. Coupled with explicit multi-step reasoning, these models can propose hypotheses, link scattered evidence, and illuminate investigative scenarios otherwise hidden from manual review.
This short paper reports on experiences gained from a proof-of-concept experiment involving the so-called “Crystal Clear-case,” a fictitious yet realistic digital forensics scenario. We also draw parallels to Steven Johnson’s “Long Context” experiment, illustrating how entire books or voluminous dossiers can be read and reasoned about cohesively. We discuss the potential for AI to automate tasks such as privilege filtering and data relevance assessments, thus helping protect fundamental rights. Finally, we present the Hansken Copilot Prototype—currently under development—a local LLM-based assistant designed to streamline investigative workflows in real forensic environments