Timeline Analysis (TA) plays a crucial role in Timeline Forensics (TF) within the field of Digital Forensics (DF). It focuses on examining and analysing time-based digital artefacts, such as timestamps derived from event logs, file metadata and other relevant data, in order to correlate events linked to cyber incidents and reconstruct their chronological sequence. Traditional tools often struggle to handle efficiently the large volume and variety of data generated during DF investigations and Incident Response (IR). This paper introduces a novel framework, GenDFIR, which combines Rule-Based Artificial Intelligence (R-BAI) with Large Language Models (LLMs) to enhance and automate TA. The approach consists of two stages: (1) R-BAI identifies and selects anomalous digital artefacts according to predefined rules; (2) the selected artefacts are converted into embeddings and passed to an LLM with the assistance of a Retrieval-Augmented Generation (RAG) agent, which then performs automated TA on the artefacts and predicts potential incident outcomes. To validate the framework, we evaluated its performance, efficiency and reliability, applying several metrics to simulated cyber incident scenarios presented as forensic case documents. Our findings demonstrate the significant potential of integrating R-BAI and LLMs for TA. This approach underscores the power of Generative AI (GenAI), particularly LLMs, and opens up new possibilities for advanced threat detection and incident reconstruction, marking a significant advancement in the field.
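As an added illustration (not GenDFIR's own code), the following Python sketches the first stage described above: normalising timestamped artefacts from different sources and time zones into one UTC timeline, applying predefined correlation rules to select the anomalous artefacts, and flattening the selection into the plain-text form that a RAG stage would chunk and embed. The artefact schema, the five rules, the business-hours window and the sample records are all assumptions constructed for the example.

```python
"""Illustrative rule-based (stage 1) artefact selection for timeline analysis.
Added example, not the paper's implementation; schema, rules and data are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


@dataclass(frozen=True)
class Artefact:
    ts: datetime    # primary timestamp, normalised to UTC
    source: str     # evidence source, e.g. "evtx", "mft", "prefetch"
    kind: str       # "logon", "file" or "process"
    data: dict      # source-specific fields


@dataclass
class Context:
    collected_at: datetime   # acquisition time of the evidence (UTC)
    timeline: list           # every artefact, sorted by ts, for correlation


# A rule inspects one artefact (with the whole timeline available) and
# returns a reason string if the artefact is anomalous, otherwise None.
Rule = Callable[[Artefact, Context], Optional[str]]

BUSINESS_HOURS = range(8, 18)   # assumed 08:00-17:59 UTC


def utc(s: str) -> datetime:
    """Parse an ISO-8601 timestamp with offset and normalise it to UTC."""
    return datetime.fromisoformat(s).astimezone(timezone.utc)


def off_hours_logon(a: Artefact, ctx: Context) -> Optional[str]:
    if a.kind == "logon" and a.data["status"] == "success" and a.ts.hour not in BUSINESS_HOURS:
        return f"successful logon for {a.data['user']} at {a.ts:%H:%M} UTC, outside business hours"
    return None


def brute_force_then_success(a: Artefact, ctx: Context) -> Optional[str]:
    """Correlation rule: >= 3 failed logons for the same user in the 5 min before a success."""
    if a.kind != "logon" or a.data["status"] != "success":
        return None
    window_start = a.ts - timedelta(minutes=5)
    failures = [b for b in ctx.timeline
                if b.kind == "logon" and b.data["status"] == "failure"
                and b.data["user"] == a.data["user"] and window_start <= b.ts < a.ts]
    if len(failures) >= 3:
        return f"{len(failures)} failed logons for {a.data['user']} in the 5 min before success"
    return None


def timestomp(a: Artefact, ctx: Context) -> Optional[str]:
    if a.kind == "file" and a.data["modified"] < a.data["created"]:
        return "file modified before it was created (possible timestomping)"
    return None


def future_timestamp(a: Artefact, ctx: Context) -> Optional[str]:
    if a.ts > ctx.collected_at:
        return "timestamp later than evidence collection time"
    return None


def exec_from_temp(a: Artefact, ctx: Context) -> Optional[str]:
    if a.kind == "process" and "\\temp\\" in a.data["image"].lower():
        return "process executed from a temp directory"
    return None


RULES: list = [off_hours_logon, brute_force_then_success, timestomp, future_timestamp, exec_from_temp]


def select_anomalies(artefacts, collected_at, rules=RULES):
    """Sort artefacts into one UTC timeline and keep those matching any rule."""
    timeline = sorted(artefacts, key=lambda a: a.ts)
    ctx = Context(collected_at, timeline)
    selected = []
    for a in timeline:
        reasons = []
        for rule in rules:
            reason = rule(a, ctx)
            if reason:
                reasons.append(reason)
        if reasons:
            selected.append((a, reasons))
    return selected


def render_case_context(selected) -> str:
    """Flatten selected artefacts into plain text that stage 2 would chunk and embed."""
    lines = []
    for a, reasons in selected:
        fields = ", ".join(f"{k}={v}" for k, v in a.data.items())
        lines.append(f"{a.ts.isoformat()} [{a.source}/{a.kind}] {fields} ;; " + "; ".join(reasons))
    return "\n".join(lines)


# Constructed sample evidence (not real data); note the +02:00 host clock on the logons.
SAMPLE = [
    Artefact(utc("2024-03-12T09:15:00+00:00"), "evtx", "logon", {"user": "alice", "status": "success", "src": "10.0.0.5"}),
    Artefact(utc("2024-03-12T04:00:10+02:00"), "evtx", "logon", {"user": "svc_backup", "status": "failure", "src": "203.0.113.9"}),
    Artefact(utc("2024-03-12T04:00:25+02:00"), "evtx", "logon", {"user": "svc_backup", "status": "failure", "src": "203.0.113.9"}),
    Artefact(utc("2024-03-12T04:00:40+02:00"), "evtx", "logon", {"user": "svc_backup", "status": "failure", "src": "203.0.113.9"}),
    Artefact(utc("2024-03-12T04:01:00+02:00"), "evtx", "logon", {"user": "svc_backup", "status": "success", "src": "203.0.113.9"}),
    Artefact(utc("2024-03-12T02:03:00+00:00"), "mft", "file", {"path": "C:\\Windows\\Temp\\upd.exe",
             "created": utc("2024-03-12T02:03:00+00:00"), "modified": utc("2019-06-01T00:00:00+00:00")}),
    Artefact(utc("2024-03-12T02:04:00+00:00"), "prefetch", "process", {"image": "C:\\Windows\\Temp\\upd.exe"}),
    Artefact(utc("2024-03-12T10:30:00+00:00"), "mft", "file", {"path": "C:\\Users\\alice\\report.docx",
             "created": utc("2024-03-11T10:00:00+00:00"), "modified": utc("2024-03-12T10:30:00+00:00")}),
    Artefact(utc("2031-01-01T00:00:00+00:00"), "evtx", "logon", {"user": "bob", "status": "failure", "src": "10.0.0.7"}),
]
COLLECTED_AT = utc("2024-03-13T08:00:00+00:00")

if __name__ == "__main__":
    print(render_case_context(select_anomalies(SAMPLE, COLLECTED_AT)))
```

Normalising every timestamp to UTC before sorting is what makes the cross-source correlation rule work: the +02:00 logon records and the UTC file and prefetch records fall into a single ordered sequence (failed logons, success, dropped binary, execution), and only the artefacts that fire a rule are handed on to the embedding step, which keeps the LLM context focused on the anomalous events.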