TY - GEN
T1 - LLM-Powered Automated Cloud Forensics
T2 - 18th IEEE International Conference on Cloud Computing, CLOUD 2025
AU - Alharthi, Dalal
AU - Yasaei, Rozhin
N1 - Publisher Copyright:
© 2025 IEEE.
PY - 2025
Y1 - 2025
N2 - Cloud forensics is a crucial yet challenging field, as traditional forensic techniques struggle to handle the large-scale, dynamic nature of cloud environments. Manual forensic analysis is time-consuming, error-prone, and often fails to detect evolving cyber threats. This paper presents a novel tool leveraging Large Language Models (LLMs) to fully automate cloud forensic investigations. Our approach utilizes few-shot learning to classify log data, extract forensic intelligence, and reconstruct attack timelines. We evaluate LLM-based automation against traditional machine learning models, including Random Forest, XGBoost, and Gradient Boosting, using cloud forensic log datasets. Experimental results demonstrate that LLMs improve forensic accuracy, precision, and recall while reducing the need for extensive feature engineering. However, challenges such as hallucination risks, adversarial manipulation, and forensic explainability must be addressed to ensure the reliability of AI-driven investigations. To mitigate these risks, we explore Retrieval-Augmented Generation (RAG) for context-aware forensic intelligence and propose hybrid AI models integrating rule-based forensic validation. Our findings highlight the potential of LLM-driven forensic automation to enhance cloud security operations while outlining key areas for future research, including adversarial robustness, forensic transparency, and multi-cloud scalability.
KW - Adaptive Prompt Engineering
KW - Cloud Forensics
KW - Cloud Security
KW - Forensic Intelligence
KW - Large Language Models (LLMs)
KW - Log Prioritization
KW - Threat Detection
UR - https://www.scopus.com/pages/publications/105015957273
UR - https://www.scopus.com/pages/publications/105015957273#tab=citedBy
U2 - 10.1109/CLOUD67622.2025.00012
DO - 10.1109/CLOUD67622.2025.00012
M3 - Conference contribution
AN - SCOPUS:105015957273
T3 - IEEE International Conference on Cloud Computing, CLOUD
SP - 12
EP - 22
BT - Proceedings - 2025 IEEE 18th International Conference on Cloud Computing, CLOUD 2025
A2 - Chang, Rong N.
A2 - Chang, Carl K.
A2 - Yang, Jingwei
A2 - Atukorala, Nimanthi
A2 - Chen, Dan
A2 - Helal, Sumi
A2 - Tarkoma, Sasu
A2 - He, Qiang
A2 - Kosar, Tevfik
A2 - Ardagna, Claudio
A2 - Elkhatib, Yehia
A2 - Nurmi, Petteri
A2 - Sarkar, Santonu
PB - IEEE Computer Society
Y2 - 7 July 2025 through 12 July 2025
ER -