Intention Recognition for Digital Forensics: A Formal Model

1. Introduction

The exponential expansion of cyberspace, coupled with its inherent vulnerabilities and the challenges in raising awareness, has created an optimal environment for the proliferation of cybercrime [1,2]. Cybercrime encompasses not only attacks on cyber infrastructure but also the use of cyberspace to facilitate traditional crimes, as well as crimes that involve cyberspace in any capacity [3,4]. In the current digital era, the lines between traditional crime and cybercrime are increasingly blurred, as digital technology becomes more integrated with the physical world [4,5]. The surge in cybercrime is evident not only in the rising number of cases but also in the escalating volume and complexity of the data and technologies that must be scrutinized in each instance [1,2,3]. Digital forensics laboratories, tasked with the scientific investigation of cybercrimes, are currently inundated with cases, both in terms of case complexity as well as quantity and the sheer volume of data to be analyzed [6,7]. The digital investigation is now recognized as a significant big data challenge as without automation it is impossible to solve cases [8,9]. Various strategies have been proposed to manage the vast volumes of data encountered in digital forensics (DF), including data reduction techniques, data mining methodologies, triage procedures, and intelligence-driven approaches [10]. Each of these strategies offers a unique perspective on how to tackle the challenges posed by the ever-growing datasets in DF investigations.

To address the challenge of managing large volumes of data in digital forensics, we propose a novel approach centered on Intention Recognition (IR). By discerning the underlying intentions, investigators can more effectively navigate the complexities of cyber investigations. Existing models for IR span various domains, primarily focusing on predicting goals and recognizing plans through the analysis of action sequences and state transitions. Some models employ Causal Networks to infer intent, while another leverages Path Analysis for similar purposes [11]. Further models incorporate advanced techniques such as Hidden Markov Models (HMM) [12], Deep Learning (DL) [13], and Long Short-Term Memory (LSTM) [14].

Despite the diversity of these models, they share a commonality: they are all predicated on a technical interpretation of IR, aimed at anticipating an attacker’s objectives based on the subsequent actions and the current states. However, the aspect of intention as legally defined, considering the nuances of law and its implications, remains an unexplored territory in research. This gap presents an opportunity to develop a model that not only predicts technical behaviors but also aligns with legal definitions of intent, thereby bridging the divide between cyber forensics and legal aspects.

Legal doctrine categorizes intent, also known as mens rea, into four distinct types: purposeful, knowing, reckless, and negligent [15,16]. An individual is said to possess a purposeful intent when they consciously engage in actions that result in harm. Conversely, a knowing intent is ascribed to those who, while not actively seeking to cause harm, are aware that their actions have the potential to do so, thus representing a lesser degree of intent compared to purposeful intent. Recklessness is characterized by a disregard for a substantial and unjustifiable risk that a reasonable person would not ignore under similar circumstances. Lastly, negligent intent is attributed to individuals who fail to exercise the level of care that a reasonable person would consider prudent [15]. Each criminal act is evaluated against these gradations of intent, with the degree of culpability being largely contingent upon the level of intent demonstrated. This nuanced understanding of intent is crucial for the legal adjudication of crimes, as it directly influences the severity of charges and penalties imposed [15,17].

1.1. Paper Organization

This manuscript is structured into five comprehensive sections. The Introduction forms the first section, setting the stage for the ensuing discourse and establishing the context of the research. Section 2 delves into a critical examination of digital forensics and intention recognition, offering a synthesis of pertinent literature and existing methodologies. Section 3, discusses the methodology and approach we employed to develop the model. In Section 4, we formally define the important concepts in relation to DF and IR, laying the ground to the development of the model. Section 5, presents our innovative model for integrating IR within DF. This section not only elucidates the theoretical underpinnings of the model but also subjects it to validation through a series of scenarios. Section 6, the Discussion, is dedicated to a thorough analysis of the results obtained from the model’s application on the scenarios. Here, we interpret the findings, drawing connections to the broader implications for the field of digital forensics. Finally, Section 7 encapsulates the Conclusion of our study, reflecting on the research outcomes and proposing trajectories for future inquiry. This conclusive part aims to provide closure to the current research while simultaneously opening avenues for subsequent scholarly exploration.

2. Literature Review

2.1. Digital Forensics

Digital forensics (DF) is a specialized field of forensic science that focuses on the recovery and investigation of digital technologies, often in connection with computer crime [18,19]. The practice involves the application of scientific principles and technological methods by considering legal requirements, to collect, analyze, and present data from digital sources [19,20]. It plays a crucial role in solving crimes that involve digital technologies, ensuring that digital evidence is handled in a legally admissible way.

The essence of DF lies in its ability to establish the truth about digital events or activities. It applies a rigorous, scientific approach to the digital domain to uncover facts that can have real-world consequences, combining elements of law, computer science, and ethics [18,20,21]. It provides crucial evidence in legal proceedings, enhances cybersecurity, aids in incident response, ensures accountability, helps prevent future attacks, recovers data, contributes to cybersecurity intelligence, and builds trust in digital systems.

DF faces several challenges, including the overwhelming volume of data, strong encryption, data destruction, device diversity, cloud forensics, legal and ethical issues, tool efficacy, training and resources, rapid technological change, and the complexity of cases [6,21,22,23,24]. These challenges necessitate continuous development in the field, both technologically and in terms of expertise.

Various methodologies have been employed to address the challenges posed by the vast volume of data and the complexity of case analysis. In this study, we leverage the principles of intention recognition to develop a model for digital forensic investigation.

2.2. Intention Recognition

Intention recognition (IR) is a crucial concept in artificial intelligence, human-computer interaction, and psychology, aimed at understanding and predicting a person’s goals based on their behavior, context, and communication [25,26,27]. It involves interpreting various cues to determine what a person intends to do. This concept is particularly important in areas like artificial intelligence (AI), human-computer interaction (HCI), and robotics, where understanding human intent is key for effective interaction or decision-making. [27,28,29].

In DF and cyber security, IR can be considered as identifying the plan or goal of the attacker or a criminal by analyzing the actions they perform or the observable behaviors they exhibit, and then inferring the specific plan they might be following to achieve those goals [11,25,30]. The problem of IR has been approached using a variety of AI methodologies, including logic-based approaches [31,32], classical machine learning [14,33], and deep learning methods [34,35] [30].

However, intention recognition faces several challenges. Ambiguity in human intentions can make accurate recognition difficult, as a single action might have multiple interpretations depending on the context [30,36]. Additionally, understanding intentions requires a thorough grasp of the surrounding context, which can be complex in dynamic or unfamiliar environments such as DF and Cybersecurity [30].

Since DF investigation is a highly sensitive task that requires meticulous attention to detail and a cautious approach, the application of intention recognition in this domain necessitates a deep understanding of the context as well as precise specification of the requirements. To effectively define and clarify these requirements, the use of formal methods presents an ideal solution, offering rigorous, structured approach to ensure accuracy and reliability in requirement specification process [37,38].

2.3. Formal Modeling

Modeling by utilizing formal methods is an approach in computer science and systems engineering that involves using mathematical techniques to create precise and unambiguous models of systems [37,39]. This method focuses on defining and analyzing system behavior through formal specifications and mathematical proofs, ensuring that systems are both reliable and efficient. Formal methods provide a rigorous framework for describing system properties and behaviors, which can be crucial for verifying correctness and consistency, especially in complex or critical systems [37,38]. In practical applications, formal methods are widely used in fields such as software engineering, aerospace, and telecommunications. For example, in software engineering, formal methods help in verifying that software programs meet their specifications and are free from critical errors [38,39,40].

To achieve effective modeling with formal methods, several techniques are used. These include formal specification languages, which provide a precise way to describe system or model requirements and behaviors, and theorem proving, which involves using mathematical proofs to verify that a system adheres to its specifications. Model checking is another technique that systematically explores all possible states of a system to ensure that it meets desired properties. These methods help in rigorously analyzing and validating system models to ensure their correctness [41,42].

There are various tools employed by formal methods to define and specify concepts, such as Temporal Logic, Z Notation, and Predicate Logic. In this work, we utilize Predicate Logic, a formal framework commonly used in mathematics, philosophy, and computer science to express statements and reason about relationships between objects. Predicate logic extends propositional logic by incorporating quantifiers and predicates, enabling more expressive statements that involve variables. In this system, predicates are functions that return true or false based on the values of their arguments, while quantifiers such as "for all" (∀) and "there exists" (∃) allow for generalizations over sets of objects. Predicate Logic provides a rigorous foundation for modeling and verifying system properties, making it an essential tool across various fields [37].

Despite their advantages, formal methods come with challenges. One major issue is the complexity and resource intensity of applying these methods, particularly for large or highly complex systems. Developing formal specifications and proofs can be time-consuming and requires specialized knowledge [43,44].

2.4. Related Works

Intention recognition plays a crucial role in various domains of cybercrime, including Advanced Persistent Threats (APT), mobile security, artificial intelligence (AI) security, network security, physical security (including video surveillance), and social media. The literature on this topic reveals a diverse range of approaches and methodologies tailored to each specific area of concern. For clarity, we categorize the related works into four main groups: the first category encompasses general domains such as APT, mobile, and AI security; the second focuses on network security; the third addresses physical security and video surveillance; and the fourth covers social media. Each category involves distinct techniques and challenges, reflecting the unique requirements and complexities associated with recognizing malicious intentions across these varied fields.

Ahmed et al. [45] propose a method for recognizing cyberattack intentions through similarity analysis, distinguishing between general intentions (such as availability, confidentiality, and integrity) and specific intentions (like DDoS attacks). Their approach, using the fuzzy min-max (FMM) neural network model, enhances the ability to anticipate attacks by filtering out similar cases. Tested on a subset of the page block dataset, the method demonstrates high accuracy and efficiency. Kim et al. [46] develop an Android application that uses an attack tree approach to detect attack intentions, operating through two phases: a pre-phase and a post-phase, which includes log collection, analysis, visualization, and alerting. This system effectively identifies smishing and backdoor attacks. Cheng et al. [47] tackle the challenge of understanding Advanced Persistent Threats (APTs) in Internet of Things (IoT) systems by introducing APTALCM, a framework that uses a similarity-based approach and an ontology to model APT attack scenarios. This framework includes modules for correlating alerts and logs, and it achieves a low false positive rate of 4.2% and a high true positive rate of 83.7%. Pang et al. [48] introduce AdviMind, a model for early detection of query-based adversarial attacks on deep neural networks (DNNs). It features three variants, including the Naive Intent Estimator, which provides baseline intent detection but lacks robustness. AdviMind achieves over 75% accuracy in detecting attack intents after observing fewer than three query batches and increases the query cost of adaptive attacks by over 60%.

Several network-related studies have explored intent recognition in cybercrime. Mirsky et al. [49] develop two metric-based algorithms, Plan Edit Distance (PED) and APC, for goal recognition in network security. PED measures the distance between observed sequences and optimal plans without requiring online planning, demonstrating superior performance in prediction accuracy, noise resistance, and processing times compared to traditional planner-based methods. Meanwhile, Chen et al. [50] propose an attack graph-based approach for identifying attacker intentions in network security. Their method effectively uncovers complex, multi-step attack intentions across various network environments. Li et al. [12] propose a method for recognizing multi-step attacks using a hidden Markov model (HMM) with probabilistic reasoning and temporal relationships to capture interrelated attack phases. They develop three models—HMM, HMM with Probabilistic Inference (HMM-PI), and HMM-PI with an updated Conditional Probability Table (HMM-PI-UCM)—and find the HMM-PI-UCM model to be the most effective, based on experiments with the LLDOS1.0 dataset.

Zhang et al. [32] introduce a technique for recognizing attack intentions by modeling attack-defense interactions as a strategic game and solving for game equilibria to compute attack probabilities. Validated through NetLogo simulations, their approach significantly enhances the accuracy of attack intention recognition. Shinde et al. [31] present a model based on the Interactive Partially Observable Markov Decision Process (I-POMDP) for identifying cyberattack intentions in a honeypot environment. This model shows improved accuracy and robustness in detecting attacker actions and intentions compared to traditional methods. Zhao et al. [51] propose HinAp, a framework that leverages heterogeneous attention networks and transductive learning to analyze intruder attack preferences. By integrating semantic information from meta-paths and meta-graphs, their model outperforms six other competing models. Kang et al. [52] introduce ActDetector, a framework designed to automatically detect attack activities from raw Network Intrusion Detection System (NIDS) alerts, thus reducing the workload for security analysts. ActDetector comprises an extractor, an embedder, and a classifier, and is evaluated using three datasets. It achieves an average of 94.8% precision, 95.0% recall, and 94.6% F1-score.

Some studies focus on advancements in physical security and video surveillance. Hsu et al. [53] developed a comprehensive method that integrates access control, surveillance, and host defense systems to detect malicious activity in physical environments. Their approach aggregates threat scores from these systems to generate effective alerts for identifying potential threats. Tang et al. [54] introduced a method for detecting attack intentions in power systems using Graph Convolutional Networks (GCNs). Their model, known as Attack Intention Detection for Power Systems Using Graph Convolutional Networks (AIGCN), operates in two main stages and achieves high precision rates of 97.34% and 98.25% on two datasets, significantly outperforming baseline methods and demonstrating its effectiveness and robustness.

Navalgund et al. [13] developed a real-time deep learning system for detecting criminal intentions from CCTV footage. Their system enhances crime prevention by integrating Faster R-CNN to identify weapons such as guns and knives and includes a text alert feature to notify authorities of potential threats. Martinez-Mascorro et al. [55] introduced a deep learning model utilizing 3D Convolutional Neural Networks (3D CNNs) for spatio-temporal analysis to identify shoplifting intentions from surveillance videos. Their model achieves a 75% accuracy rate, proving effective in the early detection of criminal intent. Bhugul et al. [34] developed a deep learning model designed for real-time detection of suspicious activities in private settings, such as bank robberies. Their system, which has been tested across various hardware platforms, detects firearms with an impressive 99.3% accuracy, surpassing existing methods like YOLO v3, v4, v5, and SVM.

On the other hand, several studies have concentrated on social media. Mendonça et al. [56] tackle the challenge of detecting criminal intentions in social media texts that are encoded with slang. They developed a framework that classifies such texts effectively. Tested on a dataset of 8.8 million tweets, their framework successfully identifies criminal intentions, contributing to cybercrime prevention by analyzing Portuguese social media slang. Abarna et al. [14] introduced an algorithm for detecting cyberharassment and intent in Instagram comments. By employing natural language processing (NLP) and a fast text model to analyze lexical meaning and word order, their algorithm demonstrates superior performance in precision, recall, and F1 score compared to existing methods, offering improved accuracy and lower error rates in detecting cyberharassment and its intent on social media platforms. Bokolo et al. [33] assessed five machine learning algorithms—logistic regression, ridge regression, SVM, Stochastic Gradient Descent (SGD), and random forests—for intent recognition on Twitter. Their analysis revealed that logistic regression achieved the highest accuracy at 92.87%, surpassing SVM (92.56%), random forests (92.39%), ridge regression (90.88%), and SGD (89.51%), establishing it as the most effective method for intent detection in social media contexts.

Pandey et al. [57] proposed a distributional semantic approach for detecting malicious intent in Twitter conversations about sexual assault. By developing a typology for malicious intent and using a convolutional neural network (CNN), their model—tested on messages collected over four months—outperformed several baseline models in detecting such intents. Tsinganos et al. [58] presented CSE-PersistenceBERT, a transfer learning model designed to detect the persistence of chat-based social engineering (CSE) attacks that exploit users’ psychological vulnerabilities. This model helps alert users and administrators to potential threats. Additionally, Tsinganos et al. [35] proposed another deep learning model using dialogue state tracking to recognize CSE attack intentions. By creating an ontology and a dataset named SG-CSE, and adapting BERT-base into SG-CSE BERT, their approach shows promising results in detecting these attacks.

The literature on intention recognition can be categorized into three main approaches: logic-based, classical machine learning-based, and deep learning-based methodologies. These approaches span various application areas, including network security, Internet of Things (IoT) systems, Advanced Persistent Threats (APT), social media, visual surveillance, and AI security [30]. While much of the existing work focuses on enhancing technical aspects of cybersecurity and detecting social engineering attacks in social media contexts, there is a notable absence of research addressing criminal intent recognition from a legal perspective. This gap in the literature highlights the need for integrating legal frameworks with intention recognition systems, which is the primary focus of our research.

The growing application of intention recognition to identify various types of criminal activities marks a significant and encouraging trend in research. This progression not only demonstrates the potential of IR in crime analysis but also provides valuable guidance for extending its application to a wider range of crime types. By leveraging this concept, researchers and practitioners can explore new avenues to predict and analyze intentions associated with different forms of crime, contributing to improved prevention and enforcement strategies.

Additionally, the integration of diverse technologies—ranging from traditional machine learning and logic-based systems to advanced deep learning techniques and ontologies—highlights the adaptability and innovation in this area. This diversity not only enriches the research landscape but also offers extensive opportunities for developing our own model. By drawing from these various technological approaches, we can design a system that is robust, efficient, and tailored to the complexities of intention recognition.

However, a noticeable limitation in existing studies is their predominant focus on the technical aspects of IR. While technical precision is undoubtedly critical, most works lack a holistic perspective that considers the broader implications and contexts of intention, particularly in the legal domain. Our approach aims to bridge this gap by adopting a more holistic model that integrates IR within its broader legal sense. This enables us to address the multifaceted nature of intention, ensuring that our model aligns with legal principles and contributes meaningfully to both academic research and practical applications.

3. Method

The model development methodology is structured into three phases. In the concept development phase, the approach integrates essential concepts from law, computer science, and mathematics to establish a robust foundation for the model. The design phase follows, concentrating on the structuring of the model by defining its components and the interrelationships between them. Finally, in the testing phase, the model is tested using various scenarios to evaluate its practical applicability.

3.1. Concept Development

In the concept development phase, the approach involves integrating key concepts from law, computer science, and mathematics to establish a comprehensive foundation for the model. This entails integrating legal definitions of crime and intent with computational methods and mathematical rigor to create a unified model. The goal is to formally define critical concepts related to crime and intent using mathematical and logical formulations. This step ensures that the foundational theories and terminology are well-aligned and clearly articulated, providing a robust basis for further development of the model.

3.2. Designing the Model

The design phase focuses on structuring the model by defining its components and the relationships among them. This includes identifying and specifying the various elements that make up the model, such as suspects, crimes, evidence, and intentions, and determining how these components interact. This phase is crucial for defining theoretical concepts and the overall IR based DF model using formal method which can be understood by computers as well as it will be easy to simulate the model by using scenarios.

3.3. Testing the Model

In the final step, the model is simulated with different cases or scenarios to assess its practical applicability. This step helps identify any discrepancies or limitations in the model, allowing for adjustments and refinements to enhance its robustness and ensure it effectively meets the requirements of real-world applications.

Figure 1. Model Development Approach.

Figure 1. Model Development Approach.

4. Formal Definitions

This section takes the commonly accepted definitions of key concepts and transforms them into formal definitions that computers can process, using formal methods, specifically predicate logic. It provides formal representations for the terms "Crime," "Intent," each type of Intent, and "Intent Recognition," ensuring that these concepts are clearly defined in a way that can be understood and manipulated by computational systems.

4.1. Crime

Definition 4.1. 

Crime is an action or omission that constitutes an offense and is punishable by law. [59,60,61,62,63]

Definition 1: Crime is an action or omission that constitutes an offense and is punishable by law. [59,60,61,62,63]

This definition encompasses three essential elements: first, it identifies the specific action or omission attributed to the suspect; second, it recognizes that such actions or omissions are legally classified as offenses against individuals or society; and third, it stipulates that the offense is punishable under the law, commensurate with the degree of culpability. Thus, the concept of crime hinges on the simultaneous fulfillment of these three conditions.

Let

Sets:

• Let $\mathcal{C}$ = Set of all crimes.
• Set $\mathcal{A}$ = Set of all possible actions and inactions.
• Set $\mathcal{O}$ = Set of all offenses.
• Set $\mathcal{P}$ = Set of all punishments.

Predicates:

• $\mathrm{Constitutes}(a,o)$: Specifies that Action (or Inaction) a constitutes an Offense o. This can be expressed as (1)

  $$\exists o\in \mathcal{O}\left|\mathrm{Action}\right(a)\wedge \mathrm{Constitutes}(a,o)$$

  (1)
• $\mathrm{Punishable}(o,p)$: Indicates that offense o is punishable by law with punishment p. This can be expressed as (2)

  $$\exists p\in \mathcal{P}\left|\mathrm{Offense}\right(o)\wedge \mathrm{Punishable}(o,p)$$

  (2)
• Crime: The definition of crime can be expressed as (3)

  $$\begin{array}{c}\forall c\mathrm{Crime}\left(c\right)\iff \mathrm{Action}\left(a\right)\wedge \mathrm{Offense}\left(o\right)\wedge \hfill \\ \mathrm{Constitutes}(c,a)\wedge \mathrm{Constitutes}(a,o)\wedge \\ \hfill \mathrm{Punishable}(o,p)\end{array}$$

  (3)

A crime constitutes of entity a that is either an action or omission, which in turn constitutes an offense o, and the offense is punishable by law with punishment p.

4.2. Criminal intent

Criminal intent, also termed mens rea, denotes the specific mental state or mindset that is legally requisite to substantiate a conviction for a criminal offense [15]. It encapsulates the defendant’s state of mind at the time of committing the alleged criminal act, and it is crucial in determining culpability [15,64,65].

Criminal intent is a fundamental element that serves to differentiate between varying degrees of criminal responsibility based on the defendant’s psychological disposition towards their conduct and its potential consequences [15,66,67].

To establish criminal intent, the prosecution must demonstrate that the defendant possessed a requisite level of mental awareness or purposefulness regarding their actions and the outcomes thereof. This mental state can vary across different crimes depending on the nature of the offense and the legal standards applicable [15,66]. According to the Modal Penal Code, criminal intent can be categorized as Purposely, Knowingly, Recklessly and Ignorantly [15]. the following are the formal definitions of Intent and Intent Types:

Definition 4.2. 

A suspect hasCriminal Intentwhen the evidence shows that the suspect commits a crime and the criminal action (or inaction) matches the elements required for the specific level of intent defined by the law [15]. Formally, continuing from the above:

Let

• E: Set of all evidence,
• $I=\{I_p,I_k,I_r,I_i\}$: A finite set specifying the four levels of intention or mens rea, where:

  −

  $I_p$ represents Purposely: Acting with the intention to achieve a specific result.

  −

  $I_k$ represents Knowingly: Acting with awareness that a result is practically certain to follow.

  −

  $I_r$ represents Recklessly: Acting with disregard for a substantial and unjustifiable risk.

  −

  $I_i$ represents Ignorantly: Acting without knowledge of the nature of the act or its consequences.

• S: Set of all suspects involved in the criminal activities.

• $\mathrm{Commits}(s,c,e)$: Specifies that the evidence e shows that the suspect s has committed the crime c. This can be expressed as (4)

  $$\exists e\in E\left|\mathrm{Suspect}\right(s)\wedge \mathrm{Crime}(c)\wedge \mathrm{Commits}(s,c,e)$$

  (4)
• $\mathrm{IsAdequate}(e,l,i)$: Specifies that the evidence e adequately satisfies the expected elements by the law l for the intent level i. This can be expressed as (5)

  $$\exists e\in E\left|\mathrm{LawElements}\right(l)\wedge \mathrm{IntentLevel}(i)\wedge \mathrm{IsAdequate}(e,l,i)$$

  (5)
• $\mathrm{CriminalIntent}(s,c,i)$: defines whether a suspect s has the criminal intent elements necessary for a crime c with intention i. For criminal intent to be established, the suspect must both commit the crime c and have the specific intention level i. Thus, criminal intent is true if and only if the evidence shows that the suspect has committed the crime and adequately satisfies the expected elements of the intention level i according to the law. This can be expressed as (6)

  $$\begin{array}{c}\forall s,c,i\mathrm{CriminalIntent}(s,c,i)\iff \mathrm{Suspect}\left(s\right)\wedge \mathrm{Crime}\left(i\right)\wedge \hfill \\ \mathrm{Intent}\left(i\right)\wedge \exists e,l\mathrm{Evidence}\left(e\right)\wedge \mathrm{LawElements}\left(l\right)\wedge \\ \hfill \mathrm{Commits}(s,c,e)\wedge \mathrm{IsAdequate}(e,l,i)\end{array}$$

  (6)
• Alternatively:

  $$\begin{array}{c}\forall s,c,i\mathrm{CriminalIntent}(s,c,i,l)\iff \mathrm{Suspect}\left(s\right)\wedge \mathrm{Crime}\left(i\right)\wedge \hfill \\ \mathrm{Intent}\left(i\right)\wedge \mathrm{LawElement}\left(l\right)\wedge \exists e\mathrm{Evidence}\left(e\right)\\ \hfill \wedge \mathrm{Commits}(s,c,e)\wedge \mathrm{IsAdequate}(e,l,i)\end{array}$$

  (7)
  This definition (7) is equivalent to the above definition, however, it gives us the flexibility to reuse it in defining each type of intent based on the relation to the required intent elements by the law.

4.3. Intent Types

The four types of intents can be formally defined as follows, continuing from above:

• Z: Set of all Outcomes.

• Purposeful Intent:

Definition 4.3.A suspect exhibits purposeful intent if there exists a clear and deliberate goal to commit the crime, and their actions are aimed at achieving this goal [15].

$\mathrm{AimFor}(s,z)$: Specifies that the suspect s aims for the outcome z. This can be expressed as (8)

$$\exists z\in Z\left|\mathrm{Suspect}\right(s)\wedge \mathrm{AimsFor}(s,z)$$

(8)

$\mathrm{Purposely}(s,c)$ : Specifies that the suspect s has purposefully aim for the outcome of Crime c. This can be expressed as (9)

$$\begin{array}{c}\forall s,c\mathrm{Purposely}(s,c)\iff \exists z\in Z\hfill \\ \hfill \left|\mathrm{CriminalIntent}\right(s,c,I_p,\mathrm{AimsFor}(s,z))\end{array}$$

(9)

There must be specific goals or plans (e.g., to cause harm) and the suspect’s actions must be supported by evidence that shows these actions are aimed at achieving these goals.

2

Knowing Intent:

Definition 4.4.A suspect exhibits knowing intent if they are aware that their actions will likely contribute to the crime, even if they do not have the direct goal to commit the crime [15].

$\mathrm{AwareOf}(s,z)$: Specifies that the suspect s is aware of the outcome z. This can be expressed as (10)

$$\exists z\in Z\left|\mathrm{Suspect}\right(s)\wedge \mathrm{AwareOf}(s,z)$$

(10)

$\mathrm{Knowingly}(s,c)$ : Specifies that suspect s is aware that their actions will almost certainly result in a specific outcome when committing crime c. This can be expressed as (11)

$$\begin{array}{c}\forall s,c\mathrm{Knowingly}(s,c)\iff \exists z\in Z\hfill \\ \hfill \left|\mathrm{CriminalIntent}\right(s,c,I_p,\mathrm{AwareOf}(s,z))\end{array}$$

(11)

Evidence must show that the suspect was aware or should have been aware of the potential consequences of their actions, even if they did not intend to commit the crime.

3

Reckless Intent

Definition 4.5.A suspect exhibits reckless intent if they consciously disregard a substantial risk that their actions will result in a crime [15].

$\mathrm{DisregardRisk}(s,z)$: Specifies that the suspect s disregards a substantial risk of the outcome z. This can be expressed as (12)

$$\exists z\in Z\left|\mathrm{Suspect}\right(s)\wedge \mathrm{DisregardRisk}(s,z)$$

(12)

$\mathrm{Recklessly}(s,c)$ : denotes that suspect s disregards a substantial and unjustifiable risk of causing a specific outcome when committing crime c. This can be expressed as (13)

$$\begin{array}{c}\forall s,c\mathrm{Recklessly}(s,c)\iff \exists z\in Z\hfill \\ \hfill \left|\mathrm{CriminalIntent}\right(s,c,I_p,\mathrm{DisregardRisk}(s,z))\end{array}$$

(13)

There must be evidence that the suspect was aware of significant risks associated with their actions and acted despite these risks.

4

Ignorant Intent

Definition 4.6.A suspect exhibits ignorant intent if they are unaware of the harmful nature of their actions and do not know that their actions could contribute to a crime [15].

$\mathrm{UnawareOf}(s,z)$: Specifies that the suspect s is unaware of the outcome z. This can be expressed as (14)

$$\exists z\in Z\left|\mathrm{Suspect}\right(s)\wedge \mathrm{UnawareOf}(s,z)$$

(14)

$\mathrm{Ignorantly}(s,c)$ : denotes that suspect s is unaware of the nature of their actions or the possible consequences when committing crime c. This can be expressed as (15)

$$\begin{array}{c}\forall s,c\mathrm{Ignorantly}(s,c)\iff \exists z\in Z\hfill \\ \hfill \left|\mathrm{CriminalIntent}\right(s,c,I_p,\mathrm{UnawareOf}(s,z))\end{array}$$

(15)

Evidence must show that the suspect was genuinely unaware of the harmful nature or potential criminal outcome of their actions.

One of the basic properties of these intent types is they are mutually exclusive that a suspect cannot be convicted of a crime in more than one intent level [15]. This property can formally be captured as (16)

$$\forall i\ne j(\neg (I_i\wedge I_j))$$

(16)

specifying for all pairs of intents sequenced by i and j (where $i\ne j$), the intent levels $I_i$ and $I_j$ cannot both be true simultaneously. This is because the intents are somehow hierarchical in the sense that to prove a suspect is convinced of a crime at some higher level of intent (like purposely intent), the prosecutor needs more additional evidence than lower level intent (like knowingly intent).

5. The IR based Model

The IR based model is designed to enhance investigations by combining evidence processing and criminal intent recognition. As shown below, Figure 2, it comprises three main components: Evidence Analysis, Intention Recognition, and Crime Knowledge Base (CKB). The Evidence Analysis component filters and examines relevant evidence to support the investigation, transforming it into action formats. Intention Recognition analyzes this evidence to determine the suspect’s level of intent, categorizing it as Purposely, Knowingly, Recklessly, Ignorantly, or None. Additionally, this component features a recommendation capability, which provides actionable suggestions for enhancing investigations by indicating the additional evidence needed or refining investigative approaches based on the analysis. The CKB serves as a critical reference, storing legal definitions, crime intent elements, crime intent patterns, and relevant data to guide the entire process. This integrated approach aids in assessing digital crime and optimizing investigation strategies.

Figure 2. The Criminal Intention Recognition high-level model.

Figure 2. The Criminal Intention Recognition high-level model.

5.1. Evidence Analysis

The Evidence Analysis component is central to filtering and examining the digital evidence to ensure only the relevant data is processed in subsequent stages of the investigation. The component is divided into two sub-components: Identification of Potential Evidence and Examination of Evidence.

5.1.1. Identification of Potential Evidence

The task of this sub-component is to filter and select potential evidence related to a specific crime, considering the details of the criminal act. This involves pulling the list of relevant elements of the crime from the CKB and matching them against the overall digital evidence collected in relation to the suspect. The tasks of this sub component is highly related to the identification phase of the DF investigation phases [19]

For instance, to convict a suspect in a phishing attack, the court would generally require certain minimum elements to be fulfilled, although the specific requirements may depend on the legal system and the nature of the case. The minimum elements typically necessary to conclude the suspect is guilty at the level of "Purposely" intent are: Connection to the Suspect, Plan to Deceive, Transmission of Fraudulent Communications, and Loss (or Victim’s Response). The details of these are discussed in the Scenario section

These four elements with the possible actions and state changes will be extracted from the CKB and this sub-component filters the evidence collected accordingly to identify the Potential Evidence.

• Related(e,c,k): specifies that the evidence e is related to the crime c according to the crime knowledge repository k. This can be expressed as (17)

  $$\begin{array}{c}\hfill \exists e\in E\left|\mathrm{Evidence}\right(e)\wedge \mathrm{Crime}(c)\wedge \mathrm{CKB}(k)\wedge \mathrm{Related}(e,c,k)\end{array}$$

  (17)
• PotentialEvidence(p,c): denotes the set of potential evidence p, that is the subset of the overall evidence, which is filted by applying the crime knowledge base related to the crime c. This can be expressed as (18)

  $$\begin{array}{c}\forall p,c\mathrm{PotentialEvididence}(p,c)\iff \exists e,k\left|\mathrm{Evidence}\right(e)\wedge \hfill \\ \hfill p\in e\wedge \mathrm{Crime}\left(c\right)\wedge \mathrm{CKB}\left(k\right)\wedge \mathrm{Related}(p,c,k)\end{array}$$

  (18)

5.1.2. Examiniation of Evidence

This sub-component’s task is to thoroughly examine the filtered potential evidence and assess its relevance for supporting the case. The goal is to examine the potential evidence to identify the relevant entries from logs, histories, files or any other potential evidence categories and to convert these raw evidence into a common format that can be processed by the Intention Recognition component. The evidence is analyzed for actions and states indicative of the suspect’s behavior. The tasks of this sub component are similar to the Examination phase of the DF invetigation [19]

• RelatedEntry(q, p, c, k): specifies that the entry q is recorded in the potential evidence p and it is related to crime c according to the knowledge base k. This can be expressed by (19)

  $$\begin{array}{c}\hfill \exists q\in Q,c,k\left|\mathrm{PotentialEvididence}\right(p,c)\wedge \mathrm{RelatedEntry}(q,p,c,k)\end{array}$$

  (19)
• Relevant(r): specifies that the evidence r is a relevant entry in the potential evidence for the crime c according to the crime knowledge repository k. This can be expressed by (20)

  $$\begin{array}{c}\forall r\mathrm{Relevant}\left(r\right)\iff \exists r,p,c,k\left|\mathrm{Crime}\right(c)\wedge \hfill \\ \hfill \mathrm{CKB}\left(k\right)\wedge \mathrm{RelatedEntry}(r,p,c,k)\end{array}$$

  (20)

5.2. Intent Recognition

The Intention Recognition component processes the evidence from the Evidence Analysis component and determines the suspect’s criminal intention. This component consists of two sub-components: Intention Analysis and Recommendation.

5.2.1. Intention Analysis

The Intention Analysis sub-module is tasked with evaluating the suspect’s involvement in various criminal activities based on the alignment of evidence with the knowledge base. This analysis involves assessing the extent of the suspect’s engagement in multiple crimes, as well as determining the potential for the suspect to face charges reflecting a higher degree of intent within a single crime. The sub-module systematically calculates the likelihood of different levels of criminal intent, thereby providing a nuanced understanding of the suspect’s criminal engagement. To do so the component utilizes the output of the the Evidence Analysis component to contract the crime scene. The tasks of this component is highly related to the analysis phase of the DF investigation, however this component follows the intention recognition perspective [19].

• Match(r, k, c, i): specifies that each elements of the crime c at the intention level of i which are found in the Crime Knowledge Base k has a match in the relevant evidence r. This can be expressed by (21)

  $$\begin{array}{c}\exists r,k,c,i\left|\mathrm{Relevant}\right(r)\wedge \mathrm{CKB}(k)\wedge \mathrm{Crime}(c)\wedge \hfill \\ \hfill \mathrm{Intention}\left(i\right)\wedge \mathrm{Match}(r,k,c,i)\end{array}$$

  (21)
• Culpable(s,c,i,r,k): specifies that the Suspect s is culpable of the Crime c at an intention level of i, given the match of the Relevant evidence r and the CKB k. This can be expressed by (22)

  $$\begin{array}{c}\forall s,c,i\mathrm{Culpable}(s,c,i,r,k)\iff \exists r,k\left|\mathrm{Crime}\right(c)\wedge \hfill \\ \mathrm{Suspect}\left(s\right)\wedge \mathrm{Intention}\left(i\right)\wedge \mathrm{Relevant}\left(r\right)\wedge \\ \hfill \mathrm{CKB}\left(k\right)\wedge \mathrm{Match}(r,k,c,i)\end{array}$$

  (22)

5.2.2. Recommendation

The Recommendation sub-module is responsible for guiding the investigation process by proposing optimal strategies based on the suspect’s level of involvement. It evaluates the likelihood of uncovering additional evidence and suggests investigative pathways that align with the suspect’s degree of engagement in the crime. This sub-module ensures that the investigative approach is both targeted and efficient, facilitating a thorough examination of the evidence and supporting the formulation of appropriate charges. The tasks of this sub component are mainly related to the reporting phase of the DF investigation, and this component emphasizes on the recommendations [19].

• NeededEvidence(d): specifies that from the elements of the crime c at the intention level of i which are found in the Crime Knowledge Base k, there are some elements d which are missing in the relevant evidence r. This can be expressed by (23)

  $$\begin{array}{c}\exists d\left|\mathrm{Relevant}\right(r)\wedge \mathrm{CKB}(d)\wedge \mathrm{Crime}(c)\wedge \hfill \\ \hfill \mathrm{Intention}\left(i\right)\wedge \neg \mathrm{Match}(r,d,c,i)\end{array}$$

  (23)
• RelatedToOtherCrime(r): specifies that the Relevant evidence r is also related to other Crime c’ according to the CKB k. This can be expressed by (24)

  $$\begin{array}{c}\forall r,c^{\prime }\mathrm{RelatedToOtherCrime}(r,c^{\prime })\iff \exists r|\mathrm{Relevant}\left(r\right)\wedge \hfill \\ \hfill \mathrm{CKB}\left(k\right)\wedge \mathrm{Crime}\left(c^{\prime }\right)\wedge \mathrm{Related}(r,c^{\prime },k)\end{array}$$

  (24)

5.3. Crime Knowledge Repository

The Knowledge Repository is a critical component that supports both the Evidence Analysis and Intention Recognition processes. It contains a comprehensive database of legal frameworks, crime definitions, instigator experiences, and digital forensics best practices, enabling effective analysis and interpretation of evidence. It provides the necessary information to identify and categorize evidence, as well as assist in determining the appropriate criminal intention level.

6. Scenario

To clarify how the model works, let us consider the following four scenarios of a single crime case, phising via email [68]. All the four levels of intention are mapped one-to-one to the scenarios. We try to capture the main phases of the model, the interaction among the components and the high-level data exchange during the processes.

• Purposely
  • Context: An attacker (S1) designs a phishing email with a malicious link, aiming specifically at the company. The email is crafted to closely resemble legitimate communications from the company’s trusted partners.
  • Specific Situation: The attacker sends the email to the finance officer, intending for it to be clicked and to initiate a DDoS attack on the company.
  • Action Taken: The attacker’s goal is clear: to cause disruption or harm to the company’s operations by tricking the finance officer into clicking the malicious link.
  • Categorization: The attacker’s intent is categorized as "purposely" because the malicious email was sent with the specific objective of causing harm.
  For this level of culpability, the following crime elements are considered minimal requirements.
  • Connection to the Suspect: The court needs to establish that the suspect was indeed involved in the phishing attack. This can be done by showing evidence such as Network logs, email metadata, or records and transactions linking the suspect to the phishing activity [69,70]. (The necessary evidence are: Network logs, Email logs, Browser History)
  • Plan to Deceive: The court would need evidence showing that the suspect intentionally crafted a fraudulent communication to manipulate the victim into disclosing personal or financial information. This can be shown from the evidence by disclosing the phishing tools and techniques the attacker employed [68,69]. (The necessary evidence are: Network logs, Event logs, System Logs, Browser History, System files)
  • Transmission of Fraudulent Communications: The court would need proof that the suspect was responsible for sending the phishing communication—whether by email, phone, or other means. This can be shown through evidence such as email headers, phone logs, or IP address tracing [68,69]. (The necessary evidence are: Network log, email log, email content, phone log )
  • Loss (or Victim’s Response): To prove that a phishing attack took place, it is generally necessary to show that the victim was deceived and suffered some form of harm, such as revealing sensitive information or losing money. Evidence such as victim testimony, transaction records, or documentation of identity theft can be used in establishing that the phishing attempt had a tangible impact [68,69]. (The necessary evidence are: Bank Transaction, Account History, reputation assessment, customer statistics)
  The model will run the case as follows:
  • Identification of Potential Evidence:

    −

    Input: The overall evidence collected in relation to the Suspect, S1.

    −

    Process: The sub component will filter the overall evidence by considering the evidence list for the specific crime, Phishing via email, from the Crime Knowledge Base.

    −

    Output: List of potential evidence extracted from the whole evidence. (Network log, Event log, Email log, Browser History, system files, Email Content, Phone log, Bank Transaction, Account History, Reputation Assessment, Customer statistics)

  • Examination of Evidence:

    −

    Input: Potential evidence identified which is the output of previous (Identification of Potential Evidence) sub component.

    −

    Process: The sub component go through each potential evidence and identify the relevant entries in relation to the Suspect S1 and the phishing crime. Besides this sub component convert the entries to a common format used by the CKB using action and state template.

    −

    Output: List of Relevant entries in the form of actions and state documentation.

  • Intention Analysis:

    −

    Input: List of Relevant entries in action and state format which is the output of the previous (Examination of Evidence) sub component.

    −

    Process: The sub component analyses the relevant entries with the expected evidence for the crime as documented in the CKB.

    −

    Output: The whole analysis as well as the entries and the expected evidence.

  • Recommendation:

    −

    Input: The analysis, the entries and the expected evidence which are the output of the previous (Intention Analysis) sub component.

    −

    Process: The sub component analyzes: considering the available evidence what should be the conviction level, what evidence are needed to support or clarify the case, what other criminal activities are related to the evidence.

    −

    Output: List of recommendations.

• Ignorance
  • Context: The company receives a phishing email that closely mimics previous legitimate communications and creates a sense of urgency.
  • Specific Situation: The finance officer, recognizing the email as urgent and similar to past legitimate messages, forwards it to the cyber security officer for validation. After not receiving a prompt response and due to the urgency conveyed in the email, the finance officer decides to click the link.
  • Action Taken: The finance officer clicks the link, assuming the email is legitimate, and is unaware of its malicious nature.
  • Categorization: The finance officer’s action is categorized as "ignorance" because they acted under the mistaken belief that the email was legitimate, lacking awareness of its malicious intent.
• Recklessly
  • Context: A phishing email, designed to appear legitimate, is sent to the company and is forwarded by the finance officer to the cyber security officer for validation.
  • Specific Situation: The cyber security officer, overwhelmed by other urgent tasks, quickly responds to the finance officer’s inquiry without thoroughly checking the link, indicating it is safe.
  • Action Taken: The cyber security officer’s hasty response, without proper verification of the link, demonstrates a disregard for the potential risks involved.
  • Categorization: The cyber security officer’s action is categorized as "recklessly" because they failed to exercise due diligence and responded in a manner that ignored the potential risks of the link.
• Knowingly
  • Context: A phishing email is received by the company, which closely resembles legitimate communications and contains a malicious link.
  • Specific Situation: The finance officer forwards the email to the cyber security officer, requesting validation and indicating urgency. The cyber security officer, recognizing the link as malicious and knowing it could potentially lead to a DDoS attack, chooses not to respond to the finance officer’s inquiry.
  • Action Taken: The cyber security officer makes a deliberate decision to ignore the email, based on the belief that the company’s security measures will mitigate any impact from the attack.
  • Categorization: The cyber security officer’s action is categorized as **knowingly** because they were aware of the threat and chose not to act, assuming the company’s defenses would handle the risk.

Description:

• States
  • $q_0$: Attacker Sends Malicious Email and is guilty of "Purposefully" intent.
  • $q_1$: Email Received by Finance Officer
  • $q_2$: Finance officer is free from crime, (no criminal intent).
  • $q_3$: Finance officer is guilty of "ignorantly" intent
  • $q_4$: Finance Officer forwards the email to Cyber Security Officer for verification
  • $q_5$: Cyber Security Officer is free from crime (no criminal intent).
  • $q_6$: Cyber Security Officer is guilty of "recklessly" intent
  • $q_7$: Email investigated by Cyber Security Officer
  • $q_8$: Cyber Security Officer is guilty of "knowingly" intent
• Transitions
  • 0: Attacker sends the email.
  • 1: Finance officer ignores the email.
  • 2: Finance officer clicks the malicious link inside the email, assuming it’s legitimate.
  • 3: Finance officer forwards the email to the Cyber Security Officer for validation.
  • 4: Cyber Security Officer forbids the Finance Officer from clicking the malicious link.
  • 5: Cyber Security Officer allows the Finance Officer to click the malicious link.
  • 6: Cyber Security Officer ignores the email.
  • 7: Cyber Security Officer analyzes the malicious link inside the email.
  • 8: Cyber Security Officer allows the Finance Officer to click the malicious link, assuming the security measures are already in place to handle it.
  • 9: Cyber Security Officer ignores the email, which is inaction despite knowing the threat.
  • 10: Cyber Security Officer forbids the Finance Officer from clicking the malicious link.

7. Discussion

The evolution of forensic investigations heavily relies on sophisticated computational techniques to keep pace with the ever-expanding data landscape [6,7,8]. Without automated systems, the task of identifying pertinent information and piecing together a coherent narrative from the vast sea of digital artifacts would be insurmountable. The proposed model introduces a novel approach to addressing the challenge of managing vast volumes of digital evidence in forensics by focusing on intention recognition in a legal context. It systematically navigates through the evidence, identifying relevant information, reconstructing crime scenes, determining the nature of the crime, and assessing the suspect’s intent. Operating autonomously around the clock with minimal human guidance, the model streamlines the forensic process and reduces the need for constant supervision. Additionally, it leverages both legal and technical expertise, as well as the experience of professionals, through a knowledge repository, CKB. This integration enhances the model’s ability to provide valuable recommendations for the conviction process, including identifying additional evidence needed and suggesting further investigation into suspects’ potential connections to other related crimes.

The model’s design offers flexibility through its four autonomous sub-components, which are aligned with the NIST four-stage digital forensics framework. This alignment ensures that the model is easy to integrate into existing digital forensics practices, as it follows a well-established and widely recognized framework. Investigators can quickly adapt the model to their workflow, minimizing the learning curve and ensuring a smoother transition into its use. Furthermore, the autonomy of the sub-components enhances the model’s versatility, as each component can be implemented using different technologies, making it adaptable to various digital forensics environments. This flexibility allows investigators to tailor the model to the specific tools, platforms, or software they currently utilize, ensuring compatibility with a wide range of technological setups.

The use of formal methods in developing the model brings several key benefits, starting with the accuracy and completeness of its specifications. As formal methods rely on mathematical expressions, it ensures that the model’s definitions and specifications are precise and unambiguous. This rigorous approach contributes to a more correct and comprehensive representation of the processes involved in digital forensics. Additionally, by utilizing formal methods, the model allows for greater flexibility in the implementation of each of its four sub-components, as well as the orchestration among them. The mathematical foundation of the model facilitates a clear definition of how the components interact, providing a solid framework for their integration and operation in different environments. Beyond its specific application in digital forensics, the formal definitions presented here can be adapted and extended to other fields related to forensics. This makes the model not only a valuable tool for digital forensics but also a versatile framework that can contribute to the development of methods in other interdisciplinary areas.

To ensure the effectiveness and accuracy of the model, we employ scenarios that encompass all four intent types—Purposely, Knowingly, Recklessly, and Ignorantly. These scenarios are designed to simulate various criminal activities and provide a test of the model’s capabilities. By applying the model to these scenarios, we assess its ability to correctly identify and differentiate between the different types of intent based on the evidence and context provided. It confirms that the model can accurately process and analyze complex data sets, effectively recognizing and categorizing the mental states of suspects as defined by legal standards.

While our proposed model demonstrates significant potential, it is not without its limitations. One key constraint is its heavy reliance on the knowledge base. The model’s ability to perform effectively hinges on the accuracy, consistency, and comprehensiveness of the knowledge base. Any errors, inconsistencies, or inadequacies in the knowledge base can compromise the model’s performance, leading to inaccurate or incomplete intention recognition. This reliance highlights the critical need for meticulous curation and maintenance of the knowledge base to ensure the model’s reliability.

Another limitation lies in the scope of the model’s applicability. While it has the flexibility to be extended to address other types of criminal activities, such as those involving strict liability, its current implementation is restricted to handling only the four types of intentions. This limited scope may reduce its immediate applicability to a broader range of legal contexts and criminal behaviors. Future iterations of the model would need to expand its capacity to address additional types of crimes and intentions to maximize its utility and effectiveness.

8. Conclusion and Future Work

In summary, our work addresses one of the pressing challenges faced by digital forensics investigators due to the overwhelming volume of evidence. By integrating concepts from law, computer science, and mathematics, we have developed a model that effectively navigates through vast amounts of digital data to identify relevant evidence, reconstruct crime scenes, and recognize suspect intent. The model’s structure—comprising Evidence Analysis, Intent Recognition, and the Criminal Repository—ensures a comprehensive approach to forensic investigations, enhancing both accuracy and efficiency. Through the application of formal methods, we have rigorously defined key concepts such as crime and intent, ensuring that the model operates on a solid theoretical foundation. Simulating with scenarios has demonstrated the model’s capability to accurately identify intent types and manage complex cases. Ultimately, our contributions bridge the gap between legal definitions and computational analysis, providing a valuable tool that addresses the volume challenge in digital forensics and significantly improves investigative effectiveness.

Looking ahead, we recommend implementing the model by incorporating AI utilizing its capabilities and effectiveness. Specifically, since the huge volume challenge better be solved with minimal human interaction, a self reliant AI model such as Agentic AI approach, that mimics agency, would be ideal [72,73]. This would enable the model to function as a self-reliant assistant, capable of autonomous action, decision-making, and goal pursuit. Ultimately, this would allow the model to provide well-informed recommendations for the investigation and conviction of the suspect.

Alternatively, implementing the model utilizing the hybrid approach that combines logic-based methodologies with explainable deep learning techniques could provide advantages. Integrating logic-based approaches ensures that the model retains its formal rigor and precise definitions, while the application of explainable deep learning can offer advanced pattern recognition and adaptive learning capabilities. This combination would enable the model to handle increasingly complex and dynamic data sets, improving its ability to identify subtle patterns and trends in evidence that may not be easily captured by traditional methods. Moreover, explainable AI can provide transparency in decision-making, allowing investigators to understand and trust the model’s conclusions. By leveraging both these technologies, the model could evolve into a more robust and adaptive tool, further addressing the challenges of DF and supporting more nuanced and accurate investigative outcomes.