Jan Gruber

Jan Gruber, Jan-Niclas Hilgert

Agentic Al systems are increasingly deployed as personal assistants and are likely to become a common object of digital investigations. However, little is known about how their internal state and actions can be reconstructed during forensic analysis. Despite growing popularity, systematic forensic approaches for such systems remain largely unexplored. This paper presents an empirical study of OpenClaw a widely used single-agent assistant. We examine OpenClaw's technical design via static code analysis and apply differential forensic analysis to identify recoverable traces across stages of the agent interaction loop. We classify and correlate these traces to assess their investigative value in a systematic way. Based on these observations, we propose an agent artifact taxonomy that captures recurring investigative patterns. Finally, we highlight a foundational challenge for agentic Al forensics: agent-mediated execution introduces an additional layer of abstraction and substantial nondeterminism in trace generation. The large language model (LLM), the execution environment, and the evolving context can influence tool choice and state transitions in ways that are largely absent from rule-based software. Overall, our results provide an initial foundation for the systematic investigation of agentic Al and outline implications for digital forensic practice and future research.

Janine Schneider, Florian Ramming, Maximilian Eichhorn et al.

Anti-forensics includes a growing set of techniques designed to obstruct forensic analysis. While cybercriminals increasingly rely on these methods, they also help researchers identify and remedy weaknesses in forensic tools, advancing the overall robustness of digital forensics. Despite repeated efforts to define it, anti-forensics remains vague and inconsistent in its use. It also poses ethical challenges regarding the appropriateness of research practices and the legitimacy of the field itself. This article presents a systematic analysis of 123 publications on anti-forensics, combining qualitative and quantitative methods. We quantify the main techniques and attack vectors, examine their occurrence in different digital forensic subdomains, and identify typical research methods, motivations, and applications. This work also discusses what these findings mean for future research and proposes directions for building a more coherent and ethically grounded understanding of anti-forensics.

Dominic Deuber, Jan Gruber, Merlin Humml et al.

Cryptocurrency forensics became standard tools for law enforcement. Their basic idea is to deanonymise cryptocurrency transactions to identify the people behind them. Cryptocurrency deanonymisation techniques are often based on premises that largely remain implicit, especially in legal practice. On the one hand, this implicitness complicates investigations. On the other hand, it can have far-reaching consequences for the rights of those affected. Argumentation schemes could remedy this untenable situation by rendering underlying premises transparent. Additionally, they can aid in critically evaluating the probative value of any results obtained by cryptocurrency deanonymisation techniques. In the argumentation theory and AI community, argumentation schemes are influential as they state implicit premises for different types of arguments. Through their critical questions, they aid the argumentation participants in critically evaluating arguments. We specialise the notion of argumentation schemes to legal reasoning about cryptocurrency deanonymisation. Furthermore, we demonstrate the applicability of the resulting schemes through an exemplary real-world case. Ultimately, we envision that using our schemes in legal practice can solidify the evidential value of blockchain investigations as well as uncover and help address uncertainty in underlying premises - thus contributing to protect the rights of those affected by cryptocurrency forensics.