Evaluating digital forensic findings in Trojan horse defense cases using Bayesian networks

Digital forensic scientists primarily rely on individual internal reasoning and categorical conclusions when evaluating evidence in casework. This can make it difficult to maintain structured reasoning that is logically sound, balanced, robust, and transparent. Trojan horse defense cases exemplify these challenges in evaluating digital forensic findings. The key challenge in such cases is combining multiple observations into a logically sound probabilistic evaluation while maintaining an understandable forensic report for court and other recipients. To address these challenges, we propose using the likelihood ratio framework to evaluate digital findings in Trojan horse defense cases, with Bayesian networks serving to visualize the evaluation and derive a likelihood ratio. We will illustrate this approach by demonstrating the construction of a Bayesian network through a case example. We show that these networks are very suitable to model the evaluation of digital evidence in Trojan horse defense cases and that they can be easily adapted for various case circumstances. Based on our findings, we strongly recommend broader exploration of Bayesian networks in digital forensic casework.