Digital Forensic Logistics: The Basics of Scientific Theory

Investigations of complex crimes with digital evidence increasingly require the use of modern digital devices and computer programs. Working with big data involves the accumulation, processing, and analysis of forensic information for further algorithmization and modeling of investigative actions, as well as the automation of the organizational activities of investigators. The article substantiates the need for the use of digital forensic logistics to optimize information flows and build the most effective analytical human and computer processing, not excluding the use of artificial intelligence systems. Digital forensic logistics is a sub-branch of digital forensics in the collection, identification, storage, verification, and analysis of data, as well as the generation of electronic evidence for evidence in court. The article provides the main directions of digital forensic logistics, including the logistics of evidence in criminal cases; logistics of the general organization of crime investigation; logistics planning (selection of tools and methods of investigation); logistics of putting forward versions of events; logistics of decisions in criminal matters. It is argued that the efficiency of the entire system will largely depend on the establishment of information flows and the prioritization of tasks. Quality work requires the improvement of applied digital technologies capable of providing the necessary algorithms of the evidentiary process. The use of special software, including the use of artificial intelligence systems, is becoming increasingly relevant. The logistics of making decisions in criminal cases ideally represents an electronic assistant, endowed with artificial intelligence or in the form of a special computer program, capable, based on the determination of the forensic significance of the obtained digital information (electronic evidence), to offer the investigator solutions that can change the course of the investigation and transfer the entire information system in a new state.


Introduction
The effectiveness of solving and investigating crimes committed using digital technologies depends on the solution of the logical, algorithmic, automatic, mathematical, and legal problems of working with big data (accumulation, processing, analysis of information) coming from various sources, for further optimal use of the results obtained in criminal cases.
Walder H. and Hansjakob T. believe that in some cases, crime investigation often consists of 10% forensics and 90% painstaking work with data arrays. For example, if each of the suspects in a case stores several thousand WhatsApp messages on their phone, then certain tools are needed to analyze the message data which may contain forensic information. If there are five suspects for 20 criminal acts, it will be extremely difficult to analyze the available information if such activities are not properly structured and organized [1].
Solving such issues requires scientifically-based recommendations on working with forensically-significant information flows subject to analytical human and computer processing, including through the use of modern technical means and special software, not excluding the application of artificial intelligence systems.

What Is Digital Forensic Logistics
Software makes it possible to collect information, upload it to electronic devices, download it from electronic devices, change the data expression format, and analyze processed data without the need for human labor. The subject of forensic knowledge (the investigator) receives results according to predefined parameters and algorithms for the movement of information.
Like many other terms in the sciences of the criminal law cycle, the term "logistics" originally refers to the field of military affairs and denotes the totality of knowledge and their derivative actions in the procurement, maintenance, and transportation of military equipment, equipment and people 1 . Information logistics can be understood in two ways: as "an area of organization logistics that studies and solves the problems of organizing and integrating information flows for making managerial decisions in logistics systems" (as a kind of add-on to "analog" production processes), or as a field of scientific knowledge reflecting the applied aspects of working with digital information, including in large volumes [2]. Digital logistics can be considered part of the latter group, the development of which is largely the result of digitalization and the increase in the computing power of modern computer technology. Digital logistics is closely related to such areas of computer science as data science (machine science, deep learning, computer vision, etc.) The methods and technological solutions of digital logistics can be used in all areas of daily life, including in the specific tasks of solving and investigating crimes. Forensics, by setting objectives and criteria for approaches to information processing to solve legal problems, is simply a segment of this area, which allows us to speak about a subspecies of digital logistics-digital forensic logistics.
In a narrow sense, digital forensic logistics is a system of methods for collecting, processing, storing, and investigating electronic information relevant to solving and investigating crimes during criminal investigations based on logical rules and algorithms of a single digital environment.

Digital Forensic Logistics as Part of Digital Forensics
Digital forensic logistics is seen as a sub-branch of digital forensics, which in turn represents the process of collecting, identifying, storing, verifying, and analyzing data or information to be presented in court as evidence. In digital forensics, it is necessary: 1) provide investigators with the means to easily and completely specify the data flow of a forensic inquiry from data source to final results; 2) allow the fully automatic (and optimized) execution of the forensic computation; 3) provide a complete, formal, and auditable log of the inquiry [3]. The form in which such methods are implemented is determined by criminal procedure legislation, and the content is based on the forensic concepts of recognition, classification, the mechanism of traceability, and the theory of forensic identification.
In digital forensics, all traces of a crime (both materialthat which is left on objects and documents, and testimonial-reflected in the minds of individuals) are information that forms the corresponding flows coming into a single digital environment (usually in the form of a network or network cluster in the form of a message, publication, logs, etc.). Logistic operations performed by the investigator or software allow for the selection of optimal means of identifying the person who committed the crime, as well as achieving other goals of the criminal process. Automated identification of suspects is typical, for example, of a digital system called SISC, which is based on the categorization of attributes of ordinary criminals stored in a database, a decision tree, logistic regression, and chi-square analysis methods [4]. Another example of such software is the UKdeveloped VALCRI (Visual Analytics for Sensemaking in Criminal Intelligence) project, which allows for the optimization of search, finding and evidence-based activities in a graphical (relatively easy to understand) form [5].
The modeling method plays a large role in digital forensics. There are various models of logistic regression, including binary, proportional, ordered, partially ordered, and disordered regression procedures for categorical answers, which are also used in social science [6].
Modeling includes a description of typical and specific criminalistic characteristics of crimes, a set of tools and methods of proof, forecasting decisions in criminal cases, identifying investigative errors, etc.
Digital forensic logistics is closely related to the process of organizing criminal investigations, building forensic versions of events and deriving logical consequences from them, planning investigative actions, and intelligence-gathering operations. For example, during a search of a suspect's home, an empty hard drive is found. When recovering deleted information, several hundred thousand text files (documents, network and system logs, etc.) are detected, the manual processing of which is either impossible or impractical from the point of view of saving time. In this case, digital forensic logistics methods may be applied.
As a rule, all such methods are based on dichotomous division as the operation of dividing the class of objects of forensic knowledge into subclasses, subclasses into groups, etc. The typical work with trace information is constructed in a similar way: it can be represented as a sequence of closed questions, for instance: "Is this person involved in the event being investigated?", "Does this trace relate to the crime event", "Could a change in digital information have occurred at the indicated time", and the responses to them. Answers to such questions can be obtained by investigative means, or by operational and expert means.
In the process of establishing a criminal event and proving the guilt of a suspect, the investigator receives information and, managing the information flow, employs the most acceptable (optimal) set of procedural (investigative actions) and non-procedural means (intelligence-gathering operations) of establishing the truth in a criminal case. Logistic operations permeate the entire digital communications system, relying on existing and newly-received data. The criminal justice evidence information system itself is the result of such operations.
Digital forensic logistics, by modeling typical forms of criminal investigations, determines not only the possible means of obtaining information (information flows), but also determines the course of the investigation, and provides access to wide electronic departmental control through certain information resources. Its application should be based on a systematic approach, including the use of forensic records, the electronic interaction of the investigator with other units and services of law enforcement agencies, as well as with state institutions and officials, and a system for working with citizens.

Subject of Digital Forensic Logistics
The subject of digital forensic logistics is any forensicallysignificant information recorded in electronic form, including data obtained as a result of investigative and intelligencegathering activities for the detection and investigation of crimes, both structured and unstructured.
Digital forensic logistics includes several areas: logistics of evidence in criminal cases; logistics of the general organization of crime investigation; logistics planning (selection of tools and methods of investigation); logistics of putting forward versions of events; logistics of decisions in criminal matters.
Per the logistics of evidence, when collecting and examining electronic evidence, the investigator builds a system-forming aggregate of information about the crime event and the guilt of the person who committed it. This involves the collection of information through a series of logistic techniques and operations and the formation of a set of evidence-based arguments (levers) that allow the investigator to change the direction (state) of the entire system, offer optimal solutions, and a set of tools and methods to achieve truth in a criminal case. The accumulation of digital information minimizes uncertainty, that is, eliminates information entropy.
The actions of the investigator in a criminal investigations should be based on the principle of logical algorithms, that is, they should be natural, carried out according to a predetermined standard, and should be economical in terms of the use of resources. This might involve the verification of operational electronic information about a crime which has been committed, is being committed, or is being planned; conducting joint investigative and operational measures (electronic surveillance, detention of a suspect, etc.). The effectiveness of the entire system will largely depend on the establishment of information flows and determining priorities in solving problems. The applied digital technologies, which can provide the necessary algorithmization of the proof process, must be improved to ensure quality work of investigators.
Over the past few years, the total number and variety of digital footprints found at crime scenes and during other investigative operations has grown significantly. In addition, there is an increased need for accurate results in a set period of time. The main challenges that coincide with these aforementioned tasks are to investigate the correct set of evidence and set aside an appropriate time to investigate it [7].
For example, the algorithmization of evidence for bribery can be carried out by filling certain template clusters (models) with digital information and taking into account the most common patterns of evidence obtained. By distributing their significance for this category of cases, further work on the criminal case is carried out. There may be several such models.
This process, sometimes referred to as the chain of custody (CoC), should ensure that evidence is not changed during the investigation, despite the fact that the evidence passed through several organizations, in order to be admissible in the courts. Currently, digital evidence is controlled entirely by CoC, and entities involved in the chain are required to fill out documents accompanying the evidence. The chain of custody can be based on the blockchain, which guarantees the verifiability of the evidence collected and provides the possibility of establishing the owners of evidence. In this case, digital evidence (or electronic evidence) refers to any evidence that is stored in memory or transmitted in digital form, which a party can use in court. Of particular importance is a reliable cryptographic hash function [8].
Access to evidence (its study and verification) should be available to all parties, depending on the transaction used, taking into account the interests of the investigation (secrecy of the pre-trial investigations). Authorized users must be able to submit (create) a new piece of digital evidence.

Blockchain Technologies in Digital Forensic Logistics
Blockchain technologies provide the functionality of the entire digital platform. All transactions are cryptographically signed by the sender (creator), which can easily become known to all participants of the blockchain network. This creates a certain protection of access to the data available in the system 2 .
The forensic significance of advancing versions of events is that during the initial stage of investigations, investigators use electronic information that allows them to obtain, with a certain degree of probability, assumptions about the circumstances to be proved in the criminal case. The logistics of advancing forensic versions of events involves adding information included in logical consequences, dynamic planning, and determining the priority of verification of investigative versions of events. Circumstances may change, and this fact is registered in the system through the corresponding information flow, changing the course and direction of the investigation.
The logistics of advancing forensic versions of events at the stage of the investigation of crimes consists of the following logistic operations (algorithms): 1. the entry of primary information into the system in electronic form; 2. determination of possible information flows of information accumulation; 3. distribution of information according to specified criteria (channels); 4. processing and analysis of digital information; 5. formation of assumptions about the individual who committed the crime, their profile; 6. continuous collection of information during the investigation; 7. proposals on areas of actual verification of investigative versions of events in the form of logical consequences and investigative actions to establish their compliance with the version; 8. correction of forensic versions of events taking into account newly received information in the system. Thus, the logistics of advancing forensic versions of events is a system of the programmed accumulation, processing, analysis, and further use of information about a crime that comes to the investigator to form a reasonable assumption about the person who committed the crime in order to detect and detain them.
Hypothesis testing and elimination of redundant versions of events can be carried out by a system similar to DFP [9]. Any hypothesis should be based on available information. Based on the results of his study, concluded that using a pen and paper to evaluate evidence for two competing hypotheses can lead to tunnel vision, i.e., opportunities to analyze more information are lost. Successfully this task can be handled by a special computer program [10].
Large amounts of data may require reliable cloud space as well as a unified algorithm for checking the integrity of streaming data, which allows authorized users to verify the integrity of forensic data and identify and localize any malicious information changes [11].
Ideally, the logistics of decisions made in criminal matters would involve an electronic assistant endowed with artificial intelligence or special software capable of proposing solutions to the investigator. These solutions could change the course of the investigation, and the assistant (or software) would transfer the entire information system to the investigator based on the determination of the forensic significance of newly-received digital information (electronic evidence). Evaluation criteria are set in advance and may vary depending on the model of the crime, the set of factual circumstances, and the emerging investigative practice. The system is configured with consideration of scientifically based expected indicators. The system's proposals provide guidance (recommendations) to investigators and are not required. At the same time, investigators should be ready to explain why they are not acting according to the behavior proposed by the computer. That is, they should be prepared to propose an alternative algorithm of actions or an explanatory model of the evidence available.
Of interest are studies of systems in which decision trees are studied depending on such categories as the value of the selected attribute, confidence level, forecast accuracy, etc. The emphasis is on the use of artificial intelligence [12].
From the point of view of modern forensics, the elements of the forensic characteristics of crimes can act as branches of these trees.
Currently, digital reporting support and decision support systems (e.g. DERDS) are being actively developed to help professionals assess the reliability of inferences and assumptions about conclusions regarding any potentially evidence-based results [13].
However, it should be noted that there is a certain unfoundedness of many studies that focus on the fact that artificial intelligence systems can provide transparency in decision making and support. With the right mathematical modeling, the most successful technological solutions in this area-artificial neural networks and methods based on deep learning-can produce solutions that are effective both in terms of the accuracy of a single solution and the stability of the results, but they are often characterized as "black boxes". This is due to the presence of a hidden layer in the structure of such systems, within which the system is being trained. This factor prevents the transparency of such decisions and therefore the decisions of such systems cannot have probative value.
The most useful implementation of the presented forms is achieved by using a single digital logistics platform, which includes the algorithmization of actions and decisions in a criminal case. The work of this digital platform is based on the circulation of information flows according to predetermined models of crimes committed, taking into account the information available on a specifically identified illegal act.
Such information flows will be: 1. Digital forensic records; 2. Digital tracks; 3. Electronic inquiries and instructions; 4. Digital video library, audio recordings, and photographs; 5. Electronic assistant of the investigator (interrogator); 6. Digital examinations; 7. Electronic forensic recommendations for the investigation of criminal cases, preferably in mobile and offline form. Digital forensic records are a legally regulated information system that is necessary to concentrate and present information relevant to the investigation of criminal cases and crime prevention to the preliminary investigation bodies and the court. Accounting is achieved through files containing information about the accounting entity (traces of handprints, etc.).
Digital footprints are the result of the actions of an individual or an automated system, embodied, as a rule, in text or multimedia form, and suitable for transformation into evidence in criminal cases. The "digital footprint" is the ability of information recorded in digital form, to leave special "marks" on the route from subscriber to subscriber, the ability to track such marks, receive information about its movement and transformation in order to collect, process and analyze these data [14]. For example, it has been noted that when investigating the receipt of a bribe, investigators often record electronic traces indicating the preparatory actions of the offender (preliminary agreement on meetings of the briber with the bribe taker, consent to participate as an intermediary in the transfer or receipt of the bribe). Criminal communication between the briber and the bribe taker was not through in-person contact, but occurred through the use of computers or mobile devices via SMS, instant messengers, or emails, and the fact of transfer-receipt of a bribe was also recorded on electronic information media.
Electronic inquiries and instructions are standard templates of the investigator's requests to various organizations and record orders sent to operational officers to obtain the necessary information during the investigation of criminal cases as part of the ongoing electronic document management system.
Digital video, audio recordings, and photographs can accumulate in cloud storage. There are various proposals for the application of software, modeling, and process algorithms to such data [15,14].
In addition, the relationship between crimes can be viewed by using markers (electronic tags) which indicate the most significant circumstances. This will greatly simplify the establishment of group crimes.
An electronic assistant for investigators can be used to keep records of information relevant to the investigator (legal information consisting of laws and other regulatory legal acts; materials of preliminary reviews; templates of procedural documents) or methodological recommendations.
The reconstruction of criminal acts plays a key role in investigatory procedures. A digital investigator assistant, using mathematical methods, modeling, and automatic verification of information, could be of great help in this [165]. For example, conducting forensic examinations in relation to digital information carriers, on the basis of which investigators can complete analyses of electronic document management, research of digital images, or research of material objects using their digitalized images. This would help automate investigatory experts' desks.
Electronic forensic recommendations for investigating criminal cases contain elements of private forensic techniques for investigating certain types of crimes and recommendations for organizing and conducting investigations in criminal cases (forensic characteristics, typical investigative situations, typical investigative versions of events, algorithm for investigating criminal cases).

Conclusions
Digital forensic logistics acts as a system of forensic and computerized methods used in solving and investigating crimes, providing for an interdisciplinary synthesis of scientific achievements and the joint functioning of knowledge of the law, natural science, and technology.
The actions of investigators in criminal investigations should be based on the principle of logical algorithms, that is, they should be natural, fit a predetermined standard, and should be resource-efficient.
The effectiveness of the entire system will largely depend on the establishment of information flows and determining priorities in solving problems. The applied digital technologies must be improved to achieve a higher quality of investigation. These technologies can provide the necessary algorithmization of the proof process. The use of special software, including the application of artificial intelligence systems, is becoming increasingly relevant.