Auditability in Digital Forensic AI: Ensuring Transparency in Legal Evidence Analysis

Auditability in Digital Forensic AI: Ensuring
 Transparency in Legal Evidence Analysis




            G.U of Computer Science and Software Engineering
                              P. Bellisan
               https//orcid.org/0009-0007-5798-1152
                   DOI:10.5281/zenodo.20011707
                                2023

                                                               1/8/ 2023
Abstract
The accelerating integration of artificial intelligence into digital forensics workflows precipitates a fundamental epistemological
tension: the forensic mandate for deterministic, reproducible, and legally defensible evidence chains collides directly with the
stochastic, opaque, and probabilistically governed nature of modern machine learning architectures. This paper examines Audit
AI for Digital Forensics the systematic application of algorithmic transparency mechanisms, interpretability frameworks, and
formal verification protocols to AI-assisted evidence analysis          as a critical emerging discipline situated at the tripartite
intersection of computer science, jurisprudence, and information epistemology.
Taxonomy--The taxonomy of this domain bifurcates along two principal axes. The first is functional scope: encompassing artifact
recovery, timeline reconstruction, network traffic analysis, malware attribution, and multimedia authentication each domain
presenting distinct computational challenges to auditability. The second axis is transparency modality: ranging from ante hoc
transparency (architectures designed with interpretability as a first-class constraint) to post hoc explainability (retrospective
interrogation of black-box model decisions via surrogate methods). Within this framework, three structural pillars are identified
as the foundational load-bearing elements of this analysis: (I) the formal architecture of audit trails and chain-of-custody
preservation in AI pipelines, (II) the mathematical underpinnings of explainability methods and their forensic validity thresholds,
and (III) the adversarial robustness of AI forensic tools against deliberate obfuscation and model-poisoning attacks. These three
pillars are examined with vertical precision rather than horizontal breadth, as the forensic stakes demand architectural rigor over
taxonomic comprehensiveness.
Keywords: Audit AI, Digital Forensics, Explainable AI (XAI), Chain of Custody, Formal Verification, Epistemology of
Technology, Legal Evidence Analysis

I. INTRODUCTION
A. Pre-Algorithmic Forensics and the Evidentiary Doctrine (Pre-1990)
Digital forensics as a formal discipline did not emerge ex nihilo; it inherited its epistemological framework from
classical forensic science, whose foundational axiom Edmond Locard's Exchange Principle (1910) posits that every
contact between entities leaves a bilateral trace. This principle, when transposed into digital environments, mandates
that every computational interaction produces recoverable artifacts: log entries, memory residues, file system metadata,
and registry modifications. The legal infrastructure governing the admissibility of such evidence was codified in the
United States through the Federal Rules of Evidence (FRE), particularly Rule 702, which subjects expert testimony to
the Daubert standard (established in Daubert v. Merrell Dow Pharmaceuticals, 1993): scientific methods must be
empirically testable, peer-reviewed, possess known error rates, and be generally accepted within the relevant scientific
community [1]. This standard would later become the judicial yardstick against which AI-generated forensic outputs
would be measured a measurement that proves deeply problematic.
B. The Emergence of Computational Forensics (1990–2010)
The proliferation of personal computing in the 1990s catalyzed the formalization of digital forensics as a discipline
distinct from physical evidence analysis. Early toolkits EnCase (1998), The Sleuth Kit (2001), FTK (Forensic Toolkit,
2000)      operated on deterministic, rule-based logic: file carving through known header/footer signatures, hash
verification via MD5 and SHA-1, and keyword indexing through Boolean search [2]. The auditability of these tools was
structurally uncomplicated: each operation could be logged, each result reproduced on identical input, and each decision
traced to an explicit, human-readable rule. The chain-of-custody documentation protocols developed during this era
particularly the ACPO (Association of Chief Police Officers) Good Practice Guide for Digital Evidence (2012, UK)
presupposed this deterministic architecture. These frameworks had no conceptual apparatus for handling probabilistic or
latent-variable-driven outputs.
The critical inflection point arrived with the United States v. Llera Plaza (2002) ruling, in which a federal court initially
and controversially excluded fingerprint evidence on Daubert grounds before reversing the decision. This case
illustrated the judiciary's nascent struggle with quantifying the error rates of pattern-recognition methodologies, a
struggle that would intensify catastrophically with the introduction of neural-network-based pattern recognizers two
decades later.
C. The Machine Learning Incursion and the Transparency Crisis (2010–2023)
Post-2012, the deep learning revolution canonically marked by AlexNet's dominance of the ImageNet Large Scale
Visual Recognition Challenge began infiltrating forensic toolchains. Applications proliferated: convolutional neural
networks (CNNs) for image authentication and deepfake detection, recurrent neural networks (RNNs) and transformer
architectures for log sequence anomaly detection, graph neural networks (GNNs) for network provenance tracing, and
large language models (LLMs) for automated report generation from raw artifact data [3]. The forensic utility was
demonstrable; the auditability was catastrophic.
The core problem is structural. A deep neural network with, for example, 175 billion parameters (the approximate scale
of GPT-3) produces outputs through a computational pathway of such dimensional complexity that no human analyst
and no existing automated tool can reconstruct a complete, step-by-step causal account of why a specific input
produced a specific output. In forensic terms, this means that when an AI system classifies a file as malware, identifies
an image as synthetically generated, or flags a network session as anomalous, the evidentiary basis for that classification


                                                                                                                                2/8
cannot be rendered into the explicit, traceable form that Daubert, ACPO, or ISO/IEC 27037:2012 (digital evidence
guidelines) require [4]. The discipline of Audit AI emerged precisely in response to this structural incompatibility.




II. FORMAL ARCHITECTURE                       OF AI       AUDIT       TRAILS       AND      CHAIN-OF-CUSTODY
PRESERVATION
The classical chain-of-custody (CoC) in digital forensics is a temporally ordered, cryptographically verifiable record
that documents every interaction with a piece of evidence from its initial acquisition to its courtroom presentation. Its
formal structure can be represented as a directed acyclic graph (DAG):
CoC = (N, E, H)
Where N represents the set of custody nodes (each a tuple of {actor, timestamp, action, location}), E represents directed
edges encoding the sequential transfer of custody, and H represents a hash-chain anchoring each node to its predecessor
via a cryptographic digest (SHA-256 or higher) such that tampering at any node invalidates all subsequent hashes [5].
When an AI pipeline is interpolated into this structure, the CoC problem becomes multidimensional. The pipeline
introduces intermediate transformation stages data preprocessing, feature extraction, model inference, post-processing
thresholding      each of which can alter the evidentiary representation without a corresponding human-readable
justification. A forensically compliant AI audit trail must therefore extend the CoC DAG to capture not only what
transformations were applied, but the parameterization state of the model at inference time.
This requires the implementation of Model State Snapshots (MSS): at each inference event, the audit system must
record:
     •   The model architecture identifier and version hash
     •   The complete weight tensor checksums (not merely version numbers, which can be spoofed)
     •   The input feature vector presented to the model
     •   The softmax probability distribution across all output classes (not merely the argmax prediction)
     •   The operating environment metadata (hardware, driver versions, random seed states for any stochastic
         operations)
The preservation of the full probability distribution rather than merely the binary or categorical prediction is of
particular forensic significance. In legal proceedings, the difference between a model outputting P(malware) = 0.51
versus P(malware) = 0.99 is not merely quantitative; it is qualitatively determinative of evidentiary weight.
Jurisdictions applying Daubert scrutiny require that known error rates be disclosed; the probability distribution is the
computational substrate from which such error rates are derived.
The edge case of model versioning drift presents a particularly insidious auditability problem. When a forensic AI tool
updates its underlying model weights between the time of initial analysis and the time of courtroom presentation a
commonplace occurrence in commercially deployed tools that receive continuous learning updates the reproducibility
guarantee of the CoC is structurally violated. The input data, run through the updated model, may produce a different
classification, thereby creating an irreconcilable evidentiary contradiction. This necessitates the architectural
enforcement of inference-time model freezing: a protocol under which the model weights used for any forensically
significant analysis are cryptographically committed via a Merkle tree root hash stored in an immutable ledger, ensuring
that the identical computational artifact can be re-instantiated for independent verification [6].
The legacy constraint most resistant to resolution in this domain is the proprietary enclosure of commercial forensic AI
tools. Vendors including Cellebrite, Oxygen Forensics, and Magnet Axiom deploy machine learning components whose
internal architectures are protected as trade secrets, rendering independent weight verification and therefore rigorous
CoC compliance        structurally impossible under current intellectual property regimes. This creates a direct and
unresolved conflict between commercial confidentiality and the constitutional due-process rights of defendants to
challenge the methodological foundations of evidence presented against them.

III. ADVANCED ALGORITHMS, PSEUDOCODE LOGIC, AND SCALABILITY ANALYSIS
A. Mathematical Underpinnings of Explainability and Forensic Validity Thresholds
The post hoc explainability literature has converged upon several dominant methodological frameworks, each carrying
distinct mathematical architectures and critically distinct forensic validity profiles. Three methods warrant deep
architectural examination: SHAP (SHapley Additive exPlanations), LIME (Local Interpretable Model-Agnostic
Explanations), and attention-weight visualization in transformer-based forensic models. Each is examined not merely as
a technical instrument but as a forensic artifact subject to evidentiary scrutiny.




                                                                                                                      3/8
1.) SHAP: Cooperative Game Theory as Evidentiary Calculus
SHAP, formalized by Lundberg and Lee (2017), grounds feature attribution in the Shapley value a solution concept
from cooperative game theory introduced by Lloyd Shapley (1953). The Shapley value φᵢ for feature i is defined as the
weighted average marginal contribution of feature i across all possible feature coalition orderings [7]:




Where F is the complete feature set, S ranges over all subsets of F not containing feature i, and f(S) denotes the model's
expected output when only the features in subset S are observable. The term [f(S ∪ {i}) - f(S)] captures the marginal
contribution of feature i to the prediction when added to coalition S.
The forensic significance of SHAP over simpler gradient-based attribution methods lies in its axiomatic foundation.
SHAP satisfies three properties that carry direct jurisprudential relevance: local accuracy (the sum of SHAP values
equals the model output minus the baseline, ensuring internal consistency), missingness (features absent from the input
receive zero attribution, preventing phantom evidence), and consistency (if a model is modified such that a feature's
marginal contribution increases, its SHAP value cannot decrease a monotonicity guarantee) [7]. These axiomatic
properties provide a mathematical scaffold upon which forensic experts can construct reproducible, logically consistent
attributions defensible under cross-examination.
However, the computational complexity of exact SHAP calculation is O(2ⁿ) in the number of features n exponential and
therefore intractable for high-dimensional forensic inputs such as full memory dumps or packet capture files with
thousands of derived features. Practical implementations employ KernelSHAP (sampling-based approximation) or
TreeSHAP (exact computation in polynomial time for tree-ensemble models). The approximation introduces a forensic
validity threshold problem: sampled SHAP values carry a variance term proportional to the inverse square root of the
sample size, meaning that with insufficient sampling, attributions presented as evidentiary explanations carry non-trivial
uncertainty bounds that are rarely disclosed in forensic reports. A minimum sample budget of n ≥ 2,048 coalition
evaluations is recommended for feature spaces exceeding 50 dimensions to maintain variance below 5% of the mean
attribution magnitude [8].
2.) LIME: Local Fidelity and Its Epistemological Limitations
LIME constructs an interpretable surrogate model g in the local neighborhood of an input instance x by minimizing a
fidelity-complexity objective:




Where L is a locality-weighted loss measuring divergence between the original model f and surrogate g over a
neighborhood defined by proximity kernel πₓ, and Ω(g) penalizes model complexity [9]. The surrogate g is typically a
sparse linear model, rendering its coefficients directly interpretable as feature weights.
The critical epistemological limitation of LIME for forensic applications is its locality instability: the explanations
generated are sensitive to the random perturbation process used to sample the neighborhood, producing non-
deterministic outputs across repeated executions on identical inputs. Alvarez-Melis and Jaakkola (2018) demonstrated
that LIME explanations can exhibit Lipschitz instability small perturbations in the input x yield disproportionately large
changes in the explanation g with instability coefficients exceeding 3.0 in high-dimensional sparse feature spaces [10].
This instability constitutes a fundamental Daubert violation: an explanatory method that does not produce consistent
outputs under identical conditions cannot satisfy the reproducibility criterion required for scientific validity in legal
proceedings.




                                                                                                                      4/8
Pseudocode: Forensic SHAP Audit Pipeline:
 PROCEDURE ForensicSHAPAudit(model M, evidence_input X, feature_set F):

   // Phase 1: Model State Commitment
   weight_hash ← SHA256(serialize(M.weights))
   input_hash ← SHA256(serialize(X))
   APPEND TO immutable_ledger: {weight_hash, input_hash, timestamp}

   // Phase 2: Baseline Establishment
   baseline ← compute_expected_output(M, distribution=training_data)

   // Phase 3: SHAP Computation with Variance Logging
   IF |F | > 50 THEN
      sample_budget ← max(2048, 40 * |F|)
      {φ, variance} ← KernelSHAP(M, X, baseline, n_samples=sample_budget)
   ELSE
      {φ, variance} ← ExactSHAP(M, X, baseline)

   // Phase 4: Validity Threshold Enforcement
   FOR each feature fᵢ IN F:
      IF variance[fᵢ] / |φ[fᵢ]| > 0.05 THEN
        FLAG fᵢ AS "attribution_uncertain"
        LOG warning: "Feature attribution exceeds 5% variance threshold"

   // Phase 5: Evidentiary Report Generation
   report ← {
      model_hash:      weight_hash,
      input_hash:     input_hash,
      attributions: φ,
      variances:      variance,
      flagged:        uncertain_features,
      baseline:       baseline,
      full_prob_dist: M.predict_proba(X)
   }
   SIGN report WITH forensic_analyst_private_key
   RETURN report

 END PROCEDURE

This pipeline enforces the MSS protocol established in Pillar I, appending explainability artifacts to the chain-of-
custody DAG as cryptographically signed, variance-annotated records rather than bare classification outputs.

3.) Scalability Analysis: Computational Trade-offs Under Forensic Load
In operational forensic environments, the scalability demands of audit pipelines impose severe computational trade-offs.
Consider a scenario involving a 1TB storage image: automated triage systems may generate tens of thousands of
individual AI inference events per analysis session. At a conservative estimate of 2,048 coalition evaluations per
KernelSHAP call each requiring a full forward pass through a neural network of depth L and width W the total
computational overhead is:
T_total = N_inferences × 2048 × O(L × W²)
For a moderately complex CNN (L=20, W=512) processing 50,000 inference events, this yields approximately 5.24 ×
10¹² floating-point operations per complete audit a load requiring dedicated GPU infrastructure and rendering real-time
forensic analysis computationally prohibitive without architectural optimization.
Mitigation strategies include lazy explanation generation (computing SHAP only for high-confidence or legally
escalated classifications), explanation caching (storing attribution vectors for recurring artifact signatures), and model
distillation into inherently interpretable architectures (gradient-boosted trees with TreeSHAP) at the cost of predictive
accuracy. The accuracy-auditability trade-off is not merely technical it is jurisprudential: a more accurate but less
auditable model may be forensically inadmissible, while a less accurate but fully transparent model may produce more
legally defensible if epistemically inferior conclusions.

IV. ADVERSARIAL ROBUSTNESS AGAINST FORENSIC OBFUSCATION
The adversarial threat surface of AI forensic systems is structurally distinct from that of general-purpose classifiers,
because the adversary a sophisticated threat actor seeking to evade forensic detection has both the motivation and,
increasingly, the technical capability to craft adversarial examples specifically designed to deceive AI forensic tools
while preserving the functional payload of malicious artifacts.

                                                                                                                      5/8
Formally, an adversarial perturbation δ against a forensic classifier f is constructed to satisfy:



Where the Lp-norm constraint ensures the perturbation remains below a perceptual or functional detection threshold ε
[11]. In the malware domain, Kolosnjaji et al. (2018) demonstrated that appending carefully crafted byte sequences to
the non-functional sections of PE (Portable Executable) files preserving full execution functionality could reduce the
detection rate of neural-network-based malware classifiers from 94% to below 20% using gradient-guided perturbation
with ‖δ‖₀ ≤ 1% of file size [12].
The audit implication is recursive and deeply problematic: if an AI forensic tool has been successfully deceived by an
adversarial artifact, the audit trail faithfully records the erroneous classification as a legitimate forensic finding. The
chain-of-custody DAG preserves the integrity of the process while being wholly blind to the validity of the underlying
inference a distinction that courts applying Daubert scrutiny must be equipped to recognize but currently lack the
technical frameworks to assess systematically.
V. SOCIO-TECHNICAL SYNTHESIS: THE HUMAN-MACHINE INTERFACE AND SOCIETAL
IMPACT
A. The Deskilling Paradox in Forensic Practice
The deployment of AI forensic tools precipitates what Autor, Levy, and Murnane (2003) termed routine-task
displacement the progressive automation of structured, rule-governed cognitive labor but in the forensic domain, this
displacement carries consequences exceeding economic reorganization [13]. As AI systems absorb the analytical burden
of artifact classification, pattern recognition, and timeline reconstruction, the human forensic examiner's role is
progressively reduced to one of output validation: reviewing AI-generated reports rather than performing primary
analysis. This structural shift induces a deskilling paradox: the examiner's capacity to critically evaluate AI outputs to
recognize when a classification is anomalous, when an explanation is internally inconsistent, or when an adversarial
manipulation has occurred degrades precisely as the complexity of the systems being evaluated increases.
The forensic implications are systemic. An examiner who cannot independently reconstruct the analytical pathway that
produced an AI finding cannot competently testify to its validity under adversarial cross-examination. The Melendez-
Diaz v. Massachusetts (2009) Supreme Court ruling, which affirmed the Confrontation Clause right of defendants to
cross-examine forensic analysts, implicitly requires that analysts possess substantive understanding of the methods they
attest to a requirement that becomes structurally untenable when those methods are encapsulated in opaque neural
architectures [14].
B. Differential Justice and Algorithmic Bias Propagation
The societal impact of AI forensic tools extends beyond individual case outcomes into the structural reproduction of
systemic bias. Training datasets for forensic AI systems are necessarily constructed from historical case data data that
encodes the enforcement priorities, investigative biases, and demographic disparities of prior forensic practice. A
malware attribution model trained on historical samples may overrepresent threat actors from certain geopolitical
regions due to historical attribution patterns, embedding geopolitical inference into ostensibly technical classifications.
A network anomaly detector trained on enterprise network traffic may systematically underperform on network
topologies characteristic of lower-resource environments, producing disparate false-positive rates across institutional
contexts.
These bias propagation mechanisms operate below the threshold of routine forensic audit because they manifest not as
individual classification errors but as distributional disparities across case populations a statistical phenomenon
invisible to chain-of-custody documentation focused on individual evidence items. Addressing this requires the
integration of algorithmic fairness audits systematic measurement of classification error rates across demographically
and institutionally stratified subpopulations into the forensic AI certification process, a practice not currently mandated
by any major forensic standards body as of 2023.
VI. CONCLUSION
The discipline of Audit AI for Digital Forensics does not merely constitute a technical subspecialty within computer
science; it represents a fundamental renegotiation of what societies are willing to accept as epistemic warrant for the
deprivation of liberty. The classical forensic ideal the Sherlock Holmesian fantasy of deterministic inference from
physical traces to singular, incontrovertible conclusions was always philosophically overstated. Fingerprint analysis,
bite-mark comparison, and hair microscopy have each undergone catastrophic reappraisals of their claimed certainty
[15]. What the AI incursion into forensic practice introduces is not a new category of epistemic risk, but rather an
exponential amplification of existing ones, concealed beneath a veneer of computational authority that courts, juries,
and policy makers are structurally ill-equipped to penetrate.
The strategic forecast proceeds along three vectors of anticipatory analysis.


                                                                                                                       6/8
The trajectory of regulatory pressure in high-stakes AI deployment evidenced by the EU AI Act (2023), which
classifies AI systems used in law enforcement as high-risk and mandates transparency, human oversight, and technical
robustness requirements indicates that voluntary industry compliance frameworks will prove insufficient [16]. The
forensic AI domain will converge, within the next decade, upon mandatory formal verification requirements:
mathematical proofs that AI forensic tools satisfy specified behavioral properties across their entire input domain, not
merely on benchmark test sets.
Formal verification methods model checking, theorem proving, abstract interpretation currently scale only to relatively
shallow neural architectures (networks of fewer than approximately 10,000 neurons for complete verification). The
computational frontier of scalable neural network verification, represented by tools such as Reluplex (Katz et al., 2017)
and α,β-CROWN (Zhang et al., 2022), must be advanced to encompass the architectural complexity of operationally
deployed forensic AI systems before formal certification becomes practically achievable [17]. This represents a research
imperative of the highest urgency, occupying the intersection of formal methods, machine learning theory, and legal
epistemology.
The architectural solution to the chain-of-custody integrity problem will not emerge from within the forensic software
industry alone; it will be imposed by evidentiary necessity. Distributed ledger technologies specifically permissioned
blockchain architectures such as Hyperledger Fabric, which provide immutability, auditability, and cryptographic non-
repudiation without the energy expenditure and governance ambiguities of public chains represent the most technically
viable substrate for forensic AI audit trail preservation [18]. The integration of model state snapshots, SHAP attribution
vectors, adversarial robustness certificates, and chain-of-custody DAG entries into a unified, tamper-evident ledger
infrastructure constitutes the architectural north star toward which the discipline must navigate.
The critical governance question who operates the ledger, under what jurisdictional authority, and with what access
controls remains unresolved and is fundamentally political rather than technical. The answer will determine whether
immutable forensic ledgers function as instruments of accountability or as instruments of state power insulated from
meaningful oversight.
Against the techno-deterministic impulse to solve the forensic AI transparency problem through purely architectural
means, this analysis asserts an irreducible anthropocentric thesis: no audit trail, however cryptographically robust; no
explanation, however mathematically grounded; no verification certificate, however formally complete, can substitute
for the presence of a forensic practitioner possessing sufficient technical literacy to interpret, challenge, and
contextualize AI-generated findings within the adversarial environment of legal proceedings. The deskilling paradox
identified in the Socio-Technical Synthesis is not merely a workforce development problem it is a constitutional one.
The Confrontation Clause, the right to a fair trial, and the foundational presumption of innocence collectively demand
that the human link in the evidentiary chain remain substantively not merely nominally competent.
The strategic imperative, therefore, is the institutionalization of forensic AI literacy as a core certification requirement
for digital forensic examiners, legal professionals, and judicial officers a curriculum spanning model architecture
fundamentals, explainability method limitations, adversarial threat landscapes, and statistical reasoning under
uncertainty. The alternative a legal system in which opaque algorithmic outputs are routinely converted into
incarcerations through the procedural theater of expert testimony that neither the witness nor the court substantively
comprehends represents a jurisprudential failure of civilizational magnitude.
REFERENCES
[1] E. J. Imwinkelried, "The Daubert Decision and the Future of Forensic Science," Jurimetrics, vol. 33, no. 4, pp. 471–490, 1993.
[2] B. Carrier, "Open Source Digital Forensics Tools: The Legal Argument," @stake Research Report, 2002.
[3] Chen, Y., Lin, Z., Zhao, X., Wang, G., & Gu, Y.(2019). CRIMENET: A deep learning framework for crime prediction using
spatial-temporal representation. Neurocomputing, 324, 34-44.
[4] ISO/IEC 27037:2012, Information Technology — Security Techniques — Guidelines for Identification, Collection, Acquisition
and Preservation of Digital Evidence, International Organization for Standardization, Geneva, 2012. Online. [Avaiable]:
https://www.iso.org/standard/44381.html
[5] G. Horsman, "Framework for Reliable Experimental Design (FRED): A Research Framework to Ensure the Dependable
Interpretation of Digital Data for Digital Forensics," Digital Investigation, vol. 26, pp. 48–58, 2018.
[6] M. Grajeda, F. Breitinger, and I. Baggili, "Availability of Datasets for Digital Forensics and What is Missing," Digital
Investigation, vol. 22, pp. S94–S105, 2017.
[7] S. M. Lundberg and S.-I. Lee, "A Unified Approach to Interpreting Model Predictions," Advances in Neural Information
Processing Systems, vol. 30, pp. 4765–4774, 2017.
[8] C. Molnar, Interpretable Machine Learning: A Guide for Making Black Box Models Explainable, 2nd ed. Munich: Christoph
Molnar, 2022.
[9] M. T. Ribeiro, S. Singh, and C. Guestrin, "'Why Should I Trust You?': Explaining the Predictions of Any Classifier," in Proc.
22nd ACM SIGKDD Int. Conf. Knowledge Discovery and Data Mining, San Francisco, CA, 2016, pp. 1135–1144.
[10] D. Alvarez-Melis and T. S. Jaakkola, "On the Robustness of Interpretability Methods," ICML Workshop on Human
Interpretability in Machine Learning, 2018.
[11] C. Szegedy et al., "Intriguing Properties of Neural Networks," in Proc. Int. Conf. Learning Representations (ICLR), Banff,
Canada, 2014.


                                                                                                                                 7/8
[12] B. Kolosnjaji et al., "Adversarial Malware Binaries: Evading Deep Learning for Malware Detection in Executables," in Proc.
26th European Signal Processing Conf. (EUSIPCO), Rome, Italy, 2018, pp. 533–537.
[13] D. H. Autor, F. Levy, and R. J. Murnane, "The Skill Content of Recent Technological Change: An Empirical Exploration,"
Quarterly Journal of Economics, vol. 118, no. 4, pp. 1279–1333, 2003.
[14] Melendez-Diaz v. Massachusetts, 557 U.S. 305, Supreme Court of the United States, 2009. Online. [Avaiable]:
https://supreme.justia.com/cases/federal/us/557/305/?__cf_chl_rt_tk=sIoTz5GE4sRvRmbSUc.zRBDxwxAuZaRT8OVDm_qW3L4-
1777837726-1.0.1.1-HcUuneRLS6ixHzD9XMaaHvqzb..aZbtcGvHQlk0OE9A
[15] President's Council of Advisors on Science and Technology (PCAST), Forensic Science in Criminal Courts: Ensuring Scientific
Validity of Feature-Comparison Methods, Executive Office of the President, Washington, DC, 2016. Online. [Avaiable]:
https://obamawhitehouse.archives.gov/sites/default/files/microsites/ostp/PCAST/pcast_forensic_science_report_final.pdf
[16] European Parliament, Regulation on Artificial Intelligence (AI Act), PE 759.784, Brussels: European Parliament, 2023. Online.
[Avaiable]: https://www.europarl.europa.eu/doceo/document/TA-9-2023-0236_EN.html
[17] G. Katz, C. Barrett, D. L. Dill, K. Julian, and M. J. Kochenderfer, "Reluplex: An Efficient SMT Solver for Verifying Deep
Neural Networks," in Proc. Int. Conf. Computer Aided Verification (CAV), Heidelberg, 2017, pp. 97–117. Online. [Avaiable]:
https://arxiv.org/abs/1702.01135
[18] M., Niranjanamurthy & Bn, Nithya & St, Jagannatha. (2019). Analysis of Blockchain technology: pros, cons and SWOT. Cluster
Computing. 22. 10.1007/s10586-018-2387-5.




                                                                                                                              8/8