# ML & Data-Driven Forensic Automation Demo

This notebook demonstrates the capabilities of the ML & Data-Driven Forensic Automation toolkit.

In [None]:
# Import required libraries
import sys
import os
import pandas as pd
import numpy as np

# Put the project root on sys.path so the `src` and `examples` packages resolve.
# The cells below import `src.tools...`, `src.data...` and `examples...`, so the
# root directory (not `src` itself) is what needs to be importable.
sys.path.insert(0, os.getcwd())

## 1. Network Traffic Analysis

Demonstrate the network traffic analyzer capabilities.

In [None]:
# Create sample dataset for demonstration
from examples.create_sample_data import create_sample_dataset

print("Creating sample network traffic dataset...")
df = create_sample_dataset()
print(f"Dataset created with {len(df)} samples")
print(f"Benign: {len(df[df['label'] == 0])}, Malicious: {len(df[df['label'] == 1])}")

# Display first few rows
df.head()

In [None]:
# Train the network traffic analyzer
from src.tools.network_traffic_analyzer import NetworkTrafficAnalyzer

analyzer = NetworkTrafficAnalyzer()

# Prepare data for training
X = df.drop('label', axis=1)
y = df['label']

# Train the model
model = analyzer.train_model(X, y)
print("Model training completed!")

## 2. CASE Data Pipeline

Demonstrate the CASE-compliant forensic data handling.

In [None]:
from src.data.case_pipeline import CASEDataPipeline

# Initialize the pipeline
pipeline = CASEDataPipeline()

# Add an investigation
inv_id = pipeline.add_investigation(
    "demo_inv_001",
    "Demo Network Investigation",
    "Demonstration of forensic automation capabilities"
)
print(f"Created investigation: {inv_id}")

# In a real scenario, we would add actual evidence files
# For demo purposes, we'll show the structure
print("\nCASE data structure created successfully!")
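
The following is an added example, not the toolkit's own `CASEDataPipeline` code: it builds the same demo investigation as a minimal CASE/UCO JSON-LD graph and attaches one constructed evidence file with its SHA-256, then re-checks that hash, which is the step an examiner needs before trusting an evidence record. Namespace IRIs and property names are taken from the UCO/CASE 1.x ontology as assumed here, and `kb:` is an assumed local knowledge-base prefix.

```python
import hashlib
import json
import uuid

# Prefixes assumed to match the UCO/CASE 1.x ontology IRIs; "kb" is the local knowledge base.
CONTEXT = {
    "kb": "http://example.org/kb/",
    "case-investigation": "https://ontology.caseontology.org/case/investigation/",
    "uco-core": "https://ontology.unifiedcyberontology.org/uco/core/",
    "uco-observable": "https://ontology.unifiedcyberontology.org/uco/observable/",
    "uco-types": "https://ontology.unifiedcyberontology.org/uco/types/",
    "xsd": "http://www.w3.org/2001/XMLSchema#",
}

def new_id(kind: str) -> str: return f"kb:{kind}-{uuid.uuid4()}"  # CASE nodes carry UUID-based @ids

def file_node(name: str, data: bytes) -> dict:
    """One evidence file: name/size in a FileFacet, SHA-256 in a ContentDataFacet."""
    hash_obj = {"@id": new_id("hash"), "@type": "uco-types:Hash",
                "uco-types:hashMethod": "SHA256",
                "uco-types:hashValue": {"@type": "xsd:hexBinary", "@value": hashlib.sha256(data).hexdigest()}}
    return {"@id": new_id("file"), "@type": "uco-observable:File", "uco-core:hasFacet": [
        {"@id": new_id("file-facet"), "@type": "uco-observable:FileFacet",
         "uco-observable:fileName": name,
         "uco-observable:sizeInBytes": {"@type": "xsd:integer", "@value": str(len(data))}},
        {"@id": new_id("content-facet"), "@type": "uco-observable:ContentDataFacet",
         "uco-observable:hash": [hash_obj]}]}

def build_case_graph(inv_id: str, name: str, description: str, files: dict) -> dict:
    """JSON-LD document: an Investigation whose uco-core:object list references each file node."""
    nodes = [file_node(n, d) for n, d in files.items()]
    investigation = {"@id": f"kb:{inv_id}", "@type": "case-investigation:Investigation",
                     "uco-core:name": name, "uco-core:description": description,
                     "uco-core:object": [{"@id": n["@id"]} for n in nodes]}
    return {"@context": CONTEXT, "@graph": [investigation] + nodes}

def verify_file(graph: dict, file_name: str, data: bytes) -> bool:
    """Integrity check: does the SHA-256 recorded for file_name match the bytes held now?"""
    for node in graph["@graph"]:
        facets = node.get("uco-core:hasFacet", [])
        if any(f.get("uco-observable:fileName") == file_name for f in facets):
            hashes = [h for f in facets for h in f.get("uco-observable:hash", [])]
            recorded = {h["uco-types:hashValue"]["@value"] for h in hashes if h["uco-types:hashMethod"] == "SHA256"}
            return hashlib.sha256(data).hexdigest() in recorded
    return False  # no file of that name in the graph

# Constructed sample evidence (a pcap magic number plus zero padding, not a real capture).
SAMPLE_FILES = {"capture.pcap": b"\xd4\xc3\xb2\xa1" + b"\x00" * 20}
if __name__ == "__main__":
    print(json.dumps(build_case_graph("demo_inv_001", "Demo Network Investigation", "Demonstration of forensic automation capabilities", SAMPLE_FILES), indent=2))
```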

## 3. Volatility 3 Integration

Example of how to integrate with Volatility 3 for memory forensics.

In [None]:
from src.utils.volatility_integration import VolatilityIntegration

# Initialize the integration
# Note: This requires Volatility 3 to be installed and a memory image
vol = VolatilityIntegration()

print("Volatility integration initialized")
print("To use this component, you need a memory image file and Volatility 3 installed")

## Conclusion

This toolkit provides a foundation for ML-driven forensic automation with:

1. Network traffic analysis capabilities
2. Memory forensic integration
3. Standardized data handling (CASE compliant)

For more information, check the documentation and examples in the repository.