Traditional digital forensics methods suffer from high manual dependency and struggle to scale with data explosion and increasing evidentiary complexity. Method: This paper systematically investigates the enabling mechanisms and practical boundaries of large language models (LLMs) in digital forensics, integrating prompt engineering, case-driven analysis, and critical evaluation across core workflows—including log parsing, evidence correlation, and forensic report generation—to construct the first comprehensive LLM application framework tailored for frontline practitioners. Contributions: (1) A refined capability map of LLMs in digital forensics, alongside identification of four fundamental limitations—hallucination, lack of explainability, bias, and legal admissibility; (2) Four key research directions: explainability enhancement, hallucination mitigation, ethical compliance, and standardization; (3) A judicially credible LLM deployment guideline that bridges theoretical insights and operational practice.

Digital forensics plays a pivotal role in modern investigative processes, utilizing specialized methods to systematically collect, analyze, and interpret digital evidence for judicial proceedings. However, traditional digital forensic techniques are primarily based on manual labor-intensive processes, which become increasingly insufficient with the rapid growth and complexity of digital data. To this end, Large Language Models (LLMs) have emerged as powerful tools capable of automating and enhancing various digital forensic tasks, significantly transforming the field. Despite the strides made, general practitioners and forensic experts often lack a comprehensive understanding of the capabilities, principles, and limitations of LLM, which limits the full potential of LLM in forensic applications. To fill this gap, this paper aims to provide an accessible and systematic overview of how LLM has revolutionized the digital forensics approach. Specifically, it takes a look at the basic concepts of digital forensics, as well as the evolution of LLM, and emphasizes the superior capabilities of LLM. To connect theory and practice, relevant examples and real-world scenarios are discussed. We also critically analyze the current limitations of applying LLMs to digital forensics, including issues related to illusion, interpretability, bias, and ethical considerations. In addition, this paper outlines the prospects for future research, highlighting the need for effective use of LLMs for transparency, accountability, and robust standardization in the forensic process.