AI & Machine Learning · Mar 26, 2026

Forensic Implications of Localized AI: Artifact Analysis of Ollama, LM Studio, and llama.cpp

Source: arXiv Security · Archived Mar 26, 2026



Computer Science > Cryptography and Security

[Submitted on 25 Mar 2026]

Shariq Murtuza

Abstract: The proliferation of local Large Language Model (LLM) runners, such as Ollama, LM Studio and llama.cpp, presents a new challenge for digital forensics investigators. These tools enable users to deploy powerful AI models in an offline manner, creating a potential evidentiary blind spot for investigators. This work presents a systematic, cross-platform forensic analysis of these popular local LLM clients. Through controlled experiments on Windows and Linux operating systems, we acquired and analyzed disk and memory artifacts, documenting installation footprints, configuration files, model caches, prompt histories and network activity. Our experiments uncovered a rich set of previously undocumented artifacts for each software, revealing significant differences in evidence persistence and location based on application architecture. Key findings include the recovery of plaintext prompt histories in structured JSON files, detailed model usage logs and unique file signatures suitable for forensic detection. This research provides a foundational corpus of digital evidence for local LLMs, offering forensic investigators reproducible methodologies, practical triage commands and analyse this new class of software. The findings have critical implications for user privacy, the admissibility of AI-related evidence and the development of anti-forensic techniques.
Subjects: Cryptography and Security (cs.CR)
Cite as: arXiv:2603.23996 [cs.CR] (or arXiv:2603.23996v1 [cs.CR] for this version)
https://doi.org/10.48550/arXiv.2603.23996

Submission history
From: Shariq Murtuza
[v1] Wed, 25 Mar 2026 06:51:33 UTC (28 KB)