A Novel Reinforcement Learning Model for Post-Incident Malware Investigations

📅 2024-10-19
🏛️ arXiv.org
📈 Citations: 0
Influential: 0
🤖 AI Summary
Malware’s rapid evolution degrades detection accuracy, while judicial requirements demand verifiable, admissible digital evidence. To address these challenges, this paper proposes a reinforcement learning–based automated memory forensics model. It is the first to integrate Q-learning and Markov Decision Processes (MDPs) into the malware analysis workflow, synergizing static feature extraction, dynamic behavioral modeling, and machine learning–driven classification while preserving end-to-end evidentiary chain integrity. Experiments conducted in a Windows simulation environment demonstrate that the model significantly improves detection rates and reduces false negatives compared to baseline methods. Moreover, its performance adaptively scales with environmental complexity and learning rate. This work establishes a novel, judicially oriented forensic paradigm—characterized by interpretability, reproducibility, and formal verifiability—thereby advancing trustworthy, court-admissible cyber-investigation methodologies.

📝 Abstract
This research proposes a Novel Reinforcement Learning (RL) model to optimise malware forensics investigation during cyber incident response. It aims to improve forensic investigation efficiency by reducing false negatives and adapting current practices to evolving malware signatures. The proposed RL framework leverages techniques such as Q-learning and the Markov Decision Process (MDP) to train the system to identify malware patterns in live memory dumps, thereby automating forensic tasks. The RL model is based on a detailed malware workflow diagram that guides the analysis of malware artefacts using static and behavioural techniques as well as machine learning algorithms. Furthermore, it seeks to address challenges in the UK justice system by ensuring the accuracy of forensic evidence. We conduct testing and evaluation in controlled environments, using datasets created with Windows operating systems to simulate malware infections. The experimental results demonstrate that RL improves malware detection rates compared to conventional methods, with the RL model's performance varying depending on the complexity and learning rate of the environment. The study concludes that while RL offers promising potential for automating malware forensics, its efficacy across diverse malware types requires ongoing refinement of reward systems and feature extraction methods.
Problem

Research questions and friction points this paper is trying to address.

Computer Virus Detection
Accuracy Improvement
Legal Evidence Admissibility
Innovation

Methods, ideas, or system contributions that make the work stand out.

Reinforcement Learning
Q-Learning
Virus Detection