Bruno W. P. Hoelz
University of Brasília
Publication
Featured research published by Bruno W. P. Hoelz.
web intelligence | 2008
Bruno W. P. Hoelz; Célia Ghedini Ralha; Rajiv Geeverghese; Hugo C. Junior
This article proposes the use of a collaborative multi-agent approach to develop a toolkit to assist the experts during the forensic examination process: MADIK - a Multi-Agent Digital Investigation ToolKit. The use of a multi-agent approach has been proved adequate, especially regarding the cooperative action of the autonomous specialized agents: HashSetAgent, FilePathAgent, TimelineAgent, FileSignatureAgent. Also the distributed nature of the multi-agent approach allows for better usage of computational resources, since agents can operate autonomously in different machines and environments. As part of our work, we have defined a four layer multi-agent architecture, as a metaphor to the organizational hierarchy levels, which is divided in strategic, tactical, operational and specialist levels. The proposed architecture was the base to the development of the toolkit, which was developed with a blackboard approach, implemented over the Java Agent DEvelopment Framework - JADE, using Java Expert System Shell - JESS. We have done some experiments with MADIK using real data and the results are encouraging. This paper focuses on the benefits of using the multi-agent approach to aid in the forensic examination process, especially regarding the cooperative action of the autonomous specialized agents, which we deem as a flexible and promising possibility that should be further explored in the computer forensics scenario.
adaptive agents and multi-agents systems | 2015
Bruno W. P. Hoelz; Célia Ghedini Ralha
Computational trust and reputation models are key elements in the design of open multi-agent systems. They offer means of evaluating and reducing risks of cooperation in the presence of uncertainty. However, the models proposed in the literature do not consider the costs they introduce and how they are affected by environmental aspects. In this paper, a cognitive meta-model for adaptive trust and reputation in open multi-agent systems is presented. It acts as a complement to a non-adaptive model by allowing the agent to reason about it and react to changes in the environment. We demonstrate how the meta-model can be applied to existent models proposed in the literature, by adjusting the model’s parameters. Finally, we propose evaluation criteria to drive meta-level reasoning considering the costs involved when employing trust and reputation models in dynamic environments.
international conference on digital forensics | 2012
Marcelo Ruback; Bruno W. P. Hoelz; Célia Ghedini Ralha
The large amounts of data that have to be processed and analyzed by forensic investigators is a growing challenge. Using hashsets of known files to identify and filter irrelevant files in forensic investigations is not as effective as it could be, especially in non-English speaking countries. This paper describes the application of data mining techniques to identify irrelevant files from a sample of computers from a country or geographical region. The hashsets corresponding to these files are augmented with an optimized subset of effective hash values chosen from a conventional hash database. Experiments using real evidence demonstrate that the resulting augmented hashset yields 30.69% better filtering results than a conventional hashset although it has approximately half as many (51.83%) hash values.
international conference on digital forensics | 2011
Bruno W. P. Hoelz; Célia Ghedini Ralha; Frederico Mesquita
The traditional forensic search and seizure process employed by law enforcement is not always appropriate given large data volumes and the potential of hard drive encryption. This paper proposes a framework built on case-based reasoning to support a live forensic response during the search and seizure process. The framework assists a first responder by identifying the risks and the procedures to ensure the optimal collection of evidence based on prior cases. Test results demonstrate that the framework provides valuable assistance to first responders, reducing the time taken to complete a response and increasing the likelihood of a successful conclusion.
OTM '08 Proceedings of the OTM Confederated International Workshops and Posters on On the Move to Meaningful Internet Systems: 2008 Workshops: ADI, AWeSoMe, COMBEK, EI2N, IWSSA, MONET, OnToContent + QSI, ORM, PerSys, RDDS, SEMELS, and SWWS | 2008
Bruno W. P. Hoelz; Célia Ghedini Ralha; Rajiv Geeverghese; Hugo C. Junior
In this article, we present MADIK, a Multi-Agent Digital Investigation ToolKit to help experts during the forensic examination process. MADIK uses a four layer multi-agent architecture, as a metaphor to the organizational hierarchy levels: strategic, tactical, operational and specialist. The proposed architecture and tool was developed under a blackboard approach, implemented with Java Agent DEvelopment Framework - JADE, using Java Expert System Shell - JESS as an inference engine. We have done some experiments with MADIK using real data, on stand alone and distributed environments with encouraging results.
international conference on digital forensics | 2017
Bruno W. P. Hoelz; Marcelo Maues
The role of a digital forensic professional is to collect and analyze digital evidence. However, anti-forensic techniques can reduce the availability or usefulness of the evidence. They threaten the digital forensic examination process and may compromise its conclusions. This chapter proposes the use of threat modeling to manage the risks associated with anti-forensic threats. Risk management is introduced in the early stages of the digital forensic process to assist a digital forensic professional in determining the resources to be invested in detecting and mitigating the risk. The proposed threat model complements the incident response and digital forensic processes by providing a means for assessing the impact and likelihood of anti-forensic threats, evaluating the cost of risk mitigation and selecting tools and techniques that can be used as countermeasures. This renders the digital forensic process more robust and less susceptible to the consequences of anti-forensic actions.
acm symposium on applied computing | 2013
Bruno W. P. Hoelz; Célia Ghedini Ralha
Most tools used during the forensic examination process emphasize data and metadata extraction without a formal definition of the concepts used in their outputs. These vary not only in the terminology used, but also in the way values are represented. These differences hinder the adoption of computer-assisted analysis, since the elements to be analyzed are not well-defined, requiring ad hoc parsers to process and interpret the output of each tool. A framework for semantic annotation of digital evidence is presented in this work. Semantic annotations use concepts that are defined in an ontology to describe the annotated object. They can replace raw metadata, user-defined labels and tool-specific analysis results with computer-readable, formally defined terms that can be used in semantically advanced queries. The framework's components provide means to extract, analyze and index the contents of the digital evidence. The framework allows the augmentation of a base ontology, by adding domain and case-specific concepts to it. A prototype implementation is described and a case study is conducted to illustrate its potential uses and improvements to the forensic examination process.
brazilian symposium on artificial intelligence | 2012
Bruno W. P. Hoelz; Célia Ghedini Ralha
adaptive agents and multi agents systems | 2017
Lucas O. Souza; Célia Ghedini Ralha; Bruno W. P. Hoelz
The Sixth International Conference on Forensic Computer Science | 2011
Frederico Mesquita; Bruno W. P. Hoelz; Célia Ghedini Ralha