Title :
A Cooperative Multi-agent Approach to Computer Forensics
Author :
Hoelz, Bruno W P ; Ralha, Célia G. ; Geeverghese, Rajiv ; Junior, Hugo C.
Author_Institution :
Comput. Sci. Dept., Univ. of Brasilia, Brasilia
Abstract :
This article proposes the use of a collaborative multi-agent approach to develop a toolkit to assist the experts during the forensic examination process: MADIK - a Multi-Agent Digital Investigation ToolKit. The use of a multi-agent approach has been proved adequate, especially regarding the cooperative action of the autonomous specialized agents: HashSetAgent, FilePathAgent, TimelineAgent, FileSignatureAgent. Also the distributed nature of the multi-agent approach allows for better usage of computational resources, since agents can operate autonomously in different machines and environments. As part of our work, we have defined a four-layer multi-agent architecture, as a metaphor to the organizational hierarchy levels, which is divided into strategic, tactical, operational and specialist levels. The proposed architecture was the base to the development of the toolkit, which was developed with a blackboard approach, implemented over the Java Agent DEvelopment Framework - JADE, using Java Expert System Shell - JESS. We have done some experiments with MADIK using real data and the results are encouraging. This paper focuses on the benefits of using the multi-agent approach to aid in the forensic examination process, especially regarding the cooperative action of the autonomous specialized agents, which we deem as a flexible and promising possibility that should be further explored in the computer forensics scenario.
Keywords :
Java; expert system shells; mobile agents; multi-agent systems; security of data; JADE; JESS; Java agent development framework; Java expert system shell; MADIK; autonomous specialized agent; computer forensics examination process; cooperative multiagent approach; multiagent digital investigation toolkit; Artificial intelligence; Computational and artificial intelligence; Computer architecture; Data analysis; Distributed computing; Forensics; Humans; Intelligent agent; Java; Software agents; Jade; Jess; Madik; computer forensics; cooperative multi-agent;
Conference_Title :
Web Intelligence and Intelligent Agent Technology, 2008. WI-IAT '08. IEEE/WIC/ACM International Conference on
Conference_Location :
Sydney, NSW
Print_ISBN :
978-0-7695-3496-1
DOI :
10.1109/WIIAT.2008.55