Multi-agent Based Forensic Analysis Framework for Infrastructures Involving Storage Networks

  • Muhammad Naeem Ahmed Khan
Research Article


In this paper, we present a framework based on a collaborative multi-agent approach for performing real-time forensic analysis on infrastructures that involve storage networks, such as a storage area network, storage servers or network attached storage. For this purpose, the activity surrounding the file accesses made on the servers, storage devices and other components is logged by deploying independent agents at the different components, including the storage networks and the servers. The agents continuously collect event logs and collaborate with each other to identify malicious accesses and generate alerts accordingly. The framework offers a consolidated view of the sequence of activities that happened on the storage network infrastructure and the allied servers at any point in time.


Keywords: Digital forensics; Real-time forensic analysis; Live forensic analysis; Storage server forensics; Computer security; Event log analysis; Incident response
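To make the abstract's collaboration concrete, the following is an added Python sketch, not the paper's code: two agents, one on a file server and one on the storage network, forward constructed file-access events to a coordinator that consolidates them into one time-ordered view and raises an alert for any storage-level access that no server-level access on the same path explains. The two-second matching window, the agent names and the bypass rule are assumptions for illustration.

```python
# Added illustration of the multi-agent log collaboration described in the
# abstract; not the paper's implementation. Agents are assumed to be
# time-synchronised so that timestamps from different components compare.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Event:
    ts: float        # epoch seconds as reported by the agent
    agent: str       # component whose agent logged the access
    path: str        # file (or volume path) that was accessed
    principal: str   # who performed the access, as seen by that component
    action: str      # read / write / delete ...


# Constructed sample logs (not real data), one list per agent.
SERVER_EVENTS = [
    Event(100.0, "fileserver", "/vol1/payroll.xlsx", "alice", "read"),
    Event(130.0, "fileserver", "/vol1/hr/notes.txt", "bob", "write"),
]
STORAGE_EVENTS = [
    Event(100.2, "san", "/vol1/payroll.xlsx", "fileserver", "read"),
    Event(130.1, "san", "/vol1/hr/notes.txt", "fileserver", "write"),
    # Constructed anomaly: the SAN serves a read that no file server requested.
    Event(200.0, "san", "/vol1/payroll.xlsx", "mgmt-host", "read"),
]

WINDOW = 2.0  # assumed: a storage access must follow its server access within 2 s


def consolidate(*streams: List[Event]) -> List[Event]:
    """Merge every agent's log into the single time-ordered view the
    framework presents to the investigator."""
    return sorted((e for s in streams for e in s), key=lambda e: e.ts)


def unmatched_storage_accesses(server: List[Event], storage: List[Event],
                               window: float = WINDOW) -> List[Event]:
    """Collaboration rule (assumed): a storage-level access to a path that
    the server agent did not report within `window` seconds before it is
    a candidate direct access that bypassed the server, so it is alerted."""
    return [s for s in storage
            if not any(v.path == s.path and 0 <= s.ts - v.ts <= window
                       for v in server)]


def alerts(server: List[Event], storage: List[Event]) -> List[str]:
    """Human-readable alerts for each unexplained storage access."""
    return [f"ALERT t={e.ts}: {e.principal} {e.action} {e.path} via {e.agent} "
            f"with no matching server-side access"
            for e in unmatched_storage_accesses(server, storage)]
```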



Copyright information

© The National Academy of Sciences, India 2018

Authors and Affiliations

  1. Shaheed Zulfikar Ali Bhutto Institute of Science and Technology (SZABIST), Islamabad, Pakistan
