
Research On Multiple Agent-based Distributed Network Dynamic Forensics System

Posted on: 2009-03-17
Degree: Master
Type: Thesis
Country: China
Candidate: X Zhang
Full Text: PDF
GTID: 2178360275971907
Subject: Computer system architecture
Abstract/Summary:
Network security becomes more and more important with the rapid development of the Internet. In the battle between network crime and network security defense technology, using security technology alone to crack down on Internet criminals is not very effective; social and legal power is also needed to deal with network crime. Under these circumstances, computer forensics has emerged and developed. The study of computer forensics has very important practical significance for maintaining social stability and combating computer crime.

This paper discusses the characteristics of agents and the advantages of using multiple agents, analyses typical static forensics models and typical dynamic forensics models, and summarizes the problems of static forensics and dynamic forensics. Aimed at the requirements of a specific application, a distributed dynamic forensics model named MADNDFS is designed on the basis of multi-agent and forensics models. This paper describes the design requirements of MADNDFS and completes its overall structure, the entities involved, the coordination mechanism among entities and the coordination flow.

On the basis of the overall design of MADNDFS, some key technologies involved in the system implementation are described. To meet the basic need of collecting network evidence efficiently, MADNDFS uses the API provided by the winpcap development kit to collect network evidence, and uses a cycle buffer queue model to improve the performance of the network evidence collection agents. The detailed design of the network evidence analyzing agent is then expanded, including the protocol analysis module, the data-flow reorganization module and the application-level evidence extraction module.

In addition, the security access control module uses a role-based access control method to ensure the security of electronic data effectively. Experimental results show that MADNDFS can collect network evidence efficiently, extract web evidence and email evidence, guarantee the security of electronic data, and collect evidence from several local area networks simultaneously. As a forensics system, MADNDFS can meet the need for distributed forensics.
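The cycle buffer queue that the abstract credits for the collection agents' performance can be shown concretely. The following is an added example, not code from the thesis or from MADNDFS: a fixed-size circular queue in C that decouples a packet-capture callback (the role a winpcap `pcap_loop` callback would play) from a slower evidence-analysis consumer. The ring size, slot layout, function names and the simulated packet burst are this example's own assumptions; winpcap itself is not linked so that the block runs stand-alone. The full-ring case is handled by dropping and counting rather than blocking, because a capture callback that blocks loses packets silently in the driver instead of recording the loss.

```c
/* Added example (not from the thesis): a single-producer/single-consumer
 * circular buffer queue between a packet-capture callback and a slower
 * analysis consumer. Packet contents are simulated; all names are the
 * example's own, not MADNDFS identifiers. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RING_SLOTS   8      /* power of two so the index wraps with a mask */
#define MAX_PKT_LEN  256    /* assumption: snap length stored per slot */

typedef struct {
    uint32_t len;
    uint32_t ts_sec;        /* capture timestamp, as a pcap header would give */
    uint8_t  data[MAX_PKT_LEN];
} pkt_slot_t;

typedef struct {
    pkt_slot_t slots[RING_SLOTS];
    uint32_t head;          /* next slot the producer writes */
    uint32_t tail;          /* next slot the consumer reads */
    uint64_t enqueued;      /* packets accepted into the ring */
    uint64_t dropped;       /* packets discarded because the ring was full */
} pkt_ring_t;

void ring_init(pkt_ring_t *r) { memset(r, 0, sizeof *r); }

/* head and tail only ever grow; their difference is the fill level and stays
 * correct across uint32_t wrap because RING_SLOTS divides 2^32. */
static int ring_full(const pkt_ring_t *r)  { return r->head - r->tail == RING_SLOTS; }
static int ring_empty(const pkt_ring_t *r) { return r->head == r->tail; }

/* Producer side: called once per captured frame. Returns 1 if stored, 0 if
 * dropped. Counting drops instead of blocking keeps the capture path fast,
 * and the counter tells the investigator whether the evidence has gaps. */
int ring_push(pkt_ring_t *r, const uint8_t *data, uint32_t len, uint32_t ts_sec)
{
    if (ring_full(r)) { r->dropped++; return 0; }
    pkt_slot_t *s = &r->slots[r->head & (RING_SLOTS - 1)];
    if (len > MAX_PKT_LEN) len = MAX_PKT_LEN;   /* truncate like a snaplen */
    s->len = len;
    s->ts_sec = ts_sec;
    memcpy(s->data, data, len);
    r->head++;              /* publish the slot only after the copy completes */
    r->enqueued++;
    return 1;
}

/* Consumer side: copy the oldest packet out. Returns 1 on success, 0 if empty. */
int ring_pop(pkt_ring_t *r, pkt_slot_t *out)
{
    if (ring_empty(r)) return 0;
    *out = r->slots[r->tail & (RING_SLOTS - 1)];
    r->tail++;
    return 1;
}

/* Constructed burst: the capture source delivers n frames before the analysis
 * agent drains any. Frame i is filled with byte value i. Returns how many
 * frames the ring accepted. */
uint32_t simulate_burst(pkt_ring_t *r, uint32_t n)
{
    uint8_t frame[64];
    uint32_t accepted = 0;
    for (uint32_t i = 0; i < n; i++) {
        memset(frame, (int)(i & 0xff), sizeof frame);
        accepted += (uint32_t)ring_push(r, frame, sizeof frame, 1000 + i);
    }
    return accepted;
}

int main(void)
{
    pkt_ring_t ring;
    pkt_slot_t pkt;
    ring_init(&ring);
    uint32_t accepted = simulate_burst(&ring, 12);   /* burst larger than the ring */
    printf("accepted %u, dropped %llu\n", accepted, (unsigned long long)ring.dropped);
    while (ring_pop(&ring, &pkt))
        printf("ts=%u len=%u first_byte=0x%02x\n", pkt.ts_sec, pkt.len, pkt.data[0]);
    return 0;
}
```

The example is single-threaded so the indexing logic stays visible; where capture and analysis run in separate threads, as the agent design implies, `head` and `tail` must be atomic with release/acquire ordering, and the consumer must finish reading a slot before the producer may reuse it. The `dropped` counter belongs in the collection agent's log, since an analyst needs to know whether the recorded stream is complete before drawing conclusions from it.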
Keywords/Search Tags: Distributed Forensics, Dynamic Forensics, Network Evidence Collection, Network Evidence Analysis, Security Access Control