
A Multi-Agent System for Firewall Forensics Analysis

Journal: International Journal of New Computer Architectures and their Applications (IJNCAA) (Vol.1, No. 1)

Publication Date:

Authors : ;

Page : 25-33

Keywords : ;


Abstract

Computer forensics applies law to fight against unlawful and illegitimate use of computers and networks. It employs investigation methods to solve computer crimes. Because the firewall is the single point of entry and exit in a network, it is considered the ideal location for recording network activities. The firewall log files trace all incoming and outgoing events in a network. Their content can include details about attacks and penetration attempts in the network. For this reason, firewall forensics has become a principal branch of the computer forensics field. It uses the content of the firewall log files as a source of evidence to lead an investigation with the aim of identifying computer attacks. The investigation in firewall forensics consists of analyzing and interpreting the relevant information about computer attacks that is contained in firewall log files. However, the content of the log files is generally cryptic and difficult to decode, and its interpretation requires qualified expertise. This paper proposes an intelligent system that automates the firewall forensics process and helps the security administrator to manage, exploit and interpret the content of the firewall log files. This system will assist the security administrator in making suitable decisions and judgments during the investigation step.

Last modified: 2012-09-11 23:46:48