Abstract
Software Defined Networking (SDN) is an increasingly common implementation for virtualization of networking functionalities. Although the security of SDNs has been investigated thoroughly in the literature, forensic acquisition and analysis of data remnants for the purpose of constructing digital evidence for threat intelligence has received little research attention. This chapter first proposes a practical framework for forensic investigation in OpenFlow-based SDN platforms. Furthermore, because of the sheer volume of data that flows through networks, the proposed framework also implements data reduction techniques, not only to facilitate intelligence creation but also to support long-term storage and mapping of SDN data. The framework is validated by experimenting with two use cases on a virtual SDN running on Mininet. Analysis and comparison of southbound PCAP files and the memory images of switches enabled successful acquisition of forensic evidential artefacts pertaining to these use cases.
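As an added illustration (not code from the chapter or its framework), the following Python sketch shows the two steps the abstract names: parsing OpenFlow 1.0 messages out of southbound controller-to-switch traffic, and reducing them to a compact evidential record before storage. It assumes the TCP payload has already been reassembled from the PCAP into a byte stream, and the sample stream it parses is constructed, not captured from the chapter's Mininet experiments.

```python
import struct
from collections import Counter
# OpenFlow 1.0 message types and flow_mod commands relevant to southbound evidence
OF_TYPES = {0: "HELLO", 2: "ECHO_REQUEST", 3: "ECHO_REPLY", 5: "FEATURES_REQUEST",
            6: "FEATURES_REPLY", 10: "PACKET_IN", 14: "FLOW_MOD"}
FLOW_CMDS = {0: "ADD", 1: "MODIFY", 2: "MODIFY_STRICT", 3: "DELETE", 4: "DELETE_STRICT"}
NOISE = {"ECHO_REQUEST", "ECHO_REPLY"}  # keepalives: bulk with no evidential value

def ip(n): return ".".join(str((n >> s) & 0xff) for s in (24, 16, 8, 0))

def parse_messages(stream):
    """Walk a reassembled controller<->switch byte stream using the 8-byte OF header."""
    msgs, off = [], 0
    while off + 8 <= len(stream):
        version, mtype, length, xid = struct.unpack("!BBHI", stream[off:off + 8])
        if version != 1 or length < 8 or off + length > len(stream):
            break  # truncated or non-OpenFlow bytes: stop rather than misalign
        body = stream[off + 8:off + length]
        rec = {"type": OF_TYPES.get(mtype, "TYPE_%d" % mtype), "xid": xid}
        if mtype == 6 and len(body) >= 8:      # FEATURES_REPLY carries the datapath id
            rec["dpid"] = "%016x" % struct.unpack("!Q", body[:8])[0]
        elif mtype == 14 and len(body) >= 56:  # FLOW_MOD: 40-byte ofp_match, then mod fields
            src, dst = struct.unpack("!II", body[28:36])
            cmd, _idle, _hard, prio = struct.unpack("!HHHH", body[48:56])
            rec.update(cmd=FLOW_CMDS.get(cmd, str(cmd)), priority=prio, nw_src=ip(src),
                       nw_dst=ip(dst), in_port=struct.unpack("!H", body[4:6])[0])
        msgs.append(rec)
        off += length
    return msgs

def reduce_records(msgs):
    """Data reduction: drop keepalives and collapse identical rule events into counts."""
    summary = Counter()
    for m in msgs:
        if m["type"] not in NOISE:
            summary[tuple(sorted((k, v) for k, v in m.items() if k != "xid"))] += 1
    return summary

def build_sample_stream():
    """Constructed sample: hello, keepalives, features reply, a rule installed twice
    (xid 10, 11) and then deleted (xid 12). Hypothetical, not the chapter's data."""
    def hdr(t, length, xid):
        return struct.pack("!BBHI", 1, t, length, xid)
    def flow_mod(cmd, xid):  # ofp_match (40 B) + flow_mod fields (24 B), no actions
        match = struct.pack("!IH6s6sHBxHBBxxIIHH", 0, 1, b"\0" * 6, b"\0" * 6, 0, 0,
                            0x0800, 0, 6, 0x0A000001, 0x0A000002, 0, 80)
        tail = struct.pack("!QHHHHIHH", 0, cmd, 0, 0, 100, 0xffffffff, 0xffff, 0)
        return hdr(14, 8 + len(match) + len(tail), xid) + match + tail
    feats = hdr(6, 32, 4) + struct.pack("!QIB3xII", 1, 256, 1, 0, 0)
    return (hdr(0, 8, 1) + hdr(2, 8, 2) + hdr(3, 8, 2) + feats
            + flow_mod(0, 10) + flow_mod(0, 11) + flow_mod(3, 12) + hdr(2, 8, 3))
```

Comparing the reduced summary against flow tables recovered from a switch memory image is then a matter of matching on the same (dpid, match, priority) keys.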
© 2018 Springer International Publishing AG, part of Springer Nature
Pandya, M.K., Homayoun, S., Dehghantanha, A. (2018). Forensics Investigation of OpenFlow-Based SDN Platforms. In: Dehghantanha, A., Conti, M., Dargahi, T. (eds) Cyber Threat Intelligence. Advances in Information Security, vol 70. Springer, Cham. https://doi.org/10.1007/978-3-319-73951-9_14
DOI: https://doi.org/10.1007/978-3-319-73951-9_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-73950-2
Online ISBN: 978-3-319-73951-9