Forensics Investigation of OpenFlow-Based SDN Platforms

  • Mudit Kalpesh Pandya
  • Sajad Homayoun
  • Ali Dehghantanha (corresponding author)

Chapter. Part of the Advances in Information Security book series (ADIS, volume 70)

Abstract

Software Defined Networking (SDN) is an increasingly common way to virtualize networking functionality. Although the security of SDNs has been investigated thoroughly in the literature, forensic acquisition and analysis of data remnants for the purpose of constructing digital evidence for threat intelligence has received little research attention. This chapter first proposes a practical framework for forensic investigation of OpenFlow-based SDN platforms. Because of the sheer volume of data that flows through networks, the proposed framework also implements data reduction techniques, not only to facilitate intelligence creation but also to support long-term storage and mapping of SDN data. The framework is validated through experiments on two use cases on a virtual SDN running on Mininet. Analysis and comparison of southbound PCAP files and the memory images of switches enabled successful acquisition of forensic evidential artefacts pertaining to these use cases.
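The abstract describes two of the framework's steps: carving OpenFlow control-channel artefacts out of a southbound PCAP, and reducing the resulting volume before storage. The following is an added illustration of those steps, not code from the chapter or its authors. It assumes a little-endian pcap, Ethernet/IPv4/TCP framing, the OpenFlow 1.0 header layout (version, type, length, xid) and the classic controller port 6633; the capture it parses is constructed inline, including a non-OpenFlow HTTP segment that an investigator would expect the extraction step to ignore.

```python
"""Added example: extract OpenFlow 1.0 messages from a southbound PCAP and
apply a simple data-reduction step (collapse repeated messages by digest).
All packet bytes are constructed inline; this is not the chapter's code."""
import hashlib
import struct
from collections import Counter

# Subset of OpenFlow 1.0 message type codes (from the OpenFlow 1.0 specification)
OFPT_NAMES = {0: "HELLO", 2: "ECHO_REQUEST", 3: "ECHO_REPLY",
              10: "PACKET_IN", 13: "PACKET_OUT", 14: "FLOW_MOD"}
OFP_PORT = 6633  # classic controller port (6653 is the IANA-assigned one); assumed here

def build_frame(src_port, dst_port, payload):
    """Constructed Ethernet/IPv4/TCP frame carrying `payload` (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Constructed little-endian pcap blob: global header plus one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1500000000 + i, 0, len(f), len(f)) + f
    return out

def ofp_msg(mtype, xid, body=b""):
    """OpenFlow 1.0 header: version(1) type(1) length(2) xid(4), then body."""
    return struct.pack("!BBHI", 1, mtype, 8 + len(body), xid) + body

def iter_records(pcap):
    """Yield the bytes of each packet record in a little-endian pcap blob."""
    magic, = struct.unpack_from("<I", pcap, 0)
    assert magic == 0xA1B2C3D4, "only little-endian pcap handled here"
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl]
        off += incl

def tcp_payload(frame):
    """Return (src_port, dst_port, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:  # IPv4 protocol field must be TCP
        return None
    tcp_off = 14 + ihl
    src, dst = struct.unpack_from("!HH", frame, tcp_off)
    doff = (frame[tcp_off + 12] >> 4) * 4
    return src, dst, frame[tcp_off + doff:]

def extract_openflow(pcap):
    """List of (direction, type_name, xid, body) for every OpenFlow 1.0 message on the control port."""
    msgs = []
    for frame in iter_records(pcap):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src, dst, data = parsed
        if OFP_PORT not in (src, dst):
            continue  # not southbound control traffic
        direction = "to_controller" if dst == OFP_PORT else "to_switch"
        off = 0
        while off + 8 <= len(data):  # several messages may share one TCP segment
            version, mtype, length, xid = struct.unpack_from("!BBHI", data, off)
            if version != 1 or length < 8 or off + length > len(data):
                break  # malformed or truncated; stop rather than loop forever
            msgs.append((direction, OFPT_NAMES.get(mtype, f"TYPE_{mtype}"), xid, data[off + 8:off + length]))
            off += length
    return msgs

def reduce_messages(msgs):
    """Data reduction: collapse messages with identical direction, type and body into counts keyed by digest."""
    counts = Counter()
    for direction, name, _xid, body in msgs:
        counts[(direction, name, hashlib.sha256(body).hexdigest()[:16])] += 1
    return counts

def sample_pcap():
    """Constructed capture: hello exchange, three repeated PACKET_INs, two coalesced FLOW_MODs, one HTTP segment."""
    switch_port, http = 40000, 80
    pkt_in_body = b"\x00\x00\x00\x01\x00\x2a\x00\x03\x00\x00\x00\x00" + b"\xaa" * 42
    flow_mod_body = b"\x00" * 64  # zeroed match/cookie/command fields, constructed
    frames = [build_frame(switch_port, OFP_PORT, ofp_msg(0, 1)),
              build_frame(OFP_PORT, switch_port, ofp_msg(0, 1)),
              build_frame(switch_port, http, b"GET / HTTP/1.0\r\n\r\n")]
    for xid in (10, 11, 12):
        frames.append(build_frame(switch_port, OFP_PORT, ofp_msg(10, xid, pkt_in_body)))
    frames.append(build_frame(OFP_PORT, switch_port,
                              ofp_msg(14, 20, flow_mod_body) + ofp_msg(14, 21, flow_mod_body)))
    return build_pcap(frames)

if __name__ == "__main__":
    for key, n in reduce_messages(extract_openflow(sample_pcap())).items():
        print(n, *key)
```

Seven messages are carved from the constructed capture and collapse to four distinct entries; the xid is deliberately left out of the reduction key so that repeated PACKET_INs for the same frame count as one artefact, while the per-message list keeps every xid for timeline reconstruction.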

Keywords

SDN forensics, Software defined networks, SDN analysis, OpenFlow forensics

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Mudit Kalpesh Pandya (1)
  • Sajad Homayoun (2)
  • Ali Dehghantanha (3, corresponding author)

  1. Department of Computer Science, School of Computing, Science and Engineering, University of Salford, Salford, UK
  2. Shiraz University of Technology, Shiraz, Iran
  3. Department of Computer Science, University of Sheffield, Sheffield, UK