Preprint

Digital Forensic Readiness Implementation in SDN: Issues and Challenges


Abstract

The continued evolution of computer network technologies has seen the introduction of new paradigms such as Software Defined Networking (SDN), which has altered many traditional networking principles in today's business environments. SDN has brought about unprecedented change to the way organisations plan, develop, and enact their networking technology and infrastructure strategies. However, SDN not only offers organisations new opportunities and abilities to redesign their entire network infrastructure but also presents a different set of issues and challenges that need to be resolved. One such challenge is the implementation of Digital Forensic Readiness (DFR) in SDN environments. This paper, therefore, examines the existing literature and highlights the different issues and challenges impacting the implementation of DFR in SDN. The paper also goes further to offer insights on the different countermeasures that organisations can embrace to enhance their ability to respond to cybersecurity incidents, as well as to help them implement DFR in SDN environments.

Article
Full-text available
Internet of Things (IoT) devices are becoming commonplace in homes, buildings, cities, and nations, and IoT networks are also getting more complex and interconnected. The complexity, interconnectivity, and heterogeneity of IoT systems, however, complicate digital (forensic) investigations. The challenge is compounded by the lack of holistic and standardized approaches. Hence, building on the ISO/IEC 27043 international standard, we present a holistic digital forensic readiness (DFR) framework. We also qualitatively evaluate the utility of the proposed DFR framework.
Article
Full-text available
Recently, the work environments of organizations have been in the process of transitioning into smart work environments by applying cloud computing technology in the existing work environment. The smart work environment has the characteristic of being able to access information assets inside the company from outside the company through cloud computing technology, share information without restrictions on location by using mobile terminals, and provide a work environment where work can be conducted effectively in various locations and mobile environments. Thus, in the cloud computing-based smart work environment, changes are occurring in terms of security risks, such as an increase in the leakage risk of an organization's information assets through mobile terminals, which have a high risk of loss and theft, and an increase in the hacking risk of wireless networks in mobile environments. According to these changes in security risk, the reactive digital forensic method, which investigates digital evidence after the occurrence of security incidents, appears to have a limit, which has led to a rise in the necessity of proactive digital forensic approaches wherein security incidents can be addressed preemptively. Accordingly, in this research, we design a digital forensic readiness model at the level of preemptive prevention by considering changes in the cloud computing-based smart work environment. Firstly, we investigate previous research related to the cloud computing-based smart work environment and digital forensic readiness and analyze a total of 50 components of digital forensic readiness. In addition, through the analysis of the corresponding preceding research, we design seven detailed areas, namely, outside the organization environment, within the organization guideline, system information, terminal information, user information, usage information, and additional function. Then, we design a draft of the digital forensic readiness model in the cloud computing-based smart work environment by mapping the components of digital forensic readiness to each area. To verify the draft of the designed model, we create a survey targeting digital forensic field-related professionals, analyze their validity, and deduce a digital forensic readiness model of the cloud computing-based smart work environment consisting of seven detailed areas and 44 components. Finally, through an analytic hierarchy process analysis, we deduce the areas that should be emphasized compared to the existing work environment to heighten the forensic readiness in the cloud computing-based smart work environment. As a result, the weightings of the terminal information (Universal Subscriber Identity Module (USIM) card, collect/gain virtual machine image, etc.), user information (user account information analysis, analysis of user's used service, etc.), and usage information (mobile OS artifact timeline analysis, action analysis through timeline, etc.) appear to be higher than those of the existing work environment. This is analyzed for each organization to preemptively prepare for the components of digital forensic readiness in the corresponding areas.
Article
Full-text available
The evolution of virtualization techniques is changing operating principles in today's datacenters. Virtualization of servers, networks and storage increases the flexibility and dynamics of the environment by reducing the administrative overhead. Based on a physical underlay network, different logical networks are implemented with new protocols like VXLAN, STT or GENEVE. New paradigms like Software-Defined Networks or Network Function Virtualization offer new capabilities to redesign the whole network infrastructure. This trend creates new challenges for digital investigations analysing incidents by extracting and interpreting recorded data inside the environment. As a branch of digital investigation, network forensic investigation is used to examine network traffic by capturing the data of a suspicious target system and analysing this data. In this article, we analyse in detail new challenges in investigating virtual networks. We propose a classification in three categories, which might help to develop new methods and possible solutions to simplify further necessary investigations in virtual network environments. The defined challenges are classified according to their potential to impede the investigation. Based on this classification we derive a list of basic conditions, describing different necessary requirements to implement a successful, valid and ongoing network forensic investigation in these virtual networks.
Article
Full-text available
Digital forensics (DF) is a relatively new discipline with a lot of technical and non-technical terminologies that can be hard to comprehend. During a time-intensive digital forensic investigation process, for example, investigators may at times encounter several new terminologies. In such a scenario, the time required to unearth and analyse the root cause of a potential security incident might be influenced by the complexity involved in resolving the meaning of new terminologies encountered. The difficulty lies in the lack of an approach in DF that can help investigators in resolving the meaning of terminologies or even how these terminologies are perceived by individuals, especially when used in their domain of expertise. If existing digital forensic tools, for example, were to be designed in such a way as to allow investigators to automatically resolve or incorporate the meaning of new terminologies used or encountered during investigations, then the time required to unearth and analyse the root cause of a security incident might be reduced extensively. The main problem addressed in this paper, therefore, is that there exist no approaches in DF that have the ability to help investigators in reasoning with regard to the perceived meaning of different digital forensic terminologies encountered during a digital forensics investigation process. Existing tools thus need to incorporate new approaches that can help in resolving or clarifying the meaning of new terminologies used during investigation processes. For this reason, this paper examines the concept of building ontologies for digital forensic terminologies and proposes an ontological approach to resolve the meaning of different digital forensic terminologies. Besides, ontologies are known to provide a form of knowledge in a given discipline of interest. In the authors' opinion, thus, building ontologies for digital forensic terminologies can support the development of future investigative tools as well as new techniques to a degree of certainty.
Article
Full-text available
Modern organizations need to develop ‘digital forensic readiness’ to comply with their legal, contractual, regulatory, security and operational obligations. A review of academic and practitioner literature revealed a lack of comprehensive and coherent guidance on how forensic readiness can be achieved. This is compounded by the lack of maturity in the discourse of digital forensics rooted in the informal definitions of key terms and concepts. In this paper we validate and refine a digital forensic readiness framework through a series of expert focus groups. Drawing on the deliberations of experts in the focus groups, we discuss the critical issues facing practitioners in achieving digital forensic readiness.
Article
Full-text available
Digital forensics (DF) has become important due to a sharp increase in computer crimes and an acute shortage of trained digital forensics personnel. Cyber crimes may involve crimes committed across several states or across international borders and require the cooperation and collaboration of various local, state, federal, and international law enforcement agencies. Many times, local and state law enforcement agencies do not have investigators trained or skilled in investigating cyber crimes due to lack of IT skills. Alaska is one of only two non-contiguous states of the U.S.A. Anchorage is the most populous city of Alaska, with more than 50% of the state's population. It has eight law enforcement agencies but a severe shortage of law enforcement officers with the necessary technical expertise to investigate computer crimes. In this paper, we present the planning and design of a digital forensics course that meets the needs of local law enforcement agencies, interested students, and members of the local community. The issues involved in offering such a course are presented. The infrastructure needed is explored, with concluding observations.
Conference Paper
Full-text available
The ever-growing threats of fraud and security incidents present many challenges to law enforcement and organisations across the globe. This has given rise to the need for organisations to build effective incident management strategies, which will enhance the company's reactive capability to security incidents. The aim of this paper is to propose proactive activities an organisation can undertake in order to increase its ability to respond to security incidents and create a digitally forensic ready workplace environment. The study constitutes exploratory research, with the use of a systematic literature review as a basis to identify activities relating to a digitally forensic ready environment. While much has been written about how organisations can prepare to respond to security incidents, findings show an absence of a digital forensic readiness model. This paper concludes by presenting such a conceptual model. This study contributes to the greater body of knowledge on the design and implementation of a digital forensic readiness programme, aimed at maximising the use of digital evidence in an organisation.
Article
Full-text available
Digital forensics is essential for the successful prosecution of digital criminals, which involves diverse digital devices such as computer system devices, network devices, mobile devices and storage devices. The digital forensic investigation must be retrieved to obtain the evidence that will be accepted in the court of law. Therefore, for digital forensic investigation to be performed successfully, there are a number of important steps that have to be taken into consideration. The aim of this paper is to produce the mapping process between the processes/activities and output for each phase in the Digital Forensic Investigation Framework (DFIF). Existing digital forensic frameworks will be reviewed and then the mapping is constructed. The result from the mapping process will provide a new framework to optimize the whole investigation process.
Article
Full-text available
The research introduces a structured and consistent approach for digital forensic investigation. Digital forensic science provides tools, techniques and scientifically proven methods that can be used to acquire and analyze digital evidence. The digital forensic investigation must be retrieved to obtain the evidence that will be accepted in the court. This research focuses on a structured and consistent approach to digital forensic investigation. This research aims at identifying activities that facilitate and improve the digital forensic investigation process. Existing digital forensic frameworks will be reviewed and then the analysis will be compiled. The result from the evaluation will produce a new model to improve the whole investigation process.
Conference Paper
Full-text available
Computer Forensics is essential for the successful prosecution of computer criminals. For a forensic investigation to be performed successfully there are a number of important steps that have to be considered and taken. The aim of this paper is to define a clear, step-by-step framework for the collection of evidence suitable for presentation in a court of law. Existing forensic models will be surveyed and then adapted to create a specific application framework for single computer, entry point forensics.
Conference Paper
The gradual migration from a traditional networking platform to a Software-Defined Networks (SDN) paradigm presents potential challenges to digital investigation processes. This is particularly applicable in the identification, extraction, and preservation of potential digital evidence in SDN environments. Several digital forensic investigation processes have been designed for traditional network architecture. A handful of recent studies have attempted to address the challenges of accurately identifying, extracting and preserving reliable potential digital evidence in an SDN. These recent studies are, however, based on continuous data storage and manual scavenging without regard to an efficient storage process for potential digital evidence. To address this research gap, this study proposed a proactive digital forensic readiness (DFR) framework with a trigger-based automated collection mechanism which integrates an Intrusion Detection System (IDS) and an SDN controller. The proposed framework was implemented using the Ryu SDN controller, Open vSwitch and Snort as the testing technologies for establishing the SDN configurations. In order to achieve the potential evidence identification and automated extraction process, two implementations between the IDS and SDN were explored, namely inline IDS mode and mirrored traffic mode. These implementations were then compared to determine the approach that maximizes evidence collection and efficiency whilst reducing system overhead. The results of the experimentation showed that inline mode has better results at the expense of network speed, whereas the mirrored traffic mode preserved original network speed but showed less accurate detection capabilities. Therefore, the integration of this framework into an SDN platform can allow an organization to choose between different implementations that suit their needs whilst maximizing their ability to conduct investigations. Furthermore, the results from both approaches can be harnessed for efficient forensic investigation processes.
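The trigger-based collection mechanism this abstract describes, as an added example that is not the paper's code nor part of Ryu, Open vSwitch or Snort: an IDS alert is the trigger, the collector turns it into a tamper-evident evidence record and derives the OpenFlow match an SDN controller would install to mirror the offending flow to a collector port. The Snort "fast" alert layout is real; the sample alert lines, the collector port number, the priority threshold and the rule timeout are constructed assumptions, and the flow rule is expressed as a plain dictionary rather than a controller-specific API call.

```python
"""Trigger-based evidence collection for an IDS + SDN controller integration.

Constructed example (not the paper's code): parse Snort "fast" alert lines,
append a hash-chained evidence record, and derive the OpenFlow 1.3 match that
a controller would install to mirror the offending flow to a collector port.
"""
import hashlib
import json
import re
from dataclasses import dataclass, asdict
from typing import List, Optional

# Snort fast-alert layout:
# MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:sport -> dst:dport
_FAST = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

PROTO_NUM = {"TCP": 6, "UDP": 17, "ICMP": 1}
COLLECTOR_PORT = 3   # assumed: switch port where the evidence collector listens
MIN_PRIORITY = 2     # assumed: collect on Snort priority 1 and 2 alerts only (1 = most severe)
RULE_IDLE_TIMEOUT = 300  # assumed: mirror rule expires once the flow goes quiet

# Constructed sample alerts (not real sensor output).
SAMPLE_ALERTS = [
    "01/29-10:15:02.123456  [**] [1:1000001:1] CONSTRUCTED sensitive-path probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.2:44321 -> 10.0.0.5:80",
    "01/29-10:15:07.000001  [**] [1:1000002:1] CONSTRUCTED ICMP sweep [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.2 -> 10.0.0.9",
    "01/29-10:16:40.500000  [**] [1:1000003:2] CONSTRUCTED DNS flood [**] "
    "[Classification: Attempted Denial of Service] [Priority: 1] {UDP} 10.0.0.7:5353 -> 10.0.0.53:53",
]


@dataclass(frozen=True)
class Alert:
    ts: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one Snort fast-alert line; return None for anything that does not match."""
    m = _FAST.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Alert(
        ts=g["ts"], gid=int(g["gid"]), sid=int(g["sid"]), rev=int(g["rev"]),
        msg=g["msg"], classification=g["cls"] or "", priority=int(g["prio"]),
        proto=g["proto"].upper(), src=g["src"],
        sport=int(g["sport"]) if g["sport"] else None,
        dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None,
    )


def mirror_match(alert: Alert) -> dict:
    """Build the OpenFlow 1.3 match/actions that mirror the alerted flow to the collector.

    eth_type must be present for the IPv4 fields to be valid (OpenFlow match prerequisites);
    port fields are only added for TCP/UDP, so an ICMP alert matches on addresses alone.
    """
    match = {"eth_type": 0x0800, "ipv4_src": alert.src, "ipv4_dst": alert.dst}
    proto = PROTO_NUM.get(alert.proto)
    if proto is not None:
        match["ip_proto"] = proto
    if alert.proto in ("TCP", "UDP") and alert.sport is not None and alert.dport is not None:
        key = alert.proto.lower()
        match[f"{key}_src"] = alert.sport
        match[f"{key}_dst"] = alert.dport
    # Copy to the collector and keep normal forwarding, so evidence capture is non-disruptive.
    return {"priority": 1000, "idle_timeout": RULE_IDLE_TIMEOUT, "match": match,
            "actions": [{"output": COLLECTOR_PORT}, {"output": "NORMAL"}]}


class EvidenceLog:
    """Append-only, hash-chained evidence records: a tamper-evident custody trail."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.records: List[dict] = []

    def append(self, raw_line: str) -> Optional[dict]:
        alert = parse_alert(raw_line)
        if alert is None or alert.priority > MIN_PRIORITY:
            return None  # unparsable, or below the collection threshold
        prev = self.records[-1]["record_hash"] if self.records else self.GENESIS
        rec = {"seq": len(self.records), "alert": asdict(alert),
               "raw_sha256": hashlib.sha256(raw_line.encode()).hexdigest(),
               "flow_rule": mirror_match(alert), "prev_hash": prev}
        rec["record_hash"] = self._digest(rec)
        self.records.append(rec)
        return rec

    @staticmethod
    def _digest(rec: dict) -> str:
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self) -> bool:
        """Recompute every digest and link; any edit to a stored record breaks the chain."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            if rec["seq"] != i or rec["prev_hash"] != prev or self._digest(rec) != rec["record_hash"]:
                return False
            prev = rec["record_hash"]
        return True


if __name__ == "__main__":
    log = EvidenceLog()
    for line in SAMPLE_ALERTS:
        rec = log.append(line)
        print("collected" if rec else "skipped ", line.split("[**]")[1].strip())
    print("chain valid:", log.verify())
```

The priority filter is where the inline-versus-mirrored trade-off from the abstract shows up in practice: mirrored deployments that miss some detections can lower the threshold to widen collection, while inline deployments that already see everything can keep it tight to limit storage. The hash chain gives an investigator a cheap integrity check over the collected records without needing the original sensor.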
Article
Software Defined Networking (SDN) decouples the control plane from the data plane of forwarding devices. This separation provides several benefits, including the simplification of network management and control. However, due to a variety of reasons, such as budget constraints and fear of downtime, many organizations are reluctant to fully deploy SDN. Partially deploying SDN through the placement of a limited number of SDN devices among legacy (traditional) network devices forms a so-called hybrid SDN network. While hybrid SDN networks provide many of the benefits of SDN and have a wide range of applications, they also pose several challenges. These challenges have recently been addressed in a growing body of literature on hybrid SDN network structures and protocols. This article presents a comprehensive up-to-date survey of the research and development in the field of hybrid SDN networks. We have organized the survey into five main categories, namely hybrid SDN network deployment strategies, controllers for hybrid SDN networks, protocols for hybrid SDN network management, traffic engineering mechanisms for hybrid SDN networks, as well as testing, verification, and security mechanisms for hybrid SDN networks. We thoroughly survey the existing hybrid SDN network studies according to this taxonomy and identify gaps and limitations in the existing body of research. Based on the outcomes of the existing research studies as well as the identified gaps and limitations, we derive guidelines for future research on hybrid SDN networks.
Article
The separation of the control plane from the data plane of a switch enables abstraction of a network through a logically centralized controller. The controller functions as the “brain” of a software-defined network. However, centralized control draws attackers to exploit different network devices by hijacking the controller. Security was initially not a key characteristic of SDN architecture, which left it vulnerable to various attackers. The investigation of such attacks in the newly emerging SDN architecture is a challenging task. Therefore, a comprehensive forensic mechanism is required to investigate different forms of attacks by determining their root cause. This article discusses an important area in SDN security, SDN forensics, which until now has received minimal focus. We compare traditional network forensics with SDN forensics to highlight the key differences between them. A brief motivation for SDN forensics is presented to emphasize its significance. Moreover, the potential locations with possible evidence against attackers are identified in SDN. Key requirements are highlighted for SDN forensics with respect to baseline investigation procedures. Finally, we identify challenges in SDN forensics by highlighting potential research areas for researchers, investigators, and academicians.
Article
Software-Defined Networking (SDN) has recently gained significant momentum. However, before any large scale deployments, it is important to understand security issues arising from this new technology. This paper discusses two types of Denial-of-Service (DoS) attacks specific to OpenFlow SDN networks. We emulate them on Mininet and provide an analysis on the effect of these attacks. We find that the timeout value of a flow rule, and the control plane bandwidth have a significant impact on the switch's capability. If not configured appropriately, they may allow successful DoS attacks. Finally, we highlight possible mitigation strategies to address such attacks.
Article
Performing a digital forensic investigation (DFI) requires a standardized and formalized process. There is currently neither an international standard nor does a global, harmonized DFI process (DFIP) exist. The authors studied existing state-of-the-art DFIP models and concluded that there are significant disparities pertaining to the number of processes, the scope, the hierarchical levels, and concepts applied. This paper proposes a comprehensive model that harmonizes existing models. An effort was made to incorporate all types of processes proposed by the existing models, including those aimed at achieving digital forensic readiness. The authors introduce a novel class of processes called concurrent processes. This is a novel contribution that should, together with the rest of the model, enable more efficient and effective DFI, while ensuring admissibility of digital evidence. Ultimately, the proposed model is intended to be used for different types of DFI and should lead to standardization. © 2015 American Academy of Forensic Sciences.
Article
Cloud services are exploding, and organizations are converging their data centers in order to take advantage of the predictability, continuity, and quality of service delivered by virtualization technologies. In parallel, energy-efficient and high-security networking is of increasing importance. Network operators, and service and product providers require a new network solution to efficiently tackle the increasing demands of this changing network landscape. Software-defined networking has emerged as an efficient network technology capable of supporting the dynamic nature of future network functions and intelligent applications while lowering operating costs through simplified hardware, software, and management. In this article, the question of how to achieve a successful carrier grade network with software-defined networking is raised. Specific focus is placed on the challenges of network performance, scalability, security, and interoperability with the proposal of potential solution directions.
Article
A digital forensic readiness (DFR) programme consists of a number of activities that should be chosen and managed with respect to cost constraints and risk. Traditional cost systems, however, cannot provide the cost of individual activities. This makes it difficult or impossible for organisations to consider cost when making decisions about specific activities. In this paper we show that the relatively new cost system, time-driven activity-based costing (TDABC), can be used to determine the cost of implementing and managing activities required for DFR. We show through analysis and simulation that the cost information from a TDABC model can be used for such decisions. We also discuss some of the factors that ought to be considered when implementing or managing the use of TDABC in a large organisation.
Conference Paper
Digital forensics is concerned with the investigation of any suspected crime or misbehaviour that may be manifested by digital evidence. The digital evidence may be manifest in various forms. It may be manifest on digital electronic devices or computers that are simply passive repositories of evidence that documents the activity, or it may consist of information or meta-information resident on the devices or computers that have been used to actually facilitate the activity, or that have been targeted by the activity. In each of these three cases, we have recorded digital evidence of the activity. This paper examines some recent advances in digital forensics and some important emerging challenges. It considers the following topics: tools and their evolution; the implications of large volumes of data; the impact of embedded and special-purpose computer systems; corporate governance and its implications for 'forensic readiness'; and the role of forensics in securing the Internet.
Aric, T. (2020). SDN Network (Software Defined Network OpenFlow Protocol) Overview - The Ultimate Guide!! (What Is SDN And How It Really Works?). Available at: https://electronicsguide4u.com/sdn-network-softwaredefined-network-openflow-protocol-what-is-sdn/ [Accessed 29 January 2021]
Galis, A., Clayman, S., Mamatas, L., Rubio Loyola, J., Manzalini, A., Kuklinski, S., Serrat, J., & Zahariadis, T. (2013). Softwarization of Future Networks and Services - Programmable Enabled Networks as Next Generation Software Defined Networks. IEEE SDN for Future Networks and Services (SDN4FNS).
KPMG (2015). Achieving Digital Forensic Readiness. Available at: https://assets.kpmg/content/dam/kpmg/pdf/2016/03/Achieving-Digital-Forensic-Readiness-12-9-2015.pdf [Accessed 28 January 2021]
Munkhondya, H., Ikuesan, A. R., & Venter, H. S. (2020). A case for a dynamic approach to digital forensic readiness in an SDN platform. In International Conference on Cyber Warfare and Security (pp. 584-XVIII). Academic Conferences International Limited.
Munkhondya, H., Ikuesan, A., & Venter, H. (2019, February). Digital forensic readiness approach for potential evidence preservation in software-defined networks. In ICCWS 2019 14th International Conference on Cyber Warfare and Security: ICCWS (Vol. 268).
ONF (2013). SDN Architecture Overview. Version 1.0. Available at: https://opennetworking.org/wpcontent/uploads/2013/02/SDN-architecture-overview-1.0.pdf [Accessed 29 January 2021]
Rosencrance, L., English, J., & Burke, J. (2020). software-defined networking (SDN). Available at: https://searchnetworking.techtarget.com/definition/software-defined-networking-SDN# [Accessed 29 January 2021]
SDx (2015). Understanding the SDN Architecture - SDN Control Plane & SDN Data Plane. Available at: https://www.sdxcentral.com/networking/sdn/definitions/inside-sdn-architecture/# [Accessed 29 January 2021]