Digital Forensic Readiness Approach for Potential Evidence Preservation in Software-Defined Networks

A software-defined network (SDN), unlike the traditional networking environment, is an emerging network architecture that decouples the control plane from the data plane and creates an open interface between the two planes. SDN enables organizations to design and implement innovative networks in a much simpler and flexible way. These opportunities could, however, expose the network to potentially new security challenges such as scanning, spoofing, and denial-of-service attacks, as well as the single-point-of-failure vulnerability of the network. Digital forensics approach is one way of addressing these challenges. However, with the traditional digital forensics investigation approach, evidence can be lost as a result of digital artifacts contamination or deletion by an attacker if the control plane is compromised. Additionally, the volatility of a software-defined network architecture could result in overwritten event-logs prior to evidence identification and acquisition process. As an approach towards a reliable evidence preservation, this study developed a proactive mechanism for the identification, handling, collection, and preservation of digital artifacts in an SDN. The mechanism integrates digital forensics readiness approach to the acquisition and preservation of volatile potential evidence. Using a series of experimental observation, the mechanism developed in this study was evaluated and the result shows that reliable evidence can be proactively collected in a typical SDN in a forensically sound manner. Furthermore, the result augments the viability of performing forensic investigation in an SDN. The proposed mechanism could be used to effectively preserve and improve the security structure of the SDN without interfering with the SDN operational processes.