Digital Forensic Readiness Framework For Software-Defined Networks Using A Trigger-Based Collection Mechanism

PROCEEDINGS OF THE 15TH INTERNATIONAL CONFERENCE ON CYBER WARFARE AND SECURITY (ICCWS 2020)(2020)

Abstract
The gradual migration from traditional networking platforms to the Software-Defined Networks (SDN) paradigm presents potential challenges to digital investigation processes, particularly in the identification, extraction and preservation of potential digital evidence in SDN environments. Several digital forensic investigation processes have been designed for traditional network architectures, and a handful of recent studies have attempted to address the challenges of accurately identifying, extracting and preserving reliable potential digital evidence in an SDN. These studies are, however, based on continuous data storage and manual scavenging, without regard to an efficient storage process for potential digital evidence. To address this research gap, this study proposes a proactive digital forensic readiness (DFR) framework with a trigger-based automated collection mechanism that integrates an Intrusion Detection System (IDS) with an SDN controller. The proposed framework was implemented using the Ryu SDN controller, Open vSwitch and Snort as the testing technologies for establishing the SDN configuration. To achieve potential evidence identification and automated extraction, two integrations between the IDS and the SDN were explored: an inline IDS mode and a mirrored-traffic mode. These were then compared to determine which approach maximizes evidence collection and efficiency while reducing system overhead. The experimental results showed that inline mode detects more accurately at the expense of network speed, whereas mirrored-traffic mode preserves the original network speed but detects less accurately. Integrating this framework into an SDN platform therefore allows an organization to choose the implementation that suits its needs while maximizing its ability to conduct investigations. Furthermore, the results from both approaches can be harnessed for efficient forensic investigation processes.
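As an added illustration of the trigger-based collection mechanism the abstract describes (this is not the paper's code; the switch port numbers, the Snort rule ID and alert line, and the packet payloads are constructed assumptions), the following Python sketch parses a Snort fast-format alert, turns it into an OpenFlow-style flow entry that diverts the offending flow to an evidence collector in either inline or mirrored-traffic mode, and hash-chains each captured packet so the preserved evidence can later be checked for integrity.

```python
"""Trigger-based evidence collection for an SDN, simulated offline.

Added example, not the paper's implementation. Port numbers, rule IDs,
alert text and payloads below are constructed for illustration.
"""
import hashlib
import json
import re
from dataclasses import dataclass
from typing import Optional

# Snort "alert_fast" output line; ports are optional so ICMP alerts also parse.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)
IP_PROTO = {"TCP": 6, "UDP": 17, "ICMP": 1}

# Constructed sample alert (SID 1000001 is in the local-rule range, message is made up).
SAMPLE_ALERT = ("01/15-10:22:31.123456  [**] [1:1000001:1] CONSTRUCTED reverse shell banner [**] "
                "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} "
                "10.0.0.5:4444 -> 10.0.0.9:51522")


@dataclass(frozen=True)
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_alert(line: str) -> Optional[Alert]:
    """Extract rule identity, severity and the flow 5-tuple from one fast-alert line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    port = lambda s: int(s) if s is not None else None
    return Alert(int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"], int(m["prio"]),
                 m["proto"], m["src"], port(m["sport"]), m["dst"], port(m["dport"]))


def flow_mod_for(alert: Alert, mode: str, ids_port: int = 2, collector_port: int = 3,
                 idle_timeout: int = 300) -> dict:
    """Translate an alert into an OpenFlow-1.3-style flow entry (plain dict, not Ryu objects).

    inline : the IDS sits in the data path, so the flow goes to the IDS port (which
             forwards or drops it) and a copy goes to the evidence collector.
    mirror : the switch forwards normally and copies the flow to the IDS and collector.
    Port numbers are assumed; the paper's topology is not reproduced here.
    """
    if mode not in ("inline", "mirror"):
        raise ValueError(f"unknown mode {mode!r}")
    match = {"eth_type": 0x0800, "ipv4_src": alert.src, "ipv4_dst": alert.dst,
             "ip_proto": IP_PROTO[alert.proto]}
    if alert.proto in ("TCP", "UDP") and alert.sport is not None and alert.dport is not None:
        match[f"{alert.proto.lower()}_src"] = alert.sport
        match[f"{alert.proto.lower()}_dst"] = alert.dport
    actions = [f"OUTPUT:{ids_port}"] if mode == "inline" else ["OUTPUT:NORMAL", f"OUTPUT:{ids_port}"]
    actions.append(f"OUTPUT:{collector_port}")
    # Snort priority 1 is most severe; map it to the highest OpenFlow priority so the
    # capture entry outranks the default forwarding entries. The cookie encodes the
    # triggering rule so an investigator can tie the flow entry back to the alert.
    return {"priority": 1000 + max(0, 10 - alert.priority), "idle_timeout": idle_timeout,
            "cookie": (alert.gid << 32) | alert.sid, "match": match, "actions": actions}


class EvidenceStore:
    """Append-only capture log; every record is hash-chained to its predecessor."""
    GENESIS = "0" * 64

    def __init__(self):
        self.packets, self.records = [], []

    @staticmethod
    def _chain_hash(rec: dict) -> str:
        body = {k: v for k, v in rec.items() if k != "chain"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def add(self, cookie: int, packet: bytes, ts: float) -> dict:
        prev = self.records[-1]["chain"] if self.records else self.GENESIS
        rec = {"seq": len(self.records), "ts": ts, "cookie": cookie, "len": len(packet),
               "sha256": hashlib.sha256(packet).hexdigest(), "prev": prev}
        rec["chain"] = self._chain_hash(rec)
        self.packets.append(packet)
        self.records.append(rec)
        return rec

    def verify(self) -> bool:
        """True only if no packet or record was altered, dropped or reordered."""
        prev = self.GENESIS
        for rec, pkt in zip(self.records, self.packets):
            if rec["prev"] != prev or rec["sha256"] != hashlib.sha256(pkt).hexdigest():
                return False
            if self._chain_hash(rec) != rec["chain"]:
                return False
            prev = rec["chain"]
        return len(self.records) == len(self.packets)


def demo(mode: str = "mirror"):
    """Alert -> flow entry -> two captured (constructed) packets in the evidence store."""
    alert = parse_alert(SAMPLE_ALERT)
    rule = flow_mod_for(alert, mode)
    store = EvidenceStore()
    for i, pkt in enumerate([b"uid=0(root) gid=0(root)\n", b"cat /etc/shadow\n"]):
        store.add(rule["cookie"], pkt, ts=1579083751.0 + i)
    return alert, rule, store


if __name__ == "__main__":
    alert, rule, store = demo("inline")
    print(json.dumps(rule, indent=2))
    print("chain intact:", store.verify())
```

In a live deployment the flow entry would be pushed by the controller rather than printed; Ryu's snortlib module delivers Snort alerts to a Ryu application, which is where a rule like the one above would be built and sent as an OFPFlowMod. The hash chain is the part that matters for readiness: a capture that cannot be shown to be unmodified has little evidential value, whichever of the two modes produced it.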
Keywords
Software-Defined Network, Digital Forensic Readiness, Network Security, Intrusion Detection System, Evidence Identification, Evidence Acquisition