Network Forensic Investigation in OpenContrail Environments

The requirements of today's data center networks include scalability, multi-tenancy and isolation from the underlying infrastructure, which are primarily achieved through network virtualization. As a downside, the overall complexity grows with the number of technologies involved, which has a significant impact on network forensic investigation. In this context we investigated OpenContrail, an open source framework for network virtualization that provides built-in methods for collecting network traffic. In our research, we concluded that these methods work in principle, but are not suitable for capturing network traffic that can be used in court: the packet mirroring turned out to be incomplete, and the capture process can be detected by the virtual machine under investigation. Based on these findings, we developed a more flexible agent that in particular keeps the capture process transparent to the suspect virtual machine.
