Network forensic investigation in OpenFlow networks with ForCon

To resolve the challenges of forensic investigation in virtual networks, we present a new forensic framework called “Virtual Network Forensic Process”. Based on this framework we present the design, implementation and workflow of ForCon - a forensic controller to implement network investigation in OpenFlow controlled networks using Open vSwitch. Current trends bear out that virtualization techniques are no longer limited to computers as virtual machines. Thus cloud service providers try to offer greater value to their customers by implementing virtual networks and storage. Virtual environments have the same requirements for forensic investigation, however to fulfil these new tools and workflows to resolve new challenges like virtual machine migration or user customization are needed. ForCon uses dislocated agents in the network to monitor the virtual environment for changes and adapt the installed capture process without the need for any further interaction by an investigator. Thus, the network forensic investigation in virtual networks becomes flexible and valid evidence of the network data is gathered.