Memory Forensics of the OpenDaylight Software-Defined Networking (SDN) Controller

Software-Defined Networking (SDN) abstracts the underlying networking hardware by keeping the control plane and the data separated. SDNs use the control plane to direct network traffic, while OpenFlow switches and routers play a passive role in the system by forwarding packets. The centralization of the control plane on virtualized systems provide Digital Forensics (DF) an opportunity at acquiring and analyzing the memory of a controller. This provides forensically relevant data regarding the SDN’s operation. In our work, we examined the OpenDaylight (ODL) SDN controller to determine what forensically relevant information may be extracted from the controller’s memory. This was accomplished by creating controller memory samples with different networking configurations, and analyzing the memory samples, then constructing an SDN-Controller-Network-Discovery-Tool (SCoNDT). SCoNDT searches a memory dump for the ODL controller’s host tracker service. This service holds information on each host connected to the network, such as its internal IP address, MAC address, and the dates and times of its first and last network connections. It then generates an HTML report. SCoNDT was evaluated on memory samples with various network configurations and showed high efficacy in reconstructing the host IPs, the usernames, and hashed passwords.