2Informatics Institute, Gazi University, Ankara, Turkiye; Department of Computer Engineering, Faculty of Engineering, Gazi University, Ankara, Turkiye.
The proliferation of software-defined networks (SDN) increases the necessity of security and forensic research in this field. Network forensics is of particular importance considering the ever-increasing traffic density and variety of devices, and SDN has great potential for improved forensic processes thanks to its ability to provide a centralized view and control of the network. This article's motivation is the lack of a standard forensic process in SDN. The main objective of this study is to examine the differences in the forensic processes of different SDN controllers, whether the southbound interface data is sufficient for the forensic processes, and whether it is possible to choose the best controller in terms of forensics. Four of the most widely used controllers have been selected and tested under seven different scenarios to observe how the results were obtained in terms of forensics. During the tests, in addition to the routine data accesses, attack preparation tools and denial-of-service attack tools were used to expand the scope. Experiments in which each scenario was applied for four different controllers demonstrated that different controllers have different characteristics in network forensics parameters, such as attack type detection, attacker information, service interruptions, packet size, and the number of packets. Experiments proved that southbound interface data is sufficient for forensic processes, different controllers have different characteristics in forensic processes, none of the most used controllers is the best to cover all forensic processes, and a standard forensic method is required for software-defined network forensics.