Network Forensic Investigation in OpenContrail Environments

Abstract

The requirements of today's data center networks include scalability, multi-tenancy and isolation from the underlying infrastructure, which are primarily achieved through the use of network virtualization. As a downside, the overall complexity increases with the number of technologies involved, which has a significant impact upon network forensic investigation. In this context we investigated OpenContrail, an open source framework for network virtualization that provides built-in methods for collecting network traffic. In our research, we concluded that these methods work in principle, but are not suitable to capture network traffic that can be used in court. The packet mirroring turned out to be incomplete and the capture process can be detected by the virtual machine under investigation. Based on these findings, we developed a more flexible agent that especially ensures the transparency of the capture process for the suspicious virtual machine.