Technical Tuesday – 28 March 2017 – Software Defined Networking (SDN) Forensics by Mr. Joseph Bull and Mr. Michael McAlister of Booz Allen Hamilton

Volatility and Tshark were critical components in Booz Allen Hamilton's win of the 2016 Digital Forensics Research Workshop (DFRWS) international Software Defined Networking (SDN) digital forensics challenge. The team won by creating a prototype solution that extracts forensic artifacts from two sources: SSL/TLS-encrypted packets exchanged between an SDN switch and its controller, and a memory dump from the SDN switch. Volatility facilitated the recovery of the crypto keys and other relevant network and system attributes from the memory dump. Tshark then provided a mechanism to consume the recovered encryption keys and automate the analysis of the OpenFlow protocol. This led to the complete enumeration of the network (e.g., devices present, device details) and of the SDN network flow rules (both static and dynamic). Mr. Bull and Mr. McAlister will walk through the steps that enabled the team to forensically enumerate the SDN network using only open source tools.

Presented by: Mr. Joseph Bull and Mr. Michael McAlister of Booz Allen Hamilton

Mr. Bull is a system security engineer with 15 years of experience supporting DoD, civil, and commercial clients, and holds CISSP and CSEP certifications. Mr. McAlister is a US Navy veteran with over 10 years of experience as a protocol analyst who has earned his GCIH and CSM. Booz Allen Hamilton recently won the DFRWS SDN digital forensics challenge with the support of Joseph Bull, Chris Christou, Tyler Duquette, Emre Ertekin, Michael Lundberg, Michael McAlister and Greg Starkey. Booz Allen Hamilton advocates for open source solutions such as Wireshark and Volatility to further advance SDN and the associated forensics tradecraft.