Challenges of Network Forensic Investigation in Virtual Networks


  • Daniel Spiekermann FernUniversität Hagen, Germany
  • Tobias Eggendorfer Hochschule Ravensburg-Weingarten, Germany



Virtual networks, network forensic, digital investigation


The evolution of virtualization techniques is changing operating principles in today’s datacenters. Virtualization of servers, networks and storage increases the flexibility and dynamics of the environment by reducing the administrative overhead. Based on a physical underlay network, different logical networks are implemented with new protocols like VXLAN, STT or GENEVE. New paradigms like Software-Defined Networks or Network Function Virtualization offer new capabilities to redesign the whole network infrastructure. This trend creates new challenges for digital investigations that analyse incidents by extracting and interpreting recorded data inside the environment. As a branch of digital investigation, network forensic investigation is used to examine network traffic by capturing the data of a suspicious target system and analysing this data. In this article, we analyse in detail new challenges in investigating virtual networks. We propose a classification in three categories, which might help to develop new methods and possible solutions to simplify further necessary investigations in virtual network environments. The defined challenges are classified according to their potential to impede the investigation. Based on this classification we derive a list of basic conditions, describing different necessary requirements to implement a successful, valid and ongoing network forensic investigation in these virtual networks.




Author Biographies

Daniel Spiekermann, FernUniversität Hagen, Germany

D. Spiekermann received his B.Sc. degree in Computer Science in 2009 and his M.Sc. degree in Electronic and Computer Engineering from FernUniversität in Hagen, Germany in 2014. He is currently working towards his Ph.D. degree in Computer Science at FernUniversität Hagen, Germany. He works as a forensic investigator at North-Rhine Westphalia Police, Dortmund, Germany. His research interests are network forensics, virtual networks and IT security.

Tobias Eggendorfer, Hochschule Ravensburg-Weingarten, Germany

T. Eggendorfer is a professor for IT security at Hochschule Ravensburg-Weingarten; before that, he was a professor for IT forensics in Hamburg. He received his Ph.D. on email security at FernUniversität Hagen in 2007. He holds lecturing positions at multiple universities. Besides his duties at the university, he is a freelance IT security and forensics specialist as well as a privacy advocate.








