Computing Reviews
Software-defined network forensics: motivation, potential locations, requirements, and challenges
Khan S., Gani A., Wahab A., Abdelaziz A., Ko K., Khan M., Guizani M. IEEE Network: The Magazine of Global Internetworking 30(6): 6-13, 2016. Type: Article
Date Reviewed: Aug 2 2018

Over the years, network traffic has increased exponentially, and will continue to increase in the future. New network technologies are required to deal with the expanding network traffic and infrastructure. A software-defined network (SDN) is one such technology that allows efficient network management and configuration. Unlike traditional network architectures, SDN separates the data plane (the part of the network involved with packet forwarding) from the control plane (the part of the network involved with decision making) to attain more flexibility and easier troubleshooting. SDN centralizes network intelligence in the network controller for easy network configuration and management.

The network controller has an overall view of the network. It can track malicious traffic flows and suspicious attempts to gain network access. However, centralized network control also makes the network vulnerable to attacks--all an attacker has to do is attack the network controller to bring down the network. While an SDN architecture helps in tracing network attacks more efficiently than a traditional network architecture, it is also more vulnerable to security attacks due to its centralized architecture.

Investigating security attacks in SDN is a complex task, and this is where SDN forensics plays an important role. This paper discusses the possibility of tracing SDN attacks at different SDN layers. The authors briefly discuss the difference between traditional network forensics and SDN forensics, as well as the need for the latter. Evidence collection at the application, control, and infrastructure layers of SDN is discussed in detail. The paper briefly discusses different stages of evidence collection, analysis, and reporting. The authors also propose a generalized model for SDN forensics.

This paper provides structured insight into SDN forensics. It will be useful for network security researchers and personnel.

Reviewer:  Rinki Sharma Review #: CR146182 (1811-0569)
Internet (C.2.1 ... )
 