Towards a forensic-aware database solution: Using a secured database replication protocol and transaction management for digital investigations

Databases contain an enormous amount of structured data. While the use of forensic analysis on the file system level for creating (partial) timelines, recovering deleted data and revealing concealed activities is very popular and multiple forensic toolsets exist, the systematic analysis of database...

Full description

Saved in:
Bibliographic Details
Published in:Digital investigation 2014-12, Vol.11 (4), p.336-348
Main Authors: Frühwirt, Peter, Kieseberg, Peter, Krombholz, Katharina, Weippl, Edgar
Format: Article
Language:English
Subjects:
Computer forensics
Cybersecurity
Data base management systems
Data tempering
Digital forensics
InnoDB
Metadata
MySQL
Prototypes
Replication
Structured Query Language-SQL
Transaction management
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Databases contain an enormous amount of structured data. While the use of forensic analysis on the file system level for creating (partial) timelines, recovering deleted data and revealing concealed activities is very popular and multiple forensic toolsets exist, the systematic analysis of database management systems has only recently begun. Databases contain a large amount of temporary data files and metadata which are used by internal mechanisms. These data structures are maintained in order to ensure transaction authenticity, to perform rollbacks, or to set back the database to a predefined earlier state in case of e.g. an inconsistent state or a hardware failure. However, these data structures are intended to be used by the internal system methods only and are in general not human-readable. In this work we present a novel approach for a forensic-aware database management system using transaction- and replication sources. We use these internal data structures as a vital baseline to reconstruct evidence during a forensic investigation. The overall benefit of our method is that no additional logs (such as administrator logs) are needed. Furthermore, our approach is invariant to retroactive malicious modifications by an attacker. This assures the authenticity of the evidence and strengthens the chain of custody. To evaluate our approach, we present a formal description, a prototype implementation in MySQL alongside and a comprehensive security evaluation with respect to the most relevant attack scenarios.
ISSN:1742-2876
1873-202X
DOI:10.1016/j.diin.2014.09.003