Towards a forensic-aware database solution: Using a secured database replication protocol and transaction management for digital investigations

Databases contain an enormous amount of structured data. While forensic analysis at the file system level for creating (partial) timelines, recovering deleted data and revealing concealed activities is very popular and multiple forensic toolsets exist, the systematic analysis of database management systems has only recently begun. Databases contain a large amount of temporary data files and metadata which are used by internal mechanisms. These data structures are maintained in order to ensure transaction authenticity, to perform rollbacks, or to set the database back to a predefined earlier state, e.g. after an inconsistent state or a hardware failure. However, these data structures are intended to be used by the internal system methods only and are in general not human-readable. In this work we present a novel approach for a forensic-aware database management system using transaction and replication sources. We use these internal data structures as a vital baseline to reconstruct evidence during a forensic investigation. The overall benefit of our method is that no additional logs (such as administrator logs) are needed. Furthermore, our approach is invariant to retroactive malicious modifications by an attacker. This assures the authenticity of the evidence and strengthens the chain of custody. To evaluate our approach, we present a formal description, a prototype implementation in MySQL, and a comprehensive security evaluation with respect to the most relevant attack scenarios.
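The abstract's central security property is that evidence derived from the transaction/replication stream stays verifiable even if an attacker later edits it. The paper's own protocol is not described on this page, so the following is an added, generic illustration (not the authors' code or design) of how that property is typically obtained: each replicated statement is hash-chained to its predecessor and authenticated with a key that is evolved and discarded after every append, so a later compromise of the server yields no key capable of re-authenticating earlier entries. The class and function names, the key-evolution rule and the SQL statements are constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

GENESIS = b"\x00" * 32  # chain anchor for the first entry


@dataclass(frozen=True)
class LogEntry:
    seq: int          # position in the replication stream
    statement: str    # the replicated SQL statement
    prev_hash: bytes  # tag of the previous entry (hash chain)
    tag: bytes        # HMAC over (seq, prev_hash, statement) under the epoch key


def _digest(seq: int, statement: str, prev_hash: bytes) -> bytes:
    """Canonical hash of one entry's content, bound to its chain position."""
    return hashlib.sha256(seq.to_bytes(8, "big") + prev_hash + statement.encode()).digest()


def _evolve(key: bytes) -> bytes:
    """One-way key update (assumed rule): the previous key cannot be recovered."""
    return hashlib.sha256(b"evolve|" + key).digest()


class ForensicLog:
    """Append-only log kept by the database server; holds only the *current* key."""

    def __init__(self, initial_key: bytes) -> None:
        self.current_key = initial_key
        self.entries: List[LogEntry] = []

    def append(self, statement: str) -> LogEntry:
        prev = self.entries[-1].tag if self.entries else GENESIS
        seq = len(self.entries)
        tag = hmac.new(self.current_key, _digest(seq, statement, prev), hashlib.sha256).digest()
        entry = LogEntry(seq, statement, prev, tag)
        self.entries.append(entry)
        self.current_key = _evolve(self.current_key)  # old key is gone from the server
        return entry


def verify(entries: List[LogEntry], initial_key: bytes) -> Optional[int]:
    """Investigator-side check from the initial key (held off-server).

    Returns None if the whole chain is intact, else the index of the first
    entry whose position, chain link or authentication tag does not verify.
    """
    key, prev = initial_key, GENESIS
    for i, e in enumerate(entries):
        expected = hmac.new(key, _digest(e.seq, e.statement, prev), hashlib.sha256).digest()
        if e.seq != i or e.prev_hash != prev or not hmac.compare_digest(expected, e.tag):
            return i
        prev, key = e.tag, _evolve(key)
    return None


def demo() -> tuple:
    """Build a constructed three-statement log, then simulate a retroactive edit
    of entry 1 made by someone who only holds the server's current key."""
    initial_key = hashlib.sha256(b"constructed initial key for this example").digest()
    log = ForensicLog(initial_key)
    for stmt in (
        "INSERT INTO accounts VALUES (1, 100)",
        "UPDATE accounts SET balance = 50 WHERE id = 1",
        "DELETE FROM accounts WHERE id = 1",
    ):
        log.append(stmt)
    intact = verify(log.entries, initial_key)

    edited = list(log.entries)
    old = edited[1]
    new_stmt = "UPDATE accounts SET balance = 500 WHERE id = 1"
    # The best a later compromise can do is re-tag with the evolved key it finds.
    forged = hmac.new(log.current_key, _digest(1, new_stmt, old.prev_hash), hashlib.sha256).digest()
    edited[1] = LogEntry(1, new_stmt, old.prev_hash, forged)
    return intact, verify(edited, initial_key)


if __name__ == "__main__":
    print(demo())  # (None, 1): original chain intact, edited chain fails at entry 1
```

The investigator needs only the initial key and the replicated entries; no administrator log is consulted, which matches the abstract's claim. Detection happens at the first modified entry, and because every later entry is chained to the original tag, the attacker would also have to re-tag the whole suffix under keys that were never retained on the server.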
