InnoDB database forensics: Enhanced reconstruction of data manipulation queries from redo logs

Abstract

The InnoDB storage engine is one of the most widely used storage engines for MySQL. This paper discusses possibilities of utilizing the redo logs of InnoDB databases for forensic analysis, as well as the extraction of the information needed from the MySQL definition files in order to carry out this kind of analysis. Since the redo logs are internal log files of the storage engine and thus cannot easily be changed undetected, this forensic method can be very useful against adversaries with administrator privileges, who could otherwise cover their tracks by manipulating traditional log files intended for audit and control purposes. Based on a prototype implementation, we show methods for recovering Insert, Delete and Update statements issued against a database.
