InnoDB Database Forensics: Reconstructing Data Manipulation Queries from Redo Logs

InnoDB is a powerful open-source storage engine for MySQL that has gained much popularity in recent years. This paper proposes methods for the forensic analysis of InnoDB databases by examining the redo logs, which the storage engine primarily uses for crash recovery. This new method can be very useful in forensic investigations in which the attacker obtained administrative privileges or was the administrator. While such a powerful attacker could cover their tracks by manipulating the log files intended for fraud detection, data in the redo logs cannot be changed easily. Based on a prototype implementation, we show methods for recovering Insert, Delete and Update statements issued against a database.
