Forensic Analysis of Database Tampering
James Byrd
Abstract
• Means to examine if a database has been tampered with already exist
• How do you detect who did it?
Introduction
• The file system and database communities have expressed interest in built-in mechanisms that detect and/or prevent tampering of data
• Interest has arisen after laws such as HIPAA, and corporate fraud cases such as Enron and WorldCom
Outline of Introduction
• Audit Log Security
• Compliant Records
• How do these apply to high performance databases?
Audit Log Security
• a single component of Record Management Systems
o RMSs track documents and their version histories and ensure that a previous version of a document cannot be altered
o uses notarization keys to track changes
Compliant Records
• records that are required by myriad laws and regulations (roughly 10k in the US)
o “to follow certain processes by which they are created, stored, accessed, maintained and retained”
• usually stored on a WORM disk (Write Once Read Many)
• as the record is modified, all versions are stored along with all of the metadata
High Performance Databases
• the previous approaches cannot be applied to HPDs because all of the data cannot be stored and notarized after each transaction
• therefore, we must move the audit log capabilities into the DBMS
o one-way hashing of all of the data and periodic validation of the audit log database
That's Great, James
• What do I do when I detect an intrusion?
• All you know is that at some point in the past the data has been altered
o that's dandy
• Cue Forensic Analysis
Forensic Analysis
• needed to determine
o WHEN the intrusion occurred
o WHAT was altered
o WHO did it
2 - Tamper Detection
1. The DBMS can maintain the audit log in the background
2. Data modified by a transaction is hashed
3. The hash value is digitally notarized by an external notarization service
4. A series of implementation optimizations minimize notarizations and speed up the DBMS
First Insight - DBMS Maintains the Audit Log
• does this by rendering a specified relation as a Transaction-Time Table
o this instructs the database to keep all previous values, append only
o the log is visible to anyone with access to the database
Second Insight - Hash the Data
• Take the data modified by the transaction and cryptographically hash it to generate a secure one-way hash of the transaction
Third Insight - Digitally Notarize the Hash
• Use an external notarization service to digitally notarize the hash value
• therefore, even if the intruder has access to everything (database, hardware, OS, etc.) they cannot alter the notarized hash values, which are held by the notary
Fourth Insight - Series of Implementation Optimizations
• make optimizations that allow the DBMS to implement all hashing and notarizing efficiently, so that DBMS performance is not slowed down
2 Different Approaches
• normal processing
o transactions are run and hash values are digitally notarized
• validation
o hash values are recomputed and compared with the previously notarized hashes
o this is where tampering is detected
3 - Some Definitions
• Corruption Event (CE)
o any event that corrupts the data or the database
• Validation Event (VE)
o a validation run; a failed VE is the detection of a CE
o time of detection = time of the VE
• Notarization Event (NE)
o notarization of the document (the hash value) by the notary service
Corruption Diagram
• Drawing Time :)
Forensic Analysis
• Ascertain the “Corruption Zone”, that is the area where the corruption took place
o bounds of when and where
Notarization and Validation Intervals
• The validation interval should be equal to or longer than the notarization interval
• The VI should also be a multiple of the Notarization Interval
• The intervals should be set up so that a validation event and a notarization event coincide periodically
Backdating Issues
• If a value is backdated, the Corruption Zone must be widened to include the backdated time
RGB Forensic Algorithm
• useful for postdating
• 3 hash chains per database
o refreshed over only portions of the data
• no additional disk reads are necessary
• useful for forensic analysis
Polychromatic Algorithm
• smaller regions than the RGB algorithm
• uses a lot of math and graph theory
• summary:
o gives a more precise region of where the tampering occurred
Comparison
1. Trivial
a. the entire triangle is the region
2. Monochromatic
a. gives a specific part of the triangle but requires many queries
3. RGB
a. area in question reduced to days but requires additional partial hash functions
4. Polychromatic
a. limits the region to a specific date and time
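The tamper-detection mechanism from the "2 - Tamper Detection" slides (a linked hash chain over the transaction-time table, external notarization of the running hash, periodic validation) and the corruption-zone bounding that the Monochromatic entry of this comparison describes, as one added worked example. This is example code written for this page; it is not code from the presentation or from the prototype the underlying paper describes. Assumptions made here: the external notary is simulated as an HMAC over a secret the DBMS never sees; timestamps are integer hours; the table of account rows is constructed for the example; and the "where" bound is narrowed by a binary search over past notarization events, which is my reading of "requires many queries" rather than a step the slides spell out. Notarization runs every 4 h and validation every 8 h, a multiple of the notarization interval as the slides recommend.

```python
import hashlib
import hmac

# Constructed sample data: a transaction-time table kept as an append-only
# list of (commit_time, value) tuples; commit_time is in hours and is the
# "where" axis of the corruption diagram.
TABLE = [
    (1, "acct=17 bal=100"), (3, "acct=17 bal=120"), (6, "acct=42 bal=500"),
    (9, "acct=17 bal=80"), (14, "acct=42 bal=450"), (19, "acct=7 bal=10"),
    (23, "acct=17 bal=95"),
]

# Secret held only by the simulated external notary (an assumption of this
# example; the real service is a third party the intruder cannot reach).
NOTARY_KEY = b"notary-secret-not-stored-in-the-dbms"


def cumulative_hash(table, upto_time):
    """Linked hash chain over every tuple with commit_time <= upto_time.
    Each step absorbs the previous digest, so altering one tuple changes
    the chain value at every later point in time."""
    h = b"\x00" * 32
    for t, v in table:
        if t > upto_time:
            break
        h = hashlib.sha256(h + t.to_bytes(8, "big") + v.encode()).digest()
    return h


def notarize(digest):
    """Notary side: issue a token binding the digest. The DBMS cannot forge it."""
    return hmac.new(NOTARY_KEY, digest, hashlib.sha256).digest()


def notary_check(digest, token):
    """Notary side: does a freshly recomputed digest match what was notarized?"""
    return hmac.compare_digest(notarize(digest), token)


def normal_processing(table, interval_n, t_end):
    """Notarization events at every multiple of interval_n. The DBMS extends
    its running hash as tuples commit, so each token reflects the data as it
    was at commit time; hashing the untampered table models that here."""
    return {t: notarize(cumulative_hash(table, t))
            for t in range(interval_n, t_end + 1, interval_n)}


def validate(table, tokens, t_v):
    """Validation event at clock time t_v: rehash the stored table up to the
    most recent notarization time and ask the notary whether it still matches."""
    past = [t for t in tokens if t <= t_v]
    if not past:
        return True
    t_n = max(past)
    return notary_check(cumulative_hash(table, t_n), tokens[t_n])


def corruption_zone(table_at, tokens, interval_v, t_end):
    """Forensic analysis after the first failed validation event.
    table_at(t) returns the table as stored at clock time t.
    Returns ((when_lo, when_hi), (where_lo, where_hi)), both intervals open on
    the left and closed on the right, or None if every validation passed."""
    last_good = 0
    for t_v in range(interval_v, t_end + 1, interval_v):
        if validate(table_at(t_v), tokens, t_v):
            last_good = t_v
            continue
        # When: the tampering happened after the last validation that passed.
        when = (last_good, t_v)
        # Where: the chain is monotone (every notarization after the corrupted
        # tuple mismatches, every one before it matches), so a binary search
        # over the notarization events finds the first mismatch.
        table = table_at(t_v)
        times = sorted(t for t in tokens if t <= t_v)
        lo, hi, first_bad = 0, len(times) - 1, len(times) - 1
        while lo <= hi:
            mid = (lo + hi) // 2
            if notary_check(cumulative_hash(table, times[mid]), tokens[times[mid]]):
                lo = mid + 1
            else:
                first_bad, hi = mid, mid - 1
        where = (times[first_bad - 1] if first_bad else 0, times[first_bad])
        return when, where
    return None


def demo(t_corrupt=18):
    """An intruder with full DBMS access rewrites the tuple committed at hour 9
    at clock time t_corrupt; notarization every 4 h, validation every 8 h."""
    tokens = normal_processing(TABLE, interval_n=4, t_end=24)
    tampered = [(t, "acct=17 bal=800" if t == 9 else v) for t, v in TABLE]

    def table_at(t):
        return tampered if t >= t_corrupt else TABLE

    return corruption_zone(table_at, tokens, interval_v=8, t_end=24)


if __name__ == "__main__":
    # ((16, 24), (8, 12)): corrupted after hour 16, victim tuple committed in (8, 12]
    print(demo())
```

The "when" bound is only as tight as the validation interval and the "where" bound only as tight as the notarization interval, which is why the slides want both intervals short and aligned. The binary search still rehashes the table once per probe, the cost the Monochromatic row above calls "many queries"; the RGB and Polychromatic algorithms add partial hash chains so that those probes can be answered without rehashing everything.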