Forensic Analysis of Database Tampering James Byrd
Abstract • Means to examine whether a database has been tampered with already exist • How do you detect who did it?
Introduction • The file system and database communities have expressed interest in built-in mechanisms that detect and/or prevent tampering with data • Interest has grown after laws such as HIPAA and corporate fraud cases such as Enron and WorldCom
Outline of Introduction • Audit Log Security • Compliant Records • How do these apply to high performance databases?
Audit Log Security • a single component of Record Management Systems (RMSs) • RMSs track documents and their version histories and ensure that a previous version of a document cannot be altered • uses notarization keys to track changes
Compliant Records • records that are required by myriad laws and regulations (roughly 10,000 in the US) “to follow certain processes by which they are created, stored, accessed, maintained and retained” • usually stored on WORM (Write Once Read Many) media • as the record is modified, every version is retained along with all of its metadata
High-Performance Databases • the previous approaches cannot be applied to HPDs, because the entire database cannot be stored and notarized after each transaction • therefore, the audit log capabilities must move into the DBMS • one-way hashing of the modified data, plus periodic validation of the audit log database
That's Great, James • What do I do when I detect an intrusion? • All you know is that at some point in the past the data has been altered • that's dandy • Cue forensic analysis
Forensics Analysis • needed to determine • WHEN the intrusion occurred • WHAT was altered • WHO did it
2 - Tamper Detection • The DBMS maintains the audit log in the background • Data modified by a transaction is hashed • The hash value is digitally notarized with an external notarization service • A series of implementation optimizations minimize the number of notarizations and speed up the DBMS
First Insight - DBMS Maintains the Audit Log • does this by rendering a specified relation as a transaction-time table • this instructs the database to keep all previous values, append-only • that history is visible to anyone with access to the database, so by itself it is not tamper-proof
Second Insight - Hash the Data • take the data modified by the transaction and cryptographically hash it, producing a secure one-way hash of the transaction
Third Insight - Digitally Notarize the Hash • use an external notarization service to digitally notarize the hash • therefore, even if the intruder has access to everything on site (database, hardware, OS, etc.), the notarized hash is out of their reach, and any change to the data will show up as a mismatch when the hash is recomputed
Fourth Insight - Series of Implementation Optimizations • optimizations that let the DBMS implement all of the hashing and notarizing efficiently, so that DBMS performance does not suffer
2 Different Phases • normal processing • transactions are run and hash values are digitally notarized • validation • hash values are recomputed and compared with the notarized hashes • this is where tampering is detected
3 - Some Definitions • Corruption Event (CE) • any event that corrupts the data or the database • Validation Event (VE) • a run of the validator; a CE is detected at the first VE that fails • detection time = time of that VE • Notarization Event (NE) • notarization of the hash document by the notary service
Corruption Diagram • Drawing Time :)
Forensic Analysis • ascertain the “Corruption Zone”, that is, the area of the corruption diagram where the corruption took place • bounded in time (when the CE happened) and in data (which transaction times were affected)
Notarization and Validation Intervals • the validation interval (I_V) should be equal to or longer than the notarization interval (I_N) • I_V should also be a multiple of I_N • with those settings each validation coincides with a notarization
Backdating Issues • if a value is backdated (given a transaction time earlier than when it was actually written), the Corruption Zone must be enlarged to extend back to the backdated time
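The normal-processing and validation phases described in the tamper-detection slides, together with the bounding of the Corruption Zone from the forensic-analysis slides, as an added Python example that is not part of the original presentation or of the paper it summarises. It assumes integer transaction-time ticks, SHA-256 as the one-way hash, a notarization interval of 10, a validation interval of 30, and an in-memory Notary class standing in for the external service; every sample row is constructed. The forensic step only re-hashes each notarization interval against its notarized value, a simplified stand-in for the Monochromatic algorithm, not the RGB or Polychromatic ones.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# A row of the transaction-time table: (transaction_time, key, value).
# Transaction time is an integer tick here; rows are append-only and kept
# in transaction-time order. All sample data below is constructed.
Row = Tuple[int, str, str]

NOTARIZATION_INTERVAL = 10   # I_N: notarize the chain value every 10 ticks
VALIDATION_INTERVAL = 30     # I_V: a multiple of I_N, so each VE coincides with an NE
SEED = b"\x00" * 32          # chain value before the first row


def chain_link(prev: bytes, row: Row) -> bytes:
    """One link of the hash chain: SHA-256(prev || row). Because every link
    commits to the one before it, one notarized value covers all earlier rows."""
    t, key, value = row
    return hashlib.sha256(prev + f"{t}|{key}|{value}".encode()).digest()


def chain_at_notarizations(rows: List[Row], interval: int) -> Dict[int, bytes]:
    """Walk the table once and record the cumulative chain value at the end
    of every notarization interval (ticks t_n = interval, 2*interval, ...)."""
    digests: Dict[int, bytes] = {}
    chain, i = SEED, 0
    last_t = rows[-1][0] if rows else 0
    for t_n in range(interval, last_t + interval, interval):
        while i < len(rows) and rows[i][0] <= t_n:
            chain = chain_link(chain, rows[i])
            i += 1
        digests[t_n] = chain
    return digests


class Notary:
    """Stand-in for the external notarization service (assumed). The threat
    model gives the intruder the DBMS host but no write access here."""

    def __init__(self) -> None:
        self._record: Dict[int, bytes] = {}

    def notarize(self, t_n: int, digest: bytes) -> None:
        self._record.setdefault(t_n, digest)   # the first notarization of t_n is final

    def record(self) -> Dict[int, bytes]:
        return dict(self._record)


def normal_processing(rows: List[Row], notary: Notary) -> None:
    """Normal-processing phase: hash what has been appended so far and send
    the chain value at each notarization time to the notary."""
    for t_n, digest in chain_at_notarizations(rows, NOTARIZATION_INTERVAL).items():
        notary.notarize(t_n, digest)


def validate(rows: List[Row], notary: Notary) -> Optional[int]:
    """Validation event: recompute the chain from the live table and compare
    it with every notarized value. Returns the earliest notarization time
    whose value no longer matches (tampering detected), or None if clean."""
    recomputed = chain_at_notarizations(rows, NOTARIZATION_INTERVAL)
    for t_n, notarized in sorted(notary.record().items()):
        if recomputed.get(t_n) != notarized:
            return t_n
    return None


def corruption_zone(rows: List[Row], notary: Notary,
                    last_good_ve: int, failing_ve: int) -> Optional[dict]:
    """Forensic step: bound the corruption on both axes of the corruption
    diagram. 'when': the CE happened after the last VE that passed and no
    later than the VE that failed. 'where': the altered row's transaction
    time lies in the first notarization interval whose value mismatches,
    (t_n - I_N, t_n]; every later value mismatches too because the chain is
    cumulative, so only the first mismatch carries information."""
    t_n = validate(rows, notary)
    if t_n is None:
        return None
    lo = t_n - NOTARIZATION_INTERVAL
    return {
        "when": (last_good_ve, failing_ve),
        "where": (lo, t_n),
        "suspect_rows": [r for r in rows if lo < r[0] <= t_n],
    }


def demo() -> Tuple[Optional[int], Optional[dict]]:
    """Constructed scenario: the table grows, the VE at t=30 passes, the
    intruder then rewrites a historical row, and the VE at t=60 fails."""
    notary = Notary()
    table: List[Row] = [(3, "acct:1", "100"), (8, "acct:2", "250"),
                        (14, "acct:1", "90"), (19, "acct:3", "500"),
                        (26, "acct:2", "260"), (28, "acct:1", "95")]
    normal_processing(table, notary)                 # NEs at t=10, 20, 30
    clean = validate(table, notary)                  # VE at t=30: None (clean)
    table += [(35, "acct:3", "480"), (41, "acct:1", "120"),
              (47, "acct:2", "300"), (58, "acct:3", "470")]
    normal_processing(table, notary)                 # NEs at t=40, 50, 60
    table[2] = (14, "acct:1", "900")                 # CE: silent rewrite with full DBMS access
    first_bad = validate(table, notary)              # VE at t=60: first mismatch at t_n=20
    zone = corruption_zone(table, notary, last_good_ve=30, failing_ve=60)
    return first_bad, zone if clean is None else None


if __name__ == "__main__":
    print(demo())
```

The two bounds returned are exactly the two axes of the corruption diagram: the data bound comes from the notarization schedule (I_N), the time bound from the validation schedule (I_V), which is why the slides care about how the two intervals relate. Shrinking either interval tightens the corresponding side of the zone at the cost of more notarizations or validations.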
RGB Forensic Algorithm • also handles postdating • 3 partial hash chains (red, green, blue) computed each time the database is hashed, each covering only a portion of the data • no additional disk reads are necessary • useful for forensic analysis
Polychromatic Algorithm • yields smaller regions than the RGB algorithm • uses a lot of math and graph theory • summary: gives a more precise region of where the tampering occurred
Comparison • Trivial: the entire triangle (the whole corruption diagram) is the region • Monochromatic: narrows the region to a specific part of the triangle but requires many queries • RGB: the region is reduced to days but requires the additional partial hash chains • Polychromatic: limits the region to a specific date and time