forensic analysis of database tampering n.
Skip this Video
Loading SlideShow in 5 Seconds..
Forensic Analysis of Database Tampering PowerPoint Presentation
Download Presentation
Forensic Analysis of Database Tampering

Loading in 2 Seconds...

play fullscreen
1 / 23

Forensic Analysis of Database Tampering - PowerPoint PPT Presentation

  • Uploaded on

Forensic Analysis of Database Tampering. James Byrd. Abstract. Means to examine if a database has been tampered with already exist How do you detect who did it?. Introduction.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Forensic Analysis of Database Tampering' - lisle

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
  • Means to examine if a database has been tampered with already exist
  • How do you detect who did it?
  • File System and Database communities have expressed interest in built in mechanisms that detect and/or prevent tampering of data
  • Interest has arisen after laws such as HIPAA, and collusion cases such as Enron and Worldcom companies
outline of introduction
Outline of Introduction
  • Audit Log Security
  • Compliant Records
  • How do these apply to high performance databases?
audit log security
Audit Log Security
  • a single component of Record Management Systems
    • RMS’s track documents and their version histories and ensure that a previous version of a document cannot be altered
    • uses notarization keys to track changes
compliant records
Compliant Records
  • records that are required by myriad laws and regulations (roughly 10k in the US)
    • “to follow certain processes by which they are created, stored, accessed, maintained and retained”
  • usually stored on a WORM disk (Write Once Read Many)
  • as the record is modified, all versions are stored along with all of the metadata
high performance databases
High Performance Databases
  • the previous approaches cannot be applied to HPD’s because all of the data cannot be stored and notarized after each transaction
  • therefore, we must move the Audit Log Capabilities into the DBMS
    • one way hashing of all of the data and periodic validation of the audit log database
thats great james
Thats Great James
  • What do I do when I detect an intrusion?
  • All you know is that at some point in the past that the data has been altered
    • thats dandy
  • Cue Forensics Analysis
forensics analysis
Forensics Analysis
  • needed to determine
    • WHEN the intrusion occurred
    • WHAT was altered
    • WHO did it
2 tamper detection
2 - Tamper Detection
  • DBMS can maintain the audit log in the background
  • Data can be modified by a transaction and is then hashed
  • Digitize the hash value with external notarization service
  • Series of implementation optimizations that minimize notaries and speed up DBMS
first insight dbms maintain audit log
First Insight - DBMS Maintain Audit Log
  • does this by rendering a specified relation as a Transaction-Time Table
    • this instructs the database to keep all previous values as append only
    • easily visible to anyone with the database
second insight hash the data
Second Insight - Hash the Data
  • Take the data modified by the transaction and cryptographically hash it to generate a secure one way hash of the transaction
third insight digitally notarize the hash
Third Insight - Digitally Notarize the Hash
  • Use an external notarization service to digitally notarize the hash data
  • therefore, even if the intruder has access to everything (database, hardware, OS, etc) they cannot change the hash data
fourth insight series of implementations
Fourth Insight - Series of Implementations
  • make optimizations that allow the DBMS to to implement all hashing and notarizing in an efficient manner to not slow down DBMS performance
2 different approaches
2 Different Approaches
  • normal processing
    • transactions are run and hash values are digitally notarized
  • validation
    • hash values are recomputed and compared with previous hashes
    • this is where detection is found
3 some definitions
3 - Some Definitions
  • Corruption Event
    • any event that corrupts the data or the database
  • Validation Event
    • finding of a CE
      • Time = time of ve
  • Notarization Event
    • notarization of th documetn by the notary service
corruption diagram
Corruption Diagram
  • Drawing Time :)
forensic analysis
Forensic Analysis
  • Ascertain the “Corruption Zone”, that is the area where the corruption took place
    • bounds of when and where
notarization and validation intervals
Notarization and Validation Intervals
  • Validation intervals should be equal to or longer than the notarization interval
  • The VI should also be a multiple of the Notation Interval
  • The values should be set up that they happen at the same time occasionally
backdating issues
Backdating Issues
  • If a value is backdated, then the Corruption Zone is increased in size to accommodate the date of the backdate
rgb forensic algorithm
RGB Forensic Algorithm
  • useful for postdating
  • 3 chains of hash functions per database refresh
    • only portions
  • no additional disk reads are necessary
  • useful for forensics analysis
polychromatic algorithm
Polychromatic Algorithm
  • smaller regions than the RGB alg
  • uses a lot of math and graph theory
  • summary:
    • gives a more precise region of where the tampering occured
  • Trivial
    • the entire triangle is the region
  • Monochromatic
    • gives a specific part of the triangle but requires many queries
  • RGB
    • area in question reduced to days but requires additional partial hash functions
  • Polychromatic
    • limits the region to specific date and time