Forensic analysis of database tampering

Pavlou, Kyriacos E.; Snodgrass, Richard T.

doi:10.1145/1412331.1412342

Cited by 58 publications

(59 citation statements)

References 15 publications

(2 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Then, during forensic analysis of a subsequent validation that detected tampering, those chains can be rehashed to provide a sequence of truth values (success or failure), which can be used to narrow down "what. " We have elsewhere [7] proposed the Monochromatic, RGB, and Polychromatic forensic analysis algorithms. These algorithms differ in the amount of work necessary during normal processing (computing additional hash chains during periodic validation) and the precision of the when and what estimates produced by forensic analysis.…”

Section: Motivationmentioning

confidence: 99%

“…Avoiding tamper detection comes down to inverting the cryptographically-strong one-way hash function. An extensive presentation of the approach, performance limitations, tamper detection, threat model and other forensic analysis algorithms can be found elsewhere [8], [10].…”

Section: Parties Involved and Threat Modelmentioning

confidence: 99%

“…This funkySort function ( Figure 6) creates the sequence of indices which when used to index into the C t,k array will result in the ordering of the candidate set elements. This is achieved by performing a single pass over the indices array and creating each new index by manipulating appropriately previous ones (lines [8][9][10][11][12][13] within the funkySort function.…”

Section: Computing the Candidate Setmentioning

confidence: 99%

“…Elsewhere we have introduced the Monochromatic, the RGB, and Polychromatic Algorithms [7]. All algorithms employ the same approach of tamper detection and forensic analysis by hashing transaction data and periodically validating the resulting hash chains.…”

Section: Implementation and Evaluationmentioning

confidence: 99%

“…On the other hand it suffers from false positives while the previous three algorithms do not. (More information on the rate of false positives of the Tiled Bitmap Algorithm can be found elsewhere [8].) Table III shows the running time for three of the forensic analysis algorithms (the Polychromatic Algorithm is omitted because it is replaced by the Tiled Bitmap Algorithm).…”

Section: Implementation and Evaluationmentioning

confidence: 99%

See 4 more Smart Citations

The Tiled Bitmap Forensic Analysis Algorithm

Pavlou

Snodgrass

2010

IEEE Trans. Knowl. Data Eng.

View full text Add to dashboard Cite

Abstract-Tampering of a database can be detected through the use of cryptographically-strong hash functions. Subsequently-applied forensic analysis algorithms can help determine when, what, and perhaps ultimately who and why. This paper presents a novel forensic analysis algorithm, the Tiled Bitmap Algorithm, which is more efficient than prior forensic analysis algorithms. It introduces the notion of a candidate set (all possible locations of detected tampering(s)) and provides a complete characterization of the candidate set and its cardinality. An optimal algorithm for computing the candidate set is also presented. Finally, the implementation of the Tiled Bitmap Algorithm is discussed, along with a comparison to other forensic algorithms in terms of space/time complexity and cost. An example of candidate set generation and proofs of the theorems and lemmata and of algorithm correctness can be found in the appendix.

show abstract

Section: Motivationmentioning

confidence: 99%

Section: Parties Involved and Threat Modelmentioning

confidence: 99%

Section: Computing the Candidate Setmentioning

confidence: 99%

Section: Implementation and Evaluationmentioning

confidence: 99%

Section: Implementation and Evaluationmentioning

confidence: 99%

See 3 more Smart Citations

The Tiled Bitmap Forensic Analysis Algorithm

Pavlou

Snodgrass

2010

IEEE Trans. Knowl. Data Eng.

View full text Add to dashboard Cite

show abstract

The effective method of database server forensics on the enterprise environment

Son¹,

Lee²,

Jeon³

et al. 2012

Security Comm Networks

View full text Add to dashboard Cite

When a forensic investigation is carried out in the enterprise environment, most of the important data are stored in database servers, and data stored in them are very important elements for a forensic investigation. As for database servers with such data stored, there are over 10 various kinds, such as SQL Server and Oracle. All the methods of investigating a database system are important, but this study suggests a single methodology likely to investigate all the database systems while considering the unique characteristics of each database system. A method of detecting a server and acquiring and investigating data in the server can be effectively used for such an investigation on the enterprise environment. For the existing investigation on server systems, severs should be shut down, and disc imaging should be conducted first. However, such a method may inflict great losses on the company in some cases. That is why we need a method to acquire data of a server in on‐line state, and this study discusses this method. Besides, on the basis of methodology, this study attempts to determine a possibility that this new forensic investigation method can be practically used by directly applying this method to SQL Server and MySQL databases. Copyright © 2012 John Wiley & Sons, Ltd.

show abstract