Generalizing database forensics

Abstract: In this article we present refinements on previously proposed approaches to forensic analysis of database tampering. We significantly generalize the basic structure of these algorithms to admit new characterizations of the "where" axis of the corruption diagram. Specifically, we introduce page-based partitioning as well as attribute-based partitioning along with their associated corruption diagrams. We compare the structure of all the forensic analysis algorithms and discuss the various design choices availabl… Show more

“…Some works (Hu and Panda, 2005;Pavlou and Snodgrass, 2013) have approached recovering the database consistency after detecting that some data were corrupted due to a malicious activity (e.g., an intrusion). Hu and Panda (2005) have proposed a method for detecting malicious activities in a DBMS by using data dependency relationships, i.e., data items which must be read or written before a data item is updated and others which must be written after the update.…”

“…Indeed, we consider the retroactively updated datum and all data depending on it (extracted from the transaction log) as inconsistent data. Besides, Pavlou and Snodgrass (2013) have proposed an approach for: 1 detecting falsifications in the database 2 generalising forensic analysis of these falsifications to prevent them from silently corrupting the database log.…”

“…As for forensic analysis, they define a set of analysis algorithms which allow building a schema of corruption that provides the following information: the location of each alteration, its realisation time and the user who has performed it. Similarly to the approach of Pavlou and Snodgrass (2013), we use the transaction log to detect inconsistencies. However, contrarily to this approach, which neither proposes nor performs any repair task, we also repair in an automatic way the detected inconsistencies (based on both the specified temporal XML update and the transaction log).…”

“…However, contrarily to this approach, which neither proposes nor performs any repair task, we also repair in an automatic way the detected inconsistencies (based on both the specified temporal XML update and the transaction log). Moreover, our proposed log is richer than the one defined in Pavlou and Snodgrass (2013) since it stores not only written data but also read data. Further, since our approach is defined for a multi-temporal setting, where data of different temporal formats coexist, it is therefore more general than the above described approach which can be applied only in a transaction-time environment.…”

A systematic approach to efficiently managing the effects of retroactive updates of time-varying data in multiversion XML databases

“…Some works (Hu and Panda, 2005;Pavlou and Snodgrass, 2013) have approached recovering the database consistency after detecting that some data were corrupted due to a malicious activity (e.g., an intrusion). Hu and Panda (2005) have proposed a method for detecting malicious activities in a DBMS by using data dependency relationships, i.e., data items which must be read or written before a data item is updated and others which must be written after the update.…”

“…Indeed, we consider the retroactively updated datum and all data depending on it (extracted from the transaction log) as inconsistent data. Besides, Pavlou and Snodgrass (2013) have proposed an approach for: 1 detecting falsifications in the database 2 generalising forensic analysis of these falsifications to prevent them from silently corrupting the database log.…”

“…As for forensic analysis, they define a set of analysis algorithms which allow building a schema of corruption that provides the following information: the location of each alteration, its realisation time and the user who has performed it. Similarly to the approach of Pavlou and Snodgrass (2013), we use the transaction log to detect inconsistencies. However, contrarily to this approach, which neither proposes nor performs any repair task, we also repair in an automatic way the detected inconsistencies (based on both the specified temporal XML update and the transaction log).…”

“…However, contrarily to this approach, which neither proposes nor performs any repair task, we also repair in an automatic way the detected inconsistencies (based on both the specified temporal XML update and the transaction log). Moreover, our proposed log is richer than the one defined in Pavlou and Snodgrass (2013) since it stores not only written data but also read data. Further, since our approach is defined for a multi-temporal setting, where data of different temporal formats coexist, it is therefore more general than the above described approach which can be applied only in a transaction-time environment.…”

A systematic approach to efficiently managing the effects of retroactive updates of time-varying data in multiversion XML databases

“…Examples of these methods are table-relationship analysis [8] and data file carving [9]. However, these methods either lack formalisation and scientific background [10], or may not be suitable for investigating databases [11]. As a consequence, ad hoc database investigations over rely on the practitioner's knowledge and expertise, leading to conjectures about insider behaviour since the only available evidence to fully explain such actions may be partially recovered or unavailable.…”

Implementing Chain of Custody Requirements in Database Audit Records for Forensic Purposes

An Efficient Approach for Detecting and Repairing Data Inconsistencies Resulting from Retroactive Updates in Multi-temporal and Multi-version XML Databases