Implementing Chain of Custody Requirements in Database Audit Records for Forensic Purposes

“…Although, such architectures have been already proposed [1] [13] [14][15] [16], none of them considered Chain of Custody (CoC) properties and their implication in the admissibility of audit records as digital evidence. Our current research is focused on the design and deployment of such an architecture, based on previous work developed in [6], where a vector-clock (VC) mechanism [17] was used for tracking DML operations' provenance and causality, producing audit records within a forensically-ready database architecture. Nonetheless, beyond the evident scalability issue between the VC timestamp size and the number of audit tables, this mechanism also introduced precision issues and uncertain causal observations [18] because these are designed to enable operation ordering rather than, in fact, determining the actual physical time of their occurrence.…”

“…To detect malicious insider actions within our proposed architecture, Chain-of-Custody (CoC) must be enforced, requiring the following important properties as defined in [6]: (i) role segregation, (ii) DML operation provenance, (iii) event timelining and (iv) causality. As a result, audit records can be used as digital evidence to attribute malicious insider actions against a transactional database N DB .…”

“…Conversely, when security of such transactions is compromised, database forensics has emerged as a reactive approach to investigate (obtain, analyse and present in court) digital evidence about the attribution of actions to malicious users [4], which may not be fully compatible when dealing with complex database structures [5]. Instead, a proactive approach for the generation, collection and preservation of database audit records seems more suitable for capturing the occurrence of DML operations (events) during the normal operation of a forensically-aware database architecture [6]. Particularly, for making these audit records forensically admissible as digital evidence, this approach enforces Chain of Custody (CoC) properties [8] as (1) role segregation to prevent their modification, (2) capturing provenance of every event performed on transactional data, (3) event ordering in a timeline for explaining their causality and allowing third-party verification, and (4) ensuring these properties remain active during the architecture's normal operation.…”

“…This novel architecture is based on hybrid logical clocks (HLC), first proposed in [9], but implementing CoC properties at its core to support the generation, collection and preservation of audit records, having a transactional and a forensic database residing on separate servers. As opposed to a previous centralised vectorclock (VC) based architecture [6], an experimental deployment of our proposal shows that (i) provenance and causality tracking is indeed more accurate, preventing inconsistent observations since concurrent and sequential events are timelined using synchronised physical clocks (ii) timestamps are node and audit table independent, making it more scalable in terms of system size and (iii) although higher latency is expected due to its distributed deployment, around 70 per cent of user transactions will incur within acceptable latency intervals. The rest of the article is outlined as follows.…”

“…In Section II, research background and related work is provided, followed by an explanation of both system and attack models in Section III. Next, in Section IV, we explain the architecture's formal specification, having role segregation, provenance, timelining and causality as CoC properties [6]. Then, in sections V and VI, we deploy and evaluate the architecture performance.…”

Hybrid Logical Clocks for Database Forensics: Filling the Gap between Chain of Custody and Database Auditing

“…Although, such architectures have been already proposed [1] [13] [14][15] [16], none of them considered Chain of Custody (CoC) properties and their implication in the admissibility of audit records as digital evidence. Our current research is focused on the design and deployment of such an architecture, based on previous work developed in [6], where a vector-clock (VC) mechanism [17] was used for tracking DML operations' provenance and causality, producing audit records within a forensically-ready database architecture. Nonetheless, beyond the evident scalability issue between the VC timestamp size and the number of audit tables, this mechanism also introduced precision issues and uncertain causal observations [18] because these are designed to enable operation ordering rather than, in fact, determining the actual physical time of their occurrence.…”

“…To detect malicious insider actions within our proposed architecture, Chain-of-Custody (CoC) must be enforced, requiring the following important properties as defined in [6]: (i) role segregation, (ii) DML operation provenance, (iii) event timelining and (iv) causality. As a result, audit records can be used as digital evidence to attribute malicious insider actions against a transactional database N DB .…”

“…Conversely, when security of such transactions is compromised, database forensics has emerged as a reactive approach to investigate (obtain, analyse and present in court) digital evidence about the attribution of actions to malicious users [4], which may not be fully compatible when dealing with complex database structures [5]. Instead, a proactive approach for the generation, collection and preservation of database audit records seems more suitable for capturing the occurrence of DML operations (events) during the normal operation of a forensically-aware database architecture [6]. Particularly, for making these audit records forensically admissible as digital evidence, this approach enforces Chain of Custody (CoC) properties [8] as (1) role segregation to prevent their modification, (2) capturing provenance of every event performed on transactional data, (3) event ordering in a timeline for explaining their causality and allowing third-party verification, and (4) ensuring these properties remain active during the architecture's normal operation.…”

“…This novel architecture is based on hybrid logical clocks (HLC), first proposed in [9], but implementing CoC properties at its core to support the generation, collection and preservation of audit records, having a transactional and a forensic database residing on separate servers. As opposed to a previous centralised vectorclock (VC) based architecture [6], an experimental deployment of our proposal shows that (i) provenance and causality tracking is indeed more accurate, preventing inconsistent observations since concurrent and sequential events are timelined using synchronised physical clocks (ii) timestamps are node and audit table independent, making it more scalable in terms of system size and (iii) although higher latency is expected due to its distributed deployment, around 70 per cent of user transactions will incur within acceptable latency intervals. The rest of the article is outlined as follows.…”

“…In Section II, research background and related work is provided, followed by an explanation of both system and attack models in Section III. Next, in Section IV, we explain the architecture's formal specification, having role segregation, provenance, timelining and causality as CoC properties [6]. Then, in sections V and VI, we deploy and evaluate the architecture performance.…”

Hybrid Logical Clocks for Database Forensics: Filling the Gap between Chain of Custody and Database Auditing

Forensic experts' view of forensic‐ready software systems: A qualitative study

An Overview of Proactive Forensic Solutions and its Applicability to 5G