Forensic Analysis of Database TamperingJames Byrd

Abstract

• Means to examine if a database has been tampered with already exist

• How do you detect who did it?

Introduction

• File System and Database communities have expressed interest in built in mechanisms that detect and/or prevent tampering of data

• Interest has arisen after laws such as HIPAA, and collusion cases such as Enron and Worldcom companies

Outline of Introduction

• Audit Log Security• Compliant Records• How do these apply to high performance

databases?

Audit Log Security

• a single component of Record Management Systemso RMS’s track documents and their version histories

and ensure that a previous version of a document cannot be altered

o uses notarization keys to track changes

Compliant Records

• records that are required by myriad laws and regulations (roughly 10k in the US)o “to follow certain processes by which they are created,

stored, accessed, maintained and retained”

• usually stored on a WORM disk (Write Once Read Many)

• as the record is modified, all versions are stored along with all of the metadata

High Performance Databases

• the previous approaches cannot be applied to HPD’s because all of the data cannot be stored and notarized after each transaction

• therefore, we must move the Audit Log Capabilities into the DBMSo one way hashing of all of the data and periodic

validation of the audit log database

Thats Great James

• What do I do when I detect an intrusion?• All you know is that at some point in the past

that the data has been alteredo thats dandy

• Cue Forensics Analysis

Forensics Analysis

• needed to determine o WHEN the intrusion occurredo WHAT was alteredo WHO did it

2 - Tamper Detection

1. DBMS can maintain the audit log in the background

2. Data can be modified by a transaction and is then hashed

3. Digitize the hash value with external notarization service

4. Series of implementation optimizations that minimize notaries and speed up DBMS

First Insight - DBMS Maintain Audit Log

• does this by rendering a specified relation as a Transaction-Time Tableo this instructs the database to keep all previous

values as append onlyo easily visible to anyone with the database

Second Insight - Hash the Data

• Take the data modified by the transaction and cryptographically hash it to generate a secure one way hash of the transaction

Third Insight - Digitally Notarize the Hash

• Use an external notarization service to digitally notarize the hash data

• therefore, even if the intruder has access to everything (database, hardware, OS, etc) they cannot change the hash data

Fourth Insight - Series of Implementations

• make optimizations that allow the DBMS to to implement all hashing and notarizing in an efficient manner to not slow down DBMS performance

2 Different Approaches

• normal processingo transactions are run and hash values are digitally

notarized

• validationo hash values are recomputed and compared with

previous hasheso this is where detection is found

3 - Some Definitions

• Corruption Evento any event that corrupts the data or the database

• Validation Evento finding of a CE

Time = time of ve

• Notarization Evento notarization of th documetn by the notary service

Corruption Diagram

• Drawing Time :)

Forensic Analysis

• Ascertain the “Corruption Zone”, that is the area where the corruption took placeo bounds of when and where

Notarization and Validation Intervals

• Validation intervals should be equal to or longer than the notarization interval

• The VI should also be a multiple of the Notation Interval

• The values should be set up that they happen at the same time occasionally

Backdating Issues

• If a value is backdated, then the Corruption Zone is increased in size to accommodate the date of the backdate

RGB Forensic Algorithm

• useful for postdating• 3 chains of hash functions per database

refresho only portions

• no additional disk reads are necessary• useful for forensics analysis

Polychromatic Algorithm

• smaller regions than the RGB alg• uses a lot of math and graph theory• summary:

o gives a more precise region of where the tampering occured

Comparison1. Trivial

a. the entire triangle is the region2. Monochromatic

a. gives a specific part of the triangle but requires many queries3. RGB

a. area in question reduced to days but requires additional partial hash functions

4. Polychromatica. limits the region to specific date and time