Patrick Stahlberg
Brian Neil Levine
ABSTRACT
The use of any modern computer system leaves unintended traces of expired data and remnants of users' past activities. In this paper, we investigate the unintended persistence of data stored in database systems. This data can be recovered by forensic analysis, and it poses a threat to privacy.
First, we show how data remnants are preserved in database table storage, the transaction log, indexes, and other system components. Our evaluation of several real database systems reveals that deleted data is not securely removed from database storage and that users have little control over the persistence of deleted data.
Second, we address the problem of unintended data retention by proposing a set of system transparency criteria: data retention should be avoided when possible, evident to users when it cannot be avoided, and bounded in time.
Third, we propose specific techniques for secure record deletion and log expunction that increase the transparency of database systems, making them more resistant to forensic analysis.
- A. Ailamaki, S. Krishnamurthy, S. Papadimitriou, and B. Schroeder. "PostgreSQL", Chapter 26 of Database System Concepts. McGraw-Hill, 5th edition, 2006.Google Scholar
- Berkeley db xml. Available at www.sleepycat.com.Google Scholar
- S. Bauer and N. B. Priyantha. Secure data deletion for linux file systems. In Procedings of the 10th USENIX Security Symposium, pages 153--164, 2001. Google ScholarDigital Library
- P. A. Bernstein and E. Newcomer. Principles of Transaction Processing. Morgan Kaufmann, 1997. Google ScholarDigital Library
- D. Boneh and R. J. Lipton. A revocable backup system. In USENIX Security Symposium, pages 91--96, 1996. Google ScholarDigital Library
- S. Byers. Scalable Exploitation of, and Responses to Information Leakage Through Hidden Data in Published Documents, April 2003.Google Scholar
- R. Card, T. Tso, and S. Tweedie. Design and implementation of the second extended filesystem. In Proc. Dutch International Symposium on Linux, 2004.Google Scholar
- B. Carrier. Sleuth toolkit / Autopsy forensic browser. Available at www.sleuthkit.org.Google Scholar
- B. Carrier. File System Forensic Analysis. Addison-Wesley Professional, 2005. Google ScholarDigital Library
- E. Casey. Digital Evidence and Computer Crime. Elsevier, 2nd edition, 2004. Google ScholarDigital Library
- J. Chow, B. Pfaff, T. Garfinkel, K. Christopher, and M. Rosenblum. Understanding Data Lifetime via Whole System Simulation. In Proc. USENIX Security Symposium, August 2004. Google ScholarDigital Library
- J. Chow, B. Pfaff, T. Garfinkel, and M. Rosenblum. Shredding Your Garbage: Reducing Data Lifetime Through Secure Deallocation. In Proc. USENIX Security Symposium, August 2005. Google ScholarDigital Library
- National Industrial Security Program Operating Manual DoD 5220.22-M. www.dss.mil/isec/nispom_0195.pdf, Jan 1995.Google Scholar
- Encase forensic. Available at www.guidancesoftware.com.Google Scholar
- R. Edmonds. Justice department hid parts of report criticizing diversity effort. Associated Press/USA Today, October 2003.Google Scholar
- U.S. Family Educational Rights and Privacy Act (FERPA). www.ed.gov/offices/OII/fpco/ferpa.Google Scholar
- S. L. Garfinkel. Design Principles and Patterns for Computer Systems That Are Simultaneously Secure and Usable. PhD thesis, M.I.T., 2005. Google ScholarDigital Library
- S. L. Garfinkel and A. Shelat. Remembrance of data passed: A study of disk sanitization practices. IEEE Security and Privacy, Jan/Feb 2003. Google ScholarDigital Library
- T. Garfinkel, B. Pfaff, J. Chow, and M. Rosenblum. Data Lifetime is a Systems Problem. In Proc. ACM SIGOPS European Workshop, September 2004. Google ScholarDigital Library
- M. Geiger and L. Cranor. Scrubbing stubborn data: An evaluation of counter-forensic privacy tools. IEEE Security and Privacy Magazine, 4(5):16--25, 2006. Google ScholarDigital Library
- M. Goodrich, M. Atallah, and R. Tamassia. Indexing information for data forensics. In Applied Cryptography and Network Security Conference (ACNS), pages 206--221, 2005. Google ScholarDigital Library
- T. Grieve. The decline and fall of the enron empire. Salon Magazine, October 2003.Google Scholar
- P. Gutmann. Secure Deletion of Data from Magnetic and Solid-State Memory. In Proc. USENIX Security Symposium, July 1996. Google ScholarDigital Library
- U.S. health insurance portability and accountability act (HIPAA). www.hhs.gov/ocr/hipaa.Google Scholar
- N. M. Haller. The S/Key One-Time Password System. In Proc. ISOC Symposium on Network and Distributed System Security, Feb. 1994.Google Scholar
- B. Klimt and Y. Yang. Introducing the Enron Corpus. In Proc. Conference on Email and Anti-Spam (CEAS), July 2004.Google Scholar
- D. Micciancio. Oblivious data structures: applications to cryptography. In Symposium on Theory of Computing, pages 456--464, 1997. Google ScholarDigital Library
- C. Mohan, D. Haderle, B. Lindsay, H. Pirahesh, and P. Schwarz. Aries: a transaction recovery method supporting fine-granularity locking and partial rollbacks using write-ahead logging. ACM Trans. Database Syst., 17(1):94--162, 1992. Google ScholarDigital Library
- Magnetic storage device procedures. The National Security Agency Central Security Service (NSA/CSS) Policy Manual.Google Scholar
- M. Naor and V. Teague. Anti-persistence: History Independent Data Structures. In Proc. Symposium Theory of Computing, May 2001. Google ScholarDigital Library
- K. Pavlou and R. T. Snodgrass. Forensic analysis of database tampering. In Conference on Management of Data (SIGMOD), pages 109--120, 2006. Google ScholarDigital Library
- R. Perlman. The ephemerizer: Making data disappear. Technical Report TR-2005-140, Sun Microsystems, 2005. Google ScholarDigital Library
- Z. Peterson, R. Burns, J. Herring, A. Stubblefield, and A. Rubin. Secure Deletion for a Versioning File System. In Proc. File And Storage Technologies (FAST), pages 143--154, December 2005. Google ScholarDigital Library
- R. Ramakrishnan and J. Gehrke. Database Management Systems. McGraw-Hill, 2000. Google ScholarDigital Library
- R L. Rivest. The RC4 encryption algorithm, Mar 1992.Google Scholar
- R. L. Rivest and A. Shamir. Payword and micromint: Two simple micropayment schemes. In Proceedings of the International Workshop on Security Protocols, pages 69--87, London, UK, 1997. Springer-Verlag. Google ScholarDigital Library
- J. M. Rosenbaum. In defense of the delete key. The Green Bag, 3, 2000.Google Scholar
- Sqlite. Available at www.sqlite.org.Google Scholar
- Secure hash standard. Federal Information Processing Standards Publication (FIPS PUB), 180(1), April 1995.Google Scholar
- J. Shetty and J. Adibi. The enron email dataset database schema and brief statistical report. Technical report, Information Sciences Institute, 2004.Google Scholar
- A. Silberchatz, H. Korth, and S. Sudarshan. Database System Concepts. McGraw-Hill, 5th edition, 2006. Google ScholarDigital Library
- R. T. Snodgrass, S. S. Yao, and C. Collberg. Tamper detection in audit logs. In VLDB Conference, 2004. Google ScholarDigital Library
- M. Stonebraker and L. A. Rowe. The design of postgres. In SIGMOD Conference, pages 340--355, 1986. Google ScholarDigital Library
Index Terms
- Threats to privacy in the forensic analysis of database systems
Recommendations
Privacy-preserving deletion to generalization-based anonymous database
CUBE '12: Proceedings of the CUBE International Information Technology ConferenceWhile creating an anonymous database it is assumed that all data is available at the time of creation. Once record is added to database, it is not deleted or if a user wants to delete person's record from database, it will be removed from it in its next ...
Security and privacy for database systems
ADC '12: Proceedings of the Twenty-Third Australasian Database Conference - Volume 124Database security is a discipline that seeks methods to protect data stored at DBMSs from intrusions, improper modifications, theft, and unauthorized disclosure of private information. This is realized through a set of security services, which meet the ...
Privacy in the 21st Century: From the "Dark Ages" to "Enlightenment"?
The events of 9/11 along with the bombarding in Madrid and London forced governments to resort to new structures of privacy safeguarding and electronic surveillance under the common denominator of terrorism and transnational crime fighting. Legislation ...
Comments