
Forensic analysis of database tampering

Published: 12 December 2008

Abstract

Regulations and societal expectations have recently expressed the need to mediate access to valuable databases, even by insiders. One approach is tamper detection via cryptographic hashing. This article shows how to determine when the tampering occurred, what data was tampered with, and perhaps, ultimately, who did the tampering, via forensic analysis. We present four successively more sophisticated forensic analysis algorithms: the Monochromatic, RGBY, Tiled Bitmap, and a3D algorithms, and characterize their “forensic cost” under worst-case, best-case, and average-case assumptions on the distribution of corruption sites. A lower bound on forensic cost is derived, with RGBY and a3D being shown optimal for a large number of corruptions. We also provide validated cost formulæ for these algorithms and recommendations for the circumstances in which each algorithm is indicated.

Supplementary Material

Pavlou Appendix (a30-pavlou-apndx.pdf)
Online appendix to forensic analysis of database tampering. The appendix supports the information on article 30.

Cited By

  • (2024) A Forensic Framework for gathering and analyzing Database Systems using Blockchain Technology. Engineering, Technology & Applied Science Research 14(3), 14079-14087. doi:10.48084/etasr.7143. Online publication date: 1-Jun-2024
  • (2024) Digital Forensics Readiness Framework (DFRF) to Secure Database Systems. Engineering, Technology & Applied Science Research 14(2), 13732-13740. doi:10.48084/etasr.7116. Online publication date: 2-Apr-2024
  • (2024) Smart proctoring with automated anomaly detection. Education and Information Technologies. doi:10.1007/s10639-024-13189-7. Online publication date: 2-Dec-2024
  • (2023) Electronic Evidence: A Framework for Applying Digital Forensics to Data Base. Journal of Forensic Accounting Research 8(1), 266-286. doi:10.2308/JFAR-2022-006. Online publication date: 20-Nov-2023
  • (2023) Factors Influencing the Success of Database Forensic Investigation in Organisations. 2023 International Conference on Electrical, Computer and Energy Technologies (ICECET), 1-7. doi:10.1109/ICECET58911.2023.10389518. Online publication date: 16-Nov-2023
  • (2023) Multi-State Merkle Patricia Trie (MSMPT): High-Performance Data Structures for Multi-Query Processing Based on Lightweight Blockchain. IEEE Access 11, 117282-117296. doi:10.1109/ACCESS.2023.3325748. Online publication date: 2023
  • (2023) Database memory forensics: Identifying cache patterns for log verification. Forensic Science International: Digital Investigation 45, 301567. doi:10.1016/j.fsidi.2023.301567. Online publication date: Jul-2023
  • (2022) Application of Artificial Intelligence to Network Forensics: Survey, Challenges and Future Directions. IEEE Access 10, 110362-110384. doi:10.1109/ACCESS.2022.3214506. Online publication date: 2022
  • (2021) Face Validation of Database Forensic Investigation Metamodel. Infrastructures 6(2), 13. doi:10.3390/infrastructures6020013. Online publication date: 20-Jan-2021
  • (2021) Query Processing in Blockchain Systems: Current State and Future Challenges. Future Internet 14(1), 1. doi:10.3390/fi14010001. Online publication date: 21-Dec-2021


Published In

ACM Transactions on Database Systems, Volume 33, Issue 4
November 2008
379 pages
ISSN:0362-5915
EISSN:1557-4644
DOI:10.1145/1412331

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 12 December 2008
Accepted: 01 August 2008
Revised: 01 June 2008
Received: 01 December 2007
Published in TODS Volume 33, Issue 4


Author Tags

  1. Monochromatic algorithm
  2. Polychromatic algorithm
  3. RGBY algorithm
  4. Tiled Bitmap algorithm
  5. a3D algorithm
  6. compliant records
  7. forensic analysis algorithm
  8. forensic cost

Qualifiers

  • Research-article
  • Research
  • Refereed


Article Metrics

  • Downloads (last 12 months): 34
  • Downloads (last 6 weeks): 4

Reflects downloads up to 07 Mar 2025
