forensic analysis of database tampering
DESCRIPTION
Forensic Analysis of Database Tampering. James Byrd. Abstract. Means to examine if a database has been tampered with already exist How do you detect who did it?. Introduction. - PowerPoint PPT PresentationTRANSCRIPT
Forensic Analysis of Database TamperingJames Byrd
Abstract
• Means to examine if a database has been tampered with already exist
• How do you detect who did it?
Introduction
• File System and Database communities have expressed interest in built in mechanisms that detect and/or prevent tampering of data
• Interest has arisen after laws such as HIPAA, and collusion cases such as Enron and Worldcom companies
Outline of Introduction
• Audit Log Security• Compliant Records• How do these apply to high performance
databases?
Audit Log Security
• a single component of Record Management Systemso RMS’s track documents and their version histories
and ensure that a previous version of a document cannot be altered
o uses notarization keys to track changes
Compliant Records
• records that are required by myriad laws and regulations (roughly 10k in the US)o “to follow certain processes by which they are created,
stored, accessed, maintained and retained”
• usually stored on a WORM disk (Write Once Read Many)
• as the record is modified, all versions are stored along with all of the metadata
High Performance Databases
• the previous approaches cannot be applied to HPD’s because all of the data cannot be stored and notarized after each transaction
• therefore, we must move the Audit Log Capabilities into the DBMSo one way hashing of all of the data and periodic
validation of the audit log database
Thats Great James
• What do I do when I detect an intrusion?• All you know is that at some point in the past
that the data has been alteredo thats dandy
• Cue Forensics Analysis
Forensics Analysis
• needed to determine o WHEN the intrusion occurredo WHAT was alteredo WHO did it
2 - Tamper Detection
1. DBMS can maintain the audit log in the background
2. Data can be modified by a transaction and is then hashed
3. Digitize the hash value with external notarization service
4. Series of implementation optimizations that minimize notaries and speed up DBMS
First Insight - DBMS Maintain Audit Log
• does this by rendering a specified relation as a Transaction-Time Tableo this instructs the database to keep all previous
values as append onlyo easily visible to anyone with the database
Second Insight - Hash the Data
• Take the data modified by the transaction and cryptographically hash it to generate a secure one way hash of the transaction
Third Insight - Digitally Notarize the Hash
• Use an external notarization service to digitally notarize the hash data
• therefore, even if the intruder has access to everything (database, hardware, OS, etc) they cannot change the hash data
Fourth Insight - Series of Implementations
• make optimizations that allow the DBMS to to implement all hashing and notarizing in an efficient manner to not slow down DBMS performance
2 Different Approaches
• normal processingo transactions are run and hash values are digitally
notarized
• validationo hash values are recomputed and compared with
previous hasheso this is where detection is found
3 - Some Definitions
• Corruption Evento any event that corrupts the data or the database
• Validation Evento finding of a CE
Time = time of ve
• Notarization Evento notarization of th documetn by the notary service
Corruption Diagram
• Drawing Time :)
Forensic Analysis
• Ascertain the “Corruption Zone”, that is the area where the corruption took placeo bounds of when and where
Notarization and Validation Intervals
• Validation intervals should be equal to or longer than the notarization interval
• The VI should also be a multiple of the Notation Interval
• The values should be set up that they happen at the same time occasionally
Backdating Issues
• If a value is backdated, then the Corruption Zone is increased in size to accommodate the date of the backdate
RGB Forensic Algorithm
• useful for postdating• 3 chains of hash functions per database
refresho only portions
• no additional disk reads are necessary• useful for forensics analysis
Polychromatic Algorithm
• smaller regions than the RGB alg• uses a lot of math and graph theory• summary:
o gives a more precise region of where the tampering occured
Comparison1. Trivial
a. the entire triangle is the region2. Monochromatic
a. gives a specific part of the triangle but requires many queries3. RGB
a. area in question reduced to days but requires additional partial hash functions
4. Polychromatica. limits the region to specific date and time