Forensic Analysis of Database Tampering
Raul Quinonez
CS 4398 Digital Forensics
10/25/13
Introduction
Three questions to answer: How do we detect tampering? What data has been tampered with? Who did it? Detection is answered by validation; the "what" and "who" are approached through forensic analysis.
Tamper Detection
Cryptographic hash functions: during the normal processing phase each transaction is hashed as it commits, and the hashes are chained.
The cumulative hash is periodically sent to an external digital notarization service, so a later validation can recompute the hash over the stored data and compare it with the notarized value.
Temporal Detection
Each transaction is hashed; a validation that fails to reproduce a notarized hash identifies that stored data has been corrupted.
Forensic analysis then focuses on two times: the original transaction time of the affected data (where in the data the corruption lies) and the time of the corruption itself (when it happened).
A single corrupted tuple is a single-locus corruption; several corrupted tuples form a multi-locus corruption.
Corruption Diagram (figure only: transaction time of the data against the time of the corruption)
Forensic Analysis
Four algorithms: Monochromatic, RGBY, Tiled Bitmap, a3D.
Monochromatic: a single cumulative hash chain (black) over all of the data.
RGBY: four types of chains (red, green, blue, yellow), each covering the data in a different pattern so that the set of chains that fail narrows the corruption region.
Tiled Bitmap: tiles of chains over contiguous data segments; which chains in a tile fail forms a bitmap that locates the corrupted segments.
a3D Algorithm: partial hash chains whose extent changes with transaction time.
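The detection mechanism from the Tamper Detection and Temporal Detection slides and the Monochromatic algorithm above, as an added worked example (this is not code from the slides or from Pavlou and Snodgrass): it simulates the normal processing phase with a cumulative SHA-256 hash chain that is notarized every I_N transaction-time units, a validator that runs every I_V units, and a binary search over the notarized hashes that bounds the corruption region (where, when) in the corruption diagram. The interval values, the one-row-per-transaction layout, the in-memory "notary", the constructed rows and the names AuditedDB, monochromatic_forensics and run_scenario are assumptions made for this example.

```python
import hashlib

# Constructed example parameters (assumptions, not values from the paper or slides):
I_N = 2   # notarization interval: cumulative hash is notarized every 2 transaction-time units
I_V = 4   # validation interval: the validator runs every 4 units (a multiple of I_N)


def chain_hash(prev: bytes, t: int, tup: str) -> bytes:
    """Cumulative hash H(prev || t || tuple); binding t prevents silently moving a row in time."""
    return hashlib.sha256(prev + t.to_bytes(8, "big") + tup.encode()).digest()


class AuditedDB:
    """Append-only table plus a simulated external digital notarization service (trusted store)."""

    def __init__(self, i_n: int):
        self.i_n = i_n
        self.rows = {}        # transaction time -> tuple; this is what an intruder can alter later
        self.notarized = {}   # transaction time -> cumulative hash handed to the notary at that time
        self._cum = b""

    def store(self, t: int, tup: str) -> None:
        """Normal processing phase: hash the transaction into the chain as it commits."""
        self.rows[t] = tup
        self._cum = chain_hash(self._cum, t, tup)
        if t % self.i_n == 0:
            self.notarized[t] = self._cum

    def recompute(self, upto: int) -> bytes:
        """Recompute the chain from the data as currently stored, over transaction times <= upto."""
        cum = b""
        for t in sorted(self.rows):
            if t > upto:
                break
            cum = chain_hash(cum, t, self.rows[t])
        return cum

    def validate(self, t_v: int) -> bool:
        """Validation phase: compare the recomputed chain with the latest notarized value."""
        last = max(t for t in self.notarized if t <= t_v)
        return self.recompute(last) == self.notarized[last]


def monochromatic_forensics(db: AuditedDB, t_last_ok: int, t_fail: int):
    """Bound the corruption region after the validation at t_fail failed.

    'when' (time of the corruption): after the last validation that passed, up to the failing one.
    'where' (transaction time of the altered tuple): binary-search the notarized hashes for the
    earliest notarization time whose recomputed hash mismatches. A cumulative chain makes the
    check monotone: once one notarized hash mismatches, every later one does too.
    Both bounds are half-open on the left: (lo, hi].
    """
    points = sorted(t for t in db.notarized if t <= t_fail)
    lo, hi, first_bad = 0, len(points) - 1, None
    while lo <= hi:
        mid = (lo + hi) // 2
        if db.recompute(points[mid]) == db.notarized[points[mid]]:
            lo = mid + 1
        else:
            first_bad, hi = mid, mid - 1
    if first_bad is None:
        return None
    where_lo = points[first_bad - 1] if first_bad > 0 else 0
    return {"where": (where_lo, points[first_bad]), "when": (t_last_ok, t_fail)}


def run_scenario(corrupt_t: int = 7, corrupt_at: int = 10, n_tx: int = 16):
    """Store n_tx constructed rows; at time corrupt_at an intruder rewrites the row stored at
    corrupt_t. Returns the corruption region found by the first failing validation, or None."""
    db = AuditedDB(I_N)
    last_ok = 0
    for t in range(1, n_tx + 1):
        db.store(t, f"row{t}")
        if t == corrupt_at:
            db.rows[corrupt_t] = f"row{corrupt_t}-tampered"   # direct edit, bypassing the DBMS
        if t % I_V == 0:
            if db.validate(t):
                last_ok = t
            else:
                return monochromatic_forensics(db, last_ok, t)
    return None


if __name__ == "__main__":
    print(run_scenario())   # {'where': (6, 8), 'when': (8, 12)}
```

With row 7 rewritten at time 10, the validation at time 12 fails and the search places the altered tuple in transaction-time interval (6, 8] and the corruption in (8, 12]. That is the resolution a single cumulative chain gives: I_N in the "where" direction and I_V in the "when" direction, which is why the RGBY and Tiled Bitmap algorithms add further chains over overlapping segments to shrink the region, and why a multi-locus corruption only reveals its earliest locus to this search.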
Monochromatic Corruption Diagram (figure only)
RGBY Corruption Diagram (figure only)
Tiled Bitmap Corruption Diagram (figure only)
a3D Algorithm (figure only)
Forensic Algorithm Comparison
Tiled Bitmap is the cheapest.
Monochromatic is the easiest to implement.
RGBY is the best option for larger corruption cases.
The a3D algorithm has a constant cost.
Conclusion
How, what and who? The forensic algorithms and how they compare.
References Kyri Pavlou and Richard T. Snodgrass, "Forensic Analysis of Database Tampering," in Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD), pages 109-120, Chicago, June, 2006.