Presentation is loading. Please wait.

Presentation is loading. Please wait.

A UNIVERSAL CARVING APPROACH FOR DATABASE FORENSIC ANALYSIS James Wagner, Alexander Rasin, Jonathan Grier.

Published byNoah Ball Modified over 8 years ago

Similar presentations

Presentation on theme: "A UNIVERSAL CARVING APPROACH FOR DATABASE FORENSIC ANALYSIS James Wagner, Alexander Rasin, Jonathan Grier."— Presentation transcript:

1 A UNIVERSAL CARVING APPROACH FOR DATABASE FORENSIC ANALYSIS James Wagner, Alexander Rasin, Jonathan Grier

2  Background (File System Forensics vs. Database Forensics)  Reconstructing Data and DICE  Reconstructing Deleted Data  Experiments  Conclusion and Future Work Overview

3 File System Forensics Header File Fragment 1 File Fragment 2 Footer gap

4 Database Forensics Challenges  Database specific data models  No file headers  Record reconstruction  Values are encoded with metadata Forensics is Reconstruction, not Recovery  No database intervention  Backups are not available  Corrupted disk, deleted files, read-only

5 Table Customer Table Supplier Index C_Age Materialized View C_Account Database Structures IDNameCity IDName 12341234 Steve Sally Sam Susy San Diego Springfield St. Louis Seattle 12341234 Craig Claire Chris Carol Account $2000 $5000 $1000 $4000 Name Claire Carol Account $5000 $4000 AgePointer Age 40 26 34 33 26 33 34 40 24312431 SELECT Name, Account FROM Customer WHERE Account > 3000;

6 Page Header Row Directory Row Data Other Structures Row 4 : 4, Mark, Boston Row 3 : 3, Mary, Dallas Row 2 : 2, Jane, Chicago Row 1 : 1, John, Boston Row 1 Address Row 2 Address Row 3 Address Row 4 Address Table Data Customer Free space, etc. 20% 80% Database Storage: Pages  Minimum Unit of Storage  Typically 4KB or 8KB

7 Parameter Detector Database Management System Content Parser Iteratively load synthetic data Capture DB storage DB config. files Generate DB config. file DBMS disk image DBMS RAM snapshot Data pages (tables & indexes) Deleted data, etc. Volatile user artifacts DICE: Database Image Content Explorer

8 Parameter Detector Database Management System Content Parser Iteratively load synthetic data Capture DB storage DB config. files Generate DB config. file DBMS disk image DBMS RAM snapshot Data pages (tables & indexes) Deleted data, etc. Volatile user artifacts DICE: Parameter Collector

9 Parameter Detector Database Management System Content Parser Iteratively load synthetic data Capture DB storage DB config. files Generate DB config. file DBMS disk image DBMS RAM snapshot Data pages (tables & indexes) Deleted data, etc. Volatile user artifacts DICE: Content Parser

10 DICE and Python  Adapters for every database  Portable across operating systems  Simple database connections  Constantly changing and creating page parameters

11 Parameter Collection: Row Data Example: MySQL primary key storage

12 Parameter Collection: Datatypes  How do you automate it? Example: Integers PostgreSQL(4 bytes): (256 0 * B 1 ) + (256 1 * B 2 ) + (256 2 * B 3 ) + (256 3 * B 4 ) 1 = 1, 0, 0, 0 256 = 0, 1, 0, 0 257 = 1, 1, 0, 0 Oracle: Uses zero compression. 4 = 3, 192, 5 40 = 3, 192, 41 400 = 3, 193, 5 440 = 4, 193, 5, 41  Datatype Detection. Example: PostgreSQL Integer of String? ASCII Decimal3 J ay 7497121.

13 5 | 10John Smith | 11 | 5Texas 1&3&5&15 || 5 | 11 | John Smith | Texas Generalizing Parameters

14 Parsing Example: PostgreSQL ParameterValue Raw Data Delimiter 2, 9, 24 Raw Data Position 4 Number Storage4 String X String Y 2 3 Number MethodPSQL ASCIIDecimal 0 2 9 24 0 +43 6 0 0 '39 C67 u117 s115 t116 ASCIIDecimal o111 m109 e101 r114 #35 048 0 0 0 0 149 553 755 957 C1 = 1579(Integer) C2 = Customer#000001579(String) Length = (39 – 3)/2 = 18

15 DBMSes Different parameters No Linux Support Hard to get some older DB versions

16 Deleted Data  No longer recoverable  A delete only marks data, not overwrite.  Unallocated storage  Three flavors of deleted data DICE can reconstruct: 1. Rows 2. Pages 3. Values

17 Deleted Data: Rows 1. MySQL or Oracle 2. PostgreSQL 3. SQLite *DB2 and SQL Server mark a deletion in the row directory

18 Deleted Data: Pages

19 Deleted Data: Values

20 Experiment 1: Recovering Deleted Rows Introduction  Lifetime of deleted rows  Representative DBs Oracle - Percent page utilization (39%) SQL Server – Overwrite if there’s space Setup  2 tables: 20K random sized rows  85 rows/page, 236 pages  Random & contiguous deletes  Inserted rows were random size OracleSQLServer ActionT1(Rand)T2(Cont) Delete 1K Rows Insert 1K Rows T1(Rand)T2(Cont) 1000 8 1000 416 394 1000 354 12 Step 1 Step 2 Step 3

21 Experiment 1: Example

22 Experiment 2: Memory Monitoring (Step 1 of 3) Part Synthetic Tables Lineorder EmptyIndexes CustomerOther  1 pixel = 1 page  50K pages total Snapshot 1Snapshot 2

23 Experiment 2: Memory Monitoring (Step 2 of 3) Part Synthetic Tables Lineorder EmptyIndexes CustomerOther  1 pixel = 1 page  50K pages total Snapshot 2Snapshot 3

24 Experiment 2: Memory Monitoring (Step 3 of 3) Part Synthetic Tables Lineorder EmptyIndexes CustomerOther  1 pixel = 1 page  50K pages total Snapshot 3Snapshot 4

25 Experiment 2: Memory Monitoring (Summary)

26 Conclusion  DICE generalizes storage at the page level  Reconstruct data (corrupted, deleted, RAM) Future Work  Detect log file modification with DICE Audit the DBA Disk - Deleted, updated and inserted rows RAM - Read-only queries

27 Questions

Download ppt "A UNIVERSAL CARVING APPROACH FOR DATABASE FORENSIC ANALYSIS James Wagner, Alexander Rasin, Jonathan Grier."

Similar presentations

Module 2: Database Architecture

Module 2: Database Architecture
<Insert Picture Here>

<Insert Picture Here>
5 Copyright © 2005, Oracle. All rights reserved. Managing Database Storage Structures.

5 Copyright © 2005, Oracle. All rights reserved. Managing Database Storage Structures.
Threats to privacy in the forensic analysis of database systems Patrick Stahlberg, Gerome Miklau, and Brian Neil Levine Department of Computer Science.

Threats to privacy in the forensic analysis of database systems Patrick Stahlberg, Gerome Miklau, and Brian Neil Levine Department of Computer Science.
Page 1JSOC Review – 17 March 2005 Database Maintenance Karen Tian

Page 1JSOC Review – 17 March 2005 Database Maintenance Karen Tian
Chapter 101. 2 Oracle Server An Oracle Server consists of an Oracle database (stored data, control and log files.) The Server will support SQL to define.

Chapter Oracle Server An Oracle Server consists of an Oracle database (stored data, control and log files.) The Server will support SQL to define.
DBMS Transactions and Rollback Recovery Helia / Martti Laiho.

DBMS Transactions and Rollback Recovery Helia / Martti Laiho.
CSE 781 – DATABASE MANAGEMENT SYSTEMS Introduction To Oracle 10g Rajika Tandon.

CSE 781 – DATABASE MANAGEMENT SYSTEMS Introduction To Oracle 10g Rajika Tandon.
An introduction to SQL 1/21/2014 – See chapter 2.3 and 6.1 PostgreSQL -

An introduction to SQL 1/21/2014 – See chapter 2.3 and 6.1 PostgreSQL -
Architecture Rajesh. Components of Database Engine.

Architecture Rajesh. Components of Database Engine.
1099 Why Use InterBase? Bill Todd The Database Group, Inc.

1099 Why Use InterBase? Bill Todd The Database Group, Inc.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #8 Guest Lecture September 21, 2009.

Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #8 Guest Lecture September 21, 2009.
A Brief Documentation.  Provides basic information about connection, server, and client.

A Brief Documentation.  Provides basic information about connection, server, and client.
Database structure and space Management. Database Structure An ORACLE database has both a physical and logical structure. By separating physical and logical.

Database structure and space Management. Database Structure An ORACLE database has both a physical and logical structure. By separating physical and logical.
Database structure and space Management. Segments The level of logical database storage above an extent is called a segment. A segment is a set of extents.

Database structure and space Management. Segments The level of logical database storage above an extent is called a segment. A segment is a set of extents.
6 Copyright © 2007, Oracle. All rights reserved. Managing Database Storage Structures.

6 Copyright © 2007, Oracle. All rights reserved. Managing Database Storage Structures.
Oracle 10g Database Administrator: Implementation and Administration Chapter 5 Basic Storage Concepts and Settings.

Oracle 10g Database Administrator: Implementation and Administration Chapter 5 Basic Storage Concepts and Settings.
Performance. Performance Performance is a critical issue especially in a multi-user environment. Benchmarking is one way of testing this.

Performance. Performance Performance is a critical issue especially in a multi-user environment. Benchmarking is one way of testing this.
ICOM 5016 – Introduction to Database Systems Lecture 13- File Structures Dr. Bienvenido Vélez Electrical and Computer Engineering Department Slides by.

ICOM 5016 – Introduction to Database Systems Lecture 13- File Structures Dr. Bienvenido Vélez Electrical and Computer Engineering Department Slides by.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #8 File Systems September 22, 2008.

Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #8 File Systems September 22, 2008.

Similar presentations

Ads by Google