Presentation is loading. Please wait.

Presentation is loading. Please wait.

Threats to Privacy in the Forensic Analysis of Database Systems

Published byHanna Johansson Modified over 5 years ago

Similar presentations

Presentation on theme: "Threats to Privacy in the Forensic Analysis of Database Systems"— Presentation transcript:

1 Threats to Privacy in the Forensic Analysis of Database Systems
Andy Michels CSCE 824

2 Overview Introduction How Data Remnants are Preserved
Example - File Carving System Transparency Proposal Specific Techniques for Record Deletion Log Expunction Conclusion

3 Introduction Preserving historical data / records of activities is important Recover after system failures Forensic analysis of past events (hacks, breaches) Audit compliance with security policies (especially with government computer systems) Computer system use will unintentionally leave traces of expired data No precise control over data destruction = remnants of past data can become a problem Introduction Using any kind of computer system will unintentionally leave traces of expired data and remnants of users’ past activities Preserving historical data / records of activities is important Recover after system failures Forensic analysis of past events (hacks, breaches) Audit compliance with security policies (especially with government computer systems) This is good, but retaining history can pose a threat to privacy No precise control over data destruction = remnants of past data can become a problem E.g., table storage, indexes, logs, materialized views, temporary relations These kinds of data are revealed through forensic analysis - the collection and analysis of data recovered from computer systems Good for authorized investigators to use, but not good for unauthorized parties to use Proposition: forensically transparent system. This means that all the data kept by a computer should be accessible through a legitimate interface; hidden data should not able to be recovered through inspection Database storage - embedded in applications for persistence ( , web browsers, Google Desktop, etc.) Essentially a sophisticated replacement for cookies.

4 Introduction Forensic analysis - the collection and analysis of data recovered from computer systems Good for authorized investigators to use, but not good for unauthorized parties to use Proposal: Forensically Transparent System All the data kept by a computer should be accessible through a legitimate interface

5 How Data Remnants are Preserved
Sources: RAM document files web browsers Forensic tools (Sleuth Toolkit, EnCASE Forensic) Files must be overwritten E.g., DBAN (Darik’s Boot and Nuke) How Data Remnants are Preserved Sources - RAM, document files, web browsers. All sorts of data everywhere that are stored. Again, think of it like sophisticated cookies. Forensic tools (Sleuth Toolkit, EnCASE Forensic) used by investigators As computer scientists, we know that files must be overwritten to be truly deleted E.g., wiping computers using programs like DBAN (Darik’s Boot and Nuke, an open source tool used to scramble bytes with zeroes / random sequences)

6 Example - File Carving File Carving - the process of searching for patterns in bits (File Signatures or “Magic Numbers”) E.g., JPEG files the leading bits will always be 0xFFD8FFE3 the trailing bits will always be 0xFFD9 Scalpel - file carving forensics program Can find files specifically related to databases like this as well (.sqlite, .db, etc.) Limitations: Fragmented files Compression Disk encryption Example Given a disk, there are tools out there to interpret common file types (usually in the form of hexadecimal dumps) File carving is the process of searching for patterns in bits (File Signatures or “Magic Numbers”) For JPEG files, the leading bits will always be 0xFFD8FFE3 and the trailing bits will always be 0xFFD9 Scalpel - one such program for file carving used in forensics. You can specify which signature you’d like to find in the configuration file and then run the program on a given disk You can find files specifically related to databases like this as well (.sqlite, .db, etc.) Obviously, this doesn’t really work if you have fragmented files, compression, or disk encryption, but it is a good example of what kind of tools are out there to recover private data from a disk.

7 System Transparency Proposal
Anyone with access to lower layer interfaces can read unintentionally retained data Forensically transparent if the database system is: The impact of each operation on the state of the records (active, inactive) is clear Only active records should be retained by the database Expired records must be removed after a period of time when they become expired System Transparency Proposal Anyone with access to lower layer interfaces can read unintentionally retained data The database system can provide an unreliable view of the actual stored contents of the system Serious impact on privacy Malicious users can access information that is persistent Forensically transparent if the database system is: The impact of each operation on the state of the records (active, inactive) is clear Only active records should be retained by the database Expired records must be removed after a period of time when they become expired

8 Specific Techniques for Record Deletion
Tables are stored in paged files Records share the storage space of one page Deletion bit - data is not fully removed and is still recoverable Vacuum component: Improves storage performance, but time-consuming Size of table storage may be reduced Makes more space within the file system ...but does not completely remove the data Specific Techniques for Record Deletion and Log Expunction In database systems, tables are stored in paged files and a lot of records share the storage space of one page. Deletion of records accomplished by setting a deletion bit - data is not fully removed and is still recoverable There is also a vacuum component - executed by the database administrator Improves storage performance, but time-consuming Size of table storage may be reduced. Makes more space within the file system, but does not completely remove the data. They’re just unallocated and recoverable.

9 Log Expunction Logs - prior states of the database can and will be retained (contains sensitive data) Depends on the... capacity of the log file rate of updates log space required by update frequency of checkpointing Large companies = cycles log files quickly Small companies = cycles log files slowly Logs - prior states of the database can and will be retained (contains sensitive data) Lots of variables with this - depends on the 1) capacity of the log file 2) rate of updates 3) log space required by update 4) frequency of checkpointing This means large companies with a lot of transaction processing may cycle through their log file in a few days or once per day. Contrarily, logs could keep months upon months of data.

10 Log Expunction Transparency with Logs
data should be deleted as soon as it is no longer needed for recovery Parts of the log will never be used by the recovery manager, so those types should be deleted Transparency with Logs - data should be deleted as soon as it is no longer needed for recovery. Parts of the log will never be used by the recovery manager, so those types should be deleted Lots of varying amounts of data retention for expired data

11 Conclusions Data that can be recovered = threat to privacy
Preserving history and logs within databases gives a record of what occurred within applications Databases provide false view of data More analysis of specific databases would be beneficial Data that can be recovered and used to identify users poses a threat to privacy; there is a problem with unintended data retention Preserving history and logs within databases gives a record of what occurred within applications Database systems fail to remove data and provide a false view of said data Having said that, a specific approach does not exist for this solution in addition to the fact that there are several performance trade-offs in determining unintended data retention This means that the experiments are not exhaustive. There still could be more analysis done that targets specific database applications Adding details to determine what specific types of algorithms could; further research is required, especially on database systems that do not include MySQL

12 Works Cited Stahlberg, Patrick, et al. “Threats to Privacy in the Forensic Analysis of Database Systems.” Proceedings of the 2007 ACM SIGMOD International Conference on Management of Data - SIGMOD '07, 2007, doi: /

Download ppt "Threats to Privacy in the Forensic Analysis of Database Systems"

Similar presentations

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.
Improving Transaction-Time DBMS Performance and Functionality David Lomet Microsoft Research Feifei Li Florida State University.

Improving Transaction-Time DBMS Performance and Functionality David Lomet Microsoft Research Feifei Li Florida State University.
CookiesPHPMay-2007 : [‹#›] Maintaining State in PHP Part I - Cookies.

CookiesPHPMay-2007 : [‹#›] Maintaining State in PHP Part I - Cookies.
On the Privacy of Private Browsing Kiavash Satvat, Matt Forshaw, Feng Hao, Ehsan Toreini Newcastle University DPM’13.

On the Privacy of Private Browsing Kiavash Satvat, Matt Forshaw, Feng Hao, Ehsan Toreini Newcastle University DPM’13.
Threats to privacy in the forensic analysis of database systems Patrick Stahlberg, Gerome Miklau, and Brian Neil Levine Department of Computer Science.

Threats to privacy in the forensic analysis of database systems Patrick Stahlberg, Gerome Miklau, and Brian Neil Levine Department of Computer Science.
This presentation will take a look at to prevent your information from being discovered by and investigator.

This presentation will take a look at to prevent your information from being discovered by and investigator.
Auditing Computer-Based Information Systems

Auditing Computer-Based Information Systems
Unit 18 Data Security 1.

Unit 18 Data Security 1.
Computer Forensics, The Investigators Persepective Paul T. Mobley Sr. Computer Forensics Consultant Jawz Inc.

Computer Forensics, The Investigators Persepective Paul T. Mobley Sr. Computer Forensics Consultant Jawz Inc.
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Evidor: The Evidence Collector Software using for: Software for lawyers, law firms, corporate law and IT security departments, licensed investigators,

Evidor: The Evidence Collector Software using for: Software for lawyers, law firms, corporate law and IT security departments, licensed investigators,
Technology for Computer Forensics by Alicia Castro.

Technology for Computer Forensics by Alicia Castro.
Chapter 8 Security Transparencies © Pearson Education Limited 1995, 2005.

Chapter 8 Security Transparencies © Pearson Education Limited 1995, 2005.
Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.
Testing - an Overview September 10, 2008 1. What is it, Why do it? Testing is a set of activities aimed at validating that an attribute or capability.

Testing - an Overview September 10, What is it, Why do it? Testing is a set of activities aimed at validating that an attribute or capability.
Hippocratic Databases Paper by Rakesh Agrawal, Jerry Kiernan, Ramakrishnan Srikant, Yirong Xu CS 681 Presented by Xi Hua March 1st,Spring05.

Hippocratic Databases Paper by Rakesh Agrawal, Jerry Kiernan, Ramakrishnan Srikant, Yirong Xu CS 681 Presented by Xi Hua March 1st,Spring05.
Recovering and Examining Computer Forensic Evidence Noblett, Pollit, & Presley Forensic Science Communications October 2000 (Cited by 13 according to Google.

Recovering and Examining Computer Forensic Evidence Noblett, Pollit, & Presley Forensic Science Communications October 2000 (Cited by 13 according to Google.
Recovery Techniques in Distributed Databases Naveen Jones December 5, 2011.

Recovery Techniques in Distributed Databases Naveen Jones December 5, 2011.
Event Viewer Was of getting to event viewer Go to –Start –Control Panel, –Administrative Tools –Event Viewer Go to –Start.

Event Viewer Was of getting to event viewer Go to –Start –Control Panel, –Administrative Tools –Event Viewer Go to –Start.
Capturing Computer Evidence Extracting Information.

Capturing Computer Evidence Extracting Information.

Similar presentations

Ads by Google