Forensic Analysis of Database Tampering
Raul Quinonez, CS 4398 Digital Forensics, 10/25/13
How to detect tampering?
What data has been tampered?
Who did it via forensic analysis?
Cryptographic Hashing functions
Normal Processing Phase
Digital Normalization Service
Each transaction is hashed
Identify corrupted stored data transactions
Focus on original time of transaction and time of corrupted transaction
Several corrupted tuples: multi-locus
Single corrupted tuple: single-locus
Monochromatic: Cumulative hash chains (black)
RGBY: Three types of chains (red, green, blue)
Tiled Bitmap: Tiles of chains over continuous data segments
a3D Algorithm: Partial hash chains change with transaction time
Tiled bitmap is the cheapest
Monochromatic is the easiest to implement
RGBY is the best option for larger corruption cases
a3D Algorithm has a constant cost
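An added example (not from the presentation or the cited paper) of the cumulative hash chain idea listed under Monochromatic: each transaction is folded into a running SHA-256 hash, the running value is recorded outside the database at intervals, and a later validation bounds the earliest corruption between the last matching and the first failing checkpoint. The function names, the checkpoint interval and the transaction strings are assumptions constructed for illustration.

```python
import hashlib

# Constructed sample transactions (illustrative only).
SAMPLE_TX = [f"t={i};UPDATE acct SET balance={100 + i} WHERE id=17" for i in range(10)]

def chain_hashes(transactions, seed=b"\x00" * 32):
    """Cumulative chain: h_i = SHA256(h_{i-1} || tx_i), one digest per transaction."""
    digests, h = [], seed
    for tx in transactions:
        h = hashlib.sha256(h + tx.encode("utf-8")).digest()
        digests.append(h)
    return digests

def notarize(transactions, interval):
    """Normal processing: keep the running hash every `interval` transactions.

    Returns {transaction index: digest}; these values are assumed to be stored
    with an external service the database administrator cannot modify.
    """
    digests = chain_hashes(transactions)
    points = {i: digests[i] for i in range(interval - 1, len(digests), interval)}
    if digests:
        points[len(digests) - 1] = digests[-1]  # always cover the final transaction
    return points

def locate_tampering(stored, notarized):
    """Forensic phase: recompute the chain over what is stored now.

    Returns inclusive (low, high) index bounds for the earliest corrupted
    transaction, or None if every checkpoint still matches. Because the chain
    is cumulative, every checkpoint after the first failure also fails, so a
    single chain bounds only the earliest corruption.
    """
    digests = chain_hashes(stored)
    last_good = -1
    for idx in sorted(notarized):
        if idx >= len(digests) or digests[idx] != notarized[idx]:
            return (last_good + 1, idx)
        last_good = idx
    return None

if __name__ == "__main__":
    checkpoints = notarize(SAMPLE_TX, interval=3)
    tampered = list(SAMPLE_TX)
    tampered[4] = "t=4;UPDATE acct SET balance=999999 WHERE id=17"  # modified tuple
    print("clean:", locate_tampering(SAMPLE_TX, checkpoints))
    print("tampered:", locate_tampering(tampered, checkpoints))
```

A smaller checkpoint interval narrows the reported bounds at the cost of more notarized values.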
How, what and who?
Forensic Algorithms
Comparison of algorithms
Kyri Pavlou and Richard T. Snodgrass, "Forensic Analysis of Database Tampering," in Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD), pages 109-120, Chicago, June, 2006.