The use of databases has become an integral part of modern human life. Often the data
contained within databases has substantial value to enterprises and individuals. As
databases become a greater part of people’s daily lives, it becomes increasingly interlinked with human behaviour. Negative aspects of this behaviour might include criminal activity,
negligence and malicious intent. In these scenarios a forensic investigation is required to collect evidence to determine what happened on a crime scene and who is responsible for the crime. A large amount of the research that is available focuses on digital forensics,
database security and databases in general but little research exists on database forensics as such. It is difficult for a forensic investigator to conduct an investigation on a DBMS due to limited information on the subject and an absence of a standard approach to follow during a forensic investigation. Investigators therefore have to reference disparate sources of information on the topic of database forensics in order to compile a self-invented approach to investigating a database. A subsequent effect of this lack of research is that compromised DBMSs (DBMSs that have been attacked and so behave abnormally) are not considered or understood in the database forensics field. The concept of compromised DBMSs was illustrated in an article by Olivier who suggested that the ANSI/SPARC model can be used to assist in a forensic investigation on a compromised DBMS. Based on the ANSI/SPARC model, the DBMS was divided into four layers known as the data model, data dictionary, application schema and application data. The extensional nature of the first three layers can influence the application data layer and ultimately manipulate the results produced on the application data layer. Thus, it becomes problematic to conduct a forensic investigation on a DBMS if the integrity of the extensional layers is in question and hence the results on the application data layer cannot be trusted. In order to recover the integrity of a layer of the DBMS a clean layer (newly installed layer) could be used but clean layers are not easy or always possible to configure on a DBMS depending on the forensic scenario. Therefore a combination of clean and existing layers can be used to do a forensic investigation on a DBMS.
The problem to be addressed is how to construct the appropriate combination of clean and existing layers for a forensic investigation on a compromised DBMS, and ensure the
integrity of the forensic results.
The study divides the relational DBMS into four abstract layers, illustrates how the layers
can be prepared to be either in a found or clean forensic state, and experimentally
combines the prepared layers of the DBMS according to the forensic scenario. The study
commences with background on the subjects of databases, digital forensics and database forensics respectively to give the reader an overview of the literature that already exists in these relevant fields. The study then discusses the four abstract layers of the DBMS and explains how the layers could influence one another. The clean and found environments are introduced due to the fact that the DBMS is different to technologies where digital forensics has already been researched. The study then discusses each of the extensional abstract layers individually, and how and why an abstract layer can be converted to a clean or found state. A discussion of each extensional layer is required to understand how unique each layer of the DBMS is and how these layers could be combined in a way that enables a forensic investigator to conduct a forensic investigation on a compromised DBMS. It is illustrated that each layer is unique and could be corrupted in various ways. Therefore,
each layer must be studied individually in a forensic context before all four layers are
considered collectively. A forensic study is conducted on each abstract layer of the DBMS
that has the potential to influence other layers to deliver incorrect results. Ultimately, the
DBMS will be used as a forensic tool to extract evidence from its own encrypted data and
data structures. Therefore, the last chapter shall illustrate how a forensic investigator can
prepare a trustworthy forensic environment where a forensic investigation could be
conducted on an entire PostgreSQL DBMS by constructing a combination of the
appropriate forensic states of the abstract layers.
The result of this study yields an empirically demonstrated approach on how to deal with a compromised DBMS during a forensic investigation by making use of a combination of
various states of abstract layers in the DBMS. Approaches are suggested on how to deal
with a forensic query on the data model, data dictionary and application schema layer of
the DBMS. A forensic process is suggested on how to prepare the DBMS to extract
evidence from the DBMS. Another function of this study is that it advises forensic
investigators to consider alternative possibilities on how the DBMS could be attacked.
These alternatives might not have been considered during investigations on DBMSs to
date. Our methods have been tested at hand of a practical example and have delivered
Dissertation (MEng)--University of Pretoria, 2014.
Beyers, Hector Quintus; Olivier, Martin S.; Hancke, Gerhard P.(Computer Society of South Africa, 2014-12)
The application schema layer of a Database Management System (DBMS) can be modi ed to produce results that do not
ect the data actually stored in the database. For example, table structures may be corrupted by changing ...
Adedayo, Oluwasola Mary(University of Pretoria, 2015)
The increasing usage of databases in the storage of critical and sensitive information in many organizations has led to an increase in the rate at which databases are exploited in computer crimes. Databases are often ...
Hauger, Werner K.; Olivier, Martin S.(South African Institute of Electrical Engineers, 2015-06)
An aspect of database forensics that has not received much attention in the academic
research community yet is the presence of database triggers. Database triggers and their
implementations have not yet been thoroughly ...