Database application schema forensics

Abstract

The application schema layer of a Database Management System (DBMS) can be modi ed to produce results that do not re ect the data actually stored in the database. For example, table structures may be corrupted by changing the metadata of a database, or operators of the database can be altered to produce incorrect results when used in queries. Such incorrect results may lead to a forensic examination to determine the cause of the problem. Alternatively, such modi cations may be employed as an anti-forensic technique in an attempt to hide the actual data from an investigator when an investigation lead to the examination of a database. In both cases forensic examiners need to be aware of the impact of such metadata on queries and plan their examination of the database accordingly. Di erent versions of a layer of metadata may exist: a version as found on the computer being investigated, the version that was initially designed, versions from backups, and so on. It is possible that these versions are identical, but subtle ad hoc changes are often made over time and someone with access and malicious intent can introduce changes to modify the behaviour of the DBMS to achieve some nefarious goal. This paper initially discusses categories of possibilities that exist to (surreptitiously) change the application schema; practical examples are used to illustrate these possibilities. The paper is based on the premise that a speci c combination of DBMS layers of metadata and data should be assembled to test speci c hypotheses. For example, questions about how a DBMS should have responded to a speci c query and how it does, in fact, respond are both facts that may be important to a forensic investigator. The paper illustrates how such a combination of layers may be of use to examine a speci c facet of the behaviour of the DBMS. The paper refers to such a combination of layers as a con guration. The primary purpose of the paper is to explore methods that may be used to construct a given con guration for testing. A process is proposed on how forensic evidence should be extracted from the application schema layer of a DBMS.