Database application schema forensics

Show simple item record Beyers, Hector Quintus Olivier, Martin S. Hancke, Gerhard P. 2015-05-14T05:50:02Z 2015-05-14T05:50:02Z 2014-12
dc.description.abstract The application schema layer of a Database Management System (DBMS) can be modi ed to produce results that do not re ect the data actually stored in the database. For example, table structures may be corrupted by changing the metadata of a database, or operators of the database can be altered to produce incorrect results when used in queries. Such incorrect results may lead to a forensic examination to determine the cause of the problem. Alternatively, such modi cations may be employed as an anti-forensic technique in an attempt to hide the actual data from an investigator when an investigation lead to the examination of a database. In both cases forensic examiners need to be aware of the impact of such metadata on queries and plan their examination of the database accordingly. Di erent versions of a layer of metadata may exist: a version as found on the computer being investigated, the version that was initially designed, versions from backups, and so on. It is possible that these versions are identical, but subtle ad hoc changes are often made over time and someone with access and malicious intent can introduce changes to modify the behaviour of the DBMS to achieve some nefarious goal. This paper initially discusses categories of possibilities that exist to (surreptitiously) change the application schema; practical examples are used to illustrate these possibilities. The paper is based on the premise that a speci c combination of DBMS layers of metadata and data should be assembled to test speci c hypotheses. For example, questions about how a DBMS should have responded to a speci c query and how it does, in fact, respond are both facts that may be important to a forensic investigator. The paper illustrates how such a combination of layers may be of use to examine a speci c facet of the behaviour of the DBMS. The paper refers to such a combination of layers as a con guration. The primary purpose of the paper is to explore methods that may be used to construct a given con guration for testing. A process is proposed on how forensic evidence should be extracted from the application schema layer of a DBMS. en_ZA
dc.description.librarian am2015 en_ZA
dc.description.uri en_ZA
dc.identifier.citation Beyers, HQ, Olivier, MS & Hancke, GP 2014, 'Database application schema forensics', South African Computer Journal, no. 55, pp. 1-11. en_ZA
dc.identifier.issn 1015-7999
dc.language.iso en en_ZA
dc.publisher Computer Society of South Africa en_ZA
dc.rights Computer Society of South Africa en_ZA
dc.subject Database forensics en_ZA
dc.subject Database forensic process en_ZA
dc.subject Database abstract layers en_ZA
dc.subject Application schema forensics en_ZA
dc.subject Database management system (DBMS) en_ZA
dc.title Database application schema forensics en_ZA
dc.type Article en_ZA

Files in this item

This item appears in the following Collection(s)

Show simple item record