Visible to the public Establishing Independent Audit Mechanisms for Database Management Systems

TitleEstablishing Independent Audit Mechanisms for Database Management Systems
Publication TypeConference Paper
Year of Publication2018
AuthorsRasin, A., Wagner, J., Heart, K., Grier, J.
Conference Name2018 IEEE International Symposium on Technologies for Homeland Security (HST)
ISBN Number978-1-5386-3443-1
Keywordsapriori database preparation, auditing, comprehensive audit framework, Computer crime, computer crimes, database forensic analysis, database forensics, database forensics methods, database management systems, Databases, digital forensics, evidence gathering, file system metadata, forensic audit tools, Forensics, Human Behavior, human factors, Image reconstruction, independent audit framework, independent audit mechanisms, logging, malicious hacking, meta data, metadata, Organizations, pubcrawl, Random access memory, resilience, Resiliency, Scalability, security, security audit, security audit tools, Security Audits, security breaches, security threat, storage image, tamper-detection software, Tools

The pervasive use of databases for the storage of critical and sensitive information in many organizations has led to an increase in the rate at which databases are exploited in computer crimes. While there are several techniques and tools available for database forensic analysis, such tools usually assume an apriori database preparation, such as relying on tamper-detection software to already be in place and the use of detailed logging. Further, such tools are built-in and thus can be compromised or corrupted along with the database itself. In practice, investigators need forensic and security audit tools that work on poorlyconfigured systems and make no assumptions about the extent of damage or malicious hacking in a database.In this paper, we present our database forensics methods, which are capable of examining database content from a storage (disk or RAM) image without using any log or file system metadata. We describe how these methods can be used to detect security breaches in an untrusted environment where the security threat arose from a privileged user (or someone who has obtained such privileges). Finally, we argue that a comprehensive and independent audit framework is necessary in order to detect and counteract threats in an environment where the security breach originates from an administrator (either at database or operating system level).

Citation Keyrasin_establishing_2018