A UNIVERSAL CARVING APPROACH FOR DATABASE FORENSIC ANALYSIS James Wagner, Alexander Rasin, Jonathan Grier.

Slides:

Advertisements

Similar presentations

Module 2: Database Architecture

Advertisements

<Insert Picture Here>

5 Copyright © 2005, Oracle. All rights reserved. Managing Database Storage Structures.

Threats to privacy in the forensic analysis of database systems Patrick Stahlberg, Gerome Miklau, and Brian Neil Levine Department of Computer Science.

Page 1JSOC Review – 17 March 2005 Database Maintenance Karen Tian

Chapter Oracle Server An Oracle Server consists of an Oracle database (stored data, control and log files.) The Server will support SQL to define.

DBMS Transactions and Rollback Recovery Helia / Martti Laiho.

CSE 781 – DATABASE MANAGEMENT SYSTEMS Introduction To Oracle 10g Rajika Tandon.

An introduction to SQL 1/21/2014 – See chapter 2.3 and 6.1 PostgreSQL -

Architecture Rajesh. Components of Database Engine.

1099 Why Use InterBase? Bill Todd The Database Group, Inc.

Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #8 Guest Lecture September 21, 2009.

A Brief Documentation.  Provides basic information about connection, server, and client.

Database structure and space Management. Database Structure An ORACLE database has both a physical and logical structure. By separating physical and logical.

Database structure and space Management. Segments The level of logical database storage above an extent is called a segment. A segment is a set of extents.

6 Copyright © 2007, Oracle. All rights reserved. Managing Database Storage Structures.

Oracle 10g Database Administrator: Implementation and Administration Chapter 5 Basic Storage Concepts and Settings.

Performance. Performance Performance is a critical issue especially in a multi-user environment. Benchmarking is one way of testing this.

ICOM 5016 – Introduction to Database Systems Lecture 13- File Structures Dr. Bienvenido Vélez Electrical and Computer Engineering Department Slides by.

Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #8 File Systems September 22, 2008.

Bigtable: A Distributed Storage System for Structured Data

Hands-On Microsoft Windows Server 2008 Chapter 7 Configuring and Managing Data Storage.

1 Chapter Overview Using Standby Servers Using Failover Clustering.

Introduction to File Processing with PHP. Review of Course Outcomes 1. Implement file reading and writing programs using PHP. 2. Identify file access.

Introduction to Core Database Concepts Getting started with Databases and Structure Query Language (SQL)

Select Operation Strategies And Indexing (Chapter 8)

Retele de senzori Curs 1 - 1st edition UNIVERSITATEA „ TRANSILVANIA ” DIN BRAŞOV FACULTATEA DE INGINERIE ELECTRICĂ ŞI ŞTIINŢA CALCULATOARELOR.

9 Copyright © 2004, Oracle. All rights reserved. Getting Started with Oracle Migration Workbench.

Introduction to Database Programming with Python Gary Stewart

Oracle Database Architectural Components

DBMS ● What are they? ● Why used ● Examples? – Oracle – Access – MySQL – Postgres – SQLServer – Sqlite.

The very Essentials of Disk and Buffer Management.

Fundamental of Database Systems

What is Database Administration ?

Failure-Atomic Slotted Paging for Persistent Memory

In-Memory Capabilities

Module 11: File Structure

CS320 Web and Internet Programming SQL and MySQL

Database structure and space Management

Database System Concepts and Architecture

CS422 Principles of Database Systems Course Overview

A Technical Overview of Microsoft® SQL Server™ 2005 High Availability Beta 2 Matthew Stephen IT Pro Evangelist (SQL Server)

Chapter 12 Information Systems.

Database Management Systems (CS 564)

Oracle 10g Database Administrator: Implementation and Administration

Chapter Overview Understanding the Database Architecture

Database Management .

Introduction of Week 3 Assignment Discussion

Module 11: Data Storage Structure

Physical Database Structure .

Data generators by Jan Kincl.

Structured Query Language

Troubleshooting Techniques(*)

Instructor 彭智勇武汉大学软件工程国家重点实验室电话:

Chapter 13: Data Storage Structures

DATABASE IMPLEMENTATION ISSUES

CS3220 Web and Internet Programming SQL and MySQL

ICOM 5016 – Introduction to Database Systems

Introduction to Database Systems CSE 444 Lectures 19: Data Storage and Indexes May 16, 2008.

File Organization.

Performance And Scalability In Oracle9i And SQL Server 2000

Threats to Privacy in the Forensic Analysis of Database Systems

CS3220 Web and Internet Programming SQL and MySQL

Database Implementation Issues

Updating Databases With Open SQL

Database administration

Introduction to Database systems

CS222/CS122C: Principles of Data Management UCI, Fall 2018 Notes #03 Row/Column Stores, Heap Files, Buffer Manager, Catalogs Instructor: Chen Li.

INTRODUCTION A Database system is basically a computer based record keeping system. The collection of data, usually referred to as the database, contains.

Updating Databases With Open SQL

Presentation transcript:

A UNIVERSAL CARVING APPROACH FOR DATABASE FORENSIC ANALYSIS James Wagner, Alexander Rasin, Jonathan Grier

 Background (File System Forensics vs. Database Forensics)  Reconstructing Data and DICE  Reconstructing Deleted Data  Experiments  Conclusion and Future Work Overview

File System Forensics Header File Fragment 1 File Fragment 2 Footer gap

Database Forensics Challenges  Database specific data models  No file headers  Record reconstruction  Values are encoded with metadata Forensics is Reconstruction, not Recovery  No database intervention  Backups are not available  Corrupted disk, deleted files, read-only

Table Customer Table Supplier Index C_Age Materialized View C_Account Database Structures IDNameCity IDName Steve Sally Sam Susy San Diego Springfield St. Louis Seattle Craig Claire Chris Carol Account $2000 $5000 $1000 $4000 Name Claire Carol Account $5000 $4000 AgePointer Age SELECT Name, Account FROM Customer WHERE Account > 3000;

Page Header Row Directory Row Data Other Structures Row 4 : 4, Mark, Boston Row 3 : 3, Mary, Dallas Row 2 : 2, Jane, Chicago Row 1 : 1, John, Boston Row 1 Address Row 2 Address Row 3 Address Row 4 Address Table Data Customer Free space, etc. 20% 80% Database Storage: Pages  Minimum Unit of Storage  Typically 4KB or 8KB

Parameter Detector Database Management System Content Parser Iteratively load synthetic data Capture DB storage DB config. files Generate DB config. file DBMS disk image DBMS RAM snapshot Data pages (tables & indexes) Deleted data, etc. Volatile user artifacts DICE: Database Image Content Explorer

Parameter Detector Database Management System Content Parser Iteratively load synthetic data Capture DB storage DB config. files Generate DB config. file DBMS disk image DBMS RAM snapshot Data pages (tables & indexes) Deleted data, etc. Volatile user artifacts DICE: Parameter Collector

Parameter Detector Database Management System Content Parser Iteratively load synthetic data Capture DB storage DB config. files Generate DB config. file DBMS disk image DBMS RAM snapshot Data pages (tables & indexes) Deleted data, etc. Volatile user artifacts DICE: Content Parser

DICE and Python  Adapters for every database  Portable across operating systems  Simple database connections  Constantly changing and creating page parameters

Parameter Collection: Row Data Example: MySQL primary key storage

Parameter Collection: Datatypes  How do you automate it? Example: Integers PostgreSQL(4 bytes): (256 0 * B 1 ) + (256 1 * B 2 ) + (256 2 * B 3 ) + (256 3 * B 4 ) 1 = 1, 0, 0, = 0, 1, 0, = 1, 1, 0, 0 Oracle: Uses zero compression. 4 = 3, 192, 5 40 = 3, 192, = 3, 193, = 4, 193, 5, 41  Datatype Detection. Example: PostgreSQL Integer of String? ASCII Decimal3 J ay

5 | 10John Smith | 11 | 5Texas 1&3&5&15 || 5 | 11 | John Smith | Texas Generalizing Parameters

Parsing Example: PostgreSQL ParameterValue Raw Data Delimiter 2, 9, 24 Raw Data Position 4 Number Storage4 String X String Y 2 3 Number MethodPSQL ASCIIDecimal '39 C67 u117 s115 t116 ASCIIDecimal o111 m109 e101 r114 # C1 = 1579(Integer) C2 = Customer# (String) Length = (39 – 3)/2 = 18

DBMSes Different parameters No Linux Support Hard to get some older DB versions

Deleted Data  No longer recoverable  A delete only marks data, not overwrite.  Unallocated storage  Three flavors of deleted data DICE can reconstruct: 1. Rows 2. Pages 3. Values

Deleted Data: Rows 1. MySQL or Oracle 2. PostgreSQL 3. SQLite *DB2 and SQL Server mark a deletion in the row directory

Deleted Data: Pages

Deleted Data: Values

Experiment 1: Recovering Deleted Rows Introduction  Lifetime of deleted rows  Representative DBs Oracle - Percent page utilization (39%) SQL Server – Overwrite if there’s space Setup  2 tables: 20K random sized rows  85 rows/page, 236 pages  Random & contiguous deletes  Inserted rows were random size OracleSQLServer ActionT1(Rand)T2(Cont) Delete 1K Rows Insert 1K Rows T1(Rand)T2(Cont) Step 1 Step 2 Step 3

Experiment 1: Example

Experiment 2: Memory Monitoring (Step 1 of 3) Part Synthetic Tables Lineorder EmptyIndexes CustomerOther  1 pixel = 1 page  50K pages total Snapshot 1Snapshot 2

Experiment 2: Memory Monitoring (Step 2 of 3) Part Synthetic Tables Lineorder EmptyIndexes CustomerOther  1 pixel = 1 page  50K pages total Snapshot 2Snapshot 3

Experiment 2: Memory Monitoring (Step 3 of 3) Part Synthetic Tables Lineorder EmptyIndexes CustomerOther  1 pixel = 1 page  50K pages total Snapshot 3Snapshot 4

Experiment 2: Memory Monitoring (Summary)

Conclusion  DICE generalizes storage at the page level  Reconstruct data (corrupted, deleted, RAM) Future Work  Detect log file modification with DICE Audit the DBA Disk - Deleted, updated and inserted rows RAM - Read-only queries

Questions