database forensic analysis with dbcarver
play

Database Forensic Analysis with DBCarver James Wagner, Alexander - PowerPoint PPT Presentation

Dec 31, 2022 •256 likes •526 views

Database Forensic Analysis with DBCarver James Wagner, Alexander Rasin , Tanu Malik, Karen Heart, Hugo Jehle, Jonathan Grier 1 Data Systems and Optimization Lab at DePaul Tanu Malik James Wagner Jonathan Grier Hugo Jehle Karen Heart 2

  1. Database Forensic Analysis with DBCarver James Wagner, Alexander Rasin , Tanu Malik, Karen Heart, Hugo Jehle, Jonathan Grier 1

  2. Data Systems and Optimization Lab at DePaul Tanu Malik James Wagner Jonathan Grier Hugo Jehle Karen Heart 2

  3. Motivation • Cyber-crime • Detecting (and proving) data theft • JP Morgan/Dow Jones • Mobile device analysis • FBI, 4Discovery • Involves a database 3

  4. Motivation • Example Queries • Reconstruct deleted data • Identify recent access, modifications • Detect catalog/data tampering • Un-trusted environment 4

  5. Forensic Analysis Targets • Logs • Audit, Query, WAL • RAM • Buffer cache, intermediate data • Buffer cache, intermediate data • Query-able DB content • Tables, MVs, Catalog • Un-query-able content • Indexes, Deleted data, Free-listed data 5

  6. Forensic Analysis Targets • Logs DB RECOVERY • Audit, Query, WAL • RAM • Buffer cache, intermediate data • Buffer cache, intermediate data Chain of • Query-able DB content Custody? • Tables, MVs, Catalog • Un-query-able content • Indexes, Deleted data, Free-listed data 6

  7. File Carving (JPEG) Header File Fragment 1 1 File Fragment 2 Footer 7

  8. Forensic Analysis Targets • Logs FILE CARVING • Audit, Query, WAL • RAM • Buffer cache, intermediate data • Buffer cache, intermediate data • Query-able DB content • Tables, MVs, Catalog • Un-query-able content • Indexes, Deleted data, Free-listed data 8

  9. Generalized Page Carving Table Data Page Header Customer Row Directory 20% Row 1 Address Other Row 2 Address Structures Row 3 Address Row 4 Address Row 4 Address Row Data Free space, etc. 80% Row 4 : 4, Mark, Boston Row 3 : 3, Mary, Dallas Row 2 : 2, Jane, Chicago Row 1 : 1, John, Boston 9

  10. Forensic Analysis Targets • Logs DB CARVING • Audit, Query, WAL • RAM • Buffer cache, int. data • Buffer cache, int. data • Query-able DB content • Tables, MVs, Catalog • Un-query-able content • Indexes, Deleted data, Free-listed data 10

  11. DBCarver Architecture Iteratively load synthetic data Database Parameter Management Detector Capture DB storage System Generate DB Generate DB config. file DBMS disk DBMS RAM image image Cached index/data pages Updated, Deleted rows Unallocated (free) pages DB Carver DB config. files Catalog, logs, etc

  12. DBCarver Architecture Iteratively load synthetic data Database Parameter Management Detector Capture DB storage System Generate DB Generate DB config. file DBMS disk DBMS RAM image image Cached index/data pages Updated, Deleted rows Unallocated (free) pages DB Carver DB config. files Catalog, logs, etc

  13. Oracle PostgreSQL SQLite Firebird DB2 SQLServer MySQL Apache Derby Structure Yes No Yes No Identifier Unique Yes No Page ID Row Dir. Top-to-bottom insertion Bottom-to-top insertion Sequence Row No Yes No Yes Identifier Column Column Yes Yes No No Yes Yes No No Yes Yes Count Count 4, Mark, Boston 3-column row Row 4 4, Mark, Boston Row 4 4 4, Mark, Boston Row 4 3 4, Mark, Boston 13

  14. DBCarver Architecture Iteratively load synthetic data Database Parameter Management Detector Capture DB storage System Generate DB Generate DB config. file DBMS disk DBMS RAM image image Cached index/data pages Updated, Deleted rows Unallocated (free) pages DB Carver DB config. files Catalog, logs, etc

  15. DBCarver Output (SQLite on Android) Number of Active Rows Internal RowID … Deleted Row

  16. Forensic Value of an Index (Update) Employee Table Employee Index on (LastName) 111 J. Doe … Emp. 42K Doe 222 J. Smith … Emp. 35K Jack Jack 333 333 A.Locke A.Locke … Mgr. … Mgr. 65K 65K Locke 444 P. Jack … Emp. 37K NotSmith 222 I. NotSmith … Emp. 35K Smith 16

  17. Forensic Value of Caching (Update) Memory (RAM) Disk Storage 111 J. Doe … Emp. 42K 222 J. Smith … Emp. 35K Data Page 333 A.Locke … Mgr. 65K 444 P. Jack … Emp. 37K 17

  18. Forensic Value of Caching (Update) 111 J. Doe … Emp. 42K 222 J. Smith … Emp. 35K Data Page (a copy in 333 A.Locke … Mgr. 65K RAM) 444 P. Jack … Emp. 37K Memory (RAM) Disk Storage 111 J. Doe … Emp. 42K 222 J. Smith … Emp. 35K Data Page 333 A.Locke … Mgr. 65K 444 P. Jack … Emp. 37K 18

  19. Forensic Value of Caching (Update) 111 J. Doe … Emp. 42K 222 J. Smith … Emp. 35K Data Page 333 A.Locke … Mgr. 65K (a copy in 444 P. Jack … Emp. 37K RAM) 222 222 I. NotSmith I. NotSmith … Emp. … Emp. 35K 35K Memory (RAM) Disk Storage 111 J. Doe … Emp. 42K 222 J. Smith … Emp. 35K Data Page 333 A.Locke … Mgr. 65K 444 P. Jack … Emp. 37K 19

  20. Forensic Value of Caching (Update) 111 J. Doe … Emp. 42K 222 J. Smith … Emp. 35K Data Page 333 A.Locke … Mgr. 65K (a copy in 444 P. Jack … Emp. 37K RAM) 222 222 I. NotSmith I. NotSmith … Emp. … Emp. 35K 35K Memory (RAM) Disk Storage 111 J. Doe … Emp. 42K 222 J. Smith … Emp. 35K Data Page 333 A.Locke … Mgr. 65K 444 P. Jack … Emp. 37K 222 I. NotSmith … Emp. 35K 20

  21. Delete Progression • Storage state: – Issue the delete command – ??? (Profit?) – Value is gone – Value is gone • Observe disk and RAM state – In Table, Index (e.g., Unique ), MV 21

  22. Delete Progression • T 0 : Load the data (Table, Index, MV) • T 1 : Delete a unique value (222) • T 2 : Refresh the MV • T 3 : Flush_buffer_cache() • T 4 : Overwrite the buffer cache • T 5 : Vacuum Table, Index and MV 22

  23. Table Index MV Table Index MV Disk RAM T 0 222 222 222 T 1 222 222 222 222 222 T 2 T 2 222 222 222 222 222 222 222 222 222 222 222 222 T 3 222 222 222 222 222 222 T 4 222 222 222 T 5 23

  24. Recover Corrupted Data • Load SSBM Scale1 data • Simulate disk corruption (random writes) DWDate Supplier Customer Part Lineorder Full JOIN 24

  25. Conclusions/Future Work • DB Carving • No apriori assumptions • Forensic Meta-Queries – Reconstruct deleted data – Detect recently updated values – Identify log tampering 25

  26. 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Oracle Database Audit Scripts, Privacy & Security considerations Challenge: Forensic analysis

Oracle Database Audit Scripts, Privacy & Security considerations Challenge: Forensic analysis

Oracle Database Audit Scripts, Privacy & Security considerations Challenge: Forensic analysis of license French case law concluded that that Oracle's scripts are scripting much more data than what is legally relevant usage on Oracle

117 views • 9 slides
Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic Challenge V2.0 * Conclusions Introduction Why this forensic Challenge ? * To promote and impulse the Forensic Analysis in our Region -- Hispanoamerica--

558 views • 19 slides
qPCR in forensic DNA analysis Johannes Hedman Researcher, Applied Microbiology, Lund University

qPCR in forensic DNA analysis Johannes Hedman Researcher, Applied Microbiology, Lund University

qPCR in forensic DNA analysis Johannes Hedman Researcher, Applied Microbiology, Lund University Specialist, Swedish National Laboratory of Forensic Science Forensic science Every contact leaves a trace Edmond Locard (1877 1966) Forensic

1.32k views • 78 slides
Forensic analysis of a Linux web server 1 www.nbs-system.com Agenda Who are we ? Performing

Forensic analysis of a Linux web server 1 www.nbs-system.com Agenda Who are we ? Performing

Mathieu Deous Julien Reveret Forensic analysis of a Linux web server 1 www.nbs-system.com Agenda Who are we ? Performing forensic analysis on a compromised web server What to search, where, how ? Logs but also dynamic analysis What

603 views • 28 slides
Why This Workshop? In 2009 the Research Council of the National Academy of Sciences issues a

Why This Workshop? In 2009 the Research Council of the National Academy of Sciences issues a

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18, 2015 Ohio MHAS Forensic Conference Columbus, OH Terry Kukor, Ph.D., ABPP Board Certified in Forensic Psychology Director of Forensic Services Netcare

972 views • 23 slides
Challenges in Crime Scene Investigation Technical challenges in forensic STR profiling

Challenges in Crime Scene Investigation Technical challenges in forensic STR profiling

Epigenetics a New Perspective for Improving Forensic Science p g Hwan Young Lee, Ph.D. Department of Forensic Medicine Yonsei University College of Medicine Current Forensic DNA Typing Forensic cases -- matching suspect with evidence

247 views • 13 slides
mtDNAmanager: A Forensic Mitochondrial DNA Database Aimed at Supporting Data Quality Control and

mtDNAmanager: A Forensic Mitochondrial DNA Database Aimed at Supporting Data Quality Control and

mtDNAmanager: A Forensic Mitochondrial DNA Database Aimed at Supporting Data Quality Control and Generating Reliable Frequency Estimates Hwan Young Lee 1 , Injee Song 2 , Eunho Ha 3 , Sung-Bae Cho 2 , Woo Ick Yang 1 , Kyoung-Jin Shin 1 (1)

351 views • 17 slides
Objectives 1. Articulate the rationale for restructuring forensic evaluation reports 2. Identify

Objectives 1. Articulate the rationale for restructuring forensic evaluation reports 2. Identify

11/5/2015 Specialized Topics in Ethical Forensic Practice, Part 1: Restructured Forensic Reports Presented For OhioMHAS Forensic Conference November 18, 2015 Terry Kukor, Ph.D., ABPP (Forensic) Joy Stankowski, M.D. Aracelis (Liz) Rivera, Psy.D.

451 views • 17 slides
Forensic evaluation of nine miniSTR loci to aid analysis of degraded DNA in Koreans Ukhee Chung,

Forensic evaluation of nine miniSTR loci to aid analysis of degraded DNA in Koreans Ukhee Chung,

Forensic evaluation of nine miniSTR loci to aid analysis of degraded DNA in Koreans Ukhee Chung, Hwan Young Lee, Myung Jin Park, Sang-Ho Cho, Kyoung-Jin Shin and Woo Ick Yang Department of Forensic Medicine, Yonsei University College of

554 views • 13 slides
T and Science of Forensic Monitoring Forensic Monitor may be employed by one Board or a

T and Science of Forensic Monitoring Forensic Monitor may be employed by one Board or a

11/5/2015 The T and Science of Forensic Monitoring Robert N. Baker, PhD Jeannie Cool, PCC-S Lottie Gray, MSSA, LISW, CDCA Julia King, PsyD, MBA T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic

389 views • 24 slides
Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18,

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18,

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18, 2015 Ohio MHAS Forensic Conference Columbus, OH Terry Kukor, Ph.D., ABPP Board Certified in Forensic Psychology Director of Forensic Services Netcare

1.29k views • 67 slides
Outline of presentation MPS in forensic genetics Developed 3 in-house MPS panels

Outline of presentation MPS in forensic genetics Developed 3 in-house MPS panels

2017-09-05 Implementing Massively Parallel Sequencing for Forensic DNA Analysis Using In-house PCR Panels Kyoung-Jin Shin, Ph.D. Dept. of Forensic Medicine Yonsei University College of Medicine Seoul, Republic of Korea Outline of

710 views • 23 slides
THE NEW FORENSIC PATIENT Learning Objectives Review the epidemiology of forensic populations

THE NEW FORENSIC PATIENT Learning Objectives Review the epidemiology of forensic populations

THE NEW FORENSIC PATIENT Learning Objectives Review the epidemiology of forensic populations Explore various clinical presentations seen in forensic settings Implement evidence-based and novel treatment strategies to the new forensic

946 views • 80 slides
Forensic Feature Extraction and Cross-Drive Analysis Simson L. Garfinkel Center for Research on

Forensic Feature Extraction and Cross-Drive Analysis Simson L. Garfinkel Center for Research on

Forensic Feature Extraction and Cross-Drive Analysis Simson L. Garfinkel Center for Research on Computation and Society Harvard University 1:15pm, Tuesday, August 15, 2006 1 Todays forensic tools are designed for one drive at a time.

552 views • 34 slides
A Network Forensic Analysis Framework Professor Patrick McDaniel Daniel Krych Fall 2015 About

A Network Forensic Analysis Framework Professor Patrick McDaniel Daniel Krych Fall 2015 About

A Network Forensic Analysis Framework Professor Patrick McDaniel Daniel Krych Fall 2015 About An extensible network forensic analysis framework. Enables rapid development of plugins to support the dissection of network packet captures.

379 views • 36 slides
Forensic Voice Comparison and Forensic Acoustics 1 Value and Interpretation of Biometric

Forensic Voice Comparison and Forensic Acoustics 1 Value and Interpretation of Biometric

Forensic Voice Comparison and Forensic Acoustics 1 Value and Interpretation of Biometric Evidence in Forensic Automatic Speaker Recognition Dr. Andrzej Drygajlo Speech Processing and Biometrics Group Swiss Federal Institute of Technology

546 views • 44 slides
Metabolic flux estimation So far in this course we have examined techniques that help us

Metabolic flux estimation So far in this course we have examined techniques that help us

Metabolic flux estimation So far in this course we have examined techniques that help us understanding the cells capabilities: Given genome, what kind of metabolic network (Metabolic reconstruction) Given metabolic network, what

347 views • 34 slides
Arithmetic universes as generalized point-free spaces Steve Vickers CS Theory Group Birmingham

Arithmetic universes as generalized point-free spaces Steve Vickers CS Theory Group Birmingham

Arithmetic universes as generalized point-free spaces Steve Vickers CS Theory Group Birmingham * Grothendieck: "A topos is a generalized topological space" * ... it's represented by its category of sheaves * but that depends on

474 views • 36 slides
CSE443 Compilers Dr. Carl Alphonce alphonce@buffalo.edu 343 Davis Hall Phases of a Syntactic

CSE443 Compilers Dr. Carl Alphonce alphonce@buffalo.edu 343 Davis Hall Phases of a Syntactic

CSE443 Compilers Dr. Carl Alphonce alphonce@buffalo.edu 343 Davis Hall Phases of a Syntactic compiler structure Figure 1.6, page 5 of text Example L = { 0, 1, 00, 11, 000, 111, 0000, 1111, } G = ( {0,1}, {S, ZeroList, OneList}, {S

654 views • 29 slides
Probabilistic -Regular Expressions Thomas Weidner Universitt Leipzig LATA 2014 1.

Probabilistic -Regular Expressions Thomas Weidner Universitt Leipzig LATA 2014 1.

Probabilistic -Regular Expressions Thomas Weidner Universitt Leipzig LATA 2014 1. Probabilistic regular expressions on infinite words Motivation In this talk LATA 2014 Probabilistic -Regular Expressions Thomas Weidner (Universitt

646 views • 31 slides
Space-Efficient Fragments of Higher-Order Fixpoint Logic Florian Bruse 1 2 Martin Lange 1 Etienne

Space-Efficient Fragments of Higher-Order Fixpoint Logic Florian Bruse 1 2 Martin Lange 1 Etienne

Space-Efficient Fragments of Higher-Order Fixpoint Logic Florian Bruse 1 2 Martin Lange 1 Etienne Lozes 2 1 Universit at Kassel, Germany 2 LSV, ENS Paris-Saclay, France September 8, 2017 Bruse, Lange, Lozes: Space-Efficient Fragments of

1.17k views • 68 slides
Stream Programming Environments Pat Hanrahan Computer Science & Electrical Engineering

Stream Programming Environments Pat Hanrahan Computer Science & Electrical Engineering

Stream Programming Environments Pat Hanrahan Computer Science & Electrical Engineering Stanford University GP^2 Workshop August 7-8, 2004 Acknowledgements Bill Dally Ian Buck Eric Darve Mattan Erez Vijay Pande

350 views • 19 slides
Stallings graphs for quasi-convex subgroups of hyperbolic groups Pascal Weil (CNRS, Universit

Stallings graphs for quasi-convex subgroups of hyperbolic groups Pascal Weil (CNRS, Universit

Stallings graphs for quasi-convex subgroups of hyperbolic groups Pascal Weil (CNRS, Universit e de Bordeaux) Joint work with Olga Kharlampovich (CUNY) and Alexei Miasnikov (Stevens Institute) GAGTA 7, New York City, May 2013 Pascal Weil

754 views • 63 slides
ELECTROCHEMICAL DISINFECTION, APPLICATIONS IN WATER AND WASTEWATER TREATMENTS Active anodes

ELECTROCHEMICAL DISINFECTION, APPLICATIONS IN WATER AND WASTEWATER TREATMENTS Active anodes

CEE 597T Electrochemical Water and Wastewater Treatment ELECTROCHEMICAL DISINFECTION, APPLICATIONS IN WATER AND WASTEWATER TREATMENTS Active anodes (e.g., Pt, IrO 2 , and RuO 2 ), which present low oxygen evolution overpotential, are good

457 views • 33 slides

More recommend