TY - GEN
T1 - Forensic analysis of database tampering
AU - Pavlou, Kyriacos
AU - Snodgrass, Richard T.
PY - 2006
Y1 - 2006
N2 - Mechanisms now exist that detect tampering of a database, through the use of cryptographically-strong hash functions. This paper addresses the next problem, that of determining who, when, and what, by providing a systematic means of performing forensic analysis after such tampering has been uncovered. We introduce a schematic representation termed a "corruption diagram" that aids in intrusion investigation. We use these diagrams to fully analyze the original proposal, that of a linked sequence of hash values. We examine the various kinds of intrusions that are possible, including retroactive, introactive, backdating, and postdating intrusions. We then introduce successively more sophisticated forensic analysis algorithms: the monochromatic, RGB, and polychromatic algorithms, and characterize the "forensic strength" of these algorithms. We show how forensic analysis can efficiently extract a good deal of information concerning a corruption event.
AB - Mechanisms now exist that detect tampering of a database, through the use of cryptographically-strong hash functions. This paper addresses the next problem, that of determining who, when, and what, by providing a systematic means of performing forensic analysis after such tampering has been uncovered. We introduce a schematic representation termed a "corruption diagram" that aids in intrusion investigation. We use these diagrams to fully analyze the original proposal, that of a linked sequence of hash values. We examine the various kinds of intrusions that are possible, including retroactive, introactive, backdating, and postdating intrusions. We then introduce successively more sophisticated forensic analysis algorithms: the monochromatic, RGB, and polychromatic algorithms, and characterize the "forensic strength" of these algorithms. We show how forensic analysis can efficiently extract a good deal of information concerning a corruption event.
KW - Append-only
KW - Corruption diagram
KW - Cryptographic hash function
KW - Forensic strength
UR - http://www.scopus.com/inward/record.url?scp=34250628104&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=34250628104&partnerID=8YFLogxK
U2 - 10.1145/1142473.1142487
DO - 10.1145/1142473.1142487
M3 - Conference contribution
AN - SCOPUS:34250628104
SN - 1595934340
SN - 9781595934345
T3 - Proceedings of the ACM SIGMOD International Conference on Management of Data
SP - 109
EP - 120
BT - SIGMOD 2006 - Proceedings of the ACM SIGMOD International Conference on Management of Data
T2 - 2006 ACM SIGMOD International Conference on Management of Data
Y2 - 27 June 2006 through 29 June 2006
ER -