Forensic analysis of database tampering

Kyriacos Pavlou; Richard T. Snodgrass

doi:10.1145/1142473.1142487

Forensic analysis of database tampering

Kyriacos Pavlou, Richard T. Snodgrass

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

28 Scopus citations

Abstract

Mechanisms now exist that detect tampering of a database, through the use of cryptographically-strong hash functions. This paper addresses the next problem, that of determining who, when, and what, by providing a systematic means of performing forensic analysis after such tampering has been uncovered. We introduce a schematic representation termed a "corruption diagram" that aids in intrusion investigation. We use these diagrams to fully analyze the original proposal, that of a linked sequence of hash values. We examine the various kinds of intrusions that are possible, including retroactive, introactive, backdating, and postdating intrusions. We then introduce successively more sophisticated forensic analysis algorithms: the monochromatic, RGB, and polychromatic algorithms, and characterize the "forensic strength" of these algorithms. We show how forensic analysis can efficiently extract a good deal of information concerning a corruption event.

Original language	English (US)
Title of host publication	SIGMOD 2006 - Proceedings of the ACM SIGMOD International Conference on Management of Data
Pages	109-120
Number of pages	12
DOIs	https://doi.org/10.1145/1142473.1142487
State	Published - 2006
Event	2006 ACM SIGMOD International Conference on Management of Data - Chicago, IL, United States Duration: Jun 27 2006 → Jun 29 2006

Publication series

Name	Proceedings of the ACM SIGMOD International Conference on Management of Data
ISSN (Print)	0730-8078

Other

Other	2006 ACM SIGMOD International Conference on Management of Data
Country/Territory	United States
City	Chicago, IL
Period	6/27/06 → 6/29/06

Keywords

Append-only
Corruption diagram
Cryptographic hash function
Forensic strength

ASJC Scopus subject areas

Software
Information Systems

Access to Document

10.1145/1142473.1142487

Cite this

Pavlou, K & Snodgrass, RT 2006, Forensic analysis of database tampering. in SIGMOD 2006 - Proceedings of the ACM SIGMOD International Conference on Management of Data. Proceedings of the ACM SIGMOD International Conference on Management of Data, pp. 109-120, 2006 ACM SIGMOD International Conference on Management of Data, Chicago, IL, United States, 6/27/06. https://doi.org/10.1145/1142473.1142487

@inproceedings{4d9e81573b3840ec9f76e24a7b09cb5f,

title = "Forensic analysis of database tampering",

abstract = "Mechanisms now exist that detect tampering of a database, through the use of cryptographically-strong hash functions. This paper addresses the next problem, that of determining who, when, and what, by providing a systematic means of performing forensic analysis after such tampering has been uncovered. We introduce a schematic representation termed a {"}corruption diagram{"} that aids in intrusion investigation. We use these diagrams to fully analyze the original proposal, that of a linked sequence of hash values. We examine the various kinds of intrusions that are possible, including retroactive, introactive, backdating, and postdating intrusions. We then introduce successively more sophisticated forensic analysis algorithms: the monochromatic, RGB, and polychromatic algorithms, and characterize the {"}forensic strength{"} of these algorithms. We show how forensic analysis can efficiently extract a good deal of information concerning a corruption event.",

keywords = "Append-only, Corruption diagram, Cryptographic hash function, Forensic strength",

author = "Kyriacos Pavlou and Snodgrass, {Richard T.}",

year = "2006",

doi = "10.1145/1142473.1142487",

language = "English (US)",

isbn = "1595934340",

series = "Proceedings of the ACM SIGMOD International Conference on Management of Data",

pages = "109--120",

booktitle = "SIGMOD 2006 - Proceedings of the ACM SIGMOD International Conference on Management of Data",

note = "2006 ACM SIGMOD International Conference on Management of Data ; Conference date: 27-06-2006 Through 29-06-2006",

}

TY - GEN

T1 - Forensic analysis of database tampering

AU - Pavlou, Kyriacos

AU - Snodgrass, Richard T.

PY - 2006

Y1 - 2006

N2 - Mechanisms now exist that detect tampering of a database, through the use of cryptographically-strong hash functions. This paper addresses the next problem, that of determining who, when, and what, by providing a systematic means of performing forensic analysis after such tampering has been uncovered. We introduce a schematic representation termed a "corruption diagram" that aids in intrusion investigation. We use these diagrams to fully analyze the original proposal, that of a linked sequence of hash values. We examine the various kinds of intrusions that are possible, including retroactive, introactive, backdating, and postdating intrusions. We then introduce successively more sophisticated forensic analysis algorithms: the monochromatic, RGB, and polychromatic algorithms, and characterize the "forensic strength" of these algorithms. We show how forensic analysis can efficiently extract a good deal of information concerning a corruption event.

AB - Mechanisms now exist that detect tampering of a database, through the use of cryptographically-strong hash functions. This paper addresses the next problem, that of determining who, when, and what, by providing a systematic means of performing forensic analysis after such tampering has been uncovered. We introduce a schematic representation termed a "corruption diagram" that aids in intrusion investigation. We use these diagrams to fully analyze the original proposal, that of a linked sequence of hash values. We examine the various kinds of intrusions that are possible, including retroactive, introactive, backdating, and postdating intrusions. We then introduce successively more sophisticated forensic analysis algorithms: the monochromatic, RGB, and polychromatic algorithms, and characterize the "forensic strength" of these algorithms. We show how forensic analysis can efficiently extract a good deal of information concerning a corruption event.

KW - Append-only

KW - Corruption diagram

KW - Cryptographic hash function

KW - Forensic strength

UR - http://www.scopus.com/inward/record.url?scp=34250628104&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=34250628104&partnerID=8YFLogxK

U2 - 10.1145/1142473.1142487

DO - 10.1145/1142473.1142487

M3 - Conference contribution

AN - SCOPUS:34250628104

SN - 1595934340

SN - 9781595934345

T3 - Proceedings of the ACM SIGMOD International Conference on Management of Data

SP - 109

EP - 120

BT - SIGMOD 2006 - Proceedings of the ACM SIGMOD International Conference on Management of Data

T2 - 2006 ACM SIGMOD International Conference on Management of Data

Y2 - 27 June 2006 through 29 June 2006

ER -

Forensic analysis of database tampering

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this