Database Forensics: Investigating Compromised Database Management Systems
Total Page:16
File Type:pdf, Size:1020Kb
DATABASE FORENSICS: INVESTIGATING COMPROMISED DATABASE MANAGEMENT SYSTEMS by Hector Quintus Beyers Submitted in fulfilment of the requirements for the degree Master of Engineering (Computer Engineering) in the Department of Electrical, Electronic and Computer Engineering Faculty of Engineering, Built Environment and Information Technology UNIVERSITY OF PRETORIA May 2013 © University of Pretoria SUMMARY DATABASE FORENSICS: INVESTIGATING COMPROMISED DATABASE MANAGEMENT SYSTEMS by Hector Quintus Beyers Supervisor: Prof. G.P. Hancke Co-supervisor: Prof. M.S. Olivier Department: Electrical, Electronic and Computer Engineering University: University of Pretoria Degree: Master of Engineering (Computer Engineering) Keywords: Database, Database Forensics, Compromised Database, Database Management System, Data Model Forensics, Data Dictionary Forensics, Application Schema Forensics INTRODUCTION The use of databases has become an integral part of modern human life. Often the data contained within databases has substantial value to enterprises and individuals. As databases become a greater part of people’s daily lives, it becomes increasingly interlinked with human behaviour. Negative aspects of this behaviour might include criminal activity, negligence and malicious intent. In these scenarios a forensic investigation is required to collect evidence to determine what happened on a crime scene and who is responsible for the crime. A large amount of the research that is available focuses on digital forensics, database security and databases in general but little research exists on database forensics as such. It is difficult for a forensic investigator to conduct an investigation on a DBMS due to limited information on the subject and an absence of a standard approach to follow during a forensic investigation. Investigators therefore have to reference disparate sources of information on the topic of database forensics in order to compile a self-invented approach to investigating a database. A subsequent effect of this lack of research is that compromised DBMSs (DBMSs that have been attacked and so behave abnormally) are not considered or understood in the database forensics field. The concept of compromised © University of Pretoria DBMSs was illustrated in an article by Olivier who suggested that the ANSI/SPARC model can be used to assist in a forensic investigation on a compromised DBMS. Based on the ANSI/SPARC model, the DBMS was divided into four layers known as the data model, data dictionary, application schema and application data. The extensional nature of the first three layers can influence the application data layer and ultimately manipulate the results produced on the application data layer. Thus, it becomes problematic to conduct a forensic investigation on a DBMS if the integrity of the extensional layers is in question and hence the results on the application data layer cannot be trusted. In order to recover the integrity of a layer of the DBMS a clean layer (newly installed layer) could be used but clean layers are not easy or always possible to configure on a DBMS depending on the forensic scenario. Therefore a combination of clean and existing layers can be used to do a forensic investigation on a DBMS. PROBLEM STATEMENT The problem to be addressed is how to construct the appropriate combination of clean and existing layers for a forensic investigation on a compromised DBMS, and ensure the integrity of the forensic results. APPROACH The study divides the relational DBMS into four abstract layers, illustrates how the layers can be prepared to be either in a found or clean forensic state, and experimentally combines the prepared layers of the DBMS according to the forensic scenario. The study commences with background on the subjects of databases, digital forensics and database forensics respectively to give the reader an overview of the literature that already exists in these relevant fields. The study then discusses the four abstract layers of the DBMS and explains how the layers could influence one another. The clean and found environments are introduced due to the fact that the DBMS is different to technologies where digital forensics has already been researched. The study then discusses each of the extensional abstract layers individually, and how and why an abstract layer can be converted to a clean or found state. A discussion of each extensional layer is required to understand how unique each layer of the DBMS is and how these layers could be combined in a way that enables a forensic investigator to conduct a forensic investigation on a compromised DBMS. It is illustrated that each layer is unique and could be corrupted in various ways. Therefore, each layer must be studied individually in a forensic context before all four layers are considered collectively. A forensic study is conducted on each abstract layer of the DBMS © University of Pretoria that has the potential to influence other layers to deliver incorrect results. Ultimately, the DBMS will be used as a forensic tool to extract evidence from its own encrypted data and data structures. Therefore, the last chapter shall illustrate how a forensic investigator can prepare a trustworthy forensic environment where a forensic investigation could be conducted on an entire PostgreSQL DBMS by constructing a combination of the appropriate forensic states of the abstract layers. RESULTS The result of this study yields an empirically demonstrated approach on how to deal with a compromised DBMS during a forensic investigation by making use of a combination of various states of abstract layers in the DBMS. Approaches are suggested on how to deal with a forensic query on the data model, data dictionary and application schema layer of the DBMS. A forensic process is suggested on how to prepare the DBMS to extract evidence from the DBMS. Another function of this study is that it advises forensic investigators to consider alternative possibilities on how the DBMS could be attacked. These alternatives might not have been considered during investigations on DBMSs to date. Our methods have been tested at hand of a practical example and have delivered promising results. © University of Pretoria OPSOMMING DATABASISFORENSIKA: ONDERSOEK VAN 'N ONBETROUBARE DATABASISBEHEERSTELSEL deur Hector Quintus Beyers Studieleier: Prof. G.P. Hancke Mede-studieleier: Prof. M.S. Olivier Departement: Elektriese, Elektroniese en Rekenaaringenieurswese Universiteit: Universiteit van Pretoria Graad: Magister in Ingenieurswese (Rekenaaringenieurswese) Sleutelwoorde: Databasis, Databasisforensika, Onbetroubare databasis, Databasisbeheerstelsel, Datamodelforensika, Datawoordeboekforensika, Toepassingskemaforensika INLEIDING Die gebruik van databasisse vorm vandag deel van die moderne mens se lewe. Individue en maatskappye heg dikwels baie waarde aan data wat in databasisse gestoor word. Soos databasisse 'n groter deel van mense se lewens uitmaak, word dit al meer aan menslike gedrag gekoppel. Negatiewe apekte van hierdie gedrag behels dikwels kriminele aktiwiteite, verwaarlosing en skadelike gedrag wat toegepas kan word op databasisse. Tydens sulke situasies word 'n forensiese ondersoek benodig om bewyse op te spoor ten einde te kan bepaal wat op die misdaadtoneel plaasgevind het en wie vir die misdaad verantwoordelik is. Daar is heelwat navorsing beskikbaar oor digitale forensika, databasissekuriteit en databasisse in die algemeen, maar min navorsing is beskikbaar wat op databasisforensika. Dit is moeilik vir 'n forensiese ontleder om 'n ondersoek op 'n databasisbeheerstelsel uit te voer weens die tekort aan inligting en die afwesigheid van standaardbenaderings tydens 'n forensiese ondersoek. Daarom moet forensiese ontleders tans self 'n groot verskeidenheid inligtingsbronne oor databasisforensika bymekaarmaak om self 'n benadering te kies vir 'n ondersoek op 'n databasisbeheerstelsel. 'n Gevolg van hierdie tekort aan navorsing is dat onbetroubare databasisbeheerstelsels (wat aangeval is en © University of Pretoria abnormaal reageer) nie oorweeg of verstaan word in databasisforensika nie. Die konsep van onbetroubare beheerstelsels is in ’n artikel deur Olivier voorgestel waar hy verduidelik dat die ANSI/SPARC-model gebruik kan word om te help tydens 'n forensiese ondersoek op 'n onbetroubare databasisbeheerstelsel. Die databasisbeheerstelsel word volgens die ANSI/SPARC-model in vier vlakke verdeel. Dit is die datamodel-, datawoordeboek-, toepassingskema- en toepassingsdatavlak. Die invloedryke aard van die eerste drie vlakke beïnvloed die toepassingsdatavlak en uiteindelik word die resultate vanuit die toepassingsdatavlak gemanipuleer. Dus word dit problematies om 'n forensiese ondersoek op 'n databasisbeheerstelsel uit te voer as die integriteit van die invloedryke vlakke bevraagteken kan word en die resultate van die toepassingsdatavlak nie meer vertrou kan word nie. Om die integriteit van 'n vlak van die databasisbeheerstelsel te herstel, kan 'n skoon vlak (nuutgeïnstalleerde vlak) gebruik word, maar om skoon vlakke op 'n databasisbeheerstelsel te konfigureer, is nie altyd maklik of moontlik nie, afhangende van die forensiese omgewing. Daarom moet 'n kombinasie van skoon en bestaande vlakke gebruik word om 'n ondersoek op 'n databasisbeheerstelsel uit te voer. PROBLEEMSTELLING Die probleem wat aangespreek moet word, is hoe om die regte kombinasie skoon en bestaande vlakke bymekaar te voeg vir 'n forensiese ondersoek op 'n onbetroubare databasisbeeheerstelsel sodat die integriteit van die forensiese