Title :
Trees Cannot Lie: Using Data Structures for Forensics Purposes
Author :
Kieseberg, Peter ; Schrittwieser, Sebastian ; Mulazzani, Martin ; Huber, Markus ; Weippl, Edgar
Author_Institution :
SBA-Res., Vienna, Austria
Abstract :
Today's forensic techniques for databases are primarily focused on logging mechanisms and artifacts accessible in the database management systems (DBMSs). While log files, plan caches, cache clock hands, etc. can reveal past transactions, a malicious administrator's modifications might be much more difficult to detect, because he can cover his tracks by also manipulating the log files and flushing transient artifacts such as caches. The internal structure of the data storage inside databases, however, has not yet received much attention from the digital forensic research community. In this paper, we want to show that the diversity of B+-Trees, a widely used data structure in today's database storage engines, enables a deep insight of the database's history. Hidden manipulations such as predated INSERT operations in a logging database can be revealed by our approach. We introduce novel forensic techniques for B+-Trees that are based on characteristics of the tree structure and show how database management systems would have to be modified to even better support tree forensic techniques.
Keywords :
computer forensics; database management systems; tree data structures; tree searching; cache clock hands; data storage; data structures; database management system; digital forensic research community; flushing transient artifact; log files; logging mechanism; malicious administrator modification; plan caches; tree forensic technique; Digital forensics; Engines; Indexes; Vegetation; InnoDB; b+ tree; database forensics;
Conference_Title :
Intelligence and Security Informatics Conference (EISIC), 2011 European
Conference_Location :
Athens
Print_ISBN :
978-1-4577-1464-1
Electronic_ISBN :
978-0-7695-4406-9
DOI :
10.1109/EISIC.2011.18