Database forensics
Denys A. Flores
20 Jan 2016
Data breaches happen around the world, and sometimes
security officers are not aware of them until weeks
or months later
One of the impacts of data breaches is the disclosure
of, or access to, critical information by unauthorised
parties
The number of data breach investigations
increased 54% between 2012 and 2013
Insiders and outsiders are a constant threat to
information security
In 2015, 69% of big companies and 38% of
small businesses faced external attacks
◦ Protocol-level vulnerabilities (e.g. Heartbleed in OpenSSL's TLS heartbeat handling)
◦ Kernel vulnerabilities (including exploits that bypass ASLR and DEP)
◦ Application Bugs (heap/stack overflows/legacy
code)
◦ Third-party plug-ins
◦ Web-based attacks (SQL injection/DoS)
◦ Malware (Trojans/RATs/Rogueware)
The major source of costly data breaches:
financially motivated attacks or intentional/malicious
system damage
◦ IP Spoofing
◦ Sniffing/Scanning
◦ Credential Misuse
◦ Unauthorised Information Disclosure (Negligence or
Intentional)
Weak information security policy
Lack of role segregation
Compliance is not Security:
◦ Auditing is more focused on complex standard compliance than
detecting information security issues and attack vectors
CSIRTs perform very little analysis of incidents and apply
weak recovery techniques (wipe/reinstall)
CSIRT skills are sometimes limited
Malicious employees evade detection and hide activity –
they become either attackers or accomplices
Encryption
◦ End-to-end encryption does not solve the problem of credential
misuse: a user holding valid credentials still decrypts whatever
they are authorised to read.
◦ It has a significant impact on infrastructure performance.
◦ Encrypting a hard drive is not the same as encrypting a database:
full-disk encryption protects data at rest against theft of the media,
not against queries issued through the running DBMS.
Security Architecture
◦ Incident management technologies do not consider data
management and classification
◦ Companies think that security tools are the silver bullet for all
security problems
◦ Device misconfiguration
Cloud Services depend on:
◦ Effective outsourced security management
◦ Effective outsourced data/information management
◦ Effective physical/logical access control to database servers
As a database stores information, information
security principles apply.
Information Security:
◦ A set of human and technical measures and procedures to
protect information security properties:
Confidentiality
Integrity
Availability
Possession or Control
Authenticity
Authentication
Non-repudiation
Provenance
Authorisation
Utility
Accountability
Accountability
◦ Security characteristic to track activities of identification,
authorisation and access to ensure that an actor with
access to resources behaves in accordance with security,
business and ethics rules (non-repudiation)
◦ It considers the fact that a fully secure system does not
exist, so in case of a security event (e.g. data breach), the
event must be attributed to the attacker by using accurate and
reliable digital evidence (provenance)
◦ Requires proper monitoring and logging of actions to
ensure the proper storage, use and maintenance of
databases
◦ It is related to auditing and forensics purposes
Auditing
◦ Methodological and recurring examination and
review of activities over a period of time.
◦ Ensures compliance with laws, policies and other
regulations by using accurate records of who did
what and when.
◦ Relies on authentication and authorisation controls.
Forensics
◦ Methodological identification, preservation,
acquisition and examination of digital evidence to
report and reflect on a security event that may have
legal implications.
◦ A vital process for incident response: analyse an
event in a timely manner and, if possible,
identify the parties involved.
◦ Relies on evidence provenance.
The main research focus in database security
has been external threats (outsiders)
There is an emerging concern related to
intentional unauthorised attempts to access
or destroy data, along with malicious actions
performed by authorised users (insiders)
Insiders are a great threat and the main cause
of database tampering and fraud – this is our
research interest
There is very little research on database forensics
in comparison to cloud forensics
Two research areas
◦ Reactive Approach
◦ Proactive Approach
Reactive Approach:
◦ After a security event (e.g. data breach) has occurred
◦ Reconstruct or recover an original state of the database
◦ Rely on traditional digital forensics analysis (imaging and
data carving) which are not fully compatible with the
complexity of databases, and may not ensure evidence
integrity and its admissibility in legal proceedings
◦ Not effective for incident response (limited time and
resources)
◦ Ad-hoc practices depending on the DBMS (MSSQL/Oracle)
Proactive Approach
◦ Formalise the forensic analysis of databases
◦ Resilience/Readiness:
Ensure accountability (auditing and forensics)
Deploy security configurations and controls to
detect/prevent/deter security incidents on databases caused
by insiders (fraud/misuse)
Enable CSIRTs to investigate security incidents on databases
caused by insiders (fraud/misuse) in a timely manner
Proactive Approach
◦ Provenance
Research field mostly developed in provenance-aware
software applications
A property of accountability: trace activities back to their
source in terms of time and location
Ensure chain of custody by ensuring provenance of evidence
during its recording and storage
Consider different evidence sources, not just the database
Proactive Database Forensics Architecture
◦ Ensure integrity of evidence (non-repudiation and provenance)
before, during and after a security event
◦ If evidence integrity is ensured, the evidence is more likely to be
admissible, because the systems that generated it can be shown to
be reliable (trustworthiness)
◦ Audit requirements
Generate reliable evidence by logging and monitoring user action on the
database
◦ combined with forensics requirements
Investigate incidents by identifying, preserving, acquiring and
evaluating/analysing evidence to finally report and reflect on the events
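The audit and forensics requirements above (reliable logging of who did what and when, evidence whose integrity can be checked after the fact, and reconstruction of an earlier database state as in the reactive approach) can be shown in working code. The following is an added example, not code from the slides or from the author's architecture: SQLite triggers record every change to a hypothetical `accounts` table into an `audit_log`, each entry is chained to the previous one with SHA-256, a verifier recomputes the chain, and a replay routine reconstructs a row's earlier state. The table, column and actor names and the data in `demo()` are constructed for illustration; `current_actor()` stands in for the DBMS session principal (SESSION_USER, SUSER_SNAME() or equivalent).

```python
"""Added example (not from the slides): a proactive audit trail for one table,
built from SQLite triggers and a SHA-256 hash chain, so that an insider who edits
or removes audit rows is detected, plus a replay routine that reconstructs a
row's earlier state from the trail. Table, column and actor names are
hypothetical and the data in demo() is constructed."""
import hashlib
import sqlite3

GENESIS = "0" * 64  # constructed anchor hash for the first chain entry

SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER);
CREATE TABLE audit_log (
    seq INTEGER PRIMARY KEY,
    actor TEXT NOT NULL, op TEXT NOT NULL, row_id INTEGER NOT NULL,
    old_owner TEXT, old_balance INTEGER, new_owner TEXT, new_balance INTEGER,
    prev_hash TEXT NOT NULL, hash TEXT NOT NULL
);
"""

def entry_hash(prev, actor, op, row_id, oo, ob, no, nb):
    """Canonical record prev|actor|op|row_id|old_owner|old_balance|new_owner|new_balance
    (NULL -> ''); the trigger builds exactly this string before hashing."""
    parts = [prev, actor, op, str(row_id)] + ["" if v is None else str(v) for v in (oo, ob, no, nb)]
    return hashlib.sha256("|".join(parts).encode()).hexdigest()

def _trigger(op, rid, oo, ob, no, nb):
    # Each trigger links its entry to the current head of the chain (p.h).
    hashed = (f"sha256(p.h || '|' || current_actor() || '|{op}|' || {rid} || '|' || "
              f"COALESCE({oo},'') || '|' || COALESCE({ob},'') || '|' || "
              f"COALESCE({no},'') || '|' || COALESCE({nb},''))")
    return f"""
CREATE TRIGGER accounts_{op.lower()} AFTER {op} ON accounts BEGIN
  INSERT INTO audit_log (actor, op, row_id, old_owner, old_balance,
                         new_owner, new_balance, prev_hash, hash)
  SELECT current_actor(), '{op}', {rid}, {oo}, {ob}, {no}, {nb}, p.h, {hashed}
  FROM (SELECT COALESCE((SELECT hash FROM audit_log ORDER BY seq DESC LIMIT 1),
                        '{GENESIS}') AS h) AS p;
END;"""

def open_audited_db(session):
    """session['actor'] stands in for the DBMS session principal (SESSION_USER etc.)."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("sha256", 1, lambda s: hashlib.sha256(s.encode()).hexdigest())
    conn.create_function("current_actor", 0, lambda: session["actor"])
    conn.executescript(
        SCHEMA
        + _trigger("INSERT", "NEW.id", "NULL", "NULL", "NEW.owner", "NEW.balance")
        + _trigger("UPDATE", "NEW.id", "OLD.owner", "OLD.balance", "NEW.owner", "NEW.balance")
        + _trigger("DELETE", "OLD.id", "OLD.owner", "OLD.balance", "NULL", "NULL"))
    return conn

def head_hash(conn):
    """Latest chain hash; in practice shipped off-host (write-once log, SIEM) as an anchor."""
    row = conn.execute("SELECT hash FROM audit_log ORDER BY seq DESC LIMIT 1").fetchone()
    return row[0] if row else GENESIS

def verify_chain(conn, expected_head=None):
    """Recompute every entry and its link to the previous one. Returns (ok, reason)."""
    prev = GENESIS
    for row in conn.execute("SELECT seq, actor, op, row_id, old_owner, old_balance, "
                            "new_owner, new_balance, prev_hash, hash FROM audit_log ORDER BY seq"):
        seq, *fields, prev_hash, h = row
        if prev_hash != prev or entry_hash(prev, *fields) != h:
            return False, f"hash mismatch at seq {seq}"
        prev = h
    if expected_head is not None and prev != expected_head:
        return False, "head mismatch: entries removed or replaced"
    return True, None

def state_at(conn, row_id, upto_seq):
    """Replay the trail to reconstruct (owner, balance) of a row as of entry upto_seq."""
    state = None
    for op, no, nb in conn.execute("SELECT op, new_owner, new_balance FROM audit_log "
                                   "WHERE row_id = ? AND seq <= ? ORDER BY seq", (row_id, upto_seq)):
        state = None if op == "DELETE" else (no, nb)
    return state

def demo():
    session = {"actor": "app_user"}                      # constructed actors
    conn = open_audited_db(session)
    conn.execute("INSERT INTO accounts VALUES (1, 'alice', 100)")
    session["actor"] = "dba_bob"
    conn.execute("UPDATE accounts SET balance = 5000 WHERE id = 1")
    head = head_hash(conn)                                # anchor recorded off-host
    out = {"clean": verify_chain(conn, head), "prior_state": state_at(conn, 1, 1)}
    # Insider rewrites the audit row to hide who changed the balance
    conn.execute("UPDATE audit_log SET actor = 'app_user' WHERE seq = 2")
    out["edited"] = verify_chain(conn, head)
    conn.execute("UPDATE audit_log SET actor = 'dba_bob' WHERE seq = 2")
    # Insider deletes the newest entry: the chain alone still verifies, the anchored head does not
    conn.execute("DELETE FROM audit_log WHERE seq = 2")
    out["truncated_no_head"] = verify_chain(conn)
    out["truncated_with_head"] = verify_chain(conn, head)
    return out

if __name__ == "__main__":
    print(demo())
```

Two design points matter for the insider case the slides focus on. First, the chain only proves that entries were not altered or removed from the middle; an insider with write access to the audit table can still truncate the newest entries, which is why `verify_chain` also accepts a head hash that must be recorded outside the DBA's reach (the demo shows the truncation passing without the anchor and failing with it). Second, role segregation applies to the trail itself: the application role should be able to append to the audit table only, and reading or verifying it should belong to the auditor or CSIRT role.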
Database misuse/fraud is mostly performed by
insiders, however in the field of database
forensics, this problem has drawn very little
attention
Reactive approaches for database forensics are
more developed, but not fully admissible for
forensic purposes
Proactive approaches for database forensics are
emergent research trends, more flexible for
incident response and with higher likelihood of
admissibility in legal proceedings
Proactive approaches must be formalised
methodologically and practically
A proactive database forensics architecture
should be considered to gather evidence from
different sources (network, servers, database)
This architecture must consider aspects of
both forensics and auditing activities to
ensure evidence integrity