Research on Database Forensics
Denys A. Flores
20 Jan 2016
Data Breaches
► They happen around the world, and security officers are sometimes not aware of them until weeks or months later
► One impact of a data breach is the unauthorised disclosure of, or access to, critical information
► The number of data breach investigations increased 54% between 2012 and 2013
► Insiders and outsiders are a constant threat to information security
Data Breaches
Outsiders (external threats)
► In 2015, 69% of big companies and 38% of small businesses faced external attacks
○ Vulnerabilities in protocol implementations (e.g. Heartbleed in OpenSSL's TLS heartbeat extension)
○ Kernel vulnerabilities (bypassing ASLR and DEP)
○ Application bugs (heap/stack overflows, legacy code)
○ Third-party plug-ins
○ Web-based attacks (SQL injection, DoS)
○ Malware (Trojans, RATs, rogueware)
Insiders (internal threats)
► The major source of costly data breaches
► Financially motivated, or intentional/malicious system damage
○ IP spoofing
○ Sniffing/scanning
○ Credential misuse
○ Unauthorised information disclosure (negligent or intentional)
Security Management Issues
► Weak information security policy
► Lack of role segregation
► Compliance is not security:
○ Auditing is more focused on compliance with complex standards than on detecting information security issues and attack vectors
► CSIRTs perform very little analysis of incidents and apply weak recovery techniques (wipe/reinstall, which also destroys the evidence needed to attribute the incident)
► CSIRT skills are sometimes limited
► Malicious employees evade detection and hide their activity; they become either attackers or accomplices
Technology Limitations
► Encryption
○ End-to-end encryption does not solve the problem of credential misuse: a user holding valid credentials reads the data decrypted
○ It has a significant impact on infrastructure performance
○ Encrypting a hard drive is not the same as encrypting a database: disk encryption protects data at rest on a lost or stolen medium, but is transparent to every process and user on the running server
► Security Architecture
○ Incident management technologies do not consider data management and classification
○ Companies think that security tools are the silver bullet for all security problems
○ Device misconfiguration
► Cloud Services
○ Effective outsourced security management
○ Effective outsourced data/information management
○ Effective physical/logical access control to database servers
Security and Forensics
► As a database stores information, information security principles apply
► Information Security:
○ A set of human and technical measures and procedures to protect the information security properties:
• Confidentiality
• Integrity
• Availability
• Possession or Control
• Authenticity
• Authentication
• Non-repudiation
• Provenance
• Authorisation
• Utility
• Accountability
Security and Forensics
► Accountability
○ The security characteristic of tracking identification, authorisation and access activities to ensure that an actor with access to resources behaves in accordance with security, business and ethical rules (non-repudiation)
○ It accepts that a fully secure system does not exist, so when a security event occurs (e.g. a data breach) it must be attributed to the attacker using accurate and reliable digital evidence (provenance)
○ Requires proper monitoring and logging of actions to ensure the proper storage, use and maintenance of databases
○ It serves both auditing and forensic purposes
Security and Forensics
► Auditing
○ Methodical and recurring examination and review of activities over a period of time
○ Ensures compliance with laws, policies and other regulations by using accurate records of who did what and when
○ Relies on authentication and authorisation controls: an audit record is only as trustworthy as the identity behind it
Security and Forensics
► Forensics
○ Methodical identification, preservation, acquisition and examination of digital evidence in order to report and reflect on a security event that may have legal implications
○ A vital process for incident response: analyse an event in a timely manner and, if possible, identify the parties involved
○ Relies on evidence provenance
Database Forensics
► The main research focus in database security has been external threats (outsiders)
► There is an emerging concern about intentional unauthorised attempts to access or destroy data, along with malicious actions performed by authorised users (insiders)
► Insiders are a great threat and the main cause of database tampering and fraud; this is our research interest
Database Forensics
► Very little research in the field of database forensics in comparison to cloud forensics
► Two research areas:
○ Reactive approach
○ Proactive approach
Database Forensics
► Reactive Approach:
○ Applied after a security event (e.g. a data breach) has occurred
○ Reconstructs or recovers an original state of the database
○ Relies on traditional digital forensics techniques (disk imaging and data carving), which are not fully compatible with the complexity of databases (transaction logs, caches, reused pages) and may not ensure evidence integrity or its admissibility in legal proceedings
○ Not effective for incident response (limited time and resources)
○ Ad-hoc practices that depend on the DBMS (MSSQL / Oracle)
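As an added illustration of why imaging and carving are unreliable against a DBMS (example code written for this page, not from the original slides and not specific to the DBMSs named above): the script deletes a row from a SQLite database file and then carves the raw file for a known value, first with SQLite's default behaviour (freed cell bytes are left in the page) and then with `PRAGMA secure_delete` enabled, which zeroes freed space. Whether the examiner recovers the row depends on a setting the examiner does not control. The table, rows and marker string are constructed for the demonstration.

```python
"""Added example (not from the original slides): deleted-row carving from a
database file succeeds or fails depending on DBMS settings the examiner does
not control.  A marked row is deleted from a SQLite file and the raw file
bytes ('the image') are then searched for the marker.  Table, rows and the
marker string are constructed for this demonstration."""
import os
import sqlite3
import tempfile

MARKER = "ACCT-7731-SALARY-LEAK"   # constructed value we will try to carve


def _populate(path):
    """Create a small table; the row we later delete sits between two others."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA journal_mode=DELETE")   # rollback journal is removed on commit
    conn.execute("CREATE TABLE employees(id INTEGER PRIMARY KEY, name TEXT, note TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)",
                     [(1, "alice", "x" * 40), (2, "bob", MARKER), (3, "carol", "y" * 40)])
    conn.commit()
    conn.close()


def carve(path, needle):
    """'Imaging and carving' reduced to its essence: read the whole file and
    look for known bytes, ignoring the database's own structure."""
    with open(path, "rb") as fh:
        return needle.encode("utf-8") in fh.read()


def delete_and_carve(secure_delete):
    """Delete the marked row and report whether it can still be carved.

    Returns a dict: 'before' (marker present before deletion) and
    'after' (marker still present after deletion).
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "evidence.db")
        _populate(path)
        before = carve(path, MARKER)
        conn = sqlite3.connect(path)
        # The compile-time default of secure_delete differs between SQLite
        # builds, so set it explicitly.  ON makes SQLite zero freed cell space.
        conn.execute("PRAGMA secure_delete=" + ("ON" if secure_delete else "OFF"))
        conn.execute("DELETE FROM employees WHERE id = 2")
        conn.commit()
        conn.close()
        after = carve(path, MARKER)
        return {"before": before, "after": after}


if __name__ == "__main__":
    print("default         :", delete_and_carve(secure_delete=False))
    print("secure_delete=ON:", delete_and_carve(secure_delete=True))
```

With the default setting the deleted value is still carved from the file; with secure_delete it is gone, and nothing in the image tells the examiner whether a row ever existed. A server DBMS adds the transaction log, buffer cache and page reuse to this picture, which is why the deck treats carving-based recovery as neither complete nor provably intact.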
Database Forensics
► Proactive Approach
○ Formalise the forensic analysis of databases
○ Resilience / readiness:
• Ensure accountability (auditing and forensics)
• Deploy security configurations and controls to detect, prevent and deter security incidents on databases caused by insiders (fraud/misuse)
• Enable CSIRTs to investigate security incidents on databases caused by insiders (fraud/misuse) in a timely manner
Database Forensics
► Proactive Approach
○ Provenance
• A research field mostly developed for provenance-aware software applications
• A property of accountability: tracing activities back to their source in terms of time and location
• Ensures chain of custody by establishing the provenance of evidence while it is recorded and stored
• Considers different evidence sources, not just the database
Database Forensics
► Proactive Database Forensics Architecture
○ Ensure the integrity of evidence (non-repudiation and provenance) before, during and after a security event
○ If evidence integrity can be demonstrated, the evidence is more likely to be admissible, because the systems that generated it can be shown to be reliable (trustworthiness)
○ Audit requirements
• Generate reliable evidence by logging and monitoring user actions on the database
+
○ Forensics requirements
• Investigate incidents by identifying, preserving, acquiring and evaluating/analysing evidence, to finally report and reflect on the events
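As an added example written for this page (not part of the original slides and not the code of any DBMS), the following implements the audit and forensics requirements above for one table in SQLite: triggers generate the record of who did what and when (the auditing slide), and a SHA-256 hash chain computed at write time gives each entry provenance and makes tampering with the log itself detectable (the accountability and architecture slides). Table layout, trigger names, actor names and sample statements are constructed for the demonstration; SQLite has no session user, so the actor is supplied by the application through a registered function, where a server DBMS would use its own session identity.

```python
"""Added example (not part of the original slides): a minimal proactive audit
trail for one sensitive table, built in SQLite from Python.  Triggers record
every INSERT/UPDATE/DELETE together with the acting user, and each audit
entry is chained to the previous one with SHA-256 at write time, so that a
later edit or deletion of the audit table is detectable.  Table layout,
trigger names, actor names and sample statements are all constructed."""
import hashlib
import sqlite3

GENESIS = "GENESIS"   # chain anchor for the first entry

SCHEMA = """
CREATE TABLE accounts(id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER);
CREATE TABLE audit_log(
    seq       INTEGER PRIMARY KEY,  -- append order
    ts        TEXT NOT NULL,        -- when
    actor     TEXT NOT NULL,        -- who
    op        TEXT NOT NULL,        -- what: INSERT / UPDATE / DELETE
    row_id    INTEGER NOT NULL,     -- on which row
    old_row   TEXT,                 -- row image before the change (UPDATE/DELETE)
    new_row   TEXT,                 -- row image after the change (INSERT/UPDATE)
    prev_hash TEXT NOT NULL,        -- hash of the previous entry (chain link)
    hash      TEXT NOT NULL);       -- hash of this entry
-- Append-only guards: only a privileged insider can lift these
CREATE TRIGGER audit_log_ro_upd BEFORE UPDATE ON audit_log
    BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_log_ro_del BEFORE DELETE ON audit_log
    BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""

# One trigger per DML operation.  ts, actor and the previous hash come from
# one sub-select so the stored values and the hashed values agree.
_TRIGGER = """
CREATE TRIGGER accounts_{name} AFTER {op} ON accounts BEGIN
  INSERT INTO audit_log(ts, actor, op, row_id, old_row, new_row, prev_hash, hash)
  SELECT p.ts, p.actor, '{op}', {rid}, {old}, {new}, p.prev,
         audit_hash(p.prev, p.ts, p.actor, '{op}', {rid}, {old}, {new})
  FROM (SELECT datetime('now') AS ts, current_actor() AS actor,
               coalesce((SELECT hash FROM audit_log ORDER BY seq DESC LIMIT 1),
                        '{genesis}') AS prev) AS p;
END;
"""
_OLD = "'owner=' || OLD.owner || ';balance=' || OLD.balance"
_NEW = "'owner=' || NEW.owner || ';balance=' || NEW.balance"
TRIGGERS = "".join(_TRIGGER.format(name=n, op=o, rid=r, old=a, new=b, genesis=GENESIS)
                   for n, o, r, a, b in [("ins", "INSERT", "NEW.id", "NULL", _NEW),
                                         ("upd", "UPDATE", "NEW.id", _OLD, _NEW),
                                         ("del", "DELETE", "OLD.id", _OLD, "NULL")])


def audit_hash(prev, ts, actor, op, row_id, old_row, new_row):
    """SHA-256 over the previous hash plus the canonical form of this entry."""
    fields = [prev, ts, actor, op, str(row_id), old_row or "", new_row or ""]
    return hashlib.sha256("\x1f".join(fields).encode("utf-8")).hexdigest()


class AuditedDB:
    """In-memory SQLite database whose 'accounts' table is audited by triggers."""

    def __init__(self):
        self.actor = "unknown"
        self.conn = sqlite3.connect(":memory:")
        # Assumption of the demo: SQLite has no session identity, so the
        # application supplies the actor.  A server DBMS would use its own.
        self.conn.create_function("current_actor", 0, lambda: self.actor)
        self.conn.create_function("audit_hash", 7, audit_hash)
        self.conn.executescript(SCHEMA + TRIGGERS)

    def run_as(self, actor, sql):
        self.actor = actor
        self.conn.execute(sql)
        self.conn.commit()

    def verify_chain(self):
        """Recompute the chain; return (True, None) or (False, first bad seq)."""
        prev = GENESIS
        rows = self.conn.execute("SELECT seq, ts, actor, op, row_id, old_row, new_row, "
                                 "prev_hash, hash FROM audit_log ORDER BY seq")
        for seq, ts, actor, op, row_id, old, new, prev_hash, h in rows:
            if prev_hash != prev or audit_hash(prev, ts, actor, op, row_id, old, new) != h:
                return False, seq
            prev = h
        return True, None


def demo():
    """Normal use, an insider change, then an attempt to hide it in the log."""
    db = AuditedDB()
    db.run_as("app", "INSERT INTO accounts VALUES (1, 'alice', 100)")
    db.run_as("app", "INSERT INTO accounts VALUES (2, 'bob', 50)")
    db.run_as("dba", "UPDATE accounts SET balance = balance + 900 WHERE id = 2")
    intact = db.verify_chain()                     # (True, None)
    try:                                           # guard trigger blocks the edit
        db.run_as("dba", "UPDATE audit_log SET actor = 'app' WHERE seq = 3")
        blocked = False
    except sqlite3.DatabaseError:
        blocked = True
    db.run_as("dba", "DROP TRIGGER audit_log_ro_upd")   # privileged insider lifts it
    db.run_as("dba", "UPDATE audit_log SET actor = 'app' WHERE seq = 3")
    tampered = db.verify_chain()                   # (False, 3)
    return intact, blocked, tampered


if __name__ == "__main__":
    print(demo())
```

The guard triggers are a preventive control and, as the demo shows, a privileged insider can remove them; the hash chain is the forensic control, because the edited entry no longer matches its own hash and every later link inherits the break. On its own the chain still cannot detect a complete rewrite from the genesis entry onward, so the current chain head should be exported regularly to a collector outside the database server, which is one of the "different evidence sources" the architecture calls for.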
Conclusions
► Database misuse/fraud is mostly performed by insiders; however, in the field of database forensics this problem has drawn very little attention
► Reactive approaches to database forensics are more developed, but their evidence is not fully admissible for forensic purposes
► Proactive approaches to database forensics are an emerging research trend, more flexible for incident response and with a higher likelihood of admissibility in legal proceedings
Conclusions
► Proactive approaches must be formalised methodologically and practically
► A proactive database forensics architecture should be considered to gather evidence from different sources (network, servers, database)
Conclusions
► This architecture must consider aspects of both forensics and auditing activities to ensure evidence integrity