Database forensics

Database forensics is a branch of digital forensic science relating to the forensic study of databases and their related metadata.[1]

The discipline is similar to computer forensics, following the normal forensic process and applying investigative techniques to database contents and metadata. Cached information may also exist in a server's RAM, requiring live analysis techniques.

A forensic examination of a database may relate to the timestamps that record the update time of a row in a relational table, which are inspected and tested for validity in order to verify the actions of a database user. Alternatively, a forensic examination may focus on identifying transactions within a database system or application that indicate evidence of wrongdoing, such as fraud.

Software tools can be used to manipulate and analyse data. These tools also provide audit logging capabilities, which give documented proof of what tasks or analysis a forensic examiner performed on the database.
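The two ideas above, testing row timestamps for validity and keeping an audit trail of the examiner's own queries, can be shown on a small relational table. The following is an added example, not code from the article or from any tool it cites; the `accounts` and `audit_log` tables, their columns, the sample rows and the `ExaminerLog` class are all constructed for illustration. It uses SQLite so it runs offline; the same queries apply to any SQL engine with a date-difference function.

```python
"""Added example (not from the article): checking row timestamps and audit-log
coverage in a relational table, and logging what the examiner ran.
All table names, columns and rows below are constructed for illustration."""
import hashlib
import json
import sqlite3
from datetime import datetime, timezone

# Constructed sample data. Each account row carries the application's own
# created_at / updated_at columns; audit_log is what the application is
# supposed to write for every change, naming the database user that made it.
ACCOUNTS = [
    # (id, owner, balance, created_at, updated_at)
    (1, "alice", 120.00, "2024-03-01T09:00:00", "2024-03-01T09:00:00"),
    (2, "bob", 950.00, "2024-03-02T10:15:00", "2024-03-05T14:20:00"),
    (3, "carol", 310.00, "2024-03-03T11:30:00", "2024-03-02T08:00:00"),
    (4, "dave", 5000.00, "2024-03-04T12:00:00", "2024-03-06T23:59:00"),
]
AUDIT_LOG = [
    # (account_id, db_user, action, logged_at)
    (2, "app_svc", "UPDATE", "2024-03-05T14:20:00"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory copy of the sample so the checks run offline."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE accounts (
            id INTEGER PRIMARY KEY, owner TEXT, balance REAL,
            created_at TEXT, updated_at TEXT);
        CREATE TABLE audit_log (
            account_id INTEGER, db_user TEXT, action TEXT, logged_at TEXT);
        """
    )
    conn.executemany("INSERT INTO accounts VALUES (?,?,?,?,?)", ACCOUNTS)
    conn.executemany("INSERT INTO audit_log VALUES (?,?,?,?)", AUDIT_LOG)
    conn.commit()
    return conn


class ExaminerLog:
    """Records every query the examiner runs together with a digest of the
    result set, so the examination itself is documented (the audit trail the
    article says forensic tooling should provide). Hypothetical helper."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def run(self, conn: sqlite3.Connection, sql: str, params: tuple = ()) -> list[tuple]:
        rows = conn.execute(sql, params).fetchall()
        digest = hashlib.sha256(json.dumps(rows).encode()).hexdigest()
        self.entries.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "sql": " ".join(sql.split()),
            "params": list(params),
            "rows": len(rows),
            "sha256": digest,
        })
        return rows


def find_impossible_timestamps(conn: sqlite3.Connection, log: ExaminerLog) -> list[int]:
    """Ids of rows whose last update is recorded as earlier than their creation.
    ISO-8601 strings compare correctly as text, so no parsing is needed."""
    rows = log.run(conn, "SELECT id FROM accounts WHERE updated_at < created_at ORDER BY id")
    return [r[0] for r in rows]


def find_unlogged_updates(conn: sqlite3.Connection, log: ExaminerLog,
                          tolerance_s: int = 60) -> list[int]:
    """Ids of rows that changed after creation but have no audit_log entry within
    tolerance_s seconds of updated_at: a change the application never recorded."""
    rows = log.run(
        conn,
        """
        SELECT a.id FROM accounts a
        LEFT JOIN audit_log l
               ON l.account_id = a.id
              AND abs(julianday(l.logged_at) - julianday(a.updated_at)) * 86400.0 <= ?
        WHERE a.updated_at <> a.created_at AND l.account_id IS NULL
        ORDER BY a.id
        """,
        (tolerance_s,),
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    examiner = ExaminerLog()
    print("updated before created:", find_impossible_timestamps(db, examiner))
    print("updates with no audit entry:", find_unlogged_updates(db, examiner))
    print(json.dumps(examiner.entries, indent=2))
```

On the constructed sample, account 3 fails the timestamp test (its `updated_at` precedes `created_at`), and accounts 3 and 4 changed without a matching `audit_log` entry, while account 2's change is covered by the logged `app_svc` update. The `ExaminerLog` entries are what an examiner would attach to a report to show exactly which queries were run and what they returned.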

Currently, many database software tools are in general not reliable and precise enough to be used for forensic work, as demonstrated in the first paper published on database forensics.[2] There is currently a single book published in this field,[3] though more are forthcoming.[4] Additionally, there is a subsequent SQL Server forensics book by Kevvie Fowler named SQL Server Forensics, which is also well regarded.[5]

The forensic study of relational databases requires knowledge of the standard used to encode data on the computer disk. Documentation of the standards used to encode information in well-known database products such as SQL Server and Oracle has been contributed to the public domain.[6][7] Others include Apex Analytix.[8]

Because the forensic analysis of a database is not executed in isolation, the technological framework within which a subject database exists is crucial to understanding and resolving questions of data authenticity and integrity, especially as they relate to database users.

Further reading

  • Farmer and Venema, 1999, http://www.porcupine.org/forensics/forensic-discovery/appendixB.html
  • Sarbanes-Oxley section 404, which enforces financial standards to limit the chance of fraud. http://thecaq.aicpa.org/Resources/Sarbanes+Oxley/
  • HIPAA, the Health Insurance Portability and Accountability Act https://web.archive.org/web/20051219200504/http://www.cms.hhs.gov/hipaa/
  • Fair Credit Reporting Act (FCRA) http://www.gao.gov/new.items/d06674.pdf
  • Oracle Forensics In a Nutshell, Paul M. Wright (May 2007) http://www.oracleforensics.com/wordpress/wp-content/uploads/2007/03/OracleForensicsInANutshell.pdf
  • Oracle Forensics, Paul Wright, Rampant Techpress, ISBN 0-9776715-2-6, May 2008. http://www.rampant-books.com/book_2007_1_oracle_forensics.htm

References

  1. Olivier, Martin S. (March 2009). "On metadata context in Database Forensics". Digital Investigation. 5 (3–4): 115–123. CiteSeerX 10.1.1.566.7390. doi:10.1016/j.diin.2008.10.001.
  2. "Oracle Database Forensics using LogMiner - GIAC Certified Student Practical". Archived from the original on 2006-04-28. Retrieved 2006-04-08.
  3. Oracle Forensics ISBN 0-9776715-2-6 (May 2008)
  4. Oracle Forensics Using Quisix ISBN 0-470-19118-X (Dec 2008)
  5. SQL Server Forensics ISBN 0-321-54436-6 (Dec 2008)
  6. SANS Institute - Forensic Analysis of a SQL Server 2005 Database Server
  7. Oracle Forensics and Incident Response - databasesecurity.com Archived September 8, 2013, at the Wayback Machine
  8. http://www.bizjournals.com/triad/stories/2004/01/05/story3.html
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.