2 research outputs found

    Auditing database systems through forensic analysis

    The majority of sensitive and personal data is stored in a number of different Database Management Systems (DBMS). For example, Oracle is frequently used to store corporate data, MySQL serves as the back-end storage for many webstores, and SQLite stores personal data such as SMS messages or browser bookmarks. Consequently, the pervasive use of DBMSes has led to an increase in the rate at which they are exploited in cybercrimes. After a cybercrime occurs, investigators need forensic tools and methods to recreate a timeline of events and determine the extent of the security breach. When a breach involves a compromised system, these tools must make few assumptions about the system (e.g., corrupt storage, poorly configured logging, data tampering). Since DBMSes manage storage independent of the operating system, they require their own set of forensic tools. This dissertation presents 1) our database-agnostic forensic methods to examine DBMS contents from any evidence source (e.g., disk images or RAM snapshots) without using a live system and 2) applications of our forensic analysis methods to secure data. The foundation of this analysis is page carving, our novel database forensic method that we implemented as the tool DBCarver. We demonstrate that DBCarver is capable of reconstructing DBMS contents, including metadata and deleted data, from various types of digital evidence. Since DBMS storage is managed independently of the operating system, DBCarver can be used for new methods to securely delete data (i.e., data sanitization). In the event of suspected log tampering or direct modification to DBMS storage, DBCarver can be used to verify log integrity and discover storage inconsistencies.

    Smartphones as Distributed Witnesses for Digital Forensics

    Part 3: Mobile Device Forensics. International audience.
    Smartphones have become an integral part of people’s lives. Their wide range of capabilities and support of diverse applications result in a wealth of data being stored in smartphone memory. Although tools are available to extract and view the data stored in smartphones, no comprehensive process exists for event reconstruction using the extracted data. Data in smartphones is typically stored in SQLite databases and can, therefore, be easily transformed. To perform event reconstruction, multiple SQLite databases have to be integrated. This paper proposes a novel mobile event reconstruction process that allows for event reconstruction by querying the integrated SQLite databases collected from multiple smartphones. The process can create detailed accounts of the events that took place before, during and after an incident.