P. Frühwirt, P. Kieseberg, K. Krombholz, E. Weippl:
"Towards a forensic-aware database solution: Using a secured database replication protocol and transaction management for digital investigations
(2014), 4; S. 336 - 348.
[ Publication Database
Databases contain an enormous amount of structured data. While the use of forensic analysis on the le system level
for creating (partial) timelines, recovering deleted data and revealing concealed activities is very popular and multiple
forensic toolsets exist, the systematic analysis of database management systems has only recently begun. Databases
contain a large amount of temporary data les and metadata which are used by internal mechanisms. These data
structures are maintained in order to ensure transaction authenticity, to perform rollbacks, or to set back the database
to a prede ned earlier state in case of e.g. an inconsistent state or a hardware failure. However, these data structures
are intended to be used by the internal system methods only and are in general not human-readable.
In this work we present a novel approach for a forensic-aware database management system using transactionand
replication sources. We use these internal data structures as a vital baseline to reconstruct evidence during a
forensic investigation. The overall bene t of our method is that no additional logs (such as administrator logs) are
needed. Furthermore, our approach is invariant to retroactive malicious modi cations by an attacker. This assures
the authenticity of the evidence and strengthens the chain of custody. To evaluate our approach, we present a formal
description, a prototype implementation in MySQL alongside and a comprehensive security evaluation with respect to
the most relevant attack scenarios.