An Approach to Examine the Metadata and Data of a Database Management System by making use of a Forensic Comparison Tool
Beyers, Olivier, and Hancke
2011
Citation information
H. Beyers, M. S. Olivier, and G. P. Hancke. “An Approach to Examine the Metadata and Data of a Database Management System by making use of a Forensic Comparison Tool”. In: Proceedings of the 2011 Information Security for South Africa (ISSA 2011) Conference. Ed. by H. S. Venter, M. Coetzee, and M. Loock. (Work in Progress Paper; published electronically). Johannesburg, South Africa, Aug. 2011
Abstract
This paper discusses how a forensic comparison tool can effectively assist in a forensic investigation of the metadata and data of a database installation, and an approach to handling the output of the forensic comparison tool in such an investigation. The metadata of a psql DBMS installation was compromised to support this statement. The relational database management system was divided into four abstract layers to separate the various types of metadata from one another and to separate the metadata from the data. These four abstract layers are the data model, data dictionary, application schema and application data layers. Code was implemented to construct a forensic tool that compares a suspect DBMS installation with a clean DBMS installation. Any discrepancies between the two DBMS installations are reported. The forensic tool considers two types of comparison, namely a file search and a dump search. The file search is a three-step procedure: (1) check whether the set of files in both installations is the same, (2) compare the MD5 hashes of files that exist in both DBMS installations, and (3) compare the contents of files whose hashes differ. The dump search makes a dump of both DBMS installations and compares the output. The dump search is particularly useful in managing discrepancies found with the file search. This paper proposes a way in which these discrepancies can be handled by considering various outcomes and scenarios. The four abstract layers make it easier to manage a forensic examination after discrepancies are reported by the forensic comparison tool. An approach is discussed for dealing with add-ons and different versions of DBMS installations. Although the psql DBMS was used for the forensic tool, the concepts in this paper remain independent of the DBMS.
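The three-step file search and the dump comparison described in the abstract, as an added example that is not the paper's own tool and makes no assumption about how that tool was written. The two directory trees, their file contents and the dump text are constructed toy data, not real PostgreSQL files; step 2 uses MD5 as the paper does, but the hash function is a parameter so an examiner can add SHA-256, since MD5 collisions are practical and an attacker who controls the suspect host can craft a replacement file with a matching MD5. In practice the comparison runs over a forensic copy of the suspect installation, never the live one.

```python
# Added example (not the paper's tool): the three-step file search from the abstract,
# run over two constructed directory trees standing in for a clean and a suspect
# DBMS installation, plus the same diff applied to two constructed dump texts.
import difflib
import hashlib
import tempfile
from pathlib import Path


def file_inventory(root):
    """Step 1 input: relative POSIX paths of every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}


def file_hash(path, algo="md5"):
    """Step 2: hash a file in chunks. md5 follows the paper; pass algo="sha256"
    to hash with a collision-resistant function as well."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def unified_diff(clean_text, suspect_text, label):
    """Step 3 (and the dump search): line-level diff of two texts."""
    return list(difflib.unified_diff(
        clean_text.splitlines(), suspect_text.splitlines(),
        fromfile=f"clean/{label}", tofile=f"suspect/{label}", lineterm=""))


def compare_installations(clean_root, suspect_root):
    """Report files present in only one tree, and diffs of shared files whose hashes differ."""
    clean_root, suspect_root = Path(clean_root), Path(suspect_root)
    clean_files, suspect_files = file_inventory(clean_root), file_inventory(suspect_root)
    report = {
        "only_in_clean": sorted(clean_files - suspect_files),
        "only_in_suspect": sorted(suspect_files - clean_files),
        "modified": {},
    }
    for rel in sorted(clean_files & suspect_files):
        a, b = clean_root / rel, suspect_root / rel
        if file_hash(a) == file_hash(b):
            continue  # identical bytes: nothing to examine
        try:
            report["modified"][rel] = unified_diff(
                a.read_text(encoding="utf-8"), b.read_text(encoding="utf-8"), rel)
        except UnicodeDecodeError:
            # binary file (e.g. a shared object): record the mismatch and leave
            # byte-level analysis to a dedicated tool
            report["modified"][rel] = [
                f"<binary file differs: md5 {file_hash(a)} vs {file_hash(b)}>"]
    return report


def write_tree(root, files):
    """Helper for the constructed sample: write {relative path: bytes} under root."""
    for rel, content in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)


def build_demo_installations():
    """Constructed sample data: two toy installations (hypothetical layout, not real files)."""
    base = Path(tempfile.mkdtemp(prefix="dbfct-"))
    clean, suspect = base / "clean", base / "suspect"
    conf = b"listen_addresses = 'localhost'\nport = 5432\n"
    catalog_clean = b"1 lower pg_catalog\n2 upper pg_catalog\n3 md5 pg_catalog\n"
    # suspect: a data-dictionary entry repointed, a library dropped in,
    # an extension file removed, and a binary that no longer matches
    catalog_suspect = b"1 lower pg_catalog\n2 upper public.hooked_upper\n3 md5 pg_catalog\n"
    write_tree(clean, {
        "data/postgresql.conf": conf,
        "catalog/pg_proc.txt": catalog_clean,
        "share/extension/plpgsql.control": b"comment = 'PL/pgSQL'\n",
        "bin/postgres": b"\x7fELF\xff\xfe\x01",
    })
    write_tree(suspect, {
        "data/postgresql.conf": conf,
        "catalog/pg_proc.txt": catalog_suspect,
        "lib/backdoor.so": b"\x7fELF\xff\xfe\x02",
        "bin/postgres": b"\x7fELF\xff\xfe\x03",
    })
    return clean, suspect


if __name__ == "__main__":
    clean, suspect = build_demo_installations()
    report = compare_installations(clean, suspect)
    for key in ("only_in_clean", "only_in_suspect"):
        for rel in report[key]:
            print(f"{key}: {rel}")
    for rel, diff in report["modified"].items():
        print(f"modified: {rel}")
        print("\n".join(diff))
    # dump search: the same diff over two constructed logical dumps
    print("\n".join(unified_diff(
        "CREATE FUNCTION upper(text) ...;\n",
        "CREATE FUNCTION upper(text) ...;\nCREATE FUNCTION hooked_upper(text) ...;\n",
        "dump.sql")))
```

The report separates the abstract's cases: files missing from one side (step 1), shared files whose hashes differ (step 2) and, for those, a line diff or a binary-mismatch marker (step 3). For the dump search, feed the text output of each installation's dump utility (for PostgreSQL, pg_dumpall or pg_dump of each database) to unified_diff in place of the constructed strings.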
BibTeX reference
@inproceedings{dbfct,
  author    = {Hector Beyers and Martin S Olivier and Gerhard P Hancke},
  title     = {An Approach to Examine the Metadata and Data of a Database Management System by making use of a Forensic Comparison Tool},
  editor    = {Hein S Venter and Marijke Coetzee and Mariaan Loock},
  booktitle = {Proceedings of the 2011 Information Security for South Africa (ISSA 2011) Conference},
  month     = aug,
  year      = {2011},
  address   = {Johannesburg, South Africa},
  note      = {(Work in Progress Paper; published electronically)}
}