Download Presentation - DePaul University

A UNIVERSAL CARVING APPROACH FOR
DATABASE FORENSIC ANALYSIS
James Wagner, Alexander Rasin, Jonathan Grier
Overview
• Background (File System Forensics vs. Database Forensics)
• Reconstructing Data and DICE
• Reconstructing Deleted Data
• Experiments
• Conclusion and Future Work
File System Forensics
Figure: file carving layout on disk: Header, File Fragment 1, gap, File Fragment 2, Footer.
Database Forensics
Challenges
• Database specific data models
• No file headers
• Record reconstruction
• Values are encoded with metadata
Forensics is Reconstruction, not Recovery
• No database intervention
• Backups are not available
• Corrupted disk, deleted files, read-only
Database Structures

Table Customer
ID  Name    Account  Age
1   Craig   $2000    40
2   Claire  $5000    26
3   Chris   $1000    34
4   Carol   $4000    33

Index C_Age
Age  Pointer
26   2
33   4
34   3
40   1

Table Supplier
ID  Name   City
1   Steve  San Diego
2   Sally  Springfield
3   Sam    St. Louis
4   Susy   Seattle

SELECT Name, Account
FROM Customer
WHERE Account > 3000;

Materialized View C_Account
Name    Account
Claire  $5000
Carol   $4000
Database Storage: Pages
• Minimum Unit of Storage
• Typically 4KB or 8KB
Figure: layout of one table data page (Customer), top to bottom:
• Page Header (about 20% of the page)
  • Row Directory: Row1 Address, Row2 Address, Row3 Address, Row4 Address
  • Other Structures: free space, etc.
• Row Data (about 80% of the page), filled from the bottom of the page upward:
  Row4: 4, Mark, Boston
  Row3: 3, Mary, Dallas
  Row2: 2, Jane, Chicago
  Row1: 1, John, Boston
DICE: Database Image Content Explorer
Figure: DICE architecture, two stages.
• Parameter Detector: iteratively load synthetic data into the Database Management System, capture DB storage, generate DB config. file.
• Content Parser: inputs are a DBMS disk image or DBMS RAM snapshot together with the DB config. files; outputs are data pages (tables & indexes), deleted data, etc., and volatile user artifacts.
DICE: Parameter Collector
DICE: Content Parser
DICE and Python
• Adapters for every database
• Portable across operating systems
• Simple database connections
• Constantly changing and creating page parameters
Parameter Collection: Row Data
Example: MySQL primary key storage
Parameter Collection: Datatypes
• How do you automate it? Example: Integers
PostgreSQL (4 bytes): (256^0 * B1) + (256^1 * B2) + (256^2 * B3) + (256^3 * B4)
1 = 1, 0, 0, 0
256 = 0, 1, 0, 0
257 = 1, 1, 0, 0
Oracle: Uses zero compression.
4 = 3, 192, 5
40 = 3, 192, 41
400 = 3, 193, 5
440 = 4, 193, 5, 41
• Datatype Detection. Example: PostgreSQL Integer or String?
The same four bytes, read as ASCII and as decimal (non-printable bytes shown as "."):
ASCII:    .   J   a   y
Decimal:  3   74  97  121
Generalizing Parameters
5 | 10John Smith | 11 | 5Texas
1&3&5&15 || 5 | 11 | John Smith | Texas
Parsing Example: PostgreSQL
Parameter           Value
Number Storage      4
Number Method       PSQL
String X            2
String Y            3
Raw Data Delimiter  2, 9, 24
Raw Data Position   4

Raw bytes of one row (non-printable bytes shown as "."):
ASCII:    .  .  .  .   .  +   .  .  .  '   C   u    s    t    o    m    e    r    #   0   0   0   0   0   1   5   7   9
Decimal:  0  2  9  24  0  43  6  0  0  39  67  117  115  116  111  109  101  114  35  48  48  48  48  48  49  53  55  57

C1 = 43 + 6*256 + 0*256^2 + 0*256^3 = 1579 (Integer)
Length = (39 – 3)/2 = 18
C2 = Customer#000001579 (String)
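The integer encodings from the Datatypes slide and the PostgreSQL row walkthrough above, carried through in Python as an added example; this is not code from the presentation or from DICE. The function names, the PARAMS dictionary (keyed by the slide's parameter names) and the constructed SAMPLE_ROW bytes are this example's own assumptions, and the Oracle decoder reproduces only the four slide values (exponent byte 192 for values below 100), not the full Oracle NUMBER format.

```python
import string

# Example added for this transcript; not code from the slides or from DICE.
# Function names and the parameter dictionary keys are this example's assumptions.


def pg_int_from_bytes(raw: bytes) -> int:
    """PostgreSQL integer per the slide: (256^0*B1) + (256^1*B2) + ... (little-endian)."""
    return sum((256 ** i) * b for i, b in enumerate(raw))


def oracle_number_from_bytes(raw: bytes) -> int:
    """Oracle zero-compressed integer as presented on the slide.

    Assumption: raw[0] is the total byte length, raw[1] the exponent byte
    (192 for values below 100, 193 for 100..9999), and each later byte is a
    base-100 digit stored as digit + 1.  Trailing zero digit pairs are not
    stored, which is the "zero compression".  This reproduces the slide's
    four examples only; it is not the full Oracle NUMBER specification.
    """
    length, exponent, digits = raw[0], raw[1], raw[2:]
    if length != len(raw):
        raise ValueError(f"length byte says {length}, got {len(raw)} bytes")
    power = exponent - 192          # base-100 position of the first digit
    value = 0
    for d in digits:
        value += (d - 1) * 100 ** power
        power -= 1
    return value


def printable_ratio(raw: bytes) -> float:
    """Share of bytes that are printable ASCII; input to the integer-or-string decision."""
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    return sum(b in printable for b in raw) / len(raw)


def interpret_4_bytes(raw: bytes) -> dict:
    """Read the same 4 bytes as a PostgreSQL integer and as text, as on the
    'Integer or String?' slide; the caller decides using printable_ratio."""
    return {
        "as_integer": pg_int_from_bytes(raw),
        "as_text": raw.decode("latin-1"),
        "printable_ratio": printable_ratio(raw),
    }


# Parameter set from the PostgreSQL parsing slide (keys are the slide's names).
PARAMS = {"Number Storage": 4, "Number Method": "PSQL", "String X": 2, "String Y": 3}


def parse_pg_row(raw: bytes, columns: list, params: dict) -> list:
    """Walk one row's raw bytes column by column.

    'number' columns take params['Number Storage'] bytes; 'string' columns
    start with a 1-byte header h and hold (h - String Y) / String X bytes.
    """
    pos, values = 0, []
    for kind in columns:
        if kind == "number":
            n = params["Number Storage"]
            values.append(pg_int_from_bytes(raw[pos:pos + n]))
            pos += n
        elif kind == "string":
            header = raw[pos]
            length = (header - params["String Y"]) // params["String X"]
            values.append(raw[pos + 1:pos + 1 + length].decode("ascii"))
            pos += 1 + length
        else:
            raise ValueError(f"unknown column kind {kind!r}")
    return values


# Constructed row bytes matching the slide walkthrough: 1579, then
# 'Customer#000001579' behind a string header of 39 = 2 * 18 + 3.
SAMPLE_ROW = bytes([43, 6, 0, 0, 39]) + b"Customer#000001579"

if __name__ == "__main__":
    print(parse_pg_row(SAMPLE_ROW, ["number", "string"], PARAMS))
    print(interpret_4_bytes(b"\x03Jay"))
```

The parser is deliberately driven by the parameter dictionary rather than by hard-coded offsets: swapping in another DBMS's Number Storage and String X / String Y values is what lets one parser walk pages from different engines, which is the generalization the Parameter Collector stage is meant to produce.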
DBMSes
• Hard to get some older DB versions
• Different parameters
• No Linux support
Deleted Data
• No longer recoverable through the database
• A delete only marks data; it does not overwrite it.
• Unallocated storage
• Three flavors of deleted data DICE can reconstruct:
1. Rows
2. Pages
3. Values
Deleted Data: Rows
Figure: how each DBMS marks a deleted row.
1. MySQL or Oracle
2. PostgreSQL
3. SQLite
*DB2 and SQL Server mark a deletion in the row directory
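An added example, not part of the presentation or of DICE, that models the page layout from the "Database Storage: Pages" slide (header, row directory, rows filled from the bottom of the page) together with the row-directory deletion mark the slide attributes to DB2 and SQL Server. The page size, field sizes, slot format and 1-byte length-prefixed row format are constructed for this example and match no real DBMS exactly; the point it shows is why a query no longer returns a deleted row while a carver that reads the row data area still does.

```python
# Example added for this transcript; not code from the slides or from DICE.
# The page layout below (field sizes, slot format, 1-byte row length prefix)
# is constructed for illustration and does not match any real DBMS exactly.

PAGE_SIZE = 4096   # "Typically 4KB or 8KB"
HEADER_SIZE = 8    # constructed: row count (2 bytes), start of row data (2 bytes), padding
SLOT_SIZE = 3      # row directory entry: 2-byte row offset + 1 flag byte (0 live, 1 deleted)


def build_page(rows: list) -> bytearray:
    """Lay rows out as in the slide figure: the row directory grows down from
    the header, row data grows up from the end of the page (Row1 at the bottom)."""
    page = bytearray(PAGE_SIZE)
    data_start = PAGE_SIZE
    for slot, text in enumerate(rows):
        record = text.encode("ascii")
        data_start -= 1 + len(record)                 # 1-byte length prefix + record
        page[data_start] = len(record)
        page[data_start + 1:data_start + 1 + len(record)] = record
        entry = HEADER_SIZE + slot * SLOT_SIZE
        page[entry:entry + 2] = data_start.to_bytes(2, "little")
        page[entry + 2] = 0                            # live
    page[0:2] = len(rows).to_bytes(2, "little")
    page[2:4] = data_start.to_bytes(2, "little")      # bytes between directory and here are free space
    return page


def mark_deleted(page: bytearray, slot: int) -> None:
    """A delete only marks the row: flip the directory flag and leave the row bytes
    untouched (the slide notes DB2 and SQL Server mark deletion in the row directory)."""
    page[HEADER_SIZE + slot * SLOT_SIZE + 2] = 1


def _record_at(page: bytes, offset: int) -> str:
    length = page[offset]
    return page[offset + 1:offset + 1 + length].decode("ascii")


def _directory(page: bytes):
    """Yield (slot, row offset, flag) for every row directory entry."""
    count = int.from_bytes(page[0:2], "little")
    for slot in range(count):
        entry = HEADER_SIZE + slot * SLOT_SIZE
        yield slot, int.from_bytes(page[entry:entry + 2], "little"), page[entry + 2]


def read_live_rows(page: bytes) -> list:
    """What the DBMS itself would return: only slots not flagged as deleted."""
    return [_record_at(page, off) for _, off, flag in _directory(page) if flag == 0]


def carve_rows(page: bytes) -> list:
    """Forensic view through the directory: every slot with its status."""
    return [(slot, "deleted" if flag else "live", _record_at(page, off))
            for slot, off, flag in _directory(page)]


def carve_data_area(page: bytes) -> list:
    """Reconstruction without trusting the directory: walk the row data area from
    the free-space boundary to the end of the page using the length prefixes.
    Rows come back in storage order, most recently stored (lowest address) first."""
    pos = int.from_bytes(page[2:4], "little")
    found = []
    while pos < PAGE_SIZE and page[pos] != 0:
        found.append(_record_at(page, pos))
        pos += 1 + page[pos]
    return found


# Constructed sample, using the rows from the slide's page figure.
SAMPLE_ROWS = ["1, John, Boston", "2, Jane, Chicago", "3, Mary, Dallas", "4, Mark, Boston"]

if __name__ == "__main__":
    page = build_page(SAMPLE_ROWS)
    mark_deleted(page, 1)                              # delete Jane's row
    print(read_live_rows(page))                        # 3 rows
    print(carve_rows(page))                            # 4 rows, slot 1 flagged deleted
    print(carve_data_area(page))                       # 4 rows recovered from raw bytes
```

carve_data_area is the reconstruction-not-recovery idea from the Database Forensics slide: it needs no cooperation from the DBMS and no intact directory, only the page parameters, so it keeps working on a corrupted or read-only image. On a real engine the deleted row survives only until the free space is reused, which is what Experiment 1 measures.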
Deleted Data: Pages
Deleted Data: Values
Experiment 1: Recovering Deleted Rows
Introduction
• Lifetime of deleted rows
• Representative DBs
  Oracle - Percent page utilization (39%)
  SQL Server – Overwrite if there’s space
Setup
• 2 tables: 20K random sized rows
• 85 rows/page, 236 pages
• Random & contiguous deletes
• Inserted rows were random size

Recoverable deleted rows after each step:
Action                  Oracle               SQL Server
                        T1(Rand)  T2(Cont)   T1(Rand)  T2(Cont)
Step 1 Delete 1K Rows   1000      1000       1000      1000
Step 2 Insert 1K Rows   1000      8          416       354
Step 3 Insert 1K Rows   1000      8          394       12
Experiment 1: Example
Experiment 2: Memory Monitoring (Step 1 of 3)
Figure: Snapshot 1 and Snapshot 2 of DBMS memory (1 pixel = 1 page, 50K pages total).
Legend: Lineorder, Part, Synthetic Tables, Customer, Indexes, Other, Empty.
Experiment 2: Memory Monitoring (Step 2 of 3)
Figure: Snapshot 2 and Snapshot 3 of DBMS memory (1 pixel = 1 page, 50K pages total), same legend.
Experiment 2: Memory Monitoring (Step 3 of 3)
Figure: Snapshot 3 and Snapshot 4 of DBMS memory (1 pixel = 1 page, 50K pages total), same legend.
Experiment 2: Memory Monitoring (Summary)
Conclusion
• DICE generalizes storage at the page level
• Reconstruct data (corrupted, deleted, RAM)
Future Work
• Detect log file modification with DICE
• Audit the DBA
  Disk - Deleted, updated and inserted rows
  RAM - Read-only queries
Questions