n South African Computer Journal - Database application schema forensics




The application schema layer of a Database Management System (DBMS) can be modified to produce results that do not reflect the data actually stored in the database. For example, table structures may be corrupted by changing the metadata of a database, or operators of the database can be altered to produce incorrect results when used in queries. Such incorrect results may lead to a forensic examination to determine the cause of the problem. Alternatively, such modifications may be employed as an anti-forensic technique in an attempt to hide the actual data from an investigator when an investigation lead to the examination of a database. In both cases forensic examiners need to be aware of the impact of such metadata on queries and plan their examination of the database accordingly. Different versions of a layer of metadata may exist: a version as found on the computer being investigated, the version that was initially designed, versions from backups, and so on. It is possible that these versions are identical, but subtle ad hoc changes are often made over time and someone with access and malicious intent can introduce changes to modify the behaviour of the DBMS to achieve some nefarious goal.

This paper initially discusses categories of possibilities that exist to (surreptitiously) change the application schema; practical examples are used to illustrate these possibilities.
The paper is based on the premise that a specific combination of DBMS layers of metadata and data should be assembled to test specific hypotheses. For example, questions about how a DBMS should have responded to a specific query and how it does, in fact, respond are both facts that may be important to a forensic investigator. The paper illustrates how such a combination of layers may be of use to examine a specific facet of the behaviour of the DBMS. The paper refers to such a combination of layers as a configuration.
The primary purpose of the paper is to explore methods that may be used to construct a given configuration for testing. A process is proposed on how forensic evidence should be extracted from the application schema layer of a DBMS.


Article metrics loading...

This is a required field
Please enter a valid email address
Approval was a Success
Invalid data
An Error Occurred
Approval was partially successful, following selected items could not be processed due to error