Talks and Poster Presentations (with Proceedings-Entry):
P. Kieseberg, S. Schrittwieser, M. Mulazzani, M. Huber, E. Weippl:
"Trees Cannot Lie: Using Data Structures for Forensics Purposes";
Talk: European Intelligence and Security Informatics Conference 2011,
- 2011-09-14; in: "Proceedings of the European Intelligence and Security Informatics Conference",
Today's forensic techniques for databases are primarily focused on logging mechanisms and artifacts accessible in the database management systems (DBMSs). While log files, plan caches, cache clock hands, etc. can reveal past transactions, a malicious administrator's modifications might be much more difficult to detect, because he can cover his tracks by also manipulating the log files and flushing transient artifacts such as caches. The internal structure of the data storage inside databases, however, has not yet received much attention from the digital forensic research community. In this paper, we want to show that the diversity of B+-Trees, a widely used data structure in today's database storage engines, enables deep insight into the database's history. Hidden manipulations such as predated INSERT operations in a logging database can be revealed by our approach. We introduce novel forensic techniques for B+-Trees that are based on characteristics of the tree structure and show how database management systems would have to be modified to even better support tree forensic techniques.
b+ tree, forensics
Created from the Publication Database of the Vienna University of Technology.