X-RayVisionforDatabases

JamesWagner

TanuMalik Karen Heart

JonathanGrierAlexanderRasin

Motivation

•Dataisavaluableasset

•Databreaches•Morethan85%goundetected[1]

• Averagedetectiontimeis210days[2]

[1]E.OuelletandP.E.Proctor.Magicquadrantforcontent-awaredatalossprevention.TechnicalReport,2012.

[2]T.TrustWave.globalsecurityreport,2013.http://www.trustwave.com/2013GSR,2013.

DBMSesareEverywhere

• Theobvious• Financialdata• Websiteback-end

• Thelessobvious• Mobilephones(SQLite)

• HumanResources(PeopleSoft)

• Web-browsers(SQLite)

DBMSisaBlackBox

DatabaseManagementSystem(DBMS)

ValuableData

DBMS:TheInnerWorld

DBMSInterfaces

DBStorageManagement

Engine

DBAuditlogs

DBaccesspermissionsandaccounts

DBEncryption

DBBackupsystem

DBRAMBuffer

DBCachemanagement

DBAuxiliarystructures(indexes,MVs)

DBTriggers/Rules

DBMiner(LogsandTransactions)

CurrentinvestigativetoolsdonotworkonDBMSes

DatabasefilesaremeaninglesswithoutDBMS

ParameterDetector

DatabaseManagement

System

DBParser

Iterativelyloadsyntheticdata

CaptureDBstorage

DBconfig.files

GenerateDBconfig.file DBMSdisk

imageDBMSRAM

image

Updated,Deletedrows

Cachedindex/datapages

Catalog,logs,etc

Unallocated(free)pages

DBCarverArchitecture

ParameterDetector

DatabaseManagement

System

DBParser

Iterativelyloadsyntheticdata

CaptureDBstorage

DBconfig.files

GenerateDBconfig.file DBMSdisk

imageDBMSRAM

image

Updated,Deletedrows

Cachedindex/datapages

Catalog,logs,etc

Unallocated(free)pages

DBCarverArchitecture

Oracle PostgreSQL SQLite

Firebird DB2 SQLServer MySQL ApacheDerby

StructureIdentifier Yes No Yes No

UniquePage ID Yes No

RowDir.Sequence Top-to-bottominsertion Bottom-to-topinsertionRowIdentifier No Yes No Yes

ColumnCount Yes No Yes No Yes

3-columnrow4,Mark,Boston

Row4 4,Mark,Boston

Row4 4 4,Mark,Boston

Row4 3 4,Mark,Boston

ParameterDetector

DatabaseManagement

System

DBParser

Iterativelyloadsyntheticdata

CaptureDBstorage

DBconfig.files

GenerateDBconfig.file DBMSdisk

imageDBMSRAM

image

Updated,Deletedrows

Cachedindex/datapages

Catalog,logs,etc

Unallocated(free)pages

DBCarverArchitecture

DBCarverOutput(SQLiteonAndroid)

…

NumberofActive Rows

InternalRowID

DeletedRow

OracleRAMSnapshots

InsiderThreats(LogTampering)

UseCasesandCollaborations

• Ongoingcases• Lawenforcement(FederalandState)

• Mobiledevices• Privateforensicconsultants

• PostgreSQL

• Wearelookingforcollaborations!• Testourexistingprototype• Workwithyouonwhatyouneed

ContactUs

• Availableduringbreakat4:00• AlexanderRasin• DePaulUniversity,312-362-7008,arasin@depaul.edu

• JonathanGrier• DigitalForensicsconsultant

• KarenHeart• Litigationattorney– sowearealsointerestedinallassociatedlegal/evidentialissues