ABSTRACT
Mechanisms now exist that detect tampering of a database, through the use of cryptographically-strong hash functions. This paper addresses the next problem, that of determining who, when, and what, by providing a systematic means of performing forensic analysis after such tampering has been uncovered. We introduce a schematic representation termed a "corruption diagram" that aids in intrusion investigation. We use these diagrams to fully analyze the original proposal, that of a linked sequence of hash values. We examine the various kinds of intrusions that are possible, including retroactive, introactive, backdating, and postdating intrusions. We then introduce successively more sophisticated forensic analysis algorithms: the monochromatic, RGB, and polychromatic algorithms, and characterize the "forensic strength" of these algorithms. We show how forensic analysis can efficiently extract a good deal of information concerning a corruption event.
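As an added illustration (not code from the paper), the following Python sketch shows the basic scheme the abstract refers to: audit records are linked into a cumulative hash chain, the running hash is handed to a notary at the end of each interval, and validation recomputes the chain against the notarized digests. Once a mismatch appears, the first bad interval bounds the "where" of the corruption event (which records were changed). The interval length, the zero-valued genesis link, the SHA-256 linking function and the sample audit rows are all assumptions made for this example; the paper's monochromatic, RGB and polychromatic algorithms refine this to also recover the "when" and "what".

```python
import hashlib

# Assumed starting link for the chain (illustration only).
GENESIS = b"\x00" * 32


def chain_hash(prev, record):
    """Link one record into the chain: h_i = SHA-256(h_{i-1} || record_i)."""
    return hashlib.sha256(prev + record).digest()


def notarize(records, interval):
    """Simulate notarization: after every `interval` records the running chain
    hash is sent to a notary the adversary cannot alter. Returns one digest
    per completed interval, in order."""
    h = GENESIS
    notarized = []
    for i, rec in enumerate(records, start=1):
        h = chain_hash(h, rec)
        if i % interval == 0:
            notarized.append(h)
    return notarized


def validate(records, notarized, interval):
    """Recompute the chain from the stored records and compare each interval's
    digest with its notarized copy. Returns (ok, first_bad_interval). Because
    the chain is cumulative, every interval after the first corrupted one also
    mismatches, so the first mismatch is the informative one."""
    h = GENESIS
    for k, digest in enumerate(notarized):
        for rec in records[k * interval:(k + 1) * interval]:
            h = chain_hash(h, rec)
        if h != digest:
            return False, k
    return True, None


def corrupted_record_range(first_bad_interval, interval):
    """The 'where' of the corruption: the corrupted record lies in this
    0-based, end-exclusive index range of the stored records."""
    return first_bad_interval * interval, (first_bad_interval + 1) * interval


# Constructed sample audit rows (not real data): twelve transactions.
RECORDS = [f"txn{i:03d}:account=A{i % 3}:amount={10 * i}".encode()
           for i in range(1, 13)]
INTERVAL = 4  # assumed notarization interval: four records per digest


def demo():
    """Notarize the clean log, retroactively alter one record, then locate it."""
    notarized = notarize(RECORDS, INTERVAL)
    ok, bad = validate(RECORDS, notarized, INTERVAL)
    assert ok and bad is None  # untampered log validates

    tampered = list(RECORDS)
    # Retroactive intrusion: rewrite the amount of txn007 (index 6) after the fact.
    tampered[6] = b"txn007:account=A1:amount=9999"
    ok, bad = validate(tampered, notarized, INTERVAL)
    lo, hi = corrupted_record_range(bad, INTERVAL)
    return ok, bad, (lo, hi)


if __name__ == "__main__":
    print(demo())  # expected: (False, 1, (4, 8))
```

Narrowing the corrupted range below one interval, and bounding the time at which the corruption happened, requires the notarization and validation timestamps that the paper's corruption diagrams organize; this sketch only recovers the interval containing the altered record.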
CITED BY 3
Hilary J. Holz, Anne Applin, Bruria Haberman, Donald Joyce, Helen Purchase, and Catherine Reed, "Research methods in computing: what are they, and how should we teach them?," ACM SIGCSE Bulletin 38(4), December 2006.