Database application schema forensics
The application schema layer of a Database Management System (DBMS) can be modified to produce results that do not reflect the data actually stored in the database. For example, table structures may be corrupted by changing the metadata of a database, or operators of the database can be altered to p...
| Published in: | South African computer journal = Suid-Afrikaanse rekenaartydskrif Volume 55; Issue 1; pp. 1 - 11 |
|---|---|
| Main authors: | Beyers, Hector Q.; Oliviery, Martin S.; Hancke, Gerhard P. |
| Format: | Journal Article |
| Language: | English |
| Published: | South African Computer Society (SAICSIT) 01.12.2014 |
| Subjects: | |
| ISSN: | 1015-7999, 2313-7835 |
| Online access: | Get full text |
| Abstract | The application schema layer of a Database Management System (DBMS) can be modified to produce results that do not reflect the data actually stored in the database. For example, table structures may be corrupted by changing the metadata of a database, or operators of the database can be altered to produce incorrect results when used in queries. Such incorrect results may lead to a forensic examination to determine the cause of the problem. Alternatively, such modifications may be employed as an anti-forensic technique in an attempt to hide the actual data from an investigator when an investigation leads to the examination of a database. In both cases forensic examiners need to be aware of the impact of such metadata on queries and plan their examination of the database accordingly. Different versions of a layer of metadata may exist: a version as found on the computer being investigated, the version that was initially designed, versions from backups, and so on. It is possible that these versions are identical, but subtle ad hoc changes are often made over time and someone with access and malicious intent can introduce changes to modify the behaviour of the DBMS to achieve some nefarious goal. This paper initially discusses categories of possibilities that exist to (surreptitiously) change the application schema; practical examples are used to illustrate these possibilities. The paper is based on the premise that a specific combination of DBMS layers of metadata and data should be assembled to test specific hypotheses. For example, questions about how a DBMS should have responded to a specific query and how it does, in fact, respond are both facts that may be important to a forensic investigator. The paper illustrates how such a combination of layers may be of use to examine a specific facet of the behaviour of the DBMS. The paper refers to such a combination of layers as a configuration. The primary purpose of the paper is to explore methods that may be used to construct a given configuration for testing. A process is proposed on how forensic evidence should be extracted from the application schema layer of a DBMS. |
|---|---|
| Author | Oliviery, Martin S.; Beyers, Hector Q.; Hancke, Gerhard P. |
| Author_xml | – sequence: 1 givenname: Hector Q. surname: Beyers fullname: Beyers, Hector Q. – sequence: 2 givenname: Martin S. surname: Oliviery fullname: Oliviery, Martin S. – sequence: 3 givenname: Gerhard P. surname: Hancke fullname: Hancke, Gerhard P. |
| ContentType | Journal Article |
| DatabaseTitleList | |
| DeliveryMethod | fulltext_linktorsrc |
| Discipline | Computer Science |
| EISSN | 2313-7835 |
| EndPage | 11 |
| ExternalDocumentID | https://hdl.handle.net/10520/EJC163971 |
| ID | FETCH-sabinet_saepub_https_hdl_handle_net_10520_EJC1639713 |
| ISSN | 1015-7999 |
| IngestDate | Thu Nov 27 13:21:40 EST 2025 |
| IsPeerReviewed | true |
| IsScholarly | true |
| Issue | 1 |
| Language | English |
| LinkModel | OpenURL |
| MergedId | FETCHMERGED-sabinet_saepub_https_hdl_handle_net_10520_EJC1639713 |
| ParticipantIDs | sabinet_saepub_https_hdl_handle_net_10520_EJC163971 |
| PublicationCentury | 2000 |
| PublicationDate | 20141201 |
| PublicationDateYYYYMMDD | 2014-12-01 |
| PublicationDate_xml | – month: 12 year: 2014 text: 20141201 day: 01 |
| PublicationDecade | 2010 |
| PublicationTitle | South African computer journal = Suid-Afrikaanse rekenaartydskrif |
| PublicationYear | 2014 |
| Publisher | South African Computer Society (SAICSIT) |
| Publisher_xml | – name: South African Computer Society (SAICSIT) |
| SSID | ssj0022892 ssib026972025 |
| Score | 3.8006706 |
| SourceID | sabinet |
| SourceType | Publisher |
| StartPage | 1 |
| SubjectTerms | Application schema forensics; Database abstract layers; Database forensic process; Database forensics; H.1.m; H.2.7 |
| Title | Database application schema forensics |
| URI | https://hdl.handle.net/10520/EJC163971 |
| Volume | 55 |