Database Forensics: Database Tamper Detection and Prevention

Abstract

Audit logs are considered as a good practice for systems which contains sensitive data. Federal regulations are forced to maintain audit logs for secure systems such as financial applications, data for approval of drugs, military records, and even for electronic voting. It is critical that audit logs are correct and inalterable. Just by maintaining an audit log does not reflect 100% integrity. The problem with the audit logs is that insiders such as Database Administrator (DBA) or internal auditors who have full access to the database can tamper the database and alter the audit records to remain undetected. This research proposes a mechanism that runs on top of the Database Management Systems (DBMS) layer to prevent the intruders both inside and outside, from tampering the database. There are two main components, the security layer which is based on strong one-way hash functions to prevent the tampering events, and a validation program to detect whether any tampering event has been occurred. The security mechanism collects evidences of the transactions performed on the database and the validation program analyses those evidence to identify whether the database has been tampered. If a database tampering has been occurred the proposed mechanism will identify when the tampering has occurred, what records have been tampered and eventually if there is enough evidence the system will find out who the attacker is.