I. INTRODUCTION:

Digital forensics is defined as the practice of scientifically proven technical methods and tools towards the preservation, collection, analysis, validation, documentation and presentation of after-the-fact digital information derived from digital sources for the purpose of facilitating or furthering the reconstruction of events as forensic evidence. Examples of digital sources includes Mobile phones, VLSI chips, Hard disks, Computers, Copiers, Digital Cameras, CD’S, DVD’s, Network Routers as well as Software, Communication protocols etc. Digital forensic investigation could be used as Post-incident investigation or examination of tampered digital systems to make inquiries about past events, allowing reconstructing the occurred attack scenarios, identifying the location of attackers, understanding what was occurred to prevent future similar incidents and argument the results with irrefutable proofs.

Databases are the nerve center of our economy. Every piece of your personal information is stored there – medical records, bank accounts, employment history, pensions, car registrations, insurance, financial, design, telemarketing, consumer electronics companies etc. Data in these sectors is growing exponentially day by day. In the same pace, malfunctioning with data has also significantly harmed big organizations. In recent years, database attacks are increasing exponentially throughout the world.

Database Forensics is a branch of Digital Forensic relating to the forensic study of Databases and their related metadata. It follows the normal forensic process and applying investigative techniques. Intruders such as hackers, crackers, sniffers etc. always look to steal the data for misuse. This leads to big losses to the government as well as large sized companies. Taking into consideration the security breaches and attacks on databases (both enterprise or government), auditing has become a mandatory part of organization to ensure integrity of the data on one hand and it is also necessary to report the tampering of data on the other hand. A forensic examination method using may help in identifying transactions within a database system or application that indicate evidence of wrongdoing, such as fraud, tampering, hacking of databases. Preserving, authenticating, analyzing, and accurately producing data from enterprise databases requires special skills and methodologies.

Section 2 of this paper gives an insight about the auditing features provided by some DBMSs while for others programming is required. Section 3 deals with analysis of various strategies by observing their performance. Section 4 gives the conclusion as to how different DBMSs can be either configured or programmed for automatic auditing.

II. ENABLING DBMSs FOR AUDITING:

A. Configuring Microsoft Access by Programming:

Currently Microsoft Access is present in many administrative systems. The hard disks today are more stable than before, still a flicker of the power can cause damage to the entire valuable data of the company. “Compact and Repair Database” feature provided by Microsoft Access can overcome problems caused by a crash. Re-linking the Back-end database may also help. Many a times instead of this also recovery becomes impossible.

Let’s say that an audit trail for an access database is required to be created to capture the following information:

1. Username

2. computer name (user computer)

3. columns changed in the tables

4. date and time of access (or change)

Create a global module and use field tagging for the section of form input one wants to audit.

B. Create the Audit Table:

This needs an Audit Trail table to store the audit records. The table has the following fields:

TABLE I. EXAMPLE AUDIT TABLE

Field Name	Data Type
AuditTrailID	AutoNumber (Primary Key)
DateTime	Date/Time
UserName	Text
FormName	Text
RecordID	Text
Action	Text
FieldName	Text
OldValue	Text
NewValue	Text

A Code is written that records Additions, Edits and Deletes. The program records activities like “ADD NEW” and “EDIT”. For “EDIT”, it records OLD as well as NEW values along with other necessary information in the Audit trail table. This information in this table can be analyzed by the investigator to find suspicious EDIT transactions [3].

C. Audit table changes in SQL server:

Although SELECT statements are not considered harmful, but there are some cases when auditing of such statements becomes essential. These cases which require that SELECT statements be audited include:

· To find out who and when is accessing your data for troubleshooting security, application, or performance issues

· To provide a necessary requirement (e.g. to comply with HIPAA or other regulations) [9]

There are several SQL Server native solutions for auditing SELECT statements.

· Stored procedures and functions

· SQL Server trace technology

· SQL Server Audit feature

This section will focus on how to audit a table in SQL server using a trigger. It is desirable to keep to track of all table changes that are happening across all the databases in a given SQL server instance. For example, when somebody creates a new table, all the information viz. name of database in which the table is created, the table name, event type (whether it is CREATE table, ALTER table or DROP table), the login name of the associated person who made the change, the exact transact SQL command that they have execute and what was the date and time when that change happened. To get this information, EventData function is required to be executed. If EventData function is programmed to scan every SELECT operation, this function will return the data associated with each SELECT operation. The data returned will be in XML format. As soon as somebody executes a SELECT query, this trigger is fired and returns data associated with the table on which SELECT query has been fired. A sample output of EventData function is as follows:

<EVENT_INSTANCE>

<EventType>SELECT_TABLE</ EventType>

<ServerName>MANISH-PC</ServerName>

<LoginName>MANISH-PC\mhb</LoginName>

<DatabaseName>SampleDB</DatabaseName>

<ObjectName>MyTable</ObjectName>

<ObjectType>Table</ObjectType>

<CommandText>Select * from MyTable where countryname= ‘India’</CommandText>

</TSQLCommand>

</EVENT_INSTANCE>

TABLE II. OUTPUT OF EXECUTION OF QUERY

Databas

eName

Table

Name

EventTy

Login

Name

SQLCo

mmand

AuditD

ateTime

Sample DB

MyTa ble

SELECT

_TABLE

MAN ISH-

PC\m hb

Select * from MyTabl e where country

name= ‘India’

2019-

12-30

17:30-

24-240

Sample DB

MyTa ble

SELECT

_TABLE

MAN ISH-

PC\m hb

Select * from Custom ers where citynam e= ‘New

Delhi’

2019-

12-29

16:45-

57-430

Sample DB

MyTa ble

SELECT

_TABLE

MAN ISH-

PC\m hb

Select * from admin

2019-

12-26

23:30-

11-610

SQL Server’s trace technology works via an API called SQL Server Profiler [9]. The following table shows the output of trace done by Profiler when a SELECT statement is executed on the sample ACME database and the information is captured in TraceSELECTsTable.

TABLE III. OUTPUT OF SQL’s TRACE FEATURE

Application Name

Database

Name

HostName

LoginName

StartTime

Text Data

Microsoft SQL Server

Management Stidio-Query

AC ME DB

LENOVO

LENOVO\IKI

2013 - 12 - 25

13:41:49 .54 0

SELECT [InvoiceID], [Amount],[CustomerID] ….

Microsoft SQL Server

Management Stidio-Query

AC ME DB

LENOVO

LENOVO\IKI

2013 - 12 - 25

13:41:50 .73 3

SELECT [InvoiceID], [Name], [Email] FROM ….

Limitation of this feature is that it requires precise manual set up using filters, it doesn’t provide a solution against tampering with the captured information by trusted parties, and there’s no archiving ability. Additionally, in order to export data and create appropriate auditing reports, this auditing method requires T-SQL knowledge.

All features of SQL Server Audit are available in the Enterprise and Developer editions of SQL Server 2014. It is not available at the database level in other editions. For this or legacy reasons, the instance may be using SQL Server Trace for auditing, which remains an acceptable solution for the time being [10].

The SQL Server Audit feature of SQL Server 2008 was made available in Enterprise and Developer editions only. It is helpful in auditing both server and database events. Moreover, it produces less overhead than trace technology but at the cost of slight impact on server performance [9]. It provides better fine-tuning of the auditing than the trace technology. Its limitations include non-availability in two SQL Server editions. Moreover, there is no archiving nor tamper evident repository. And it requires manual set up of each SQL Server instance and database, and T-SQL is a must for deeper analysis and reporting.

Other solution for auditing SELECT operations like ApexSQL Audit provides compliance tool in addition to auditing that tracks and reports events on SQL Server by auditing access and changes to the SQL Server instance and its objects. It provides a range of built-in reports, along with the custom report designer to create custom SQL Server auditing reports by using logical conditions in combination with all event sources and possible events.

D. Using SQLite Triggers for Audit Trail:

Trigger is an event-driven feature of SQLite that helps to make an audit trail for specified operations like INSERT, UPDATE and DELETE.

An intruder can illegally delete original data and insert other data. This can be understood by following sample example:

For INSERT

CREATE TRIGGER aft_insert AFTER INSERT ON emp_details BEGIN

INSERT INTO emp_log(emp_id, salary, edittime) VALUES(NEW.employee_id, NEW.salary, current_date); END;

For DELETE

CREATE TRIGGER aft_delete AFTER DELETE ON student_mast BEGIN

INSERT into stu_log (description) VALUES ('Update Student Record '||

. NAME||' Class: '||OLD.ST_CLASS||' -> Deleted on '|| date('NOW'));

END;

Triggers are used to achieve data consistency. They help to replicate the data for this purpose.

E. Using Cryptographic Hash Functions:

Pavlou and Snodgress [6][7] make use of strong cryptographic one-way hash functions to detect tampering in the data (it may be the data stored in database tables or log data generated by DBMS during operations. In [6] digital notarization service has been incorporated to solve the purpose. Every tuple or page has to be digitally notarized by the remote server. It detects the tampering of data during validation process. Hence can work on the snapshot of the data only. The various algorithms using notarization technique can detect one to many corruptions in database files or transaction log files.

F. File carving technique to detect data breaches:

Sometimes, it may happen that intruder is the insider person like DBA, who has all the privileges to access the data. He can deliberately disable the log for some time, make whatever changes he wants and enables the log again. This activity can never be traced since log table has no clue about the transactions done by DBA. In [11], it has been shown how the deleted data can be tracked by analyzing both, the log and RAM. It is known that data after deletion remains in the memory till the time it is overwritten. If an approach is used to check the log and RAM simultaneously and that to before the overwriting of the deleted data, then it is possible to detect and recover the deleted data. But the approach in [11] does not always guarantee that data will be recovered, since it will be available till the time it is not overwritten.

III. ANALYSIS OF VARIOUS TECHNIQUES:

The feature in MS-Access enables detection of corrupted data by providing log facility. By analyzing log details, details of data tampering can be obtained.

SQL server is effective in maintaining a log for all the DML operations, especially for SELECT operation. This enables the investigator to detect illegal copying of the data.

SQLite has feature to generate log using Triggers and is more suitable for runtime environment.

With cryptographic functions and notarization mechanism, there are some performance issues. The remote location of notarizer, traffic generated during validation and notarization. Moreover, it does not detect the data corruption at runtime as Triggers do.

File carving technique can be applied to different types of DBMSs. But the limitation is that it may not always give successful results.

IV. CONCLUSION:

After analyzing the pros and cons of various methods, it is clear that novel methods are required to be devised which can reap the benefits of cryptographic hash functions as well as triggers. Also new method must be able to detect the tampering in absence of auditing.

V. REFERENCE:

1. The SQL Server“AUDIT (Traditional Auditing)”, https://docs. oracle.com/database/121/SQLRF/statements_4007.htm#S QLRF01107

2. “MySQL Enterprise Audit”, https://dev.mysql. com/doc/refman/8.0/en/audit-log.html

3. “Audit Trail in Access Forms in 6 Steps”, https://blueclawdatabase.com/access-forms-audit-trail“SQL Server Audit”, https://docs.microsoft.com /en- us/sql/relational-databases/security/auditing/sql-server- audit-database-engine?view=sql-server-ver15

4. “SQLite Triggers”, https://www.w3resource.com /sqlite/sqlite-triggers.php

5. Kyriacos Pavlou, Richard T. Snodgress, “Forensic Analysis of Database Tampering,” SIGMOD’06, pp: 109- 120, June 27-29, 2006.

6. Kyriacos Pavlou, Richard T. Snodgress, “Generalizing Database Forensics,” ACM Transaction on Database Forensics, pp. 1-60, June 2013.

7. David Litchfield, “Oracle forensics part 7 Using the oracle system change number in forensic investigations,” An NGSSoftware Insight Security Research (NISR) Publication, November 2008.

8. “Auditing SELECT statements on SQL Server”, https://solutioncenter.apexsql.com/auditing-select- statements-on-sql-server/

9. “SQL Server must generate Trace or Audit records when unsuccessful attempts to add privileges/permissions occur”, https://www. stigviewer.com/stig/ms_sql_server_2014_instance/2018- 09-18/finding/V-67923

10. Wagner J. at el. (2017), “Carving database storage to detect and trace security breaches,” Digital Investigation (Elsevier), Issue 22, pp. 127-136.

Received on 23.05.2020 Accepted on 19.06.2020

Int. J. Tech. 2020; 10(1):97-101.

DOI: 10.5958/2231-3915.2020.00019.X