Towards a Forensic-Aware Database Solution: Using a secured Database Replication Protocol and Transaction Management for Digital Investigations

Peter Frühwirt, Peter Kieseberg, Katharina Krombholz, Edgar Weippl
SBA Research gGmbH, Favoritenstraße 16, 1040 Vienna, Austria

Email addresses: pfruehwirt@sba-research.org (Peter Frühwirt), pkieseberg@sba-research.org (Peter Kieseberg), kkrombholz@sba-research.org (Katharina Krombholz), eweippl@sba-research.org (Edgar Weippl)

Abstract

Databases contain an enormous amount of structured data. While forensic analysis on the file system level for creating (partial) timelines, recovering deleted data and revealing concealed activities is very popular and multiple forensic toolsets exist, the systematic analysis of database management systems has only recently begun. Databases contain a large amount of temporary data files and metadata which are used by internal mechanisms. These data structures are maintained in order to ensure transaction authenticity, to perform rollbacks, or to set the database back to a predefined earlier state in case of, e.g., an inconsistent state or a hardware failure. However, these data structures are intended to be used by the internal system methods only and are in general not human-readable. In this work we present a novel approach for a forensic-aware database management system using transaction and replication sources. We use these internal data structures as a vital baseline to reconstruct evidence during a forensic investigation. The overall benefit of our method is that no additional logs (such as administrator logs) are needed. Furthermore, our approach is invariant to retroactive malicious modifications by an attacker. This assures the authenticity of the evidence and strengthens the chain of custody. To evaluate our approach, we present a formal description, a prototype implementation in MySQL, and a comprehensive security evaluation with respect to the most relevant attack scenarios.

Keywords: MySQL, InnoDB, digital forensics, databases, data tampering, replication, transaction management

1. Introduction

Common ACID-compliant Database Management Systems (DBMS) provide mechanisms to ensure system integrity and to recover the database from inconsistent states or failures. Therefore they contain a large amount of internal data structures and protocols. Their main purpose is to provide basic functionality like rollbacks, crash recovery and transaction management, as well as more advanced techniques like replication or supporting cluster architectures. They are solely intended to be used by internal methods of the system to ensure the integrity of the system.

Since databases are typically used to store structured data, most complex systems make use of at least basic database techniques, which makes them relevant for forensic analysis. Thus, when investigating an arbitrary system, standardized forensic techniques targeting the underlying database allow an investigator to retrieve fundamental information without having to analyze the (probably proprietary) application layer. Database forensics supports efficient forensic investigations, e.g. to detect acts of fraud or data manipulation. However, little attention has been paid to the enormous value of internal data structures for reconstructing evidence during a forensic investigation. To illustrate the need for guaranteeing that a database is unaltered, the following questions may be useful in the course of some digital investigations:

• Was a data record changed in a certain period of time, and at what exact moment?
• Was data manipulated in the underlying file system by bypassing the SQL interface?
• What statements were issued against the database in a given time frame?
• How have manipulated data records been changed with respect to the timeline?
• What transactions have been rolled back in the past?

In this paper, we propose a novel forensic-aware database solution. Our approach is based on internal data structures for replication and transaction management that are used by the database for crash recovery. They are in general not human-readable and intended to be read and used only by internal methods of the system. The overall benefit of our method is that no log files such as administrator logs are

Preprint submitted to International Journal of Digital Forensics & Incident Response (Digital Investigation), September 6, 2014