  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
1

Reconstruction in Database Forensics

Adedayo, Oluwasola Mary January 2015
The increasing usage of databases in the storage of critical and sensitive information in many organizations has led to an increase in the rate at which databases are exploited in computer crimes. Databases are often manipulated to facilitate crimes and as such are usually of interest during many investigations as useful information relevant to the investigation can be found therein. A branch of digital forensics that deals with the identification, preservation, analysis and presentation of digital evidence from databases is known as database forensics. Despite the large amount of information that can be retrieved from databases and the amount of research that has been done on various aspects of databases, database security and digital forensics in general, very little has been done on database forensics. Databases have also been excluded from traditional digital investigations until very recently. This can be attributed to the inherent complexities of databases and the lack of knowledge on how the information contained in the database can be retrieved, especially in cases where such information has been modified or existed in the past. This thesis addresses one major part of the challenges in database forensics, which is the reconstruction of the information stored in the database at some earlier time. The dimensions involved in a database forensics analysis problem are identified and the thesis focuses on one of these dimensions. Concepts such as the relational algebra log and the inverse relational algebra are introduced as tools in the definition of a theoretical framework that can be used for database forensics. The thesis provides an algorithm for database reconstruction and outlines the correctness proof of the algorithm. Various techniques for a complete regeneration of deleted or lost data during a database forensics analysis are also described.
Due to the importance of having adequate logs in order to use the algorithm, specifications of an ideal log configuration for an effective reconstruction process are given, putting into consideration the various dimensions of the database forensics problem space. Throughout the thesis, practical situations that illustrate the application of the algorithms and techniques described are given. The thesis provides a scientific approach that can be used for handling database forensics analysis practice and research, particularly in the aspect of reconstructing the data in a database. It also adds to the field of digital forensics by providing insights into the field of database forensics reconstruction. / Thesis (PhD)--University of Pretoria, 2015. / Computer Science / PhD / Unrestricted
2

TRACE DATA-DRIVEN DEFENSE AGAINST CYBER AND CYBER-PHYSICAL ATTACKS.pdf

Abdulellah Abdulaziz M Alsaheel (17040543) 11 October 2023
In the contemporary digital era, Advanced Persistent Threat (APT) attacks are evolving, becoming increasingly sophisticated, and now perilously targeting critical cyber-physical systems, notably Industrial Control Systems (ICS). The intersection of digital and physical realms in these systems enables APT attacks on ICSs to potentially inflict physical damage, disrupt critical infrastructure, and jeopardize human safety, thereby posing severe consequences for our interconnected world. Provenance tracing techniques are essential for investigating these attacks, yet existing APT attack forensics approaches grapple with scalability and maintainability issues. These approaches often hinge on system- or application-level logging, incurring high space and run-time overheads and potentially encountering difficulties in accessing source code. Their dependency on heuristics and manual rules necessitates perpetual updates by domain-knowledge experts to counteract newly developed attacks. Additionally, while there have been efforts to verify the safety of Programming Logic Controller (PLC) code as adversaries increasingly target industrial environments, these works either exclusively consider PLC program code without connecting to the underlying physical process or only address time-related physical safety issues neglecting other vital physical features.

This dissertation introduces two novel frameworks, ATLAS and ARCHPLC, to address the aforementioned challenges, offering a synergistic approach to fortifying cybersecurity in the face of evolving APT and ICS threats. ATLAS, an effective and efficient multi-host attack investigation framework, constructs end-to-end APT attack stories from audit logs by combining causality analysis, Natural Language Processing (NLP), and machine learning. Identifying key attack patterns, ATLAS proficiently analyzes and pinpoints attack events, minimizing alert fatigue for cyber analysts. During evaluations involving ten real-world APT attacks executed in a realistic virtual environment, ATLAS demonstrated an ability to recover attack steps and construct attack stories with an average precision of 91.06%, a recall of 97.29%, and an F1-score of 93.76%, providing a robust framework for understanding and mitigating cyber threats.

Concurrently, ARCHPLC, an advanced approach for enhancing ICS security, combines static analysis of PLC code and data mining from ICS data traces to derive accurate invariants, providing a comprehensive understanding of ICS behavior. ARCHPLC employs physical causality graph analysis techniques to identify cause-effect relationships among plant components (e.g., sensors and actuators), enabling efficient and quantitative discovery of physical causality invariants. Supporting patching and run-time monitoring modes, ARCHPLC inserts derived invariants into PLC code using program synthesis in patching mode and inserts invariants into a dedicated monitoring program for continuous safety checks in run-time monitoring mode. ARCHPLC adeptly detects and mitigates run-time anomalies, providing exceptional protection against cyber-physical attacks with minimal overhead. In evaluations against 11 cyber-physical attacks on a Fischertechnik manufacturing plant and a chemical plant simulator, ARCHPLC protected the plants without any false positives or negatives, with an average run-time overhead of 14.31% in patching mode and 0.4% in run-time monitoring mode.

In summary, this dissertation provides invaluable solutions that equip cybersecurity professionals to enhance APT attack investigation, enabling them to identify and comprehend complex attacks with heightened accuracy. Moreover, these solutions significantly bolster the safety and security of ICS infrastructure, effectively protecting critical systems and strengthening defenses against cyber-physical attacks, thereby contributing substantially to the field of cybersecurity.
3

A perícia forense no Brasil. / Forensic expertise in Brazil.

Silva, Alexandre Alberto Gonçalves da 16 December 2009
This work presents a look at forensic activity beginning in ancient Egypt, the cradle of Western civilization, passing through Portuguese colonization and its influence, and arriving at present-day Brazil, bringing out the interdisciplinary elements characteristic of forensic expertise in each historical period. Given this interdisciplinary character, the work attempts to demonstrate what the legislative bases were in each era. The aim was to identify the problems that have arisen over time for the practice of forensic expertise as an aid to the justice system, as well as to highlight elements that may improve the relationship between experts, judges and parties, in view of the result of their work: the expert report.
4

A perícia forense no Brasil. / Forensic expertise in Brazil.

Alexandre Alberto Gonçalves da Silva 16 December 2009
This work presents a look at forensic activity beginning in ancient Egypt, the cradle of Western civilization, passing through Portuguese colonization and its influence, and arriving at present-day Brazil, bringing out the interdisciplinary elements characteristic of forensic expertise in each historical period. Given this interdisciplinary character, the work attempts to demonstrate what the legislative bases were in each era. The aim was to identify the problems that have arisen over time for the practice of forensic expertise as an aid to the justice system, as well as to highlight elements that may improve the relationship between experts, judges and parties, in view of the result of their work: the expert report.
