Raul QuinonezCS 4398 Digital Forensics10/25/13

How to detect tampering?

What data has been tampered?

Who did it via forensic analysis?

Cryptographic Hashing functions

Normal Processing Phase

Digital Normalization Service

Each transaction is hashed

Identify corrupted stored data transactions

Focus on original time of transaction and time of corrupted transaction

Several corrupted tuples- Multi-locus

Single corrupted tuple- Single-locus

MonochromaticCumulative hash chains (black)

RGBYThree types of chains (Red, green, blue)

Tiled BitmapTiles of chains over continous data segments

a3D AlgorithmPartial hash chanis changes with transaction time

Tiled bitmap is the cheapest

Monochromatic is the easiest to implement

RGBY is the best option for larger corruption cases

a3D Algorithm has a constant cost

How, what and who?

Forensic Algorithms

Comparison of algorithms

Kyri Pavlou and Richard T. Snodgrass, "Forensic Analysis of Database Tampering," in Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD), pages 109-120, Chicago, June, 2006.