Title: InnoDB database forensics: Enhanced reconstruction of data manipulation queries from redo logs
Authors: Peter Frühwirt, Peter Kieseberg, Sebastian Schrittwieser, Markus Huber, Edgar Weippl
Journal: Information Security Technical Report, volume 17, issue 4, pages 227-238
Publication date: 2013-05-01
Publication type: Journal Article
DOI: 10.1016/j.istr.2013.02.003
URL: https://www.sciencedirect.com/science/article/pii/S1363412713000137
Citation count: 29
Abstract
The InnoDB storage engine is one of the most widely used storage engines for MySQL. This paper discusses possibilities of utilizing the redo logs of InnoDB databases for forensic analysis, as well as the extraction of the information needed from the MySQL definition files, in order to carry out this kind of analysis. Since the redo logs are internal log files of the storage engine and thus cannot easily be changed undetected, this forensic method can be very useful against adversaries with administrator privileges, who could otherwise cover their tracks by manipulating traditional log files intended for audit and control purposes. Based on a prototype implementation, we show methods for recovering Insert, Delete and Update statements issued against a database.