Detecting Database Security Breaches using Memory Forensics


June 3, 2022 1:00 PM — 2:00 PM


CDM 222 and online


James Wagner, University of New Orleans, USA


Cyberattacks continue to evolve and adapt to state-of-the-art security mechanisms. Therefore, it is critical for security experts to routinely inspect audit logs to detect complex security breaches. However, if a system was compromised during a cyberattack, the validity of the audit logs themselves cannot necessarily be trusted. Specifically, for a database management system (DBMS), an attacker with elevated privileges may temporarily disable the audit logs, tamper with the audit logs, or issue obfuscated queries. Thus, security experts need techniques to validate logs independent of a potentially compromised system to detect security breaches.

In this research talk, we discuss our work to develop techniques to validate audit logs for DBMSes. We rely on the fact the queries must ultimately be processed in memory regardless of any security mechanisms they may have bypassed. Our techniques collect forensic artifacts from memory snapshots. Additionally, we demonstrate that query operations follow a repeated set of patterns. Operations such as a full table scan, index access, or joins each leave behind their own set of distinct forensic artifacts in memory. Given these known patterns, we propose that the forensic artifacts in a memory snapshot allows one to reverse-engineer query activity and validate audit logs independent of the DBMS itself.


James Wagner is an assistant professor in the Department of Computer Science at the University of New Orleans. His primary research interests are in database security, digital forensics, and data retention policies. He was recently awarded a three-year, $158,000 grant from the Louisiana Board of Regents to develop methods that track the physical movement of data within a system for the purpose of detecting data tampering and exfiltration. During his PhD at DePaul University, his research focused on formal methods in digital forensics and fine-grained access control policies for database systems.

Leave a Reply

Your email address will not be published. Required fields are marked *