This document discusses using hybrid logical clocks (HLC) to improve database forensics and establish chain of custody for audit records. It proposes a forensically-aware distributed database architecture that uses HLC to generate, collect and preserve audit records in a way that accurately timelines events. Initial results show HLC provides a more scalable and accurate approach than previous vector clock-based methods. Future work involves formally proving the architecture's correctness and improving overhead for timelining with high transaction volumes.

1. Hybrid Logical Clocks for DB Forensics
Filing the Gap between Chain of Custody and Database Auditing.
Denys A. Flores & Arshad Jhumka
Rotorua, New Zealand
August 6th, 2019

2. Topics
 The Insider Adversary and Transactional Databases
 Proactive Database Forensics
 Towards a Forensically-Aware DB Architecture
 Vector Clocks vs. Hybrid Logical Clocks
 Proposed Forensic Controllers
 Results
 Conclusions and Future Work

3. Databases are in everything…

4. The Insider Adversary and Transactional Databases
Database Forensics allows investigating malicious DML operations (inserts,
updates, deletes) performed by trusted insiders who could misuse their
privileged access [1].
Database audit records become important evidence for investigating
privileged access misuse in order to disclose or contaminate [2] sensitive
transactional information [3].
Admissibility of audit records is challenged due to the lack of accountability
and forensic features within the database environment.
As a result, malicious insiders may cover up their activities by making them
look as authorized [4].

5. Reactive vs. Proactive Database Forensics
Reactive DB Forensics
Aims reconstructing the ‘original’ DB state [5] - bottom-up.
Adapts traditional forensic techniques such as table-relationship
analysis [7] and data file carving [8].
Challenges evidence admissibility due to lack of formalization [9]
Leads to conjectures about insider behavior as evidence may be
partially recovered or unavailable.
Proactive DB Forensics
Uses pre-designed forensic features of a DB [6] for auditing insider
activities – top-down.
Generates, collects and preserves DB audit records [10] within a
forensically ready environment.
Admissibility depends on properly justifying Chain of Custody in the
system operation.
Audit records provide more insider activity traces which may not be
possible to identify within reactively recovered evidence.

6. Chain of Custody (CoCCoCCoCCoC)
Describes the evidence continuum, providing an unbroken accountability trail to justify
every action performed on a piece of evidence, in accordance with 4 generally accepted
principles [12]:
Building an accurate timeline of events is key!

7. CoC-based System Properties
CoC properties: Role segregation, provenance, event timelining and causality
We aim to build an accurate timeline about the occurrence of DML operations.
In distributed systems with high concurrency, causality violations may happen
unexpectedly.
Its difficult to certainly know whether an event ‘happen before’ another.
Vector Clocks and Hybrid Logical Clocks have been used to solve this problem.

8. Vector Clocks (VCVCVCVC) vs. Hybrid Logical Clocks (HLCHLCHLCHLC)
VC logical timestamps Vm.τ[i] in Tι,
representing the current observed logical
clock value of each audit store Fi ∈ FDB.
Notice that size(Vm) = |FDB| .
Used in multi-version databases,
HLC logical timestamps Vm.τm
composed of tuples <pt, l, c>
representing instant physical time,
maximum physical time and a
concurrency flag, respectively.

9. Forensically-Aware Distributed DB Architecture

10. Forensically-Aware Distributed DB Architecture
A. Concurrent DMLDMLDMLDML Request Generator: A Master Event Generator (MeGen)
and Client Event Generators (CeGen), implemented in JMeter in master-
slave mode in order to produce synthetic workload to emulate concurrent
DML requests.
B. Transactional (NNNNDBDBDBDB) and Forensic (FFFFDBDBDBDB) Databases: implemented in
MSSQL Server 2014 with operative (DBuser), administrative (DBadmin) and
forensic (DBforensics) roles enabled. For HLC, these databases are
deployed in Linked Server mode and synchronised with an NTP-based time
service.
C. Proactive Database Forensic Controllers: implemented using Common
Language Runtime (CLR) C# Assemblies, and deployed as triggers and stored
procedures in their respective databases with exclusive enable/disable
permissions assigned to DBforensics.

11. Generation and Collection of Audit Records

12. Preservation of Audit Records
• A timeline Tι ∈ FDB is a sequence of timestamps Vm, such
that:
• VC Timestamp (logical order):
• HLC Timestamp (logical order + Unix Time):

13. Collection and Preservation of Audit Records

14. Results

15. 7. Conclusions and Future Work
HLCHLCHLCHLC is more scalable and accurate than our previous VCVCVCVC –based proposal
Without any optimization, 70% of transactions with HLCHLCHLCHLC commit in up to 3.5
secs (test 720 operations per test scenario)
However, a baseline has been established for developing more research in the
field of proactive DB Forensics and CoC admissibility of audit records.
Future work involves:
(a) Formally proving the architecture’s correctness in terms of compliance
with CoC-based system properties
(b) Improving overhead during timeline construction to perform better with
high transactional workload (more than 10,000 operations per test
scenario)

16. Denys A. Flores
PhD Candidate
Department of Computer Science
University of Warwick
email: d.flores-armas@warwick.ac.uk
web: go.warwick.ac.uk/dflores
Thank You!