Online Appendix to: Generalizing Database Forensics

Figures 16–19 show different parts of the formulation of the forensic analysis protocol (broken across four diagrams). We will discuss Page Write Timestamp corruption (on disk), Attribute corruption (on disk), and Schema corruption (on disk) using the the four figures as a guide. Data corruptions which affect an entire tuple will not be discussed since no tools exist right now that adequately analyze these problems, even though we can detect that corruption is present. In general, the identification of leaves for which no forensic tools exist (marked with “Pending Future Work”) is part of our future work. After the section devoted to the common starting path of the forensic protocol, each of the following sections corresponds to the leaves of the above-listed major corruption subtypes. We emphasize that this protocol assumes a single corruption event. A diagram depicting the taxonomy and protocol together can be accessed at http://www.cs.arizona.edu/projects/tau/dragoon/taxonomy protocol.pdf. The upper portion of the figures show portions of the UML taxonomy of corruption events (in shaded rectangles). Everything appearing below the taxonomy depicts the steps taken and the tools used in the forensic analysis protocol, in order to reach the leaves in the taxonomy. Within the lower position of the protocol are conditionals in diamonds that denote questions distinguishing between variations of the same corruption subtype, directives in (unshaded) rectangles that indicate some computational task to be performed, and connectors in ellipses that connect the different parts of the protocol using unique labels. Observables are the results of conditionals and of the forensic analysis algorithms. Recall that forensic analysis is a one-to-one correspondence between the observables and the elements in the taxonomy. Such a strong correspondence might not be possible to establish, either because of lack of tools (in this case the forensic analysis algorithms) or due to the nature of the problem. Hence, we characterize forensic analysis as a mapping from observables to subsets of the taxonomy, which we term conclusion sets. Elements belonging to the same conclusion set are indistinguishable from one another given the available tools. Conclusion sets are shown in parallelograms. A legend in Figure 16 summarizes this useful information. The flow of analysis in the protocol is generally upward, as indicated by the arrows.