Locard Principle and database theft

05 March,2016 by Jack Vamvas

A friend of mine who works in the legal system introduced me to the Locard principle and how it relates to crime investigation. The Locard principle contends that the perpetrator of a crime brings something into the crime scene and leaves something behind at it. Both of these traces can be added to the forensic evidence. I wanted to know how this idea applies to cybercrime.

Cybercrime has unique characteristics which distinguish it from "traditional" crime. For example, if someone is using a mobile phone as an endpoint to connect into a network and steal data from a database, is it possible to connect the crime with a particular individual?

The forensics expert faces the challenge of widening the scope of the crime scene. The target object may be a database server, but the crime scene could be international, and the forensic investigator may need to visit multiple locations.

Trace logs such as the default trace are available on database servers, operating systems, routers, switches, mobile phones etc., but mapping them into a unified profile is not a trivial exercise. Firstly, there is the problem of aggregating the logs. Secondly, different layers of permission may be required across national borders. The individual may be in one country, the ISP in another, the database server in a third, and once the data is packaged it could move anywhere.
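The aggregation problem above is mostly one of normalisation: every layer stamps its records in its own format and its own local time, so events from the same session cannot be ordered until they are all converted to one clock. The following Python is an added example (not code from the original post or from sqlserver-dba.com) that parses constructed sample lines from three layers - an exported SQL Server default trace row, a Windows security event export and a router syslog line - into a single UTC timeline. The line formats, the UTC+1 offset of the database host and all IP addresses, logins and timestamps are assumptions made up for the example; the point is the technique, not any particular product's export format.

```python
"""Added example: build one UTC timeline from log lines of several layers.

All log lines below are constructed samples for the example, not captured
data, and their formats are assumptions rather than any vendor's exact output.
"""
import re
from datetime import datetime, timedelta, timezone

# Assumed local UTC offset of the database host (SQL Server and Windows logs
# are stamped in this zone); the router is assumed to log in UTC already.
DB_HOST_TZ = timezone(timedelta(hours=1))

# Constructed sample: default trace rows exported as pipe-separated text.
SQL_TRACE_LINES = [
    "2016-03-05 02:14:07.123|LOGIN|app_reports|10.0.5.21|Audit Login",
    "2016-03-05 02:14:09.001|SQL|app_reports|10.0.5.21|SELECT * FROM Customers",
]
# Constructed sample: Windows security events exported as CSV, local time.
WIN_EVENT_LINES = [
    "05/03/2016 02:13:58,4624,app_reports,10.0.5.21,Logon Type 3",
]
# Constructed sample: router syslog (no year, no zone, assumed UTC).
ROUTER_LINES = [
    "Mar  5 01:13:55 edge-rtr list 101 permitted tcp 198.51.100.7(4412) -> 10.0.5.21(1433)",
]

SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) (.*)$")
FLOW_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\(\d+\) -> (\d+\.\d+\.\d+\.\d+)\(\d+\)")


def parse_sql_trace(line):
    """Default-trace row: local timestamp with milliseconds -> UTC event."""
    ts, kind, login, host, text = line.split("|", 4)
    when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=DB_HOST_TZ)
    return {"time": when.astimezone(timezone.utc), "source": "sqlserver",
            "actor": login, "host": host, "detail": f"{kind}: {text}"}


def parse_win_event(line):
    """Windows event export: day/month/year local timestamp -> UTC event."""
    ts, event_id, user, host, text = line.split(",", 4)
    when = datetime.strptime(ts, "%d/%m/%Y %H:%M:%S").replace(tzinfo=DB_HOST_TZ)
    return {"time": when.astimezone(timezone.utc), "source": "windows",
            "actor": user, "host": host, "detail": f"EventID {event_id}: {text}"}


def parse_router(line, year=2016):
    """Syslog line: the year is absent, so the caller supplies it (edge case).

    The source IP of the flow is recorded as the actor and the destination
    IP as the host, so router events line up with host-side records.
    """
    mon, day, hms, device, text = SYSLOG_RE.match(line).groups()
    when = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
    when = when.replace(tzinfo=timezone.utc)
    src, dst = FLOW_RE.search(text).groups()
    return {"time": when, "source": "router", "actor": src, "host": dst,
            "detail": f"{device}: {text}"}


def build_timeline(sql_lines, win_lines, router_lines, year=2016):
    """Parse every layer and return the events ordered on a single UTC clock."""
    events = [parse_sql_trace(l) for l in sql_lines]
    events += [parse_win_event(l) for l in win_lines]
    events += [parse_router(l, year) for l in router_lines]
    return sorted(events, key=lambda e: e["time"])


def events_for_host(timeline, host):
    """Pick the events from all layers that touch one target host."""
    return [e for e in timeline if e["host"] == host]


def render(timeline):
    """Human-readable lines for a report, one per event, all in UTC."""
    return [f"{e['time'].isoformat()} {e['source']:<9} {e['actor']:<14} {e['detail']}"
            for e in timeline]


if __name__ == "__main__":
    for row in render(build_timeline(SQL_TRACE_LINES, WIN_EVENT_LINES, ROUTER_LINES)):
        print(row)
```

Once the three layers share one clock, the order becomes legible: the router sees the connection to port 1433 first, then the Windows logon event, then the default-trace login and query. Two details matter in practice and are handled explicitly above: the syslog timestamp carries no year or zone, so both must be supplied from outside the log, and the host-side logs must be converted from the host's local offset rather than assumed to be UTC.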

Another complication is bots. These can be installed on a server with instructions, and then left to execute on target server(s) at future points in time. They will use the credentials/authentication of the server, which adds yet more layers to the investigation.

It's something to think about when capturing traces and deciding what information is retained for troubleshooting historical situations.

Read more on trace logs and the other logs available:

Powershell Script – How to get windows logs events with Get-WinEvent for a date range

Powershell Get-EventLog and Event Log messages - SQL Server DBA

How to determine who deleted a SQL Server database

Author: Jack Vamvas (http://www.sqlserver-dba.com)

