The University of Arizona

TAU: Dragoon

Forensic Analysis and Compliant Databases

In the Dragoon project we couple τBerkeleyDB, our version of BerkeleyDB with transaction-time support and auditing, with facilities to validate a database to detect tampering and tools to perform forensic analysis of such tampering once it has been detected.

Transaction-time support in a database allows it to store all the information that was ever entered into the system. Changed and deleted information can be retrieved at a later stage to check for mistakes or malicious act.

A transaction-time table can be considered to be a particularly robust form of audit log. Audit logs are considered good practice for business systems, and are required by federal regulations for secure systems, drug approval data, medical information disclosure, financial records, and electronic voting. Given the central role of audit logs, it is critical that they are correct and inalterable. It is not sufficient to say, "our data is correct, because we store all interactions in a separate audit log." The integrity of the audit log itself must also be guaranteed.


We have developed mechanisms
within BerkeleyDB, based on
cryptographically strong one-way
hash functions, that prevent an
intruder, including an auditor or an
employee or even an unknown bug
within the DBMS itself, from silently
corrupting the audit log. The DBMS
stores additional information in the
database to enable a separate audit
log validator to examine the database
along with this extra information and
state conclusively whether the audit
log has been compromised. We have
shown with our implementation that
the overhead for auditing is low and that the validator can efficiently and correctly determine if the audit log has been compromised.

We also provide a systematic means of performing forensic analysis after such tampering has been uncovered, to determine who, when, and what. We have developed a schematic representation termed a "corruption diagram" that aids in intrusion investigation. We have developed successively more sophisticated forensic analysis algorithms: the monochromatic, RGB, RGBY, Tiled Bitmap, and a3D algorithms, which can efficiently extract a good deal of information concerning a corruption event.

Here is a simple graphic illustrating our approach, created by Cheryl Ryan.


We are now broadening this research to complement the existing market for compliance storage servers , which guarantee that data are not overwritten before the end of their mandatory retention period. These servers are intended for preserving unstructured and semi-structured data at a file-level granularity---email, spreadsheets, reports, instant messages.

With Radu Sion and Marianne Winslett, we are developing a DBMS architecture that supports a spectrum of approaches to regulatory compliance, each appropriate for a particular domain, and each with different tradeoffs between security and efficiency. The key challenge of this work is to provide compliance assurances for the DBMS, even against insiders with superuser powers, while balancing the need for trustworthiness against the conflicting requirements for high performance and low cost. To meet this need, our architecture will provide tunable tradeoffs between security and performance, through a spectrum of techniques ranging from tamper detection to tamper prevention for data, indexes, logs, and metadata; tunable vulnerability windows; tunable granularities of protection; careful use of magnetic disk as a cache; judicious use of secure coprocessors on the DBMS platform and compliance storage server platform; a block-based compliance storage server; and judicious retargeting of an on-disk encryption unit. For more information please visit the Regulatory Compliance for DBMS Engines webpage.

Project Name

Dragoon is an acronym for "Database foRensic Analysis safeGuard Of arizONa". The word "dragoon" refers to a member of a European military unit formerly composed of heavily armed mounted troops. Dragoon regiments were established in most European armies during the late 17th and early 18th centuries. The name is derived from the French word for dragon. Dragoon is also a transitive verb meaning to coerce (someone) into compliance. Moreover, the Dragoon Mountains are a range of mountains located to the southwest of Tucson, Arizona.

We believe the name is a perfect descriptor of our prototype information accountability system since its name has a connection to Arizona and alludes to both guards and fierce mythological creatures.

graphic The Dragoon logo was designed by Yifeng Li.


Radu Sion (Stony Brook University)
Richard T. Snodgrass
Marianne Winslett (University of Illinois)

Graduate Students:
Kyriacos Pavlou (Chief Programmer)
Rui Zhang

Previous Faculty:
Christian S. Collberg

Previous Graduate Students:
Natasha Gaitonde
Qing Ju
Soumyadeb Mitra
Shilong (Stanley) Yao

Previous Undergraduate Students:
Yifeng Li
Melinda Malmgren
Michael Patterson


nsf2 Achieving Compliant Databases
National Science Foundation, IIS-0803229
September 2008 to March 2012 (Marianne Winslett, PI and Radu Sion and Richard T. Snodgrass, co-PIs)
nsf2 Tamperproof Audit Logs
National Science Foundation, IIS-0415101
September 2005 to August 2008 (Richard T. Snodgrass, PI and Christian Collberg, PI) Surety LLC
Provided access to their AbsoluteProof (R) product
for digital notarization.


Kyriacos E. Pavlou and Richard T. Snodgrass. "Temporal Implications of Database Information Accountability," International Symposium on Temporal Representation and Reasoning (TIME), September 2012. (Paper pdf, Presentation pdf)

Kyriacos E. Pavlou and Richard T. Snodgrass. "Achieving Database Information Accountability in the Cloud," Short paper, Data Management in the Cloud (DMC) Workshop, April 2012. (pdf)

Kyriacos E. Pavlou and Richard T. Snodgrass. "Dragoon: An Information Accountability System for High-Performance Databases," Demonstration,
International Conference on Data Engineering (ICDE), April 2012. (pdf)
Poster: graphic

Kyriacos E. Pavlou. "Database Forensics in the Service of Information Accountability," SIGMOD/PODS PhD Poster Session, June 2011.
(pdf) and poster presented

Kyriacos E. Pavlou and Richard T. Snodgrass, "The Tiled Bitmap Forensic Analysis Algorithm," IEEE Transactions on Knowledge and Data Engineering 22(4):590–601, 2010. (pdf)

Soumyadeb Mitra, Marianne Winslett, Richard T. Snodgrass, and Shashank Yaduvanshi, "An Architecture for Regulatory Compliant Database Management," in Proceedings of the International Conference on Data Engineering (ICDE), pp. 162–173, Shanghai, China, 2009. (pdf)

Kyriacos Pavlou and Richard T. Snodgrass, "Forensic Analysis of Database Tampering," in ACM Transactions on Database Systems 33(4), 45+26 pages, December 2008. (pdf)

Melinda Malmgren, "An Infrastructure for Database Tamper Detection and Forensic Analysis," Honors Thesis, University of Arizona, May 2007 (pdf).

Kyriacos Pavlou and Richard. T. Snodgrass, "The Pre-images of Bitwise AND Functions in Forensic Analysis,'' TimeCenter TR 87, October, 2006. (pdf)

Kyriacos Pavlou and Richard T. Snodgrass, "Forensic Analysis of Database Tampering," in Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD), pages 109–120, Chicago, June, 2006. (pdf)

David Lomet, Richard T. Snodgrass, and Christian S. Jensen, "Exploiting the Lock Manager for Timestamping," in Proceedings of the Ninth International Database Engineering and Applications Symposium (IDEAS 2005), pp. 357–368, Montreal, Canada, July 2005. (pdf)

Richard T. Snodgrass, Stanley Yao and Christian Collberg, "Tamper Detection in Audit Logs," in Proceedings of the International Conference on Very Large Databases, Toronto, Canada, August–September 2004, pp. 504–515. (pdf)

Mani Sethuraman, "Implementation and Evaluation of a Partitioned Store for Transaction-Time Databases," TimeCenter TR-76, December 2003. (pdf)

Corruption Event Taxonomy & Forensic Analysis Protocol

Corruption Event Taxonomy and Forensic Analysis Flowchart (pdf)

Implementation of Forensic Analysis Algorithms

The ForensicAnalysis.tar.gz file contains a C implementation of four forensic analysis algorithms we developed: Monochromatic, RGBY, Tiled Bitmap, and a3D.

ForensicAnalysis_v2.0.tar.gz . This is v2.0 of the Forensic Analysis Algorithms Implementation in C. The code has been restructured so it is easier to follow (especially in the case of the Tiled Bitmap Algorithm).


"Keeping Your DBA Honest" (article)

"UA Shares NSF Grant for Research on Securing Databases" (news story)

The Dragoon Prototype Software

The following is the beta version of the Dragoon software including the notarization and validation daemons, the database audit GUIs for the DBA, Chief Security Officer (CSO), and Crime Scene Investigator (CSI), along with setup instructions and a complete demo of the system.

The instructions can be read here.

The Dragoon system architecture diagram can be downloaded here.

The Dragoon system can be downloaded here.

Webmaster: Kyri Pavlou