What's Novel
- First forensic query language designed for cryptographically verifiable database logs
- Proof system for completeness and integrity of forensic query results using Merkle proofs
- Verifiable index structures accelerating forensic queries while preserving hash-chain integrity
- Practical framework for database-level security investigations with incremental verification
Technical Approach
Phase 1: Language Design (SkeinForensic)
Design a forensic query language with temporal predicates (BETWEEN timestamp, AFTER event), entity tracking, causal queries, and integrity assertions (PROVE COMPLETE) built into the grammar.
Phase 2: Proof System
Merkle proofs for included records, boundary proofs for query range completeness, and absence proofs for negation queries. All proofs are verifiable by an external auditor without database access.
Phase 3: Index Structures
Auxiliary WAL indexes that accelerate forensic queries while preserving verifiability. The indexes are hash-consistent with the chain, so their existence does not compromise integrity.
Phase 4: Incremental Verification
Checkpoint-based verification that builds on previously verified log prefixes. Ongoing investigations can verify new log entries incrementally without re-checking the entire chain.
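A worked illustration of the Phase 2 proof types, added here and not code from SkeinDB or SkeinForensic: the log is committed to a Merkle tree whose (size, root) checkpoint is the only thing the auditor trusts, a BETWEEN query returns the in-range records plus their nearest neighbour on each side as the boundary proof, and an empty range reduces to an absence proof. The class and function names, the hashing layout and the assumption that log order equals timestamp order are all mine.

```python
import hashlib
from typing import NamedTuple
Entry = NamedTuple("Entry", [("ts", int), ("op", str)])   # one WAL record; its log position is its sequence number

def H(tag: bytes, *parts: bytes) -> bytes:   # tag domain-separates leaves (0x00) from inner nodes (0x01)
    return hashlib.sha256(tag + b"".join(parts)).digest()

class MerkleLog:
    """Append-only log in timestamp order; checkpoint() is the (size, root) an auditor trusts."""
    def __init__(self, entries):
        self.entries = list(entries)
        self.levels = [[H(b"\x00", repr(tuple(e)).encode()) for e in self.entries]]
        while len(self.levels[-1]) > 1:
            lvl = self.levels[-1]
            lvl = lvl + lvl[-1:] if len(lvl) % 2 else lvl   # pad an odd level by duplicating its last node
            self.levels.append([H(b"\x01", lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    def checkpoint(self):
        return len(self.entries), self.levels[-1][0]
    def inclusion_path(self, idx):
        path = []
        for lvl in self.levels[:-1]:
            path.append(lvl[idx ^ 1] if (idx ^ 1) < len(lvl) else lvl[idx])   # sibling, or own duplicate
            idx //= 2
        return path
    def query_between(self, t1, t2):
        """Prover side of BETWEEN t1 AND t2: in-range entries plus one neighbour on each side."""
        n = len(self.entries)
        lo = next((i for i, e in enumerate(self.entries) if e.ts >= t1), n)
        hi = max((i for i, e in enumerate(self.entries) if e.ts <= t2), default=-1)
        return [(i, self.entries[i], self.inclusion_path(i)) for i in range(max(lo - 1, 0), min(hi + 2, n))]

def verify_inclusion(root, idx, entry, path):
    cur = H(b"\x00", repr(tuple(entry)).encode())
    for sib in path:
        cur = H(b"\x01", cur, sib) if idx % 2 == 0 else H(b"\x01", sib, cur)
        idx //= 2
    return cur == root

def verify_between(checkpoint, t1, t2, proof):   # auditor side: in-range entries, or None if not provably complete
    size, root = checkpoint
    idxs = [i for i, _, _ in proof]
    if not proof or idxs != list(range(idxs[0], idxs[-1] + 1)):
        return None                                   # a position is missing: a record was omitted
    if any(not verify_inclusion(root, i, e, p) for i, e, p in proof):
        return None                                   # record not in the committed tree: modified or forged
    stamps = [e.ts for _, e, _ in proof]
    (fi, fe, _), (li, le, _) = proof[0], proof[-1]
    if stamps != sorted(stamps) or not (fi == 0 or fe.ts < t1) or not (li == size - 1 or le.ts > t2):
        return None                                   # boundary neighbour missing: the range may be truncated
    return [e for _, e, _ in proof if t1 <= e.ts <= t2]

SAMPLE = MerkleLog([Entry(10 * (i + 1), f"UPDATE accounts SET balance = balance - {i}") for i in range(5)])  # constructed
```

The auditor never sees the database: it receives only the checkpoint and the proof, and an omitted, altered or truncated answer fails verification.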
π§ͺ Hypotheses
A specialized forensic language expresses common forensic questions more naturally than adapting SQL to tamper-evident logs.
Completeness proofs can be generated efficiently alongside query results without significant overhead.
Incremental verification amortizes proof checking costs for ongoing investigations over time.
SkeinDB Integration
Key References
- Crosby & Wallach, "Efficient Data Structures for Tamper-Evident Logging" (2009)
- Pulls & Dahlberg, "Transparency Logs via Append-Only Authenticated Dictionaries" (2023)