Forensic tools often operate in adversarial conditions, without cooperation from the device owner. Storage encryption (either device-drive or software) prevents forensic tools from accessing and reconstructing data in persistent storage. Meanwhile, RAM and its cache can provide an alternate source of decrypted data to forensic tools. Prior data encryption research considered disk partition encryption, encryption in file systems, and client-side encryption. However, such work does not account for encryption in database management systems (DBMS). DBMSes manage their own storage instead of relying on the operating system with native DBMS support for disk and RAM cache management, access control configuration, and built-in encryption features.
The first part of this talk teaches the basic principles of disk-to-RAM data flow within a DBMS. We describe different allocated RAM areas and their purpose in major relational DBMSes (including Oracle, SQL Server, PostgreSQL, and MySQL). We also survey the built-in encryption features available in these DBMSes, including deployment trade-offs. The second part of this talk describes DBMS encryption vulnerabilities through examples. We discuss SQL operations that potentially expose decrypted data in RAM. We also demonstrate the quantity of data cached by SQL queries and the lifecycle of that data in memory.