Digital Forensic InnoDB Database Engine for Employee Performance Appraisal Application

Data can be manipulated by irresponsible people, causing fraud. The use of log files, data theft, unauthorized persons, and infiltration are things that should be prevented before the problem occurs. The authenticity of application data that evaluates the performance of company employees is crucial. This paper explains how to maintain the company's big data as a valid standard service for assessing an employee performance database, based on MariaDB or MySQL 5.0.11 with the InnoDB storage engine. The authenticity of data is required for decent digital evidence when sabotage occurs. The digital forensic analysis carried out serves to reveal past activities, record times and recover deleted data in InnoDB storage engine tables. A comprehensive examination is carried out by looking at the internal and external aspects of the Relational Database Management System (RDBMS). The result of this research is in the form of forensic tables in the InnoDB engine before and after sabotage occurs.


Introduction
At present almost all companies have a database system [1]. Information is formed quickly and is a basic requirement of a company [2,3]. Companies that already have a computer-based information system (CBIS) have stored their information in a database management system. This information is crucial and is used as the main tool to make decisions about the performance of employees in the company [3]. Results and information from database forensics can be used for several reasons [4,5]. First, they show how safely the company's data is stored: the company wants to know whether certain privileges on its database can be violated or even damaged. Second, the results of database forensics can be used to prevent unwanted events: attacks on the database must be detected and analyzed early. Third, a company database that contains employee data concerns the privacy of many people, so authentic verification of each employee's data is needed for a more specific purpose, namely being able to guarantee correct and fair data.
File systems are very important for data integrity, performance, and ease of administration. The integrity of data in a database is absolute because all forms of corrupt data must be prevented [5]. Database performance aspects are seen from the speed and stability of processing large companies' data as well as the ease of data administration that influences database performance. The file system in the employee appraisal research uses NTFS (New Technology File System). NTFS is very good for digital forensic analysis with extensive application support [5,6].
Analyzing the data contained in a database requires deep knowledge of the data, that is, knowing how the data is formed, created and manipulated [7,8]. The expected result of this knowledge is a clear, consistent and explicit statement of the result of the analysis. The main objective of this research is to analyze a MariaDB or MySQL database that uses the InnoDB engine and whose main function is to assess employee performance. MariaDB is a multiuser database that has one daemon, so it does not have wrapping as found in Apache + suexec/cgiwrap. Users who use the MariaDB database have access to all databases contained in the data directory, namely /mysql/data. MariaDB and MySQL already have excellent access privilege systems, but bugs in MariaDB code or even the configuration of the privilege system can potentially open a database containing important secrets that should have limited access. The in-file and out-file data in the MariaDB database are two things that can become security loopholes by replacing the database remotely.
This study explains the structure and architecture of a database owned by a company, whose CBIS takes the form of an employee performance appraisal application. Data that is owned by the company will be reconstructed by looking at the cluster file system. The results of digital forensic analysis are used to detect whether there is sabotage or not.
The first discussion in this paper is about internal checks on MariaDB, settings used in MariaDB, access privileges, connection control checks, chroot checking, local in-file data load checking, and SSL-based connection checks. The second is a simple SQL-table internal explanation and looks for the relevance between keys, data types and other components of the database compiler. The third is the identification of acts of sabotage against the database.

Research Method
MariaDB is the most popular open source RDBMS server. MariaDB is a free version of MySQL, so both have the same database engine. This study analyzes the security of the MariaDB database used for the corporate performance appraisal app from several aspects which, according to the author, are crucial from a data security perspective.

Investigation of the Installation of Database Engines
The installation of the MariaDB database engine for the employee performance appraisal app in this study was analyzed by checking whether the database machine is installed separately or not [5]. The potential for sabotage of engine installations is analyzed through various open ports including internet ports (80) and (3306). Furthermore, the investigation is intended to see whether the "Shell" configuration for each user is the default or a private configuration.

Access Privilege
Privileged access systems are very important for a digital forensic study [9]. Allegations in a case of sabotage will be directed to this area. This study analyzes the access rights of each user of the employee appraisal application. Analyzing the users is very important for finding sabotage agents, because sabotage is usually carried out by people who know for sure the information system used by the company. Ideally, for the security of shared hosting servers, each administrator is only permitted to access one database [10].

Internal Investigation
The internal investigation includes checking the database engine which is the default used by MariaDB [4]. MariaDB stores all information on each table in the .frm file. The file is created automatically when a table is formed through the create_frm() function in the file /sql/table.cc. Each .frm file by default has a limit of 4 GB; if this limit is exceeded, the MariaDB engine will truncate to prevent overflow or error. Forensic data analysis of the employee performance appraisal website application in this study adopted an integrated digital forensic process model framework adapted to the research.
The researcher acquired the NTFS file system where the MariaDB database was placed using digital forensic applications. The main target of cluster acquisition for the employee performance appraisal application database is information from the tables in the database, including general table information, primary keys, field definitions, and data storage checks.

Identification of Sabotage
Sabotage is an action that is planned and organized by a person or organization intentionally, with a particular target area, to cause damage, loss, changes to original data, and destruction both physically and non-physically [11]. The database is a source of company activity. To identify database sabotage that passes through a network, the researcher reads the traffic pattern of the network. Abnormal indications are: IPs seen as private addresses using NAT, an IP that does not appear frequently in the log, time-stamps that are too close together, and source ports and sequence numbers that rise simultaneously. This is the guide used by researchers to carry out forensic analysis of suspected attacks on the MariaDB server.
Changes to database files are checked based on the connection between binary log files and the user record. This check is needed to prove the consistency of all tables in the database based on the transaction ID in each record. If there is a change in data that is not within the reporting range, as determined from the database logs and network logs, it is matched against the company's routine reporting, and the act of sabotage is then confirmed.

Knowledge Based Digital Forensic
Information gathering and observation are the first steps taken to complete digital forensic analysis of InnoDB database engine application to evaluate employee performance. The purpose of this study is to detect sabotage of the database through the InnoDB engine that passes through computer networks.
The findings of the forensic analysis were validated by confirming them with the company, together with how to test and validate the act of sabotage. The results of the digital forensic analysis of the employee performance evaluation application are corrected and analyzed under the supervision of digital forensic experts. When the InnoDB engine database is declared sabotaged, the report is forwarded to the company for further legal action with evidence of digital forensic data.

Results of External Investigations
The installation of the MariaDB server in the employee performance app assessment in this study was not done separately, so the MariaDB daemon named mysqld is in the same engine. The potential for sabotage against the installation of this engine is through various open ports including internet ports (80). The shell for each user still uses the default, so the intruder can use this weakness to sabotage through shell access. Databases have great potential for sabotage by accessing database files and logs in the /mysql/data.
The examination of privileged access found that the users of the employee appraisal app in this study had different access but still a low understanding of data security threats, as evidenced by the "select" privilege owned by each database admin without limiting privileges to file or process. Ideally for the security of shared hosting servers, each administrator is only permitted to access one database. The findings of privileged access to the employee performance app are as follows: user: This arrangement can be used by intruders to sabotage. Users can view databases that exist on server machines because they have privileged grants and file privileges.

Results of Internal Investigations
Internal investigation of the MariaDB database requires the knowledge to interpret every bit contained in each table in the database [4,8]. Digital forensic analysis is not possible without a good understanding of the properties of the MariaDB table [12]. Internal checks are made on the .frm table files that are created automatically when a table is formed through the create_frm() function in the /sql/table.cc file, through a series of processes. The first process is the cluster acquisition process in the NTFS file system where the MariaDB database is located. The internal inspection of the file system is an in-depth examination to find log files and digital artefacts. Both will be used as evidence for acts of sabotage of database files.
The process of acquiring the MariaDB database on the NTFS file system produces an image file. The image file is used as evidence and as the basis of digital forensic analysis [4,5,13]. The acquisition of image files, called bitstream, is implemented to maintain valid evidence according to digital forensic provisions [14]. The bitstream technique copies the original files in the file system bit by bit in the form of binary numbers. The main purpose of bitstream techniques in the digital analysis of employee performance applications is to find hidden files, temporary files, files before overwriting and defragmented files [13].
This study examines ten (10) main tables contained in the employee performance appraisal application database. Digital forensic analysis is done by combining the results of the analysis using forensic software and manual analysis to comprehensively examine the contents of a table. The examination of each table is done by checking the .frm file that it owns. The file has a binary identity that is very important to examine more deeply for potential sabotage. So that digital forensic analysis of applications to assess employee performance are shown in  Based on the hexadecimal structure in the .frm file, the application table needs an in-depth examination so that the act of sabotage can be known with evidence that follows digital forensic standards. Examination of these tables has the main purpose of finding table manipulation activities in the employee performance appraisal application database. Analysis of .frm table applications is as follows: Each table analyzed is intended to examine security violations in the form of sabotage. Data in the table that changes before the time of report collection is considered an act of infiltration or sabotage of the employee performance appraisal application database.
An explanation of the structure of the table is very necessary for forensic purposes because it is impossible for digital forensics to be done without knowing about the structure of the table.
The examination of each table is continued by looking at each structure and data type used. The data types used in the employee performance evaluation application tables are integer, varchar, and enum. A table that has a technical primary key will have a hexadecimal  [4]. Digital forensic analysis is carried out by examining tables that have a primary key. Each table arranged in this study has a different structure, but the structure has been fixed since the application came into use by the company, so it is very necessary to look at the entire structure of tables and databases carefully so that intrusion detection can be done.

Fig. 3. Record of Pengguna Tables
The table structure in the performance app is accessible through Cpanel owned by MariaDB. Digital forensic identification is done to make sure the table structure does not change from the application default; to check the composition of the fields, a hexadecimal check is used to obtain clear results.
Based on the hexadecimal checks of each table, represented by Fig.4, it can be seen that each table has a primary key. In the picture, the primary key structure starts from position 0x00, cursor pos = 0, cluster = 10884595, log section = 87076760 to 0x80, cursor pos = 144, cluster = 10884595, log section = 87076760. In general, the log section range for frm table Employee is 87076760-87076764. Each table examined in the employee performance appraisal app has a unique record in the form of cursor positions, clusters and log sections that are different but are constant when inputted by each branch manager.

Fig. 4. Hexadecimal PrimaryKey Investigation of Pengguna
Furthermore, information about hexadecimal structures in employee performance appraisal application tables is used as a database comparison table that has been sabotaged. The information needed after the table key is the header file. The header file has important information, checksum, and offsets [4]. The header file has a key header that is intended to check the data storage allocation around the data file. Checking header files containing key header is done using the perfect copy technique. Perfect copy is a term in digital forensic science to save digital evidence. In the analysis the comparative data has a key header like the following:

Penetration Sabotage InnoDB
The hardware in this study consisted of 1 Dell PowerEdge T-30 Server, TP-Link TL-SG1024D, a Cloud Core Router CCR1009-7G-1C-PC Router, and 4 Acer PC Clients as in Table 3. The software in this study used the MariaDB server, Windows Server 2003, Windows 7 Ultimate, Metasploit, and IDA Pro as shown in Table 4. The hardware and software in this study are used to simulate the threat of attacks on the database engine. Sabotage is done using exploits. In Fig.5, the topology describes how sabotage can be done by planting an exploit on the database server. Node 4 with IP 192.168.2.62 is used as the sabotage actor by exploiting the database via network media to the server. Penetration tests are carried out using exploits. The way it works is to exploit weaknesses in the network system through open ports to attack user tables. Intruders can scan all ports, especially those that go to the database where the employee data is stored [15]. Furthermore, scanning on the network is to find the host and service for all computers on a network. The network scan results in identifying internal checks can be used by intruders to sabotage the InnoDB database engine. The status of hosts on a network can be tracked using NMAP commands via the -sP (IP Range) parameter, then the intruder will infiltrate through the company's LAN network by seeing hosts that are "UP" [16]. After the IP of the server was found, an intruder who wanted to sabotage scans ports in more detail by changing the parameters in NMAP to -A -T4 (IP target server parameter), as shown in Fig.6. The penetration succeeded in obtaining complete information about the server where the employee assessment database is located. This information contains port, protocol, status, database server information, the programming language version, and service fingerprint. The logical topology of the penetration test can be seen in Fig.5. Once the port and database version of the MariaDB server are known, sabotage is done using Metasploit.
Metasploit was chosen because of its effective ability to enter the server security system and firewall. The trial is done by releasing the AUX module on Metasploit; the purpose of using the AUX module is to find out the database version on the target server, then penetrate the MariaDB login and username by dumping the username and password; the module used is PAYLOAD. In the next step, the researcher sets the username and password on the target server, then resumes sending the EXPLOITS module.
Intruders do sabotage to obtain the username and password of a manager or super user [15,17]. Table "pengguna", table "karyawanterbaik_periode", table "nilaikaryawan", and table "karyawan" are the main targets in a database sabotage mechanism for the employee appraisal app, because these tables are where all manager data is located. Forensic analysis of a sabotage crime using an exploit will be directed to these tables, assuming that with the Metasploit technique the intruder will pretend to be the super user manager or admin. Intruders will target the username and password of the manager. The prediction will lead to the login module on MariaDB, which contains the accounts Guest and Root. Metasploit has a module that can enumerate the database and dump the hashed username and password [15]. Sabotage is not done by defacing or injecting a database or cracking, but by pretending to be one of the top management decision makers of a company. The intruder has the target of mastering the password and username. The username and password always have a hash and can potentially be attacked by hash dumping through the auxiliary module on Metasploit. The workings of Metasploit and the module are shown in Fig.7, and the Metasploit command line is shown in Fig.8.

Result of Sabotage Database Engine Analysis
Based on the database environment settings used in the employee performance appraisal app, a penetration test on the MariaDB database can be done using exploits. The first stage in testing is to examine the internal and external database environments that are used for the employee performance appraisal app, including the table structure in the database. The second stage validates security threats through potential users. Testing and validating processes are carried out using forensic tools and database penetration tools. The database penetration tool is used to sabotage the best employee performance achievement results, so that the employee score is changed, which leads to the award received by each employee. Metasploit is a database penetration tool that is compatible with the sabotage mechanism. The sabotage mechanism is made as if the final result of determining the best employee of the company is "best employee id=17" whereas the result before sabotage was "best employee id=56"; then the sabotage is made as if the decision was approved by the area manager with NIK = CN2805131, so the selection decision id = 17 is valid. Sabotage uses database queries with the UPDATE command in the "nilai". "id_karyawan=56" is the target of sabotage. The "id_nilaikaryawan" field has several values based on the valuation variables that apply to the company. The assessment variables are attendance, late, report, recap, print log, and stock opname. Before the act of sabotage was carried out, "id_karyawan=56", namely "Monica", had the highest value, so that "Monica" was the employee with the best value of all branches; when penetration is done, "Monica" is replaced by "id_karyawan=17" with the name "Lestari", as seen in Fig.9 and Fig.10.

Table Record after Sabotage
The sabotage was continued by convincing the area manager with "NIK=CN2805131" to print the results. The next target is a table that stores the final assessment data.
The target table is "arsip_laporan", which has a "nama_file" field that stores Portable Document Format (.PDF) files containing the final assessment results of the application, complete with the date. The date is targeted for replacement because the date session is based on current computer time, so to carry out the sabotage action, the "tgl_buat" field is made exactly the same as before sabotage occurred, so that the report printed in the PDF file will be the same, as in Fig.11 and Fig. 12.

Fig. 11. PDF Files before Sabotage

Validation of the Sabotage Forensic Database Engine
Forensic results prove that the database engine used is InnoDB, which is shown in the type column. The InnoDB engine supports transactions such as commit, rollback and crash recovery. InnoDB stores a "Null" value into a place called "Placeholder" when a primary key has been defined. Offset 260 on cursor heading 616-621 has hexadecimal 49 6E 6E 6F 44 42. These six hexadecimal bytes refer to the database engine, so 49 6E 6E 6F 44 42 can be read as the InnoDB database engine. All tables in the employee performance evaluation database of PT. Campus Media consistently have the same hexadecimal number.

Fig. 13. Hexadecimal InnoDB Engine
Forensic results over all the hexadecimal data show that if there is a change in the primary key in the form of a key addition or key reduction, then the offset will change according to the number of primary keys. Three fields of three parts that become primary key markers are: 28 00 17 00 01 00 00 00 09 80 F5 02, 28 00 0A 00 01 00 00 00 02 80 05 00, and 0A 00 FF 50 52 49 4D 41 52 59. The first byte of each hexadecimal block indicates the name of the field that can be seen at offset 010, but the results are inversely proportional to the records stored in the table. Some results were successfully sabotaged as seen in Fig.9, Fig.10, Fig.11, and Fig.12. Digital artifacts were found by looking for the transactions that occurred, namely checking POST and GET.
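The marker check described above can be scripted. The following is an added example, not code from the paper: it searches an acquired .frm image for the byte sequences the paper reports (the InnoDB engine string and the PRIMARY key marker) and compares a baseline acquisition with a later one. The sample bytes and the `build_sample` layout are constructed for illustration and are not a real .frm layout.

```python
import hashlib

# Byte sequences quoted in the paper.
ENGINE_SIG = bytes.fromhex("496E6E6F4442")             # ASCII "InnoDB"
PRIMARY_SIG = bytes.fromhex("0A00FF5052494D415259")     # ends in ASCII "PRIMARY"
KEY_PART = bytes.fromhex("280017000100000009 80F502".replace(" ", ""))

def find_all(data, needle):
    """Return every offset at which needle occurs in data."""
    offsets, start = [], 0
    while (pos := data.find(needle, start)) != -1:
        offsets.append(pos)
        start = pos + 1
    return offsets

def frm_fingerprint(data):
    """Summarise one acquired .frm image: hash, size and marker offsets."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "primary_offsets": find_all(data, PRIMARY_SIG),
        "engine_offsets": find_all(data, ENGINE_SIG),
    }

def compare(baseline, current):
    """List the differences between a baseline and a later fingerprint."""
    findings = []
    if not current["engine_offsets"]:
        findings.append("InnoDB engine marker not found")
    for key in ("size", "primary_offsets", "engine_offsets"):
        if baseline[key] != current[key]:
            findings.append(f"{key}: {baseline[key]} -> {current[key]}")
    if not findings and baseline["sha256"] != current["sha256"]:
        findings.append("sha256 differs although marker layout is identical")
    return findings

def build_sample(key_parts):
    """Constructed stand-in for a .frm image (assumed layout, illustration only)."""
    return (bytes(16) + KEY_PART * key_parts + PRIMARY_SIG
            + bytes(6) + ENGINE_SIG + bytes(4))

if __name__ == "__main__":
    before = frm_fingerprint(build_sample(2))
    after = frm_fingerprint(build_sample(3))   # one key part added
    print(before["primary_offsets"], before["engine_offsets"])
    for finding in compare(before, after):
        print("CHANGED", finding)
```

An empty result only shows that the table definition is unchanged; the UPDATE described in the paper alters rows, which are stored in the InnoDB data files rather than in the .frm file, so the log checks remain necessary.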
The examination of the GET and POST methods yields digital evidence in the form of digital artifacts that indicate unnatural queries in the table. The examination was carried out on the Apache webserver by analyzing the log recorded between the website and the database; the results obtained are as illustrated in Fig.14: the data in the table has been changed.
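The log examination can be expressed as a small detector. This added example, which is not the paper's tooling, applies three of the indicators named in the paper to Apache access log lines: POST requests outside the reporting range, a client address that rarely appears in the log, and time-stamps that are too close together. The log lines, request paths, dates and thresholds are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines; the paths are hypothetical.
SAMPLE_LOG = [
    '192.168.2.10 - - [28/May/2019:09:00:01 +0700] "GET /penilaian/index.php HTTP/1.1" 200 5120',
    '192.168.2.10 - - [28/May/2019:09:05:12 +0700] "POST /penilaian/simpan.php HTTP/1.1" 302 210',
    '192.168.2.10 - - [28/May/2019:09:30:40 +0700] "GET /penilaian/laporan.php HTTP/1.1" 200 8050',
    '192.168.2.62 - - [02/Jun/2019:23:14:07 +0700] "POST /penilaian/simpan.php HTTP/1.1" 302 210',
    '192.168.2.62 - - [02/Jun/2019:23:14:08 +0700] "POST /penilaian/arsip.php HTTP/1.1" 302 198',
]

def parse(lines):
    """Parse access log lines into dicts; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.strptime(event["ts"], TS_FMT)
            events.append(event)
    return events

def flag_suspicious(events, window_start, window_end,
                    min_gap_s=2, rare_threshold=2):
    """Return (ip, path, reasons) for each POST matching an indicator."""
    seen = Counter(e["ip"] for e in events)
    last_post = {}
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["method"] != "POST":
            continue
        reasons = []
        if not (window_start <= e["ts"] <= window_end):
            reasons.append("outside reporting window")
        if seen[e["ip"]] <= rare_threshold:
            reasons.append("client rarely seen in log")
        prev = last_post.get(e["ip"])
        if prev is not None and (e["ts"] - prev).total_seconds() < min_gap_s:
            reasons.append("POSTs too close together")
        last_post[e["ip"]] = e["ts"]
        if reasons:
            findings.append((e["ip"], e["path"], reasons))
    return findings

def run_sample():
    """Evaluate the constructed log against a constructed reporting window."""
    start = datetime.strptime("27/May/2019:00:00:00 +0700", TS_FMT)
    end = datetime.strptime("31/May/2019:23:59:59 +0700", TS_FMT)
    return flag_suspicious(parse(SAMPLE_LOG), start, end)

if __name__ == "__main__":
    for ip, path, reasons in run_sample():
        print(ip, path, "; ".join(reasons))
```

Flagged requests are leads to correlate with the database binary log and the company's routine reports, as the paper does, not proof of sabotage on their own.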

Conclusion
The company data was successfully reconstructed through a file cluster system so that acts of sabotage can be known. Internal and external audits successfully examine sabotage actions that take advantage of the weaknesses of the privilege system, connection control, chroot, local in-file, and SSL based connections. The tables in the database of employee performance appraisers can be explained through the relevance of primary keys, data types, and other database compiler components. Sabotage is a planned crime that is very difficult to detect because it is able to exploit the weaknesses of standard security features. Furthermore, sabotage is not easily detected using ordinary checks on the table structure in the database, because the structure of each table targeted for sabotage does not change from the original, so digital forensic checks are needed. Log files and digital artefacts can be found when comparing the final report and checking the Get and Post methods on a web server using digital forensic tools. Based on penetrating digital forensic tests and analysis, employee performance appraisers can be exposed to sabotage attacks, so companies need to take steps to pay attention to a better level of security, and not only trust standard features. This study succeeded in answering potential security threats against the database in employee performance appraisers through a penetrating test.