Digital Forensics Report for Dagens Næringsliv

Abstract

Dagens Næringsliv (DN) approached the Norwegian University of Science and Technology (NTNU) to investigate whether some data manipulation had occurred in various log files in its possession. DN advised they are in the process of investigating what it suspected to be the fraudulent manipulation of data in the database of a music streaming service and sought cross-validation on this hypothesis. The NTNU was asked to investigate whether there was in fact manipulation of the data, and if so, the scope, methodology, and location of this manipulation. DN suspected there had been manipulation of data due to a spike of user records within specific time periods, but did not provide any further details as to why they determined the data to be manipulated and the methods by which it occurred. Using advanced statistical analysis of the data provided by DN, NTNU determined that there had in fact been a manipulation of the data at particular times due to the large presence of similar duplicate records occurring for a large percentage of the userbase that was active at any given time. In reviewing the data, in isolation from any other records or logs, it was not possible to determine the exact means of manipulation; however, the absence of records with unreadable data suggested it was not an external Structured Query Language Injection (SQLi) vector based attacked, but rather manipulation from within the streaming service itself. Due to the targeted nature and extent of the manipulation, it is very unlikely that this manipulation was solely the result of a code based bug or other system anomaly. The following analysis shows in detail why this conclusion is the most likely conclusion and further, the nature and extent it is suspected that the manipulation has affected the accuracy of the data.