A method, system and computer-usable medium are disclosed for performing forensic database security operations to verify database query integrity. A database protocol packet is intercepted, inspected and then processed by an external database security mechanism (EDSM) system to extract a database query. The database query is then processed with a secret key to generate a first keyed-hash message authentication code (HMAC) value, which is then inserted into the intercepted database protocol packet according to database protocol rules to generate a modified database protocol packet in a way that HMAC values and database query will be stored in predetermined database server session tracking tables. The modified database protocol packet is then provided to a database server, where database server subsequently accessed by the EDSM system to retrieve the database query and the first HMAC value. The EDSM system then uses the same secret key to calculate a second HMAC value for the retrieved database query, which is compared to the first HMAC value to determine whether they match. If not, then the database query is marked as having been modified after being inspected by the EDSM system.
展开▼