The use of databases has become an integral part of modern life. The data contained within databases often has substantial value to enterprises and individuals. As databases have become a greater part of people’s daily lives, they have become increasingly interlinked with human behavior. Negative aspects of this behavior include criminal activity, negligence and malicious intent. In these scenarios a forensic investigation is required to collect evidence that determines what happened at the crime scene and who is responsible. A large amount of research focuses on digital forensics, database security and databases in general, but little research exists on database forensics as such. It is difficult for a forensic investigator to investigate a database management system because of the limited information on the subject and the absence of a standard approach to follow during a forensic investigation [1].

What is a Database?

Databases store all the data pertaining to a web application and allow users to view, access, manage and update that information. In some cases, either the database or the web application contains vulnerabilities that allow attackers to manipulate the contents of the database. A forensic investigator must therefore have sound knowledge of database servers and their file systems, and should be able to examine their respective log files to find the cause of an attack [2].

What is Database Forensics?

Database forensics is a branch of digital forensic science relating to the forensic study of databases and their related metadata. The discipline is similar to computer forensics: it follows the normal forensic process and applies investigative techniques to database contents and metadata. Cached information may also exist in a server’s RAM, which requires live analysis techniques [3].

There are many different kinds of database systems, such as SQL Server, MySQL, Oracle, Sybase Anywhere, PostgreSQL, DB2, Sybase ASE and Informix. In addition, there are a variety of specialized accounting programs built on a database system, such as Neo Plus I/II, Neo I PLUS and Neo I CUBE in Korea. Each database system differs in some respects, but all of them share the same basic characteristics [4].

The following scenarios would require the intervention of a database forensic specialist:

  1. Failure of a database
  2. Deletion of information from database
  3. Inconsistencies in the data of a database
  4. Detection of suspicious behavior of users


A database forensics expert will normally use a read-only method, or an identical forensic copy of the data, when interfacing with a database, to ensure that no evidence is altered. They will run a series of diagnostic tools to help them to:

  1. Create a forensic copy of a database for analysis.
  2. Reconstruct missing data and/or log files associated with the deletion.
  3. Decipher data and ascertain possible causes of corruption.
  4. Audit user activities and isolate suspicious and illegal behavior.
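As an added illustration of the first step above (not code from the original article), the following Python script acquires a forensic working copy of a database file, verifies it against the original with SHA-256, and opens the copy read-only so that analysis cannot alter it. It assumes the evidence is a SQLite file; the evidence database and paths are constructed inline for the demonstration.

```python
import hashlib
import shutil
import sqlite3
import tempfile

def sha256_file(path: str) -> str:
    """Hash in chunks so large evidence files need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire_copy(evidence: str, dest: str) -> dict:
    """Copy the evidence file; accept the copy only if its hash matches the original."""
    shutil.copy2(evidence, dest)  # copy2 also preserves file timestamps
    digest = sha256_file(dest)
    if digest != sha256_file(evidence):
        raise RuntimeError("copy does not match original; re-acquire")
    return {"original": evidence, "copy": dest, "sha256": digest}

def open_readonly(path: str) -> sqlite3.Connection:
    """Open the working copy through a read-only URI so analysis cannot alter it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def list_tables(conn: sqlite3.Connection) -> list:
    """Enumerate user tables and their row counts from the read-only copy."""
    names = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    return [(n, conn.execute(f'SELECT COUNT(*) FROM "{n}"').fetchone()[0]) for n in names]

def demo() -> dict:
    """Constructed evidence: a tiny database in a temp dir; returns the acquisition record."""
    work = tempfile.mkdtemp()
    c = sqlite3.connect(f"{work}/evidence.db")
    c.execute("CREATE TABLE users(id INTEGER, name TEXT)")
    c.executemany("INSERT INTO users VALUES(?, ?)", [(1, "alice"), (2, "bob")])
    c.commit()
    c.close()
    record = acquire_copy(f"{work}/evidence.db", f"{work}/evidence_copy.db")
    conn = open_readonly(record["copy"])
    record["tables"] = list_tables(conn)
    try:  # any write against the read-only copy must be refused
        conn.execute("DELETE FROM users")
        record["write_refused"] = False
    except sqlite3.OperationalError:
        record["write_refused"] = True
    conn.close()
    record["copy_unchanged"] = sha256_file(record["copy"]) == record["sha256"]
    return record
```

Re-hashing the copy after analysis, as `demo()` does, is what lets the investigator show later that the working copy was never modified.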


Commonly used Database Systems:

The choice comes down to database popularity among businesses, companies and individuals. There are hundreds of different DBMS systems to choose from, but the five most popular database systems are listed below, as ranked by DB-ENGINES.COM.

  1. Oracle (Relational Database Management System)
  2. MySQL (Relational Database Management System)
  3. Microsoft SQL Server (Relational Database Management System)
  4. PostgreSQL (Relational Database Management System)
  5. MongoDB (Document Stores) [5]

Given such a variety of database systems, it is important to choose a proper investigation method for each one. Before investigation methods are discussed for each individual database system, however, a single comprehensive investigation method based on the common characteristics of database systems is needed. Not only does it help in choosing an investigation method suited to each database system, but it can also be used effectively when investigating an enterprise environment, even when investigators do not know every investigation method for each database system [4].

References:

  1. Beyers, H.Q. (2013) “Database Forensics: Investigating Compromised Database Management Systems” [Online] (https://repository.up.ac.za/bitstream/handle/2263/41016/Beyers_Database_2013.pdf?sequence=1) Accessed on 28/8/2018.
  2. CHFI Module 09, “Database Forensics”.
  3. “Database Forensics” [Online] (https://en.wikipedia.org/wiki/Database_forensics) Accessed on 28/8/2018.
  4. Son et al. (2011) “The Method of Database Server Detection and Investigation in Enterprise Environment” [Online] (https://link.springer.com/chapter/10.1007/978-3-642-22339-6_20) Accessed on 28/8/2018.
  5. “What is Database Forensics” [Online] (https://resources.infosecinstitute.com/category/computerforensics/introduction/areas-of-study/application-forensics/overview-types-of-database-forensics/#gref) Accessed on 31/8/2018.