Assembling Metadata for Database Forensics

  • Hector Beyers
  • Martin Olivier
  • Gerhard Hancke
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 361)


Since information is often a primary target in a computer crime, organizations that store their information in database management systems (DBMSs) must develop a capability to perform database forensics. This paper describes a database forensic method that transforms a DBMS into the required state for a database forensic investigation. The method segments a DBMS into four abstract layers that separate the various levels of DBMS metadata and data. A forensic investigator can then analyze each layer for evidence of malicious activity. Tests performed on a compromised PostgreSQL DBMS demonstrate that the segmentation method provides a means for extracting the compromised DBMS components.


Database forensics metadata data model application schema 


  1. 1.
    E. Casey and S. Friedberg, Moving forward in a changing landscape, Digital Investigation, vol. 3(1), pp. 1–2, 2006.CrossRefGoogle Scholar
  2. 2., Oracle forensics (, 2007.Google Scholar
  3. 3.
    K. Fowler, Forensic analysis of a SQL Server 2005 Database Server, InfoSec Reading Room, SANS Institute, Bethesda, Maryland, 2007.Google Scholar
  4. 4.
    R. Koen and M. Olivier, An evidence acquisition tool for live systems, in Advances in Digital Forensics IV, I. Ray and S. Shenoi (Eds.), Springer, Boston, Massachusetts, pp. 325–334, 2008.CrossRefGoogle Scholar
  5. 5.
    D. Litchfield, The Oracle Hacker’s Handbook: Hacking and Defending Oracle, Wiley, Indianapolis, Indiana, 2007.Google Scholar
  6. 6.
    D. Litchfield, C. Anley, J. Heasman and B. Grindlay, The Database Hacker’s Handbook: Defending Database Servers, Wiley, Indianapolis, Indiana, 2005.Google Scholar
  7. 7.
    M. Olivier, On metadata context in database forensics, Digital Investigation, vol. 5(3-4), pp. 115–123, 2009.CrossRefGoogle Scholar
  8. 8.
    Quest Software, Oracle DBA Checklists: Pocket Reference, O’Reilly, Sebastopol, California, 2001.Google Scholar
  9. 9.
    P. Rob and C. Coronel, Database Systems: Design, Implementation and Management, Thomson Course Technology, Boston, Massachusetts, 2009.Google Scholar
  10. 10.
    U.S. Department of Justice, Electronic Crime Scene Investigation: A Guide for First Responders, Washington, DC ( files1/nij/187736.pdf), 2001.Google Scholar
  11. 11.
    P. Wright, Using Oracle forensics to determine vulnerability to zero-day exploits, InfoSec Reading Room, SANS Institute, Bethesda, Maryland, 2007.Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2011

Authors and Affiliations

  • Hector Beyers
    • 1
    • 2
  • Martin Olivier
    • 1
  • Gerhard Hancke
    • 1
  1. 1.University of PretoriaPretoriaSouth Africa
  2. 2.Dimension DataJohannesburgSouth Africa

Personalised recommendations