Reconstruction in Database Forensics

  • Oluwasola Mary Fasan
  • Martin Olivier
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 383)

Abstract

Despite the ubiquity of databases and their importance in digital forensic investigations, the area of database forensics has received very little research attention. This paper presents an algorithm for reconstructing a database for forensic purposes. Given the current instance of a database and the log of modifying queries executed on the database over time, the database reconstruction algorithm determines the data that was present in the database at an earlier time. The algorithm employs inverse relational algebra operators along with a relational algebra log and value blocks of relations to perform database reconstruction. Illustrative examples are provided to demonstrate the application of the algorithm and its utility in forensic investigations.

Keywords

Database forensics, database reconstruction, inverse relational algebra

Copyright information

© IFIP International Federation for Information Processing 2012

Authors and Affiliations

  • Oluwasola Mary Fasan (1)
  • Martin Olivier (1)
  1. University of Pretoria, Pretoria, South Africa
