On the Completeness of Reconstructed Data for Database Forensics

  • Oluwasola Mary Adedayo
  • Martin S. Olivier
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 114)

Abstract

Databases are often used to store critical and sensitive information in various organizations, and this has led to an increase in the rate at which databases are exploited in computer crimes. Even though various investigations involving databases have been explored, very little research has been done on database forensics. This paper briefly describes a database reconstruction algorithm presented in an earlier work and shows the limitation that can be encountered when the algorithm has to deal with partially reconstructed relations or the deletion of tuples in a relation. Since reconstructed data can often be used as evidence to support or refute claims about the data in a database, the inability to reconstruct necessary data may imply the absence of evidence. However, according to an axiom from forensic science, this does not mean evidence of absence. As such, this paper presents two different techniques that can be used to reconstruct more tuples in a relation and provide corroborating evidence for claims about the data in a database. A typical example is used to describe the limitation of the database reconstruction algorithm and how the limitation can be overcome by using the techniques described in the paper.

Keywords

Digital forensics; Database forensics; Database reconstruction algorithm; Digital evidence; Forensic science



Copyright information

© ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering 2013

Authors and Affiliations

  • Oluwasola Mary Adedayo (1)
  • Martin S. Olivier (1)
  1. ICSA, Department of Computer Science, University of Pretoria, South Africa