Database forensics: Difference between revisions

add ref, expand lead, remove unsourced definition
copyedit & expand, tag for needing better references, add navbox
{{refimprove|date=August 2010}}
{{ForensicScience}}
'''Database Forensics''' is a branch of [[digital forensics|digital forensic science]] relating to the forensic study of [[databases]] and their related metadata.<ref>{{cite web|last=Olivier|first=Martin S.|title=On metadata context in Database Forensics|url=http://www.sciencedirect.com/science/article/B7CW4-4TSD9G6-1/2/a5031117d753054d92f2afba332eadf8|publisher=Science Direct|accessdate=2 August 2010|doi=10.1016/j.diin.2008.10.001|month=March|year=2009}}</ref>
 
The discipline is similar to [[computer forensics]], following the normal forensic process and applying investigative techniques to database contents and metadata. Cached information may also exist in a server's [[RAM]], requiring [[Digital forensics#live analysis|live analysis]] techniques.
Computer forensics principles can be applied to a database, which is a persistent data store, often relational. This means that forensic technology professionals must take sufficient due care in how a database is first acquired and then analysed, so as not to compromise its integrity. Forensic technology professionals may acquire whole desktops, laptops, servers and mobile devices for examination as part of an ongoing investigation, but database applications may also contain vital evidence. Therefore, when applying computer forensic principles to databases, the database itself must be forensically acquired, so that forensic copies of database evidence can be made and preserved for future presentation during a legal process.
 
A forensic examination of a database may examine the timestamps recording when a row in a relational table was updated, inspecting and testing them for validity in order to verify the actions of a database user. Alternatively, a forensic examination may focus on identifying transactions within a database system or application that indicate evidence of wrongdoing, such as fraud.
 
When forensically analysing a database, consideration must be given to the software tools used to analyse the transactions. Software tools such as ACL, Idea and Arbutus (which provide a safe read-only environment) can be used to manipulate, join, sort and analyse data. These tools also provide audit logging capabilities, which give documented proof of what tasks or analysis a forensic examiner performed on the database.
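The two points made above, a read-only examination environment with an audit log of everything the examiner ran, and timestamp validity checks on row update times, can be shown together in a small script. The following is an added example, not code from the article or from any of the tools it names; it uses Python's standard sqlite3 module as a stand-in for a forensic analysis tool, and the table contents, column names and acquisition time are constructed for the illustration.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

# Constructed evidence: a copy of an 'accounts' table as an examiner might receive it.
# Row 3 was "updated" before it was created; row 5 was updated after the acquisition time.
SAMPLE_ROWS = [
    (1, "alice", 1200.00, "2010-07-01T09:00:00Z", "2010-07-01T09:00:00Z", "alice"),
    (2, "bob",    300.00, "2010-07-02T10:15:00Z", "2010-07-03T16:40:00Z", "bob"),
    (3, "carol", 5000.00, "2010-07-05T11:00:00Z", "2010-07-04T08:30:00Z", "dba"),
    (4, "dave",    75.00, "2010-07-06T12:00:00Z", "2010-07-06T12:00:00Z", "dave"),
    (5, "erin",   900.00, "2010-07-20T09:00:00Z", "2010-08-15T09:00:00Z", "dba"),
]


def build_sample_db(path):
    """Write the constructed evidence to a SQLite file (stands in for the forensic copy)."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance REAL, "
        "created_at TEXT, updated_at TEXT, updated_by TEXT)"
    )
    con.executemany("INSERT INTO accounts VALUES (?,?,?,?,?,?)", SAMPLE_ROWS)
    con.commit()
    con.close()


class AuditedReadOnlyDB:
    """Opens the evidence copy read-only (SQLite URI mode=ro) and logs every statement run."""

    def __init__(self, path):
        self.con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
        self.audit_log = []  # (UTC time, SQL, parameters) for each statement the examiner ran

    def query(self, sql, params=()):
        self.audit_log.append((datetime.now(timezone.utc).isoformat(), sql, params))
        return self.con.execute(sql, params).fetchall()

    def close(self):
        self.con.close()


def parse_ts(s):
    """Parse the constructed ISO-8601 'Z' timestamps into aware UTC datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_suspect_rows(db, acquisition_time):
    """Flag rows whose timestamps cannot be valid: updated before creation, or after acquisition."""
    suspects = []
    rows = db.query("SELECT id, owner, created_at, updated_at, updated_by FROM accounts ORDER BY id")
    for rid, owner, created, updated, who in rows:
        c, u = parse_ts(created), parse_ts(updated)
        reasons = []
        if u < c:
            reasons.append("updated_at precedes created_at")
        if u > acquisition_time:
            reasons.append("updated_at is after acquisition")
        if reasons:
            suspects.append({"id": rid, "owner": owner, "updated_by": who, "reasons": reasons})
    return suspects


def examine(path, acquisition_time):
    """Run the examination and return findings together with the audit log."""
    db = AuditedReadOnlyDB(path)
    try:
        # Confirm the environment really is read-only: a write attempt must fail (and is logged).
        try:
            db.query("UPDATE accounts SET balance = 0")
            write_blocked = False
        except sqlite3.OperationalError:
            write_blocked = True
        suspects = find_suspect_rows(db, acquisition_time)
        return {"write_blocked": write_blocked, "suspects": suspects, "audit_log": db.audit_log}
    finally:
        db.close()


def run_demo():
    """Build the constructed evidence in a temporary file and examine it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "evidence.sqlite")
        build_sample_db(path)
        return examine(path, parse_ts("2010-08-01T00:00:00Z"))  # assumed acquisition time


if __name__ == "__main__":
    result = run_demo()
    print("write blocked:", result["write_blocked"])
    for s in result["suspects"]:
        print(f"row {s['id']} ({s['owner']}, updated_by={s['updated_by']}): {', '.join(s['reasons'])}")
    for when, sql, _ in result["audit_log"]:
        print(f"[audit] {when} {sql}")
```

The audit log records the rejected write alongside the queries, which is the documented proof of the examiner's actions the article refers to; the timestamp checks are deliberately simple (ordering against creation time and against the acquisition time) so that every flagged row can be explained to a reader of the report.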
 
Currently, many database software tools are not reliable and precise enough to be used for forensic work, as demonstrated in the first paper published on database forensics.<ref>[http://www.giac.org/certified_professionals/practicals/gcfa/0159.php Oracle Database Forensics using LogMiner - GIAC Certified Student Practical]</ref>
{{Reflist}}
 
{{Digital forensics}}
 
[[Category:Databases]]