Database forensics

This is an old revision of this page, as edited by ErrantX (talk | contribs) at 11:54, 2 August 2010 (add ref, expand lead, remove unsourced definition). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Database Forensics is a branch of digital forensic science relating to the forensic study of databases and their related metadata.[1]

Computer forensics principles can be applied to a database, which is a persistent data store, often relational. This means that forensic technology professionals must give sufficient due care to how databases are first acquired and then analysed, so as not to compromise their integrity. Forensic technology professionals may acquire whole desktops, laptops, servers and mobile devices for forensic examination as part of an ongoing investigation, but database applications may also contain vital evidence. Therefore, when applying computer forensic principles to databases, the database itself must be forensically acquired. This means that forensic copies of database evidence can be made in order to preserve that evidence for future presentation during a legal process.

A forensic examination of a database may relate to the timestamps that record the update time of a row in a relational table, which are inspected and tested for validity in order to verify the actions of a database user. Alternatively, a forensic examination may focus on identifying transactions within a database system or application that indicate evidence of wrongdoing, such as fraud.

When forensically analysing a database, consideration must be given to the software tools used to analyse the transactions. Fortunately, software tools such as ACL, Idea and Arbutus can provide a safe read-only environment to manipulate, join, sort and analyse data. These tools also provide audit logging capabilities which provide documented proof of what tasks or analysis a forensic examiner performed on the database.
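The two practices described above, a read-only analysis environment with an audit log of what the examiner did, and testing row timestamps for validity, as an added example that is not part of the original article. It assumes a SQLite copy of the evidence and a hypothetical `ledger` table with constructed timestamps; the acquisition time is likewise a constructed value.

```python
import hashlib
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

def build_sample_db(path):
    """Constructed sample evidence (a hypothetical ledger table), not real case data."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE ledger(id INTEGER PRIMARY KEY, amount REAL, "
                "created_at TEXT, updated_at TEXT)")
    con.executemany("INSERT INTO ledger VALUES (?,?,?,?)", [
        (1, 100.0, "2010-07-01T09:00:00", "2010-07-01T09:00:00"),
        (2, 250.0, "2010-07-02T10:30:00", "2010-07-02T10:30:00"),
        (3,  75.0, "2010-07-03T11:00:00", "2010-06-30T08:00:00"),  # updated before created
        (4, 900.0, "2010-07-01T12:00:00", "2010-07-04T13:00:00"),  # created_at out of id order
        (5,  40.0, "2010-07-05T14:00:00", "2010-09-01T00:00:00"),  # updated after acquisition
    ])
    con.commit()
    con.close()

def timestamp_anomalies(path, acquired_at, audit_log):
    """Open the forensic copy read-only, record the query and the file hash in the
    audit log, and flag rows whose timestamps contradict normal application behaviour."""
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()   # proves the copy was not altered
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)  # read-only: writes raise an error
    sql = "SELECT id, created_at, updated_at FROM ledger ORDER BY id"
    audit_log.append(f"{datetime.now(timezone.utc).isoformat()} sha256={digest} query={sql!r}")
    findings, prev_created = [], None
    for rid, created, updated in con.execute(sql):  # ISO-8601 strings compare lexically
        if updated < created:
            findings.append((rid, "updated_at precedes created_at"))
        if updated > acquired_at:
            findings.append((rid, "updated_at later than acquisition time"))
        if prev_created is not None and created < prev_created:
            findings.append((rid, "created_at out of order with row id"))
        prev_created = created
    con.close()
    return findings

def run_demo():
    """Build the sample evidence in a temp dir and analyse it; returns (findings, log)."""
    path = os.path.join(tempfile.mkdtemp(), "evidence.db")
    build_sample_db(path)
    log = []
    return timestamp_anomalies(path, "2010-08-02T00:00:00", log), log
```

Each audit-log entry pairs the query with the hash of the file it ran against, so the examiner can later show both what was done and that the copy was unchanged when it was done.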

Many database software tools are currently not reliable and precise enough to be used for forensic work, as demonstrated in the first paper published on database forensics.[2] There is currently a single book published in this field,[3] though more are forthcoming.[4] Additionally, there is a subsequent SQL Server forensics book by Kevvie Fowler, named SQL Server Forensics, which is also well regarded.[5]

The forensic study of relational databases requires knowledge of the standard used to encode data on the computer disk. Documentation of the standards used to encode information in well-known database products such as SQL Server and Oracle has been contributed to the public ___domain.[6][7]

Further reading

References

  1. ^ Olivier, Martin S. (2009). "On metadata context in Database Forensics". Science Direct. doi:10.1016/j.diin.2008.10.001. Retrieved 2 August 2010.
  2. ^ Oracle Database Forensics using LogMiner. GIAC Certified Student Practical.
  3. ^ Oracle Forensics. ISBN 0977671526 (May 2008).
  4. ^ Oracle Forensics Using Quisix. ISBN 047019118X (Dec 2008).
  5. ^ SQL Server Forensics. ISBN 0321544366 (Dec 2008).
  6. ^ SANS Institute. Forensic Analysis of a SQL Server 2005 Database Server.
  7. ^ Oracle Forensics and Incident Response. databasesecurity.com.