Database forensics

Forensic science
Physiological sciences
Forensic anthropology Forensic archaeology Forensic dentistry Forensic entomology Forensic pathology Forensic botany
Social sciences
Forensic psychology Forensic psychiatry
Forensic criminalistics
Ballistics Ballistic fingerprinting Body identification DNA profiling Fingerprint analysis Forensic accounting Forensic arts Forensic footwear evidence Forensic toxicology Questioned document examination Vein matching
Digital forensics
Computer forensics Database forensics Mobile device forensics Network forensics Forensic video
Related disciplines
Fire investigation Detection of fire accelerants Forensic engineering Forensic linguistics Forensic materials engineering Forensic polymer engineering Vehicular accident reconstruction
People
Auguste Ambroise Tardieu Edmond Locard William M. Bass Juan Vucetich
Related articles
Crime scene CSI effect Perry Mason syndrome Pollen calendar Skid mark Trace evidence Use of DNA in forensic entomology
v · d · e

Database Forensics is a branch of digital forensic science relating to the forensic study of databases and their related metadata.^[1]

The discipline is similar to computer forensics, following the normal forensic process and applying investigative techniques to database contents and metadata. Cached information may also exist in a servers RAM requiring live analysis techniques.

A forensic examination of a database may relate to the timestamps that apply to the update time of a row in a relational table being inspected and tested for validity in order to verify the actions of a database user. Alternatively, a forensic examination may focus on identifying transactions within a database system or application that indicate evidence of wrong doing, such as fraud.

Software tools such as ACL, Idea and Arbutus (which provide a read-only environment) can be used to manipulate and analyse data. These tools also provide audit logging capabilities which provide documented proof of what tasks or analysis a forensic examiner performed on the database.

Currently many database software tools are in general not reliable and precise enough to be used for forensic work as demonstrated in the first paper published on database forensics.^[2] There is currently a single book published in this field,^[3] though more are destined.^[4] Additionally there is a subsequent SQL Server forensics book by Kevvie Fowler named SQL Server Forensics which is well regarded also.^[5]

The forensic study of relational databases requires a knowledge of the standard used to encode data on the computer disk. A documentation of standards used to encode information in well known brands of DB such as SQL Server and Oracle has been contributed to the public domain.^[6][7]

Further reading

• Farmer and Venema, 1999, http://www.porcupine.org/forensics/forensic-discovery/appendixB.html
• Sarbanes Oxley section 404 – enforce financial standards to limit chance of fraud. http://thecaq.aicpa.org/Resources/Sarbanes+Oxley/
• HIPAA – Health and Portability Act http://www.cms.hhs.gov/hipaa/
• Sarbanes Oxley section 404 – enforce financial standards to limit chance of fraud http://thecaq.aicpa.org/Resources/Sarbanes+Oxley/
• Fair Credit Reporting Act (FCRA) http://www.gao.gov/new.items/d06674.pdf
• Oracle Forensics In a Nutshell, Paul M. Wright (May 2007) http://www.oracleforensics.com/wordpress/wp-content/uploads/2007/03/OracleForensicsInANutshell.pdf
• Oracle Forensics, Paul Wright, Rampant Techpress, ISBN 0977671526, May 2008. http://www.rampant-books.com/book_2007_1_oracle_forensics.htm

References