Database Forensics

Database Investigation and Evidence Recovery

Data Diddling Process

What is Database Forensics?

Database Forensics: The process of identifying, extracting, preserving, and analyzing data stored in database systems to support forensic investigations and legal proceedings.
  • Data Recovery: Retrieving deleted or hidden records
  • Transaction Analysis: Examining database operations
  • Schema Investigation: Understanding database structure
  • Log Analysis: Reviewing transaction and audit logs

Database Types and Forensics

Relational Databases

  • MySQL, PostgreSQL
  • Microsoft SQL Server
  • Oracle Database
  • IBM Db2

NoSQL Databases

  • MongoDB (Document)
  • Cassandra (Column)
  • Redis (Key-Value)
  • Neo4j (Graph)

Cloud Databases

  • Amazon RDS/DynamoDB
  • Google Cloud SQL
  • Azure SQL Database
  • Snowflake

Embedded Databases

  • SQLite
  • Berkeley DB
  • Apache Derby
  • Mobile app databases

Database Forensics Process

Investigation Methodology:

  1. Preparation: Understand database architecture and access requirements
  2. Identification: Locate database files, logs, and configurations
  3. Preservation: Create forensic copies with integrity verification
  4. Collection: Extract data, metadata, and transaction logs
  5. Examination: Analyze structure, content, and relationships
  6. Analysis: Identify evidence and reconstruct events
  7. Documentation: Report findings and maintain chain of custody

Database File Types

Common Database Files: • .mdf/.ldf (SQL Server data/log files) • .frm/.ibd/.ibdata (MySQL table/data files) • .db/.sqlite/.sqlite3 (SQLite database files) • .dbf (Oracle data files) • .bson (MongoDB BSON files)

File Location Strategies:

  • Default Locations: Check standard installation directories
  • Configuration Files: Parse config files for custom paths
  • Registry Analysis: Windows registry for database settings
  • File Signature Search: Scan for database file headers
  • Process Memory: Extract database paths from running processes

Data Recovery Techniques

Deleted Record Recovery

  • Transaction log analysis
  • Unallocated space examination
  • Shadow copy analysis
  • Rollback segment inspection

Corrupted Data Recovery

  • Page-level reconstruction
  • Backup file analysis
  • Binary log parsing
  • Consistency check utilities
SQL Server Recovery Example: SELECT * FROM fn_dblog(NULL, NULL) -- View transaction log DBCC PAGE(database, file, page, 3) -- Examine data pages RESTORE DATABASE FROM DISK = 'backup.bak' WITH REPLACE

Transaction Log Analysis

Transaction Logs: Sequential records of all changes made to the database, crucial for forensic reconstruction of events.

Log Analysis Benefits:

  • Timeline Reconstruction: Chronological sequence of database changes
  • User Activity Tracking: Identify who made specific changes
  • Data Modification History: Before and after values
  • Rollback Information: Understand undone transactions
  • Security Event Detection: Unauthorized access attempts

Log Types:

  • Redo Logs: Forward recovery operations
  • Undo Logs: Rollback information
  • Binary Logs: MySQL replication logs
  • Archive Logs: Historical transaction records

SQL Injection Forensics

SQL Injection Evidence:

  • Web Server Logs: Suspicious HTTP requests with SQL syntax
  • Database Logs: Malformed or unusual SQL queries
  • Error Logs: Database errors revealing schema information
  • Performance Logs: Unusually long-running queries
  • Access Logs: Privilege escalation attempts
Common SQLi Patterns: • ' OR '1'='1 (Authentication bypass) • UNION SELECT (Data exfiltration) • ; DROP TABLE (Destructive attacks) • xp_cmdshell (Command execution) • INTO OUTFILE (File writing)

Database Schema Analysis

Schema Investigation Components:

  • Table Structure: Column definitions, data types, constraints
  • Relationships: Foreign keys and table associations
  • Indexes: Performance optimization structures
  • Views: Virtual tables and data presentation
  • Stored Procedures: Embedded business logic
  • Triggers: Automated database responses
Schema Discovery Queries: -- MySQL SHOW TABLES; DESCRIBE table_name; -- PostgreSQL \dt \d+ table_name -- SQL Server SELECT * FROM INFORMATION_SCHEMA.TABLES

Database Security Analysis

Access Control Analysis

  • User account enumeration
  • Permission and role analysis
  • Privilege escalation detection
  • Default account identification

Security Configuration

  • Authentication mechanisms
  • Encryption implementation
  • Audit logging settings
  • Network security configuration

Security Indicators:

  • Weak or default passwords
  • Excessive user privileges
  • Disabled security features
  • Unencrypted sensitive data
  • Missing security patches

NoSQL Database Forensics

NoSQL Challenges: Document-based, schema-less databases require specialized forensic approaches compared to traditional relational databases.

MongoDB Forensics:

  • BSON Analysis: Binary JSON document format
  • Collection Examination: Document groups analysis
  • GridFS Investigation: Large file storage system
  • Replica Set Analysis: Distributed data examination
  • Oplog Analysis: Operation log for replication
MongoDB Investigation Commands: db.runCommand({listCollections: 1}) db.collection.find().pretty() db.oplog.rs.find().limit(10) db.stats()

Cloud Database Forensics

Cloud-Specific Challenges:

  • Limited Physical Access: Virtual infrastructure constraints
  • Shared Tenancy: Multi-tenant security isolation
  • API-Based Access: Programmatic investigation methods
  • Geographic Distribution: Data spread across regions
  • Provider Cooperation: Legal and technical coordination

Cloud Investigation Strategies:

  • API-based data extraction
  • Cloud audit log analysis
  • Snapshot and backup examination
  • Network traffic analysis
  • Identity and access management review

Database Forensic Tools

Commercial Tools

  • AccessData FTK Database
  • Magnet AXIOM Database
  • Oxygen SQLite Viewer
  • Stellar Phoenix Database Recovery

Open Source Tools

  • SQLite Browser
  • phpMyAdmin
  • DBeaver
  • MySQL Workbench

Command Line Tools

  • sqlite3 (SQLite CLI)
  • mysql (MySQL client)
  • psql (PostgreSQL client)
  • sqlcmd (SQL Server client)

Specialized Utilities

  • Log analysis tools
  • Hex editors for low-level analysis
  • Data recovery utilities
  • Schema comparison tools

Data Privacy and Legal Issues

Privacy Considerations:

  • GDPR Compliance: European data protection regulations
  • HIPAA Requirements: Healthcare data privacy
  • PCI DSS Standards: Payment card data protection
  • SOX Compliance: Financial data integrity
  • Industry-Specific Regulations: Sector-based requirements

Legal Best Practices:

  • Obtain proper legal authorization
  • Minimize data exposure during investigation
  • Implement strong access controls
  • Document all investigation procedures
  • Follow data retention and disposal policies

Database Timeline Reconstruction

Timeline Creation Process:

  1. Transaction Log Parsing: Extract timestamped events
  2. Audit Trail Analysis: Correlate security events
  3. Backup Analysis: Identify data state at specific times
  4. User Activity Correlation: Link actions to specific users
  5. Cross-System Correlation: Integrate with other log sources
Timeline Reconstruction Example: 2023-10-15 14:30:15 - User 'admin' logged in 2023-10-15 14:32:22 - SELECT query on customer table 2023-10-15 14:33:45 - DELETE 15000 records from customer table 2023-10-15 14:35:12 - User 'admin' logged out

Database Backup Analysis

Backup Types:

  • Full Backups: Complete database snapshots
  • Differential Backups: Changes since last full backup
  • Transaction Log Backups: Point-in-time recovery data
  • Incremental Backups: Changes since last backup

Forensic Value of Backups:

  • Historical data state analysis
  • Deleted data recovery
  • Change comparison and tracking
  • Attack timeline reconstruction
  • Data integrity verification

Database Incident Response

Immediate Response Actions:

  • Isolation: Disconnect compromised databases
  • Preservation: Create immediate backups
  • Documentation: Record current system state
  • Log Collection: Gather all relevant logs
  • Access Control: Secure administrator accounts

Investigation Coordination:

  • Coordinate with system administrators
  • Engage database vendors if needed
  • Coordinate with legal and compliance teams
  • Maintain detailed investigation logs
  • Plan for business continuity

Best Practices and Challenges

Best Practices

  • Maintain database expertise across platforms
  • Develop standard operating procedures
  • Regular training on new database technologies
  • Coordinate with database administrators
  • Maintain current forensic tools

Common Challenges

  • Encryption and access controls
  • Large dataset volumes
  • Complex database schemas
  • Distributed database architectures
  • Real-time data changes

Key Takeaways

Critical Points:

  • Multi-Platform Expertise: Understanding diverse database systems
  • Systematic Approach: Following structured investigation methodology
  • Legal Compliance: Adhering to privacy and data protection laws
  • Evidence Integrity: Maintaining chain of custody for database evidence
  • Continuous Learning: Keeping pace with database technology evolution
Database Forensics Success: Combine deep database knowledge, proper investigation methodology, and legal compliance to effectively analyze database systems and extract valuable digital evidence.