Sunkyung Kim, Ji Su Park, Jin Gon Shon

KIPS Transactions on Software and Data Engineering, Vol. 9, No. 4, pp. 123-128, Apr. 2020
https://doi.org/10.3745/KTSDE.2020.9.4.123,   PDF Download:
Keywords: Digital Forensics, Database Forensics, Metadata, Block Size
Abstract

As the use of digital devices is becoming more commonplace, digital forensics techniques recover data to collect physical evidence during the investigation. Among them, the file forensics technique recovers deleted files, therefore, it can recover the database by recovering all files which compose the database itself. However, if the record is deleted from the database, the modified record contents will not be restored even if the file is recovered. For this reason, the database forensics technique is required to recover deleted records. Database forensics obtains metadata from database configuration files and recovers deleted records from data files. However, record recovery is difficult if database metadata such as block size cannot be obtained from the database. In this paper, we propose three methods for obtaining block size, which is database metadata. The first method uses the maximum size of free space in the block, and the second method uses the location where the block appears. The third method improves the second method to find the block size faster. The experimental results show that three methods can correctly find the block size of three DBMSes.

Statistics
Cite this article