What Is Database Forensics?

This question is often asked by new students who are thinking about entering this exciting and dynamic subset of computer forensics. The answer is quite detailed, but we can go into a few basics and give you an overview to help explain some key fundamentals of database forensic analysis.

Some free resources can be found in this informative article.

For other forensic courses, please take a look at our boot-camp section, found here.

Forensic database specialists have quite a difficult task when it comes to working through corrupted databases, as opposed to standard digital forensics, which deal with fragmented “normal” data as it is found on a conventional hard drive. This is because standard file systems allocate a header and a footer bit to a file, allowing for the reconstruction of the file, in some cases, by using information from the metadata in the file system. However, databases do not have static headers or footers, and are in fact scattered across multiple different identifiers. As a result, special tools and techniques are required for this highly specialized forensic work, and the Certified Computer Forensics Examiner (CCFE) is an excellent certification to help you get there.

Database forensics is not the same as database recovery. This is an important concept to understand for those who wish to get into this field. Database forensics concentrates on scientifically interrogating the failed database and by trying to reconstruct the metadata and page information from within a data set, whereas database recovery implies some kind of restorative process that will enable the database to become viable enough to re-enter a production environment, or become healthy enough to provide a backup that can be used in a database restore.

Sometimes, a database may be perfectly healthy but suspicious activities and results may have raised questions from a customer that prompted a forensic investigation.

The following scenarios would require the intervention of a database forensic specialist:

  • Failure of a database
  • Deletion of information from database
  • Inconsistencies in the data of a database
  • Detection of suspicious behavior of users

A database forensics expert will normally use a read-only method or an identical forensic copy of the data when interfacing with a database to ensure that no data is compromised. They will run a series of diagnostic tools to help them to:

  • Create a forensic copy of a database for analysis
  • Reconstruct missing data and/or log files associated with the deletion
  • Decipher data and ascertain possible causes of corruption
  • Audit user activities and isolate suspicious and illegal behavior

This helps you as an investigator to gain the information that the affected party requires, and can help in the investigation and prosecution of the perpetrators if criminal proceedings are initiated against guilty parties.

What Are the Types of Database Models That Are Important in Forensics?

As database technologies were developed and utilized over the past few decades, newer approaches to storing, locating, and retrieving data were created. These different approaches are also known as database models, and understanding each one ensures maximum efficacy when dealing with instances where your database forensic expertise may be required. While each of these database implementations was important during the development of interconnected services in the early days of corporate and commercial computer services, some have fallen by the wayside, and others have fallen into virtual obscurity.

You will be taught about database types, such as hierarchical, network, relational, object-oriented, and hybrid, how to diagnose and identify issues, and how to identify the appropriate course of action, based on the scenario that you are faced with. Depending on your needs, each one of these types of database is covered in detail, with examples from each for you to learn from as well as hands-on modules and labs for you to get involved with.

Generally speaking, today’s modern database systems tend to run on relational database structures, which is ideal for many business applications and can handle simple transactions and queries simultaneously, as well as more advanced functions and table joins. It is an efficient method of designing databases and can be considered one of the most popular forms of database structure currently in use.

As systems become more integrated within businesses and in-house developers become more commonplace, it is a growing trend that more and more object-oriented database design is being employed in applications. This is largely because database functionality is very similar to programming methodologies and the object-oriented database type is very well suited to highly complex data operations, with multiple functions being performed on stored data quickly and almost simultaneously.

What Database Systems Are Mostly Commonly Used in Forensics?

This comes down to database popularity among businesses, companies and individuals. There are hundreds of different DBMS systems to choose from, but the five most popular database companies are listed below, as per DB-ENGINES.COM . Here are the top five, along with their DB schema types:

  • Oracle (Relational Database Management System)
  • MySQL (Relational Database Management System)
  • Microsoft SQL Server (Relational Database Management System)
  • PostgresSQL (Relational Database Management System)
  • MongoDB (Document Stores)

As you can see, relational database management systems hold the lion’s share of the top spots in the DBMS stakes, and one can therefore infer that there is indeed healthy demand for these DB types. This is primarily because of the ease with which applications and web interfaces can interact with these data stores, with ODBC drivers being made publicly available for most of the DBMS systems listed here.

For this reason, as a qualified CCFE, you will find yourself in the enviable position of being suited to any situation where a forensic specialist is required in the field of IT. You will be briefed on the best legal and ethical principles, how to conduct yourself during an investigation, the basics of forensic science and scientific principles, digital forensics, application forensics (in which you will find database forensics) and hybrid and emerging technologies.

The CCFE therefore offers you a great entry point into the world of cybersecurity and forensics, and is a must for anyone looking to further their understanding of digital forensics in an IT-heavy environment.

Computer Forensics Training

What Are Record Carving and Database Reconstruction?

Record carving is an attempt by a forensics specialist to obtain valid rows of data from within a damaged or corrupt database. While this has not been possible traditionally, there are new software tools that have been developed in recent years that allow for some of this data to be reconstructed from within the metadata of the database that you are interrogating. This is different from file carving, where deleted blocks of data are recovered by using the header information that is encoded into the file. Database stings of data are far more complex, and can even be encrypted with metadata at this level, making recovery and analysis extremely difficult.

Database reconstruction is a process whereby a forensics professional attempts to repair a database well enough to get some rudimentary information from it, allowing for further repair and interrogation. This is usually done by analyzing log files of the database system and running the activities through an algorithm that restores records to their previous state at the time of the log creation. This is not always successful, however, and the science of database forensics remains a slightly neglected field in the computer sciences; but, with more professionals gaining their CCFE, this could change as more people become involved with database forensics.

Both of these skills are elaborated on within the CCFE training material and will help you on your journey towards becoming a highly skilled, highly sought-after forensic investigator in the field of digital forensics. Take a look at our pricing by filling in the submission form above, and if you have any queries, please feel free to contact us here.

Be Safe

Section Guide


View more articles from Graeme

You'll leave InfoSec Institute's Computer Forensics course with 3 industry certifications!

Section Guide


View more articles from Graeme