Anda di halaman 1dari 17

This article has been accepted for publication in a future issue of this journal, but has not been

fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2762693, IEEE Access

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) < 1

CDBFIP: Common Database Forensic


Investigation Processes for Internet of Things
Arafat Al-dhaqm1,2, Shukor Razak1, Siti Hajar Othman1, Kim-Kwang Raymond Choo4 , William Bradley Glisson3,
Abdulalem Ali1, Mohammad Abrar1
1
Department of Computer Science, Faculty of Computing, Universiti Teknologi Malaysia, Skudai, Johor, Malaysia
2
Department of Computer Science, Aden Community College, Aden, Yemen
3
Department of Information Systems and Cyber Security, The University of Texas at San Antonio, San Antonio, TX
78249-0631, USA
4
School of Computing, University of South Alabama, Alabama, USA

Abstract: Database forensics is a domain that uses Internet of Military Things), we would need to collect
database content and metadata to reveal malicious activities evidential data from a wide range of sensors installed on
on database systems in an Internet of Things environment. military vehicles, cameras (e.g. IP-based CCTV feeds), road
Although the concept of database forensics has been around side units, etc. These data are also likely to be in different
for a while, investigation of cyber crime activities and cyber
formats (e.g. proprietary formats) and of different sizes. While
breaches in an Internet of Things environment would benefit
from the development of a common investigative standard that files are often abstracted as streams of bytes, a database is a
unifies knowledge in the domain. Therefore, this paper collection of data where data elements are related to one
proposes Common Database Forensic Investigation another. Hence, the process or procedures that are used in a
Processes (CDBFIP) using a Design Science Research (DSR) digital investigation directly impact the results of the
approach. The proposed process comprises four phases, examination. Selecting investigative processes that do not fit,
namely: I) Identification, II) Artefact collection, III) Artefact potentially, leads to incomplete and/or loss of evidence
analysis, and IV) the Documentation and Presentation
(Adedayo and Olivier, 2015). This incomplete or missing data
process. It allows reconciliation of the concepts and
terminologies of all common database forensic investigation may lead to indecisive consequences and give invalid
processes; hence, it facilitates the sharing of knowledge on conclusions. In other words, evidence that is not acquired in a
database forensic investigation among domain newcomers, forensically sound manner may risk being inadmissible in a
users, and practitioners. court of law (Hooper et al., 2013).

I. INTRODUCTION Thus, several database forensic investigation models have been

T he integration of apps on mobile devices, software used on


Internet of Things (IoT) devices, along with the need to
improve functionality in numerous business applications,
proposed in the literature. The proposed models range in focus
from specific scenarios to generic applications and, in doing so,
provide a variety of details as a result. The diversity in scenarios
continue to motivate interest in the area of database forensics. and resulting details perceivably make it challenging, or even
Coupling this information with increasing interest in residual complicated, particularly for newer forensic investigators, to
data in legal environments (Berman et al., 2015; McMillan et adopt accurate or proper investigation models. Due to the lack
al., 2013), necessitates research in this relatively understudied of a generic/common database forensic investigation process
area. Database forensics is a branch of digital forensics that model (Beyers, 2014), this study provides a structure, referred
uses database content, metadata, log files, data files, and to as the Common Database Forensic Investigation Process
memory data to create timelines, establish relationships and (CDBFIP), which unifies, facilitates, and shares knowledge of
recover relevant data (Khanuja and Adane, 2012b). database forensic investigation processes among database users
and practitioners. Unifying these processes in a single abstract
The numerous pieces of input that potentially impact a digital diagram increases the knowledge available to users,
forensic investigation involving a Database Management newcomers, and practitioners. Additionally, it reduces the
System (DBMS) is inherently more complex than that of a complexity and ambiguity of the investigation.
traditional file system (Wagner et al., 2015), particularly in an
IoT environment that is likely to comprise a wide range of This paper is organized as follows. Section II presents works
heterogeneous devices. For example, in an IoT deployment in related to this research. Section III describes the actual
battlefields (also referred to as Internet of Battlefield Things or development process of our CDBFIP based on the Design

2169-3536 (c) 2017 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2762693, IEEE Access

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) < 2

Science Research (DSR) methodology. While it would be ideal incident verification, artefact collection, and artefact analysis,
to evaluate CDBFIP using real-world IoT cases, it is dealing specifically with an SQL server database (Fasan and
challenging to obtain access to such cases partly due to the Olivier, 2012a; Wagner et al., 2015). A Detection and
sensitive nature of forensic investigations. Therefore, in Section investigation model was developed by Son, et. al., (Son et al.,
IV, we use a set of nine database forensic models to validate 2011) to detect the database server and collect data. Fowler
CDBFIP. Finally, we conclude the paper in Section V with (Fowler et al., 2007) also proposed an approach to gather and
recommendations for possible future work. analyze data in practical and real-world scenarios. Their
approach covers technical concepts that investigators use to
II. BACKGROUND AND RELATED WORK investigate compromised databases. An approach for detecting
The database forensics domain uses database content and the tampering of forensic evidence in an SQL server was
metadata to identify, collect, preserve, reconstruct, analyse and proposed by Basu (Basu, 2006a); the proposed technique shows
document evidence of crime. Owing to the complexity and how tampering can be detected and how to localize the affected
multidimensional nature of DBMS, database forensics has data but does not provide tamper-prevention measures (Pavlou
received little attention from researchers (Adedayo and Olivier, and Snodgrass, 2012; 2013). A methodology to distinguish
2015; Beyers, 2014; Fowler, 2008; Khanuja and Adane, 2012b; suspicious transactions from legitimate transactions among the
Olivier, 2009; Wagner et al., 2015). Existing works in database SQL Server artefacts, in order to eliminate irrelevant data, was
forensics can be viewed from three perspectives, namely: proposed by Khanuja and Adane (Khanuja and Adane, 2013).
technology (tools, algorithms, and methods, etc), investigation This methodology specifically considered the investigation
process (e.g. identification, collection, analysis, and processes, technology, and database dimension in its solution.
presentation) and the database forensic dimension (destroyed
dimension, compromised dimension, changed dimension, etc) Relatively few studies have been conducted that investigate a
(Fasan and Olivier, 2012a). MySQL database in reference to database forensics. A study by
Khanuja and Adane (Khanuja and Adane, 2012b) did develop a
A number of studies have been conducted on Oracle databases; framework for MySQL database forensic analysis. The
these works encompass specific Oracle investigation tasks, proposed framework focuses on discovering malicious
activities, processes, techniques, concepts and terminologies. tampering in My SQL database. The authors further highlighted
For instance, a forensic investigation model was developed by the database server artefacts that were employed for the
Wong and Edwards (Wong and Edwards, 2004) that consists of investigation.
generic steps to discover information about an operation
performed on the database (Olivier, 2009). A Log Miner tool It is worth noting that a model for detecting database
was developed by Wright (Wright-GSEC and GCFW, 2005) inconsistencies was proposed by Fruhwirt, et. al., (Fruhwirt et
that allows a Data Base Administrator (DBA) or forensic al., 2010); nevertheless, there was no knowledge discovered for
analyst to reconstruct actions taken on a database (Fasan and multiple log files or cache for further analysis (Frhwirt et al.,
Olivier, 2012a). Seven practical investigation forensic models 2012). To address the limitations of the model proposed by
were developed by Litchfield (Litchfield, 2007b). The author Frhwirt, et. al., (Frhwirt et al., 2012), another model was
addressed information available from redo logs, dropped proposed by Frhwirt, et. al., (Frhwirt et al., 2013) to
objects, authentication, flashback, and a recycle bin. Wright and reconstruct the basic SQL statements from InnoDBs redo logs.
Burleson (Wright and Burleson, 2008) published a forensic However, this model focuses on the Data Manipulation
textbook on Oracle RDBMS; however, the book was written as Language (DML) statements and ignores the Data Definition
a guide and intended for database administrators (Olivier, Language (DDL) statements. To address situations where the
2009). A block diagram to collect evidence was developed by user is unavailable or where the user is under investigation,
Tripathi and Meshram (Tripathi and Meshram, 2012b) that is Lawrence (Lawrence, 2014) proposed a technical investigation
based on a series of practical methods developed to analyse method to gain access to users MySQL database without user
database tampering in an Oracle database (Litchfield, 2007b). consent. According to Adedayo (Adedayo, 2015), several
works have been conducted in digital forensics. However, they
In addition, a number of practical studies have been carried out largely focus on cloud forensics and smartphone forensics (Ab
on Microsoft SQL Database Server (MSSQL Database Server). Rahman et al., 2016a; Ab Rahman et al., 2016b; Azfar et al.,
These studies covered database investigation tasks, activities, 2016a; Azfar et al., 2016b; Cahyani et al., 2016; Daryabar et
processes, techniques, concepts and terminologies. A al., 2016; Do et al., 2015a; 2015b; Do et al., 2016; Immanuel
methodology for an SQL Server Forensic Analysis was et al., 2015; Martini and Choo, 2014a; 2014b; Quick and Choo,
proposed by Fowler (Fowler, 2008); the proposed methodology 2013; 2014; 2016; Quick et al., 2013; Teing et al., 2016; Yang
involves four processes, namely, investigation preparation, et al., 2016). They do not directly mention ddatabase forensics.

2169-3536 (c) 2017 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2762693, IEEE Access

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) < 3

While certain aspects of database forensics have been were identified and selected for developing CDBFIP. However,
investigated over the years (Adedayo, 2015; Al-Dhaqm et al., models that covered only specific database forensics
2014a; Beyers, 2014; Fasan and Olivier, 2012a; Hauger and perspectives (i.e., one or two perspectives) were identified and
Olivier, 2015), there has been minimal research into the selected for validation purposes. For example, a System and
development of a standard/common approach for unifying Method for Investigating a Data Operation Performed on a
investigation tasks and activities among investigators. Database Model, which is proposed by Wong and Edwards
(Wong and Edwards, 2004), covered three perspectives of the
III. METHODOLOGY database forensics domain. In addition, the SQL Server
This study embraces a Design Science Research (DSR) Forensic Analysis Methodology approach that is proposed by
methodology to design the proposed process artefact, hereafter Fowler (Fowler, 2008) covered the three database forensics
referred to as the Common Database Forensic Investigation perspectives. Table 1 displays thirty-eight (38) database
Processes (CDBFIP) (Othman and Beydoun, 2010; Von Alan forensic models that were identified and selected from forty
et al., 2004). DSR is a research methodology that is used to (40) existing database forensic models. Fig 2 displays the
create new and persistent artefacts for a special problem domain models that cover both generic and specific database forensic
that enables analytics to be examined (March and Smith, 1995). perspectives. Group A refers to models that cover the all
This particular implementation of DSR concentrates on database forensic perspectives. Group B refers to models that
Information Technology (IT) artefacts that significantly impact cover only two database forensic perspectives. Group C
the application domain. According to March and Smith (March refers to models that cover a single database forensic
and Smith, 1995), the creation of DSR can be explained in terms perspective. Step 3.2 concentrates on recognizing and
of four kinds of artefacts which include the following: extracting investigation processes from the eighteen (18)
constructs that organize the language to identify problems and selected database forensics models.
solutions, models that use this language to describe problems
and solutions, methods that define processes that offer
assistance on how to answer problems and the final artefact A database forensic investigation process was derived from
instantiations which are defined as combinations of constructs, eighteen (18) selected models. During the course of the
models, and methods. The DSR life-cycle embraces repetitious extraction, certain criteria were adhered to in order to identify a
assessment of produced artefacts. The execution of the DSR relevant and proper investigation process. The criteria used to
life-cycle necessitates that the building and assessment of the identify the database forensic investigation processes are as
artefact are completed before the artefact is offered to users. follows:
The design science process includes six steps, which are C1. Titles, abstracts, related works and conclusions were
illustrated in Fig 1 (Al-Dhaqm et al., 2014b; Beydoun et al., excluded; the investigation process was either extracted
2009). from the diagram or from the main textual model.
C2. The investigation process must have a definition or
A. Identify and Select Database Forensic Investigation activity; the investigation process must have a definition
Models or activity to recognize the purpose, meaning, and
Several database forensic models were discussed and analyzed functioning of the process.
in the literature review. Model selection for this research was C3. Irrelevant investigation processes not related to
based on coverage factors that were identified in previous conducting database forensics were excluded.
research (Al-Dhaqm et al., 2014b; Kelly and Pohjonen, 2009). C4. Include explicit and implicit investigation processes from
A wide coverage of perspectives, concepts, and terminologies models.
that are broadly applicable is required to fulfill the aim of
proposing a common investigation process for database The above criteria were utilized in an attempt to avoid any
forensics. Using coverage metric quickly provides an indication missing or random process selections. For example, the
of sourced model applicability. The model is said to have a high investigation process model to reveal malicious database
coverage value, if the model can cover all database forensic activities for an Oracle database was proposed by Wong and
perspectives (i.e., a general model). The model has a reduced Edwards (Wong and Edwards, 2004). Their solution consists of
amount of coverage value, if the model only describes a specific four investigation processes, namely: Suspending database
database forensic perspective, such as the technology operation, collecting data, reconstructing a database, and
perspective (i.e., a specific model). Therefore, models that restoring database integrity. Another model was developed by
cover at least two database forensic dimensions, two databases Wright (Wright-GSEC and GCFW, 2005) to discover and
forensic investigation processes, and at least one database analyze intruder activities in an MSSQL server database.
forensic investigation technology (tool, method, or algorithm) Wrights solution consists of four investigation processes,

2169-3536 (c) 2017 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2762693, IEEE Access

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) < 4

namely: Verification, Evidence Collection, Timeline Creation, A framework proposed by Khanuja and Adane (Khanuja and
and Media Analysis. In addition, two investigation processes Adane, 2012a) deals with the forensic analysis of a MySQL
were extracted from Litchfields (Litchfield, 2007c) model, server database. It consists of four main investigation processes:
which were Identification and Collection, to identify and collect Identification, Artefact collection, Artefact analysis and Final
volatile and non-volatile data. forensic report. Another framework was offered by
Susaimanickam (Susaimanickam, 2012) to analyze database
Additionally, four investigation processes have been extracted incidents. It consists of four investigation processes:
from Fowlers (Fowler, 2008) model to identify, verify, collect Examination preparation, Collection phase, Reconstruction
and analyze MSSQL server database incidents: Investigation phase, and Documentation and presentation. In addition, six
preparation, Incident verification, Artefact collection, and investigative processes were advocated by Fasan and Oliver
Artefact analysis. In addition, two investigation processes were (Fasan and Olivier, 2012b) to investigate database incidents,
extracted from a model to detect and extract malicious relations namely: Determine database dimension, Determination of
among tables that were proposed by Lee and Lee (Lee et al., acquisition method, Collection of volatile artefacts, Collection
2009): Preparation of database environment and data of non-volatile artefacts, Preservation and authentication of
extraction. The other three investigation processes, Data collected data, and Analysis of collected data. Another forensic
acquisition, Financial data analysis, Final report and court analysis model was proposed by Khanuja and Adane
submission, were proposed by Choi, et. al., (Choi et al., 2009) (Khanuja and Adane, 2013) for combining multiple pieces of
to detect fraud statements. Furthermore, Oliver (Olivier, 2009) evidences. Their solution offers two general processes for this
proposed three investigation processes to extract, search and purpose: Artefact collection and Forensic analysis.
restore metadata that are used for investigative purposes: Additionally, a model was proposed by Beyers (Beyers, 2014)
Metadata extraction, Restoration, and Searchability. to investigate a compromised database management system.
Generally, it consists of two main investigation processes: the
In addition, a process investigation model was introduced by Identification process and the Collection process. In addition,
Son, et. al., (Son et al., 2011) for enterprise environments. The another process model was proposed by Khanuja and Suratkar
investigation process involves three steps: server process (Khanuja and Suratkar, 2014) to collect, preserve and analyze
detection subsequent to an incident report, followed by data database metadata against database attacks. Three main
collection and an investigation on the data collected. investigation processes were proposed by Khanuja and
Suratkar: Collection of metadata, Preservation of metadata,
and Analysis of database attacks.

Fig.1. Database Forensic models covering different


perspectives

In addition, a tamper detection model was proposed by Tripathi


and Meshram (Tripathi and Meshram, 2012a) to introduce the
concept of tamper detection for digital evidence stored in a
database. Thus, the two investigation processes highlighted in
Tripathi and Meshrams model are Setup evidence collection
server and file collection. Fig.2. Method for proposing a common investigation process
for database forensics, adapted from existing research (Al-
Dhaqm et al., 2014b; Beydoun et al., 2009).

2169-3536 (c) 2017 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2762693, IEEE Access

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) < 5

activities through internal structure carving, via Reconstructing


The model proposed by Frhwirt, et. al., (Frhwirt et al., 2014) volatile artefacts, and recovering database schema.
is designed to reconstruct database events to detect intruder
activities, via the following: a Collection process to gather Therefore, as an output of this section, fifty-four (54)
evidence by replicating sources and a Reconstructing evidence investigation processes were identified and extracted from these
process that is necessary to rebuild user activities and detect eighteen (18) database forensic models. The proposed
malicious activities. Similarly, an investigation process model investigation processes are interlinked activities and tasks to
was proposed by Adedayo and Oliver (Adedayo and Olivier, achieve the goal of the Database Forensic activity. Thus, the
2015) to reconstruct and analyse database activity using log next step merged and extracted investigation processes that
files via the Reconstruction process and Analysis process. were grouped based on their activities and meaning. Table 2
Finally, Wagner, et. al., (Wagner et al., 2015) proposed a presents the extracted database forensic investigation process
database forensic analysis model to reconstruct database from the eighteen (18) models.

Table 1. Database Forensic investigation models


ID Year Database Forensic Models Group A Coverage
1 2004 System and method for investigating a data operation performed on a database (Wong and Edwards, 2004)
2 2005 Forensic Analysis of a SQL Server 2005 Database Server
3 2007 Oracle Forensics Live Response (Litchfield, 2007c)
4 2008 SQL Server Forensic Analysis Methodology (Fowler, 2008)
5 2009 Database forensic investigation based on table relationship analysis techniques (Lee et al., 2009)
6 2009 Evidence Investigation Methodologies for Detecting Financial Fraud based on Forensic Accounting (Choi et al., 2009)
7 2009 On metadata context in Database Forensics (Olivier, 2009)
8 2011 The Method of Database Server Detection and Investigation in the Enterprise Environment (Son et al., 2011)
9 2012 Digital Evidence for Database Tamper Detection (Tripathi and Meshram, 2012a)
10 2012
Framework for Database Forensic Analysis (Khanuja and Adane, 2012a)

11 2012 A Workflow to Support Forensic Database Analysis (Susaimanickam, 2012)
12 2012 On Dimensions of Reconstruction in database forensic (Fasan and Olivier, 2012b)
13 2013 Forensic Analysis of Databases by Combining Multiple Evidences (Khanuja and Adane, 2013)
14 2014 Database Forensic :Investigating Compromised Database Management Systems (Beyers, 2014)
15 2014 Role of metadata in forensic analysis of database attacks (Khanuja and Suratkar, 2014)
16 2014 Towards a forensic-aware database solution: Using a secured database replication protocol and transaction management for digital
investigations (Frhwirt et al., 2014)
17 2015 Ideal log setting for database forensics reconstruction (Adedayo and Olivier, 2015)
18 2015 Database forensic analysis through internal structure carving (Wagner et al., 2015)
Database Forensic Models Group B
1 2006 Forensic tamper detection in SQL server (Basu, 2006b)
2 2007 Finding Evidence of Data Theft in the Absence of Auditing (Litchfield, 2007d)
3 2007 Discovering Methodology and Scenario to Detect Covert Database System (Lee et al., 2007)
4 2012 RECONSTRUCTION IN DATABASE FORENSICS (Fasan and Olivier, 2012a)
5 2012 Enriching Forensic Analysis process for Tampered Data in Database (Abhonkar and Kanthe)
6 2012 Arguments and Methods for Database Data Model Forensics (Beyers et al., 2012)
7 2013 InnoDB database forensics: Enhanced reconstruction of data; manipulation of queries from redo logs (Frhwirt et al., 2013)
8 2015 An Improved Framework for Tamper Detection in Databases (Kambire et al.)
Database Forensic Models Group C
1 2004 Oracle database forensics using LogMiner (Wright, 2005)
2 Efficient model for detection data and data scheme tempering with purpose of valid forensic analysis (Azemovi and Mui,
2009
2009)
3 Methods for Efficient Digital Evidence of Collection of Business Processes and Users Activity in eLearning
2010
Environments(Azemovic and Music, 2010)
4 Detecting Database Attacks Using Computer Forensics Tools
2011
(Fatima, 2011)
5 An approach to examine the Metadata and Data of a Database Management System by making use of a forensic comparison tool
2011
(Beyers et al., 2011b)
6 2011 A framework for discovering internal financial fraud using analytics (Panigrahi, 2011)
7 Combining Digital Forensic Practices and Database Analysis as an Anti-Money-Laundering Strategy for Financial Institutions
2012
(Flores et al., 2012)
8 2012 Reconstructing Android User Behavior Approach Based on YAFFS2 and SQLite (Xu et al., 2014)
9 2014 Forensic Investigation of MySQL Database Management System (Lawrence, 2014)

Table 2. Extracted Database Forensic Investigation Process from 18 models

2169-3536 (c) 2017 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2762693, IEEE Access

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) < 6

ID Extracted Investigation Processes Extracted C1 C2 C3 C4


process
1. Suspend database operation, Collect data, Reconstruct database, Restore database 4
integrity
2. Evidence verification, Evidence Collection, Timeline Creation, Media Analysis 4
3. Identification process, Collection process 2
4. Investigation preparation, Incident verification, Artefact collection, Artefact analysis 4
5. Prepare Database Environment, Extract Data process 2
6. Data Acquisition, Financial Data Analysis, final report and court submission 3
7. Metadata extraction, Restoration, Searchability 3
8. Server detection, Data Collection, Investigation on Data Collected 3
9. Setup evidence collection server, Collect files 2
10. Identification, Artefact collection, Artefact analysis, Final Forensic Report 4
11. Examination preparation, Collection phase, Reconstruction phase, Documentation & 4
Presentation,
12. Determine database dimension, determining acquisition method, collection of volatile 6
artefacts, collection of non-volatile artefacts, preservation and authentication of collected
data, and analysis of collected data
13. Artefact collection, Forensic analysis 2
14. Identification process, Collection process 2
15. Collection metadata, Preservation metadata, Analysis database attacks 3
16. Collection evidence, Reconstructing evidence 2
17. Reconstruction process, Analysis process 2
18. Reconstructing volatile artefacts, Recovering database schema 2

database and execute required commands. Additionally, the


Data Acquisition process necessitates securing the location of
B. Merging and Grouping of the Extracted Database
Forensic Investigation Processes evidence and extracting evidence that relates to a crime or an
incident (Choi et al., 2009). Another process of interest is
The fifty-four (54) extracted database forensic investigation
Server Detection which is used to identify and detect the victim
processes are merged and grouped together based on similar
database server (Son et al., 2011). Furthermore, the Setup
activities and concepts (Selamat et al., 2008; Yusoff et al.,
Evidence Collection Server process described in Tripathi and
2011). All investigation processes having similar activities and
Meshrams model (Tripathi and Meshram, 2012a) is used to
concepts are organised, merged and grouped into separate
prepare the investigation environment to store incidents, while
collections. The first grouping scrutinized processes that
the Identification process described in Khanuja and Adanes
broadly dealt with investigation preparation, incident
model (Khanuja and Adane, 2012a) identifies relevant MySQL
identification, and verification. The initial merging and
database files (text files, log files, binary files) and utilities.
grouping of the extracted database forensic investigation
processes is demonstrated as follows.
Similarly, Susaimanickam (Susaimanickam, 2012) proposed a
model for the Examination Preparation process, which is used
The Suspension of Database Operation in the model of Wong
to detect database incidents by cutting off the network,
and Edwards (Wong and Edwards, 2004) isolates the database
configuring the investigation environment, identifying policies,
server from the users in order to capture database activities,
preparing the proper tools and also informing decision making.
while the Verification process in the model of Fowler, et. al.
(Fowler et al., 2007) verifies and checks incidents, isolates the
In addition, Fasan and Oliver (Fasan and Olivier, 2012b)
database server, and confirms the incident. In addition, the
proposed a model for Determining Database Dimension and
Identification process in Litchfields (Litchfield, 2007c) model
Acquisition Method, which is used for identifying which
deals with disconnecting database servers from the network in
dimension of the database has been attacked or hacked. Once
order to capture volatile data. Likewise, the purpose of the
this has been achieved, the proper acquisition methods for that
Investigation preparation and Incident verification in Fowlers
dimension are then identified. An identification process model
(Fowler, 2008) model is to identify and verify database
is proposed by Beyers (Beyers, 2014) that is aimed at the
incidents through a preliminary investigation, prepare forensic
database forensic layers, methods and environment. Therefore,
workstations and forensic toolkits to respond to incidents and
fourteen (14) investigation processes have been organized,
then disconnect the database server. Furthermore, the
merged and grouped based on their activities and congruent
Preparation of the Database Environment proposed in Lee, et.
concepts. Table 3 presents the first group of organized, merged
als. (Lee et al., 2009) model is used to prepare the investigation
and grouped investigation processes.
environment and to obtain necessary permission to access the

2169-3536 (c) 2017 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2762693, IEEE Access

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) < 7

Table 3. The first group of organized, merged and grouped investigation processes.

Model Similar Processes Activity and Meaning

M1 Suspend Database Operations Database operations are suspended, at least long enough to capture evidence of the intruders actions.
This may entail disabling new logins, terminating any or all existing sessions and disconnecting the
database from users.
M2 Verification Verifies and checks incident, isolates database server and confirms the incident.
M3 Identification Identification process that deals with disconnecting database server from network to capture volatile
data as well as prepare forensic environment and forensic techniques used to move captured data.
M10 Identification Identification process is used to identify MySQL database files (text files, log files, binary files) and
also identify MySQL utilities.
M14 Identification The identification process is going to prepare database forensic layers and forensic methods, as well
as prepare the forensic environment.
M4 Investigation Preparation Investigation preparation identifies and prepares forensic workstations and forensic toolkits to
respond to an incident and then disconnect from the database server.
M4 Incident Verification Verifies the database incident through preliminary investigation.
M5 Prepare Database Environment Prepares the investigation environment and obtains the right to access the database and execute the
command.
M6 Data Acquisition Secure the location of evidence and extract evidence that relates to the accounting fraud. The
examiner should identify the target and verify where it is.
M8 Server Detection Server detection is used to identify and detect the victim database server.
M9 Setup Evidence Collection Server Preparing the investigation environment to reveal an incident.
M11 Examination Preparation Examination preparation is used to detect a database incident, isolate a network, configure an
investigation environment, identify policies, and prepare proper forensic tools as well as making a
decision (TO DO WHAT).
M12 Determine Database Dimension Identifies which dimension of the database has been attacked or hacked.
M12 Determining Acquisition Method Identifies the proper acquisition methods for that dimension.

The second grouping inspected processes from the data Artefact Collection process was proposed by Khanuja and
collection perspective. Wong and Edwards (Wong and Adane (Khanuja and Adane, 2012a) to collect and extract
Edwards, 2004) proposed a model for the data collection database files and metadata from compromised MySQL Server
process aimed at assembling data metadata and intruder databases. Similarly, Susaimanickam (Susaimanickam, 2012)
activity. Similar processes are introduced by Fowler, et. al., proposed a Collection process as a sub-process of physical and
(Fowler et al., 2007) that include Evidence Collection to collect digital examination to collect physical and digital data.
evidence from the victim database server and an Evidence Moreover, the Collection of Volatile Artefacts and Non-Volatile
Collection process proposed by Litchfield (Litchfield, 2007c) Artefacts processes were proposed by Fasan and Oliver (Fasan
to collect volatile data from compromised database servers. and Olivier, 2012b) to collect database files, log files, log
Fowler (Fowler, 2008) proposed an Artefact Collection model transactions and also volatile artefacts such as data caches, redo
(Fowler, 2008) that is used to collect volatile and non-volatile log, and undo log.
MSSQL Server database artefacts such as log files, data files, a
data cache, transaction logs, and log files. Similar to the Artefact Collection process presented by Fowler
(Fowler, 2008), an Artefact Collection process was proposed
Additionally, a data Extraction process is proposed by Lee, et. by Khanuja and Adane (Khanuja and Adane, 2013). The
al., (Lee et al., 2009) to extract data on relationships that Collection process introduced by Beyers (Beyers, 2014) allows
connect columns in database tables. In addition, the Data one to collect and extract suspected database management
Acquisition process, proposed by Choi, et. al., (Choi et al., system data and move it to a secure area for further forensic
2009), has similar activities designed to extract fraud data from investigation, and the Metadata Collection process proposed by
a database server. Additionally, the Metadata Extraction Khanuja and Suratkar (Khanuja and Suratkar, 2014) allows
process offered by Oliver (Olivier, 2009) to extract the one to collect detailed multiple logs of SQL, MySQL and
metadata of the database dimension is used to determine who operating systems.
was authorized to perform a certain action. In addition, the Data
Collection process presented by Son, et.al., (Son et al., 2011) is Implicitly, the preservation process is mentioned by Wong and
subdivided into two stages that consist of a stage dedicated to Edwards (Wong and Edwards, 2004) under the Collecting Data
selectively files and another stage that focuses on collecting process to protect the integrity of data by hashing collected data.
entire files. In addition, a file collection model was introduced It is also mentioned in Fowlers (Fowler, 2008) model under the
by Tripathi (Tripathi and Meshram, 2012a) to collect Oracle Artefact Collection process to prevent any modification of
files from specific locations and move them to the evidence collected data. In addition, Choi, et al., (Choi et al., 2009)
collection server for further investigation. Furthermore, the mentioned implicitly as Secure data sources under the Data

2169-3536 (c) 2017 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2762693, IEEE Access

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) < 8

Acquisition process. In Olivers (Olivier, 2009) model, it was preservation process was grouped with the collection process.
mentioned as an integrity measure to provide an exact copy of Therefore, sixteen (16) investigation processes have been
the original data. In the model proposed by Susaimanickam organized, merged and grouped based on their activities and
(Susaimanickam, 2012), it was described as the main meaning. Table 4 presents the second grouping of organized,
preservation process in the Physical & Digital Examination merged and grouped investigation processes having similar
process. Explicitly, it was mentioned in Fasan and Olivers activities and concepts.
(Fasan and Olivier, 2012b) model along with the Collecting
Metadata process as the preservation of metadata. Thus, the
Table 4. The second group of organized merged and grouped investigation processes.
Model Process Activity and Meaning

M1 Collecting Data Collecting data is going to assemble data, metadata and intruder activities from the database server.
M2 Evidence Collection Collects evidence from victim database server.
M3 Collection Collection process uses collected volatile data from compromised database server.
M4 Artefact Collection Artefact collection is used to collect volatile and nonvolatile MSSQL Server database artefacts such
as log files, data files, a data cache, transaction logs, and log files.
M5 Extracting Data Extraction data process is used to extract data about relationships that connect columns in database
tables.
M6 Data Acquisition Extract fraud data from the database server.
M7 Metadata Extraction Metadata Extraction is used to extract the metadata of database dimensions that are used to
determine who was authorized to perform a certain action.
M8 Data Collection Data Collection is divided into a stage of selectively collecting files and a stage of collecting the
entire files.
M9 Collecting Files Collecting files process is used to collect Oracle files from specific locations and move them to the
evidence collection server for further investigation.
M10 Artefact Collection Artefact collection is used to collect and extract database files and metadata from compromised
databases.
M11 Collection Collect physical and digital data.
M12 Collection of Non- Collection of nonvolatile artefacts such as database files, log files, and log transactions.
volatile Artefacts
M12 Collection of Volatile Collect volatile artefacts such as data caches, redo log and undo log
Artefacts
M13 Artefact Collection Artefact collection is used to collect volatile and nonvolatile MSSQL Server database artefacts such
as log files, data files, data cache, transaction logs, log files and so on
M14 Collection The collection process is used to collect and extract suspected database management system data
and move them for further examination.
M15 Collection Metadata This is used to collect detailed logs of SQL, MySQL, and the operating system.

The third grouping broadly focused on database reconstruction, Khanuja and Adanes (Khanuja and Adane, 2012a) model
artefact analysis and overall forensic analysis. For example, an mentioned it explicitly as Artefact Analysis. It is mentioned
Analysis process has been mentioned in several models. In the implicitly as part of the Reconstruction phase along with the
model of Wong and Edwards (Wong and Edwards, 2004), it physical and digital examination process in Susaimanickam's
was used to Reconstruct a Database and Restore Database (Susaimanickam, 2012) model. Other models referred to the
Integrity after collecting data to rebuild intruder activities along Analysis process as Forensic Analysis (Khanuja and Adane,
with revealing malicious actions and restoring database 2013), Analysing Database Attacks (Khanuja and Suratkar,
consistency. In addition, Fowler mentioned it as different 2014), Reconstructing Evidence (Frhwirt et al., 2014),
names in two models. For example, in the model of Folwer Reconstruction (Adedayo and Olivier, 2015) , and
(Fowler et al., 2007), it was mentioned as part of the Timeline Reconstructing Volatile Artefacts (Wagner et al., 2015).
Creation and Media Analysis processes, while Fowler (Fowler,
2008) described it as part of the Artefact Analysis process to Some models highlighted certain investigation processes
reconstruct timeline events and analyse malicious activity. In explicitly or implicitly. For example, the Reconstruction
addition, Choi, et. als., (Choi et al., 2009) model referred to the process was mentioned explicitly in several models (Adedayo
analysis process as Financial Data Analysis and used it to and Olivier, 2015; Frhwirt et al., 2014; Wagner et al., 2015;
reveal fraudulent transactions. Other models referred to the Wong and Edwards, 2004), while it was mentioned implicitly
analysis process as Restoration and Searchability (Olivier, under the Artefact analysis process in Fowlers model (Fowler,
2009), where Son, et. als., (Son et al., 2011) model referred to 2008) and also mentioned implicitly in Choi, et. al.s, (Choi et
it as the Investigation on Data Collected process. Furthermore, al., 2009) model under the Financial Data Analysis process. In

2169-3536 (c) 2017 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2762693, IEEE Access

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) < 9

addition, it is mentioned as the Restoration process in Olivers


(Olivier, 2009) model, which used it to refer to the recreation of An additional refinement of the identified processes examined
data that have been (partially) destroyed or only partially the similarities from the broad perspective of documentation
recovered by a forensic capture process. Moreover, it is which would include presentation and reporting. The
mentioned implicitly under the Physical & digital examination Documentation and Presentation process was mentioned by
process in Susaimanickams (Susaimanickam, 2012) model. Susaimanickam (Susaimanickam, 2012) to document and
Therefore, it will be merged and grouped along with the present whole investigation stages and submit the results to the
Analysis process because it is part of the process that is used to court. In addition, Choi, et. al., (Choi et al., 2009) offered it as
rebuild timeline events during the analysis process. Therefore, a final report and court submission, whereas Khanuja and
seventeen (17) investigation processes have been organized, Adane (Khanuja and Adane, 2012a) mentioned it as a final
merged and grouped based on their activities and concepts. forensic report. Table 6 displays the fourth group of organized
Table 5 presents the third grouping of organized, merged and and merged investigation processes.
grouped investigation processes with similar concepts and
activities.
Table 5. The third group of organized, merged and grouped investigation processes.
Model Process Activity and Meaning
M1 Reconstructing Database Reconstructing database is used to rebuild intruder activities and reveal malicious actions.
M1 Restoring Database Restoring database integrity is used to restore database consistency.
Integrity
M2 Media Analysis Focuses on analyzing activities and revealing malicious intruders.
M4 Artefact Analysis Artefact analysis focuses on analyzing authentication and authorization artefacts as well as configuring and
versioning artefacts. Furthermore, it analyzes activity reconstruction and data recovery artefacts, which makes up
the largest grouping of artefacts.
M6 Financial Data Analysis Deep analysis of the account data and other related business data should be executed. It is used to reveal fraudulent
transactions.
M7 Restoration and Recreation of data that have been (partially) destroyed or only partially recovered.
Searchability
M8 Investigation on Data Methods of investigating data can be largely divided into three types, such as investigating data collected by using
Collected an agent remotely, investigating data collected by using backup commands and investigating data collected by
using the entire files.
M10 Artefact Analysis All data acquired through incident verification and collection phases are consolidated and analyzed.

M11 Reconstruction Rebuild database events.


M12 Analysis of Collected Data Analyse collected data using forensic analysis tools.
M13 Forensic Analysis Forensic analysis involves temporal detection, the determination of the time. It also involves spatial detection, the
determination of where the location of the data in the database was altered.
M15 Analysis Database Attacks Reconstruct and analyse database attacks to reveal who the attacker is., when the attack happened, where it
happened and how it happened.
M16 Reconstructing Evidence Reconstructing evidence is used to rebuild user activities and detect malicious activities.
M17 Reconstruction Identifying changes made to a database, identifying who may be responsible for the changes, confirming what we
expect to see in the database, and determining the timeline of events in the database.
M17 Analysis Use of log analysis and/or log management tools to enhance the analysis of the volume of information that may be
retrieved from log files during database forensics; the analysis process should be automated.
M18 Reconstructing Volatile Recover the newly introduced data from inserts and updates. Also, recover recently performed user actions (i.e.,
Artefacts reconstructing the fact that data were inserted, deleted or updated). Additionally, discover information about
changes that were canceled and undone (i.e., aborted transactions).
M18 Recovering Database Discovering the original schema, structure identifier, identify pages from the same structure, and discover other
Schema components of the schema.

Table 6: The fourth group of organized merged and grouped investigation processes.

Model Process Activity and Meaning


M11 Documentation and Presentation Document and present whole investigation stage and submit the results to the court.
M6 Final Report and Court Submission The investigation results should be reconstructed and written up as a report to submit to the court.
M10 Final Forensic Report Includes the investigation results and investigation steps.

In the summary of this section, fifty-four (54) extracted regardless of actual naming. Every group has a common
database forensic investigation processes have been organized, investigation process amongst other processes. Therefore, the
merged, and grouped based on their activities and concepts. common investigation process for every group will be proposed
Four forensic investigation groups have been highlighted. in the next section.
Every group has similar processes in meaning and activities,

2169-3536 (c) 2017 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2762693, IEEE Access

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) < 10

C. Proposed Common Investigation Process for to not rely solely on naming conventions (Selamat et al., 2008;
Database Forensic Examination. Yusoff et al., 2011). The mapping process is adopted to select
Four forensic investigation groups have been highlighted in the more frequent investigation process for every forensic
Section 3.3 based on similarities in concept and activities. This investigation group. Identification process was identified as an
section aims to propose a common investigation process for investigation process by fifteen (15) investigation processes in
every group. The mapping process has been adopted to propose Group 1. It appears three times in three models (Beyers, 2013;
common investigation processes. The investigative process, Khanuja and Adane, 2012a; Litchfield, 2007c). Table 7 shows
which has a higher frequency in the group, will be a candidate the mapping process of forensic investigation in Group 1.
and be referred to as a common investigation process. From In addition, Artefact Collection was identified as an
these phases, four common database forensic investigation investigative process by sixteen (16) investigation processes in
processes were derived: Identification process, Artefact Group 2. It appears three times in three models (Fowler, 2008;
Collection & Preservation, Artefact Analysis, and Khanuja and Adane, 2012a; 2013). Table 8 shows the mapping
Documentation and presentation process. Since some of these process of forensic investigation in Group 2.
processes overlap, it was necessary to take into account the
activities performed in each of the investigative processes and
Table 7. Mapping process of Forensic Investigation Group 1
Models\Process M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 M13 M14 M15 M16 M17 M18
Suspend database
operation
Verification
Identification
Investigation
preparation
Incident verification
Prepare Database
Environment
Data Acquisition
Server detection
Setup evidence
collection server
Examination preparation
Determine database
dimension
Determining acquisition
method

The Artefact analysis process was identified as a common Artefact Analysis). However, the Documentation and
Identification
investigation process among seventeen (17) investigation Presentation process has been proposed based on its generality.
processes in forensic investigation Group 2. It appears two It is more general than other investigation processes in the
times in two different models (Fowler, 2008; Khanuja and forensic investigation. The next section will combine the
Artifact Collection
Adane, 2012a). Table 9 shows the mapping process of forensic various definitions of database forensic investigation processes
& Preservation
Recollects

investigation in Group 3. and reconcile them to the abstract definition.

In addition, the Documentation and Presentation process was


identified as a common investigation process from forensic Artifact Analysis
investigation Group 4. This process has rarely been mentioned
by researchers. Therefore, the author suggests using this
process due to its generality. Fig 3 displays the proposed
common investigation process for a database forensic
investigation. Presentation & Documentation

In summary, four (4) common investigation processes have


been proposed based on their frequency or generality. Three
common investigation processes have been proposed based on
their frequency (Identification, Artefact Collection, and

2169-3536 (c) 2017 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2762693, IEEE Access

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) < 11

D. Reconciliation of Investigation Process Definitions


Fig.3. Proposed common database forensic investigation Explicit definitions are important in science. . Precise
processes (CDBFIP) definitions help to give a clear meaning of concepts.
Differences between definitions are reconciled in this phase.
Table 8: Mapping process of Forensic Investigation Group 2
M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 M13 M14 M1 M16 M17 M18
Models\Process 5
Collecting data
Evidence Collection
Collection process
Artefact collection
Extraction data process
Data Acquisition
Metadata Extraction
Data Collection
Collect files
Collection phase
a collection of non-
volatile artefacts
a collection of volatile
artefacts
Collection metadata

Table 9: Mapping process of Forensic Investigation Group 3


Models\Process M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 M13 M14 M1 M16 M17 M1
5 8
Reconstructing d0atabase
Restoring database
integrity
Media Analysis
Artefact analysis
Financial Data Analysis
Restoration and
Searchability
Investigation on Data
Collected
Reconstruction phase
Analysis of collected
data
Forensic analysis
Analysis of database
attacks
Reconstructing evidence
Reconstruction process
Analysis process
Reconstructing volatile
artefacts
Recovering database
schema

In choosing or synthesizing, the common investigation process to harmonize and reconcile the investigation process shortlisted
definitions to be used are shortlisted in this phase. If there is a definition. The same reconciliation approach process has been
conflict in the definition between two or more sources, then the implemented in previous research (Al-Dhaqm et al., 2014b;
definitions are reconciled based on common definitions and Beydoun et al., 2009). Similar definitions are reconciled and
environment applicability. Some models explicitly omit harmonized into one abstract definition.
defining their concept; in such cases, they do not provide any
input to the reconciliation process. Therefore, this section aims

2169-3536 (c) 2017 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2762693, IEEE Access

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) < 12

For example, the proposed Identification process defined by artefacts. Furthermore, analysing activity reconstruction and
Litchfield (Litchfield, 2007c) deals with disconnecting the data recovery artefacts, which make up the largest grouping of
database server from the network to capture volatile data as well artefacts, whereas Khanujha and Adane (Khanuja and Adane,
as prepare forensic environment and forensic techniques to 2012a) defined it as analysing all data that are acquired
moved captured data in, whereas Khanuja and Adane through the incident verification and collection phases.
(Khanuja and Adane, 2012a) defined it as Identification Clearly, Fowlers definition is broader than Khanujas
process used to identify MySQL database files (text files, log definition. Thus, we harmonize and reconcile these definitions
files, binary files) and also identify MySQL utilities. On the as Artefact Analysis process is the third Database Forensic
other hand, Beyers (Beyers, 2013) defined it as Identification investigation process that is used to analyze acquired data,
process for preparing database forensic layers and forensic activity reconstruction and data recovery using special forensic
methods, as well as preparing forensic environment (found techniques to reveal who is tampering, when and where the
environment, clean environment). Therefore, Litchfields tampering happened and how the tampering happened.
definition is specific to isolating the database server along with
preparing the forensic environment and forensic techniques, Finally, the Documentation and Presentation process was
whereas Khanujas definition is too specific to deal with defined by Susaimanickam (Susaimanickam, 2012) as
preparing MySQL database files and utilities. However, Documents and presents whole investigation stages, and
Beyerss definition is similar to Litchfields definition. Thus, submit the results to the court. However, the authors
Byerss definition and Litchfields definition will be reconciled reconciled it as Documentation and Presentation investigation
and harmonized in one abstract definition: process is the fourth Database Forensic investigation process
Identification process is the first Database Forensic that is used to document and present the investigation stages
investigation process that is used to prepare a clean and submit the results to the court.
database forensic investigation environment and trust
forensic techniques, as well as allow the investigation team In summary, the proposed common investigation process
to isolate the database server enough from the network to definitions have been reconciled and harmonized into abstract
prevent users from tampering and capturing volatile and definitions. The next section concentrates on comparing the
non-volatile data. proposed common investigation processes against other
existing database forensic models to validate and verify the
In addition, Artefact Collection was defined by three different completeness and generality of proposed common investigation
researchers. Fowler (Fowler, 2008) defined it as collection of processes.
volatile and non-volatile MSSQL Server database artefacts such
as log files, data files, data cache, transaction logs, and log IV. VALIDATION OF PROPOSED COMMON INVESTIGATION
files. Whereas, Khanuja and Adane (Khanuja and Adane, PROCESSES
2012a) defined it as collection and extraction of database files The version of the proposed common investigation process will
and metadata from a compromised database. In addition, now be validated and improved to make it complete and
Khanuja and Adane (Khanuja and Adane, 2013) defined it as a coherent.
collection of volatile and nonvolatile MSSQL Server database
artefacts such as log files, data files, a data cache, transaction The derived processes, of the proposed common investigation
logs, and log files. From an analysis viewpoint, Fowlers process, are validated and compared to processes from other
definition is too specific to MSSQL server database, whereas similar existing domain models (Sargent, 2005; Sargent, 2013;
Khanujas defined the Artefact Collection process from two 2015). For this purpose, we used a set of nine popular and
perspectives. The first definition focused on non-volatile widely used database forensic models in a validation set. Every
artefacts, whereas the second definition was borrowed from investigation process, in each of the models, can be
Fowler (Fowler, 2008). Consequently, a harmonized and appropriately derived from an investigation process. Where
reconciled version of this definition is as follows: Artefact required, we modified the proposed investigation process to
Collection process is the second Database Forensic ensure that it can represent all models in the validation set. This
investigation process that is used to collect and preserve volatile validation ensures that the database forensics domain can be
and non-volatile artefacts from the suspect database using trust represented in each of the models in the validation set. Where
forensic techniques. applicable, proposed investigation processes were modified to
ensure that every model can be represented. No processes were
Additionally, the Artefact Analysis process has two definitions. changed, e.g., Identification-process, Artefact Collection-
Fowler (Fowler, 2008) defined it as analysing authentication process, Artefact Analysis process, and Documentation &
and authorization events, as well as configuring and versioning

2169-3536 (c) 2017 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2762693, IEEE Access

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) < 13

Presentation process in the proposed common investigation D. Comparison against Oracle Forensics Part 2:
processes. Locating dropped objects
The model offered by Litchfield (Litchfield, 2007a) allows the
A. Comparison against Efficient model for detecting investigator to recover evidence directly from the data files of
data and data schemes tampering for the purpose of the compromised server, although an attacker may drop objects.
valid forensic analysis
Several Oracle views and tables assist the investigator in
A detection model, proposed by Azemovi and Mui locating dropped objects such as OBJ$, SOURCE$,
(Azemovi and Mui, 2009), aimed at detecting database IDL_UB1$, IDL_CHAR$, and RECYCLEBIN$ tables.
system tampering. It offered an efficient approach to providing Therefore, the proposed investigation process Artefact
audit logs for transaction processing systems that can analysis has been covered by the Recover evidence process
effectively and efficiently detect tampering. SQL coding and that is offered in this model. In addition, the activities of this
cryptographic techniques such as strong cryptographic hashing process, such as reconstructing events and timelines, are
were used to provide authentication codes on collected data. covered as well.
Thus, this model implicitly provides collection process. the
collection process is used to extract data from log files and
secure the validity of the collected data. Therefore, the proposed E. Comparison against On the Completeness of
common investigation process Artefact Collection covered Reconstructed Data for Database Forensics
the existing investigation process in the model Collection A specific reconstruction process was offered by (Adedayo and
process. Olivier, 2012) to rebuild deleted relations or deleted records
from the database to introduce evidence against database
B. Comparison against Methods for Efficient Digital incidents. A reconstruction algorithm is used through a
Evidence Collection of Business Processes reconstruction process to allow the investigators to provide
Three techniques were proposed by Azemovi and Mui evidence against database modifications. Thus, this process and
(Azemovic and Music, 2010) to collect digital evidence from its activities were enclosed by the proposed investigation
database systems: Triggers, Log file backup, and Replications. process Artefact Analysis.
Triggers are very powerful elements in a database system that,
F. Comparison against Database Tampering and
if used properly, can be very helpful in detecting data
Detection of Data Fraud
modifications. In addition, the log file backup concept can be
Analysis process was proposed by Adedayo and Oliver (Gawali
used on a regular basis for collecting and keeping digital
and Gupta) to detect and analyze malicious activity. Therefore,
evidence of users activity. Additionally, the replication method
the forensic detection algorithm and forensic analysis algorithm
is a set of technologies for copying and distributing data and
have been offered in this model to detect corruption events and
database objects from one environment to another; it then
determine when and where database tampering occurred. The
synchronizes between databases to maintain consistency.
outcome of this model has covered the proposed investigation
Therefore, this model offered a Collection process to collect
process Artefact Analysis.
evidence using three methods against user behavior. Thus, the
proposed Artefact collection process has covered the Collection
process. G. Comparison against Enriching Forensic Analysis
process for Tampered data in database
A forensic analysis process for tampered data in the database
C. Comparison with Assembling Metadata for Database
was offered by Abhonkar and Kanthe (Abhonkar and Kanthe)
Forensics
to detect and analyze database tampering. The Tiled Bitmap
A collection process model has been offered by Beyers, et. al.,
Algorithm was used to reveal when the tampering occurred and
(Beyers et al., 2011a) to locate the key evidence and maintain
what data were altered. The outcome of this model covered the
the integrity and reliability of the evidence. This model
proposed investigation process Artefact Analysis with
describes a database forensic method that transforms a DBMS
respect to activities and tasks.
into the required state for a database forensic investigation. The
method segments a DBMS into four abstract layers that separate
the various levels of DBMS metadata and data. Therefore, the H. Comparison against An approach to examining the
proposed common investigation process Artefact Collection Metadata and Data of a database Management
covered the existing investigation process Collection process System
in this model. This process model was proposed by Beyers, et. al., (Beyers et
al., 2011b) to conduct a forensic examination on a DBMS. A
Preparation process was offered in this model. The investigator

2169-3536 (c) 2017 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2762693, IEEE Access

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) < 14

prepares the forensic examination environment, for example, The escalating dependency of IoT devices to retain and
setting up the Ubuntu operating system and PostgreSQL manipulate data stored in databases emphasizes the need to
DBMS, and also prepares the forensic comparison tool, which develop an in-depth understanding of the nuances associated
can be used by the investigator to reveal database tampering. with conducting a database forensic investigation (Kebande and
Therefore, the preparation process was covered by the proposed Ray, 2016; Teing et al., 2017). This need will be more
common investigation process Identification process. pronounced as IoT becomes the norm in both civilian and
military settings, such as Internet of Battlefield / Military
Things.
I. Comparison against Forensic Analysis of Database
Tampering
In this paper, we identified fifty-four (54) investigation
The forensic analysis process model of database tampering was processes that were extracted from eighteen (18) database
proposed by Pavlou and Snodgrass (Pavlou and Snodgrass, forensic models. These processes were then grouped and
2008) to analyze corruption events in database systems. Several refined based on common objectives to identify mutual
forensic analysis algorithms were introduced in this model and investigation processes for the database forensic domain. This
are to be applied after detecting a database intrusion in order to analysis resulted in the Common Database Forensic
answer questions regarding when and where tampering Investigation Processes (CDBFIP). Based on a thorough
occurred. Therefore, the forensic analysis process that was investigation of identified processes and models, the CDBFIP
proposed in this model, along with the activities, has been reveals that the database forensic investigation process has four
covered by the proposed common investigation process common processes: identification, artefact collection and
Artefact Analysis. preservation process, artefact analysis process, and
documentation and presentation process. We then used nine
In summary, the proposed common investigation processes for existing database forensic investigation models to validate the
database forensics was validated against nine existing database completeness of the CDBFIP model..
forensic models. The proposed common investigation process
covers the investigation processes that are derived from the Future work will include examining the concepts and
compared models. Table 10 displays the proposed common relationships in each of the identified processes in the CDBFIP
investigation process in comparison to the database forensic by applying a software engineering approach known as a meta-
models. model, as well as evaluating the CDBFIP using real-world IoT
datasets. Future work will also investigate the application of
probabilistic and measurement science techniques into specific
Table 10: A Comparative Summary: Proposed common IoT database extraction solutions. The idea is to start to be able
investigation process and existing database forensic models to quantify confidence in terms of data relevance, origination
and tool extraction performance. We will also be seeking out
ID Processes in Processes in Status
Compared Model Proposed Model
opportunities to implement and evaluate the proposed CDBFIP
[68-76] Process in a real-world IoT infrastructures, which will allow us to
M1 Collection process Artefact Collection Supported validate and refine the model.
M2 Collection process Artefact Collection Supported
M3 Collection process Artefact Collection Supported
M4 Recover evidences Artefact Analysis Supported
Acknowledgements
process
M5 Reconstruction Artefact Analysis Supported
process
We acknowledge the experts at Cybersecurity Malaysia for
M6 Analysis process Artefact Analysis Supported their assistance and evaluation of this work. We also
M7 Forensic analysis Artefact Analysis Supported acknowledge Professor John Walker for his assistance and
process evaluation of this work.
M8 Preparation Identification Supported
process process

M9 Forensic analysis Artefact Analysis Supported


References
process

Ab Rahman, N. H., Cahyani, N. D. W. and Choo, K. K. R.


(2016a). Cloud incident handling and forensicby
design: cloud storage as a case study. Concurrency
V. CONCLUSION
and Computation: Practice and Experience.

2169-3536 (c) 2017 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2762693, IEEE Access

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) < 15

Ab Rahman, N. H., Glisson, W. B., Yang, Y. and Choo, K.-K. Beyers, H., Olivier, M. and Hancke, G. (2011a). Assembling
R. (2016b). Forensic-by-design framework for cyber- metadata for database forensics Advances in Digital
physical cloud systems. IEEE Cloud Computing, Forensics VII (pp. 89-99): Springer.
3(1), 50-59. Beyers, H., Olivier, M. S. and Hancke, G. P. (2011b). An
Abhonkar, P. D. and Kanthe, A. Enriching Forensic Analysis approach to examine the Metadata and Data of a
process for Tampered Data in Database. database Management System by making use of a
Adedayo, O. M. (2015). Reconstruction in Database forensic comparison tool. Proceedings of the 2011b
Forensics. University of Pretoria. ISSA,
Adedayo, O. M. and Olivier, M. S. (2012). On the Beyers, H., Olivier, M. S. and Hancke, G. P. (2012).
completeness of reconstructed data for database Arguments and Methods for Database Data Model
forensics Digital Forensics and Cyber Crime (pp. Forensics. Proceedings of the 2012 WDFIA, 139-149.
220-238): Springer. Beyers, H. Q. (2013). DATABASE FORENSICS:
Adedayo, O. M. and Olivier, M. S. (2015). Ideal log setting INVESTIGATING COMPROMISED DATABASE
for database forensics reconstruction. Digital MANAGEMENT SYSTEMS.
Investigation, 12, 27-40. Beyers, H. Q. (2014). Database forensics: Investigating
Al-Dhaqm, A. M. R., Othman, S. H., Razak, S. A. and Ngadi, compromised database management systems.
A. (2014a). Towards adapting metamodelling Cahyani, N. D. W., Martini, B., Choo, K. K. R. and Al
technique for database forensics investigation
Azhar, A. (2016). Forensic data acquisition from
domain. Proceedings of the 2014a Biometrics and
Security Technologies (ISBAST), 2014 International cloudofthings devices: windows Smartphones as
Symposium on, 322-327. a case study. Concurrency and Computation:
Al-Dhaqm, R., Mohammed, A., Othman, S. H., Abd Razak, S. Practice and Experience.
and Ngadi, A. (2014b). Towards adapting Choi, J., Choi, K. and Lee, S. (2009). Evidence Investigation
metamodelling technique for database forensics Methodologies for Detecting Financial Fraud Based
investigation domain. Proceedings of the 2014b on Forensic Accounting. Proceedings of the 2009
Biometrics and Security Technologies (ISBAST), Computer Science and its Applications, 2009.
2014 International Symposium on, 322-327. CSA'09. 2nd International Conference on, 1-6.
Azemovic, J. and Music, D. (2010). Methods for Efficient Daryabar, F., Dehghantanha, A. and Choo, K.-K. R. (2016).
Digital Evidences Collecting of Business Proceses Cloud storage forensics: MEGA as a case study.
and Users Activity in eLearning Enviroments. Australian Journal of Forensic Sciences, 1-14.
Proceedings of the 2010 e-Education, e-Business, e- Do, Q., Martini, B. and Choo, K.-K. R. (2015a). A Cloud-
Management, and e-Learning, 2010. IC4E'10. Focused Mobile Forensics Methodology. IEEE Cloud
International Conference on, 126-130. Computing, 2(4), 60-65.
Azemovi, J. and Mui, D. (2009). Efficient model for Do, Q., Martini, B. and Choo, K.-K. R. (2015b). A
detection data and data scheme tempering with forensically sound adversary model for mobile
purpose of valid forensic analysis. Proceedings of the devices. PloS one, 10(9), e0138449.
2009 2009 International Conference on Computer Do, Q., Martini, B. and Choo, K. K. R. (2016). Is the data on
Engineering and Applications (ICCEA 2009), your wearable device secure? An Android Wear
Azfar, A., Choo, K.-K. R. and Liu, L. (2016a). Forensic smartwatch case study. Software: Practice and
taxonomy of android productivity apps. Multimedia Experience.
Tools and Applications, 1-29. Fasan, O. M. and Olivier, M. (2012a). Reconstruction in
Azfar, A., Choo, K. K. R. and Liu, L. (2016b). An android database forensics Advances in Digital Forensics VIII
communication app forensic taxonomy. Journal of (pp. 273-287): Springer.
Forensic Sciences, 61(5), 1337-1350. Fasan, O. M. and Olivier, M. S. (2012b). On Dimensions of
Basu, A. (2006a). Forensic tamper detection in SQL server. Reconstruction in Database Forensics. Proceedings of
Retrieved form: http://www. sqlsecurity. the 2012b WDFIA, 97-106.
com/chipsblog/archivedposts. Fatima, F. (2011). Detecting Database Attacks Using
Basu, A. (2006b). Forensic tamper detection in SQL server. Computer Forensics Tools. Texas A&M University-
Berman, K., Glisson, W. B. and Glisson, L. M. (2015). Corpus Christi.
Investigating the Impact of Global Positioning Flores, D., Angelopoulou, O. and Self, R. J. (2012).
System (GPS) Evidence in Court Cases. Paper Combining Digital Forensic Practices and Database
presented at the Hawaii International Conference on Analysis as an Anti-Money Laundering Strategy for
System Sciences (HICSS-48), Kauai, Hawaii Financial Institutions. Proceedings of the 2012
http://www.hicss.hawaii.edu/hicss_48/apahome48.ht Emerging Intelligent Data and Web Technologies
m (EIDWT), 2012 Third International Conference on,
Beydoun, G., Low, G., Henderson-Sellers, B., Mouratidis, H., 218-224.
Gomez-Sanz, J. J., Pavon, J., et al. (2009). FAML: a Fowler, K. (2008). SQL server forenisc analysis: Pearson
generic metamodel for MAS development. IEEE Education.
Transactions on Software Engineering, 35(6), 841- Fowler, K., Gold, G. and MCSD, M. (2007). A real world
863. scenario of a SQL Server 2005 database forensics

2169-3536 (c) 2017 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2762693, IEEE Access

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) < 16

investigation. Information security reading room International Journal Of Computers & Technology,
paper, SANS Institute. 7(3), 654-663.
Fruhwirt, P., Huber, M., Mulazzani, M. and Weippl, E. R. Khanuja, H. K. and Adane, D. D. (2012b). A Framework For
(2010). Innodb database forensics. Proceedings of the Database Forensic Analysis. Published in Computer
2010 Advanced Information Networking and Science & Engineering: An International Journal
Applications (AINA), 2010 24th IEEE International (CSEIJ), 2(3).
Conference on, 1028-1036. Lawrence, A. C. (2014). Forensic Investigation of MySQL
Frhwirt, P., Kieseberg, P., Krombholz, K. and Weippl, E. Database Management System.
(2014). Towards a forensic-aware database solution: Lee, D., Choi, J. and Lee, S. (2009). Database forensic
Using a secured database replication protocol and investigation based on table relationship analysis
transaction management for digital investigations. techniques. Proceedings of the 2009 2009 2nd
Digital Investigation, 11(4), 336-348. International Conference on Computer Science and
Frhwirt, P., Kieseberg, P., Schrittwieser, S., Huber, M. and Its Applications, CSA 2009,
Weippl, E. (2012). InnoDB database forensics: Lee, G. T., Lee, S., Tsomko, E. and Lee, S. (2007).
reconstructing data manipulation queries from redo Discovering Methodology and Scenario to Detect
logs. Proceedings of the 2012 Availability, Reliability Covert Database System. Proceedings of the 2007
and Security (ARES), 2012 Seventh International Future Generation Communication and Networking
Conference on, 625-633. (FGCN 2007), 130-135.
Frhwirt, P., Kieseberg, P., Schrittwieser, S., Huber, M. and Litchfield, D. (2007a). Oracle forensics part 2: Locating
Weippl, E. (2013). InnoDB database forensics: dropped objects. NGSSoftware Insight Security
Enhanced reconstruction of data manipulation queries Research (NISR).
from redo logs. Information Security Technical Litchfield, D. (2007b). Oracle forensics part 2: Locating
Report, 17(4), 227-238. dropped objects. NGSSoftware Insight Security
Gawali, P. P. and Gupta, D. S. R. Database Tampering and Research (NISR) Publication, Next Generation
Detection of Data Fraud by Using the Forensic Security Software.
Scrutiny Technique. International Journal of Litchfield, D. (2007c). Oracle forensics part 4: Live response.
Emerging Technology and Advanced Engineering. Litchfield, D. (2007d). Oracle forensics part 5: Finding
Hauger, W. K. and Olivier, M. S. (2015). The state of evidence of data theft in the absence of auditing.
Database Forensic research. Proceedings of the 2015 NGSSoftware Insight Security Research (NISR), Next
Information Security for South Africa (ISSA), 2015, Generation Security Software Ltd., Sutton.
1-8. March, S. T. and Smith, G. F. (1995). Design and natural
Hooper, C., Martini, B. and Choo, K.-K. R. (2013). Cloud science research on information technology. Decision
computing and its implications for cybercrime support systems, 15(4), 251-266.
investigations in Australia. Computer Law & Security Martini, B. and Choo, K.-K. R. (2014a). Distributed filesystem
Review, 29(2), 152-163. forensics: XtreemFS as a case study. Digital
Immanuel, F., Martini, B. and Choo, K.-K. R. (2015). Android Investigation, 11(4), 295-313.
cache taxonomy and forensic process. Proceedings of Martini, B. and Choo, K.-K. R. (2014b). Remote
the 2015 Trustcom/BigDataSE/ISPA, 2015 IEEE, programmatic vCloud forensics: a six-step collection
1094-1101. process and a proof of concept. Proceedings of the
Kambire, M. K., Gaikwad, P. H., Gadilkar, S. Y. and Funde, 2014b 2014 IEEE 13th International Conference on
Y. A. An Improved Framework for Tamper Detection Trust, Security and Privacy in Computing and
in Databases. Communications, 935-942.
Kebande, V. R. and Ray, I. (2016). A generic digital forensic McMillan, J., Glisson, W. B. and Bromby, M. (2013).
investigation framework for internet of things (iot). Investigating the Increase in Mobile Phone Evidence
Proceedings of the 2016 Future Internet of Things in Criminal Activities. Paper presented at the Hawaii
and Cloud (FiCloud), 2016 IEEE 4th International International Conference on System Sciences
Conference on, 356-362. (HICSS-46), Wailea, Hawaii.
Kelly, S. and Pohjonen, R. (2009). Worst practices for Olivier, M. S. (2009). On metadata context in database
domain-specific modeling. IEEE software, 26(4), 22- forensics. Digital Investigation, 5(3), 115-123.
29. Othman, S. H. and Beydoun, G. (2010). Metamodelling
Khanuja, H. and Suratkar, S. S. (2014). Role of metadata in approach to support disaster management knowledge
forensic analysis of database attacks. Proceedings of sharing.
the 2014 Advance Computing Conference (IACC), Panigrahi, P. K. (2011). A framework for discovering internal
2014 IEEE International, 457-462. financial fraud using analytics. Proceedings of the
Khanuja, H. K. and Adane, D. (2012a). A framework for 2011 Communication Systems and Network
database forensic analysis. Computer Science & Technologies (CSNT), 2011 International Conference
Engineering: An International Journal (CSEIJ), 2(3), on, 323-327.
27-41. Pavlou, K. E. and Snodgrass, R. T. (2008). Forensic analysis
Khanuja, H. K. and Adane, D. (2013). Forensic Analysis of of database tampering. ACM Transactions on
Databases by Combining Multiple Evidences. Database Systems (TODS), 33(4), 30.

2169-3536 (c) 2017 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2762693, IEEE Access

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) < 17

Pavlou, K. E. and Snodgrass, R. T. (2012). Achieving Wagner, J., Rasin, A. and Grier, J. (2015). Database forensic
database information accountability in the cloud. analysis through internal structure carving. Digital
Proceedings of the 2012 Data Engineering Investigation, 14, S106-S115.
Workshops (ICDEW), 2012 IEEE 28th International Wong, D. and Edwards, K. (2004). System and method for
Conference on, 147-150. investigating a data operation performed on a
Pavlou, K. E. and Snodgrass, R. T. (2013). Generalizing database: Google Patents.
database forensics. ACM Transactions on Database Wright-GSEC, P. M. and GCFW, G. (2005). Oracle Database
Systems (TODS), 38(2), 12. Forensics using LogMiner.
Quick, D. and Choo, K.-K. R. (2013). Forensic collection of Wright, P. M. (2005). Oracle database forensics using
cloud storage data: Does the act of collection result in LogMiner. Proceedings of the 2005 June 2004
changes to the data or its metadata? Digital Conference, SANS Institute,
Investigation, 10(3), 266-277. Wright, P. M. and Burleson, D. (2008). Oracle Forensics:
Quick, D. and Choo, K.-K. R. (2014). Impacts of increasing Oracle Security Best Practices: Rampant TechPress.
volume of digital forensic data: A survey and future Xu, M., Yao, J., Ren, Y., Xu, J., Zhang, H., Zheng, N., et al.
research challenges. Digital Investigation, 11(4), (2014). A Reconstructing Android User Behavior
273-294. Approach based on YAFFS2 and SQLite. Journal of
Quick, D. and Choo, K.-K. R. (2016). Big forensic data Computers, 9(10), 2294-2302.
reduction: digital forensic images and electronic Yang, T. Y., Dehghantanha, A., Choo, K.-K. R. and Muda, Z.
evidence. Cluster Computing, 1-18. (2016). Windows instant messaging app forensics:
Quick, D., Martini, B. and Choo, R. (2013). Cloud storage Facebook and Skype as case studies. PloS one, 11(3),
forensics: Syngress. e0150300.
Sargent, R. G. (2005). Verification and Validation of Yusoff, Y., Ismail, R. and Hassan, Z. (2011). Common phases
Simulation Models. Paper presented at the of computer forensics investigation models.
Proceedings of the 37th Conference on Winter International Journal of Computer Science &
Simulation, Orlando, Florida. Information Technology (IJCSIT), 3(3), 17-31.
Sargent, R. G. (2013). Verification and validation of
simulation models. Journal of simulation, 7(1), 12-
24.
Sargent, R. G. (2015). Model Verification and Validation
Modeling and Simulation in the Systems Engineering
Life Cycle (pp. 57-65): Springer.
Selamat, S. R., Yusof, R. and Sahib, S. (2008). Mapping
process of digital forensic investigation framework.
International Journal of Computer Science and
Network Security, 8(10), 163-169.
Son, N., Lee, K.-g., Jeon, S., Chung, H., Lee, S. and Lee, C.
(2011). The Method of Database Server Detection
and Investigation in the Enterprise Environment
Secure and Trust Computing, Data Management and
Applications (pp. 164-171): Springer.
Susaimanickam, R. (2012). A workflow to support forensic
database analysis. Murdoch University.
Teing, Y.-Y., Dehghantanha, A., Choo, K.-K. R. and Yang, L.
T. (2016). Forensic investigation of P2P cloud
storage services and backbone for IoT networks:
BitTorrent Sync as a case study. Computers &
Electrical Engineering.
Teing, Y.-Y., Dehghantanha, A., Choo, K.-K. R. and Yang, L.
T. (2017). Forensic investigation of P2P cloud
storage services and backbone for IoT networks:
BitTorrent Sync as a case study. Computers &
Electrical Engineering, 58, 350-363.
Tripathi, S. and Meshram, B. B. (2012a). Digital Evidence for
Database Tamper Detection.
Tripathi, S. and Meshram, B. B. (2012b). Digital Evidence for
Database Tamper Detection. Journal of Information
Security, 3, 113.
Von Alan, R. H., March, S. T., Park, J. and Ram, S. (2004).
Design science in information systems research. MIS
quarterly, 28(1), 75-105.

2169-3536 (c) 2017 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.