Research Article
On the Completeness of Reconstructed Data for Database Forensics
@INPROCEEDINGS{10.1007/978-3-642-39891-9_14, author={Oluwasola Adedayo and Martin Olivier}, title={On the Completeness of Reconstructed Data for Database Forensics}, proceedings={Digital Forensics and Cyber Crime. 4th International Conference, ICDF2C 2012, Lafayette, IN, USA, October 25-26, 2012, Revised Selected Papers}, proceedings_a={ICDF2C}, year={2013}, month={10}, keywords={Digital forensics Database forensics Database reconstruction algorithm Digital evidence Forensic science}, doi={10.1007/978-3-642-39891-9_14} }- Oluwasola Adedayo
Martin Olivier
Year: 2013
On the Completeness of Reconstructed Data for Database Forensics
ICDF2C
Springer
DOI: 10.1007/978-3-642-39891-9_14
Abstract
Databases are often used to store critical and sensitive information in various organizations and this has led to an increase in the rate at which databases are exploited in computer crimes. Even though various investigations involving databases have been explored, very little amount of research has been done on database forensics. This paper briefly describes a database reconstruction algorithm presented in an earlier work and shows the limitation that can be encountered when the algorithm has to deal with partially reconstructed relations or the deletion of tuples in a relation. Since reconstructed data can often be used as the evidence to support or refute claims about the data in a database, the inability to reconstruct necessary data may imply the absence of evidence. However, according to an axiom from forensic science, this does not mean an evidence of absence. As such, this paper presents two different techniques that can be used in reconstructing more tuples in a relation and provide corroborating evidence to claims about the data on a database. A typical example is used to describe the limitation of the database reconstruction algorithm and how the limitation can be overcomed by using the techniques described in the paper.