Forensic Recovery of SQL Server Database: Practical Approach

Database forensics is becoming more important for investigators with the increased use of information system. Although various database forensic methods such as log analysis and investigation model development have been studied, among methods, recovering deleted data a key technique in DB tampering anti-forensics. Previous studies mainly focused on transaction or journal to recover data, but if logs are set be periodically containing critical evidence overwritten by new logs, log-based recovery method can not used practically. For this reason, an engine-based that analyzes file at raw level has also introduced. There research small-sized databases SQLite EDB, there no prior work describing structure technology large enterprises organizations. In context, we investigate Microsoft SQL Server (MSSQL), which one most databases. Our focuses storage engine MSSQL. Through analyzing engine, identify internal MSSQL files mechanism. Based these findings, tables records presented empirical examination. It compatible versions because it accesses level. proposed verified comparative experiment tools implemented data. The experimental results show our recovers all from unallocated area. types including multimedia called Large Objects (LOB) field. To contribute digital community, provide source code implementation; facilitates knowledge sharing forensics.