An approach to examine the Metadata and Data of a database Management System by making use of a forensic comparison tool

This paper will discuss how a forensic comparison tool can effectively assist in a forensic investigation of the metadata and data of a database installation, and an approach to handle the output of the forensic comparison tool in a forensic investigation. The metadata of a psql DBMS installation was compromised to support this statement. The relational database management system was divided into four abstract layers to separate various types of metadata and separate the metadata from the data. These four abstract layers are the data model, data dictionary, and application schema and application data layers. Code was implemented to construct a forensic tool that compares a suspect DBMS installation with a clean DBMS installation. Any discrepancies between the two DBMS installation are reported. The forensic tool considers two types of comparisons namely a file search and dump search. The file search has a three step procedure of (1) checking if all files in both installations are the same, (2) compare the md5 hashes of files that exist in both DBMS installations, (3) and compare the contents of files which are not the same. The dump search makes a dump of both DBMS installations and compares the output. The dump search is particular useful in managing discrepancies found with the file search. This paper proposes a way in which these discrepancies can be handled by considering various outcomes and scenarios. The four abstract layers make it easier to manage a forensic examination after discrepancies were reported by the forensic comparison tool. An approach is discussed on how to deal with add-ons and different versions of DBMS installations. Although the psql DBMS was used for the forensic tool, the concepts in this paper remain independent of DBMS. Keywords-component; database forensics; database metadata;