Forensic Deconstruction of Databases through Direct Storage Carving

Dr. Alexander Rasin

Dr. Alexander Rasin

Speaker Bio

Dr. Alexander Rasin is an Assistant Professor in the College of Computing and Digital Media (CDM) at DePaul University. He received his Ph.D. and M.Sc. in Computer Science from Brown University, Providence. He is a co-Director of Data Systems and Optimization Lab at CDM and his primary research interest is in database forensics and cybersecurity applications of forensic analysis. Dr. Rasin’s other research projects focus on building and tuning performance of domain-specific data management systems — currently in the areas of computer-aided diagnosis and software analytics. Several of his research projects are supported by NSF.

Presentation

The increasing use of databases in the storage of critical and sensitive information in many organizations has lead to an increase in the rate at which databases are the target of computer crimes. While there are some techniques and tools available for database forensics, they typically assume apriori preparation (e.g., detailed logging) and rely on built-in database features working properly (e.g., no hacking). Investigators, alternatively, need forensic techniques that make no such assumptions and tools that can be applied to a damaged or an already-compromised database system.
In this talk we present DBCarver, a tool for reconstructing database content from database storage (disk, RAM, etc.) without relying on any metadata from the database, or needing metadata from the OS/file system. The tool uses database page carving to reconstruct both query-able data and non-query-able data (deleted and auxiliary data). We describe how the two kinds of data can be combined to enable a variety of forensic analysis questions hitherto unavailable to forensic investigators, including finding evidence of database tampering. We conclude with a brief demo of DBCarver.