Many of our data records are stored in database management systems (DBMS), and in the event of a mishap, data breach or theft incident there is both a legal and a technical need to follow a database forensics investigation process, using specialized tools to carefully uncover what happened.
Most of the common DBMS are:
- Microsoft SQL Server
Before we look at database forensics, we have to understand what digital forensics is. It is the scientific application of analysing digital evidence, mainly used in a court of law, and has several sub-disciplines such as cloud forensics, mobile phone forensics, etc.
Digital forensics is not to be confused with the concept of data recovery, although both are similar in many ways. Forensics, as a whole, is used for investigation purposes.
What is Database Forensics?
Database forensics is a sub-field of the digital forensics discipline that deals with the preservation, extraction, analysis and presentation of digital evidence and findings.
With scientific forensics in mind, it is often used for litigation, criminal investigation and organisational inquiry purposes. However, it can also be used as a specialized database extraction skill to query the database and find out what happened.
Examiners using database forensics tools can expect to be looking more in-depth, such as analysing file metadata, record timestamps, database artefacts and system artefacts.
Which are the Best Database Forensics Software?
Here are the seven (7) BEST Database Forensics software tools that you can use to analyse and recover deleted database entries.
Popular among users and developers who want to create, search and edit databases compatible with SQLite, DB Browser for SQLite is a free, lightweight open-source tool with a clean interface.
The database software supports Windows, macOS and Linux operating systems. One prominent feature of this tool is the ability to export multiple tables to CSV, all in a single group, to analyse together.
Suitable for database forensics, the program comes with a Windows portable app version that does not require installation. You can run this program from an external USB flash drive when examining computer systems.
Some of the useful features are:
- Create and compact database files
- Create, define, modify and delete tables
- Import and export tables from/to CSV files
- Import and export databases from/to SQL dump files
- Examine a log of all SQL commands issued by the application
- Plot simple graphs based on table or query data
Database Forensic Analysis System is a commercial software that supports multiple relational and non-relational databases such as Oracle, SQLite, MySQL, MongoDB, Redis and Cassandra.
The database forensic software assists in resolving problems with deleted, corrupted or fragmented database files, false file systems, restricted accessibility of the application system, etc.
Some of the main features include:
- Unrestricted accessibility to the database files – no need for password or account info from the application system
- Extraction and recovery of normal/deleted/damaged database files – e.g. tables, views, triggers
- Multiple analysis functions – e.g. keyword searching, SQL statement query, visual connection analysis
- Patented file carving technology – extract, analyze and reorganize fragmented database files
This commercial forensic software suite is a must-have for any forensic investigator, making the tasks of recovering SQLite records from disk, image and database simpler.
The Forensic Toolkit for SQLite is a suite of three (3) comprehensive software tools namely;
- The Forensic Browser for SQLite
- Forensic Recovery for SQLite
- SQLite Forensic Explorer
It is an investigative tool designed to show every single byte of an SQLite database, journal or WAL file along with its decoded data. It is also a forensic tool to aid in the recovery of databases, tables and records.
Some of the features include:
- Examining unused space in tables and indexes
- Viewing how each record is encoded and stored in a table or index
- Exploring the free list and every page within it
- Overview of the type and content of the database, which can be SMS, passwords or any other valuable evidence
This commercial forensic tool was designed specifically for database administrators to analyze the transaction log files of MySQL Server databases and recover deleted transaction logs.
Log Analyzer for SQL scans the forensic details of Redo, General, and Binary logs to identify abnormalities in the MySQL database.
The forensic tool helps you preview the type of transaction (insert, delete, and update), the time of the transaction, the name of the transaction, and the table name involved in the query.
Some of the features include:
- Saving logs in multiple formats, such as MySQL, CSV, HTML and XLS
- Date filters on log transactions and log transaction data to analyze the data for a particular time period
- Option to save a log report of the MySQL log file analysis process
SQLite Forensics Explorer is designed for investigators and administrators to restore lost and deleted databases and export these entries in different formats.
The forensic tool reveals the intention of the user who deleted the database records by not only recovering the deleted data but also highlighting which data was deleted or securely deleted.
Some of the main features are:
- Sort data with a colour schema – different colours for normal data, deleted data, unallocated data, etc.
- Manage multiple custodians
- Recover associated journal files
- Indexing of SQLite databases for further investigation or judicial proceedings
- Multiple options for export, e.g. CSV/PDF
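The free-list and record-level views described above, and the distinction between deleted and securely deleted data, both rest on the same property of the SQLite file format: a DELETE only unlinks a cell inside its page and a DROP only moves the page to the freelist, leaving the bytes in place unless the secure_delete pragma is on. This added example (not code from the article or from any of the tools it lists) demonstrates that with only the Python standard library: it builds a constructed sample database, deletes half the rows, drops the table, and at each step counts the row bodies still present in the raw file and reads the freelist page count from offset 36 of the 100-byte file header.

```python
import os
import sqlite3
import struct
import tempfile

# Constructed sample payload: every row body starts with this tag so it can be
# counted in the raw file bytes independently of the SQL engine.
MARKER = b"forensic-record-"

def header_info(path):
    """Parse the 100-byte SQLite header: (page size, number of freelist pages)."""
    with open(path, "rb") as f:
        hdr = f.read(100)
    assert hdr[:16] == b"SQLite format 3\x00", "not an SQLite 3 database"
    page_size = struct.unpack(">H", hdr[16:18])[0]      # big-endian, offset 16
    freelist_pages = struct.unpack(">I", hdr[36:40])[0]  # big-endian, offset 36
    return page_size, freelist_pages

def raw_marker_count(path):
    """Count row bodies still present in the raw file bytes, live or residual."""
    with open(path, "rb") as f:
        return f.read().count(MARKER)

def run_scenario(secure_delete):
    """Insert 10 small rows (all on one b-tree page), delete 5, then drop the
    table, recording what the file still holds at each stage."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.db")
        conn = sqlite3.connect(path)
        conn.execute("PRAGMA page_size = 4096")     # fixed so all rows fit one page
        conn.execute("PRAGMA auto_vacuum = NONE")   # freed pages stay on the freelist
        conn.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
        conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
        conn.executemany("INSERT INTO messages VALUES (?, ?)",
                         [(i, "%s%02d %s" % (MARKER.decode(), i, "x" * 80))
                          for i in range(10)])
        conn.commit()
        conn.execute("DELETE FROM messages WHERE id % 2 = 1")   # ids 1,3,5,7,9
        conn.commit()
        obs = {"live_rows": conn.execute("SELECT COUNT(*) FROM messages").fetchone()[0],
               "markers_after_delete": raw_marker_count(path),
               "freelist_after_delete": header_info(path)[1]}
        conn.execute("DROP TABLE messages")   # root page 2 moves to the freelist
        conn.commit()
        conn.close()
        obs["markers_after_drop"] = raw_marker_count(path)
        obs["freelist_after_drop"] = header_info(path)[1]
        return obs

if __name__ == "__main__":
    for mode in (False, True):
        print("secure_delete=%s -> %s" % (mode, run_scenario(mode)))
```

With secure_delete off, all ten bodies are still in the file after the DELETE (five live, five in the page's free blocks) and after the DROP (on the freelist page), which is the residue these tools carve; with it on, SQLite zeroes the freed bytes and only the five live rows remain, then none at all.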
Foxton Forensics has a free tool called SQLite Viewer that is used for inspecting the contents of SQLite databases.
The forensic software has a database searcher that automatically loads all SQLite databases from a folder and its subfolders. Images stored in the database are also automatically extracted and viewable by examiners in the built-in gallery interface.
SQLite Viewer has a hex viewer to examine BLOBs and export them to a file for further analysis.
dbResponder is a free SQL Server forensics tool that is capable of automated preservation and advanced analysis of database artefacts.
The forensic tool is useful for data breach preparation and response, and was developed by Kevvie Fowler, who is a partner and National Cyber Response leader at KPMG.
The software can acquire database artefacts from a single SQL server or from multiple servers. All artefacts collected are forensically preserved with timestamps, metadata and hashes.