• Publications
  • Influence
Database forensic analysis through internal structure carving
TLDR
We present a universal tool that seamlessly supports many different databases, rebuilding table and other data content from any remaining storage fragments on disk or in memory. Expand
  • 25
  • 4
  • PDF
Database Forensic Analysis with DBCarver
TLDR
We present DBCarver, a tool for reconstructing database content from a database image without using any log or system metadata. Expand
  • 18
  • 2
  • PDF
Carving database storage to detect and trace security breaches
TLDR
We present an approach that evaluates the integrity of a live database, identifying and reporting evidence for log tampering. Expand
  • 17
  • 2
  • PDF
Rapid forensic imaging of large disks with sifting collectors
TLDR
We present a new approach to digital forensic evidence acquisition and disk imaging called sifting collectors that images only those regions of a disk with expected forensic value. Expand
  • 24
  • 1
  • PDF
DB3F & DF-Toolkit: The Database Forensic File Format and the Database Forensic Toolkit
TLDR
We present a standard storage format, Database Forensic File Format (DB3F), for database forensic tools output that follows the guidelines established by other (file system) forensic tools, and 2) a view and search toolkit that enables the analysis of data stored in our database forensic format. Expand
  • 6
  • 1
  • PDF
Detecting data theft using stochastic forensics
TLDR
We present a method to examine a filesystem and determine if and when files were copied from it and identify emergent patterns in MAC timestamps unique to copying. Expand
  • 30
  • PDF
Database image content explorer: Carving data that does not officially exist
When a file is deleted, the storage it occupies is de-allocated but the contents of the file are not erased. An extensive selection of file carving tools and techniques is available to forensicExpand
  • 13
  • PDF
Detecting Database File Tampering through Page Carving
TLDR
We propose a system, DBStorageAuditor, that detects database file tampering by identifying inconsistencies in storage through a direct inspection of internal database structures. Expand
  • 7
  • PDF
Database image content explorer
TLDR
We use our Database Image Content Explorer tool, based on a universal database storage model, to recover a variety of phantom data: a)data that was actually deleted by a user, b) data that is marked as deleted, but was never explicitly deleted by any user and c) data That is not marked as deletion and had been de-allocated without anyone's knowledge. Expand
  • 4
...
1
2
...