
What Is Forensically Sound Data Collection?

Forensically sound data collection refers to the process by which data is collected for ediscovery
without any changes to the data or its metadata. Collection itself is part of the second stage of
the ediscovery process, in which data marked for preservation is collected into a repository for
later processing, review, analysis, and production. Collection supports the earlier stage of
preservation, as collected data is available for later stages of discovery and will not be
inadvertently deleted or modified.

To be forensically sound, a data collection process must be defensible, meaning that it is
consistent, repeatable, and well documented. A forensically sound data collection process
should be accompanied by an audit trail describing every step that was taken in collecting
electronically stored information (ESI). The process should be subject to authentication, or proof
that the collected data is the same data that a litigant used, unchanged from its original state; in
practice this is shown with cryptographic hash values (SHA-256, for example) computed at the time
of collection and recomputed whenever the data is later verified. In short, the entire data
collection process should be correct and explainable so that it can withstand scrutiny in a court
of law.

One common method of forensically sound data collection involves the forensic imaging of a
subject drive or storage device. While terminology may vary, a logical copy of a folder or drive
generally includes only the files that are accessible through the file system. This is the copy that
a regular user would make; it doesn't capture deleted or hidden files or the unallocated space they
may still occupy. Physical imaging, on the other hand, is more rigorous. This method produces a
bitstream or bit-by-bit copy of an entire drive, including unallocated space and any deleted or
hidden files that a logical copy would miss. In either case the source device is normally attached
through a write blocker, and the resulting image is hashed immediately after acquisition so that
every later working copy can be checked against it.

In small, straightforward cases, self-collection by the owner of the data may be appropriate and
even preferable to a more expensive forensically sound data collection. But merely opening or
copying a file can be enough to modify its metadata (its last-accessed or last-modified timestamp,
for example), which may raise doubts about the validity of the production.
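The audit trail, the hash-based authentication, and the metadata problem described above can be seen together in a small collection script. This is an added example, not code from the original page or from any vendor it mentions: it uses only the Python standard library, and the directory layout, the manifest fields, and the examiner name are assumptions made for the demonstration. It records each file's metadata before the first read (because even hashing a file on a live file system can update its access time), hashes the file before and after the copy, preserves what a copy tool can preserve, writes a manifest that doubles as the step log, and then re-verifies the repository copy against that manifest.

```python
"""Collect files into an evidence repository with a hash manifest and audit trail.

Added example, not from the original page.  Standard library only; the
directory layout, manifest fields and examiner name are assumptions.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream the file so large items do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def file_metadata(path):
    """Snapshot the timestamps a court may later ask about.  ctime cannot be
    restored by any copy tool, so it is recorded here purely for the record."""
    st = os.stat(path)
    return {"size": st.st_size, "mode": oct(st.st_mode),
            "mtime_ns": st.st_mtime_ns, "atime_ns": st.st_atime_ns,
            "ctime_ns": st.st_ctime_ns}


def utc_now():
    return datetime.now(timezone.utc).isoformat()


def collect(source_dir, dest_dir, examiner):
    """Copy every file under source_dir into dest_dir, recording pre-collection
    metadata, a hash before and after the copy, and a step-by-step log.
    Returns the manifest path and the manifest's own SHA-256."""
    os.makedirs(dest_dir, exist_ok=True)
    manifest = {"examiner": examiner, "started": utc_now(),
                "source": os.path.abspath(source_dir), "items": [], "log": []}
    for root, dirs, files in os.walk(source_dir):
        dirs.sort()
        files.sort()                     # fixed order: a re-run is repeatable
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, source_dir)
            before = file_metadata(src)  # before the first read: even hashing
                                         # can bump atime on a live file system
            src_hash = sha256_file(src)
            dst = os.path.join(dest_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)       # content plus mtime/atime via copystat
            copy_hash = sha256_file(dst)
            after = file_metadata(dst)
            manifest["items"].append({
                "path": rel, "sha256": src_hash, "copy_sha256": copy_hash,
                "source_metadata": before, "copy_metadata": after,
                "content_verified": src_hash == copy_hash,
                "mtime_preserved": before["mtime_ns"] == after["mtime_ns"]})
            manifest["log"].append(f"{utc_now()} copied {rel} sha256={src_hash}")
    manifest["finished"] = utc_now()
    body = json.dumps(manifest, indent=2, sort_keys=True)
    manifest_path = os.path.join(dest_dir, "manifest.json")
    with open(manifest_path, "w") as f:
        f.write(body)
    # The manifest's own hash goes on the chain-of-custody form, so the
    # manifest cannot be quietly edited later either.
    return manifest_path, hashlib.sha256(body.encode()).hexdigest()


def verify(dest_dir, manifest_path):
    """Re-hash the repository copy against the manifest and return the paths
    whose content no longer matches; an empty list means the set authenticates."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    return [item["path"] for item in manifest["items"]
            if sha256_file(os.path.join(dest_dir, item["path"])) != item["sha256"]]


def demo():
    """Constructed sample: two files are collected and verified, then one copy
    is altered to show that verification catches it."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "custodian")
        dst = os.path.join(work, "repository")
        os.makedirs(os.path.join(src, "mail"))
        with open(os.path.join(src, "mail", "2017-03-01.eml"), "w") as f:
            f.write("Subject: invoice\n\nplease approve\n")
        with open(os.path.join(src, "notes.txt"), "w") as f:
            f.write("call counsel re: production\n")
        manifest_path, manifest_hash = collect(src, dst, examiner="J. Doe (assumed)")
        clean = verify(dst, manifest_path)
        with open(os.path.join(dst, "notes.txt"), "a") as f:
            f.write("edited after collection\n")
        tampered = verify(dst, manifest_path)
        return clean, tampered, manifest_hash


if __name__ == "__main__":
    clean, tampered, manifest_hash = demo()
    print("mismatches before tampering:", clean)
    print("mismatches after tampering:", tampered)
    print("manifest sha256:", manifest_hash)
```

The same hash-then-verify step applies to a physical image: the acquisition tool records the hash of the image file, and every later copy or mount is checked against that value before analysis begins.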

Therefore, forensically sound data collection is preferred in high-stakes cases or those where a
party may be accused of spoliation. Additionally, complex ESI—including website information,
encrypted data, and archived data—should be forensically collected by the IT department or a
specialized vendor or partner to ensure that data and metadata are not inadvertently modified.

For an example of how not to conduct a forensically sound data collection, see Leidig v.
BuzzFeed, Inc., No. 16 Civ. 542 (VM) (GWG) (S.D.N.Y. Dec. 19, 2017). In that case, the plaintiffs
produced screenshots of websites and other documents with incorrect or missing metadata. The
plaintiffs’ witness admitted that he “inadvertently changed or deleted the metadata” for some
files when he tried to move them to a hard drive for production. The court imposed sanctions
on the plaintiffs for their “amateurish collection” efforts.

Database forensics is a branch of digital forensic science relating to the forensic study
of databases and their related metadata.[1]
The discipline is similar to computer forensics, following the normal forensic process and applying
investigative techniques to database contents and metadata. Cached information may also exist in a
server's RAM, requiring live analysis techniques.
A forensic examination of a database may examine the timestamps that record when a row in a
relational table was updated, inspecting and testing them for validity in order to verify the actions
of a database user. Alternatively, a forensic examination may focus on identifying transactions within
a database system or application that indicate evidence of wrongdoing, such as fraud.
Software tools can be used to extract and analyse the data. Such tools should also provide audit
logging, which gives documented proof of what tasks or analysis a forensic examiner performed on
the database.
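The timestamp validity test and the search for suspicious transactions described above reduce to queries over the table and its change history. The following is an added example, not code from the original page: the payments table, its audit trigger, and the sample updates are constructed for the demonstration, and the three checks are generic for any change log that keeps old and new values. It flags updates whose timestamp moved backwards (backdating), value changes where the application-maintained timestamp did not move (a direct edit that bypassed the application), and rows stamped later than the moment the evidence copy was taken.

```python
"""Timestamp and transaction consistency checks over a table and its audit log.

Added example, not from the original page.  The payments table, its audit
trigger and the sample updates are constructed for the demonstration.
"""
import sqlite3

SCHEMA = """
CREATE TABLE payments(
    id INTEGER PRIMARY KEY,
    payee TEXT NOT NULL,
    amount REAL NOT NULL,
    updated_at TEXT NOT NULL   -- ISO-8601 UTC, zero padded: text order == time order
);
CREATE TABLE payments_audit(
    seq INTEGER PRIMARY KEY,
    payment_id INTEGER NOT NULL,
    old_amount REAL, new_amount REAL,
    old_updated_at TEXT, new_updated_at TEXT,
    logged_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now'))
);
CREATE TRIGGER payments_after_update AFTER UPDATE ON payments BEGIN
    INSERT INTO payments_audit(payment_id, old_amount, new_amount,
                               old_updated_at, new_updated_at)
    VALUES (OLD.id, OLD.amount, NEW.amount, OLD.updated_at, NEW.updated_at);
END;
"""


def build_sample(con):
    """Constructed evidence: four payments, then three kinds of change."""
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO payments VALUES (?, ?, ?, ?)", [
        (1, "Acme Ltd", 1200.00, "2024-03-01T09:12:00Z"),
        (2, "Globex", 350.00, "2024-03-01T10:05:00Z"),
        (3, "Initech", 9800.00, "2024-03-02T14:30:00Z"),
        (4, "Umbrella", 420.00, "2024-04-01T00:00:00Z"),  # dated after the collection
    ])
    # Legitimate correction through the application: amount and timestamp move together.
    con.execute("UPDATE payments SET amount = ?, updated_at = ? WHERE id = 1",
                (1250.00, "2024-03-03T08:00:00Z"))
    # Backdated change: amount altered, timestamp rewound to before the original.
    con.execute("UPDATE payments SET amount = ?, updated_at = ? WHERE id = 3",
                (98000.00, "2024-02-28T16:00:00Z"))
    # Direct edit that bypassed the application: amount changed, timestamp untouched.
    con.execute("UPDATE payments SET amount = ? WHERE id = 2", (3500.00,))
    con.commit()


def backdated(con):
    """Rows whose update timestamp moved backwards in time."""
    return [r[0] for r in con.execute(
        "SELECT DISTINCT payment_id FROM payments_audit "
        "WHERE new_updated_at < old_updated_at ORDER BY payment_id")]


def silent_changes(con):
    """Rows whose value changed while the application-maintained timestamp did not."""
    return [r[0] for r in con.execute(
        "SELECT DISTINCT payment_id FROM payments_audit "
        "WHERE new_amount <> old_amount AND new_updated_at = old_updated_at "
        "ORDER BY payment_id")]


def impossible_timestamps(con, collected_at):
    """Rows stamped later than the moment the evidence copy was taken."""
    return [r[0] for r in con.execute(
        "SELECT id FROM payments WHERE updated_at > ? ORDER BY id", (collected_at,))]


def run_checks(collected_at="2024-03-05T00:00:00Z"):
    """Build the sample in memory and return the ids each check flags."""
    con = sqlite3.connect(":memory:")
    build_sample(con)
    findings = {"backdated": backdated(con),
                "silent_changes": silent_changes(con),
                "impossible_timestamps": impossible_timestamps(con, collected_at)}
    con.close()
    return findings


if __name__ == "__main__":
    for name, ids in run_checks().items():
        print(f"{name}: payment ids {ids}")
```

Against a real engine the same queries run over the engine's own change record (transaction log, change data capture, or an application audit table) rather than a trigger added by the examiner, and they are run against a read-only forensic copy, never the production instance.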
Many general-purpose database tools are not reliable and precise enough to be used for forensic
work, as demonstrated in the first paper published on database forensics.[2] At the time of writing
there is a single book published in this field,[3] though more are planned.[4] There is also a
subsequent SQL Server forensics book by Kevvie Fowler, SQL Server Forensics, which is well
regarded.[5]
The forensic study of relational databases requires knowledge of the format used to encode data on
disk. Documentation of the on-disk formats used by well-known database products such as SQL
Server and Oracle has been contributed to the public domain.[6][7] Others include Apex Analytix.[8]
Because the forensic analysis of a database is not executed in isolation, the technological framework
within which a subject database exists is crucial to understanding and resolving questions of data
authenticity and integrity especially as it relates to database users.

What Is Database Forensics?

This question is often asked by new students who are thinking about entering this exciting and
dynamic subset of computer forensics. The answer is quite detailed, but we can go into a few
basics and give you an overview to help explain some key fundamentals of database forensic
analysis.


Forensic database specialists have a harder task when working through corrupted databases than a
standard digital forensic examiner has with fragmented "normal" files on a conventional hard drive.
Conventional file carving relies on known file-format signatures (a header byte pattern and, for many
formats, a footer) together with file system metadata, which in many cases allows a file to be
reconstructed. Database content, by contrast, is stored as rows spread across pages inside one or
more container files; the individual records carry no file-level header or footer, and the same
logical record may be referenced from several places (data pages, indexes, transaction logs). As a
result, special tools and techniques that understand the engine's on-disk format are required for
this highly specialized forensic work, and the Certified Computer Forensics Examiner (CCFE) is an
excellent certification to help you get there.
Database forensics is not the same as database recovery, an important distinction for those who
wish to enter this field. Database forensics concentrates on scientifically interrogating the
database, failed or otherwise, and reconstructing metadata and page information from within the
data set, whereas database recovery is a restorative process intended to make the database viable
enough to re-enter a production environment, or healthy enough to provide a backup that can be
used in a database restore.
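What "reconstructing metadata and page information" looks like in practice, and why it needs knowledge of the on-disk format rather than whole-file carving, is easiest to show on a single-file engine. The following is an added example, not code from the original page or from any product it names. It uses SQLite, chosen because Python ships the engine and its file format is publicly documented (https://www.sqlite.org/fileformat.html); the table, its rows, and the page size are constructed for the demonstration, and secure_delete is explicitly turned off so the engine behaves as a default build does. The script decodes the file header, walks each table leaf page's freeblock chain and unallocated gap (where a deleted row's bytes remain until overwritten), and carves printable strings from those regions, then compares that with what a read-only SQL query reports.

```python
"""Carve deleted-row residue from an SQLite file by walking the page structures.

Added example, not from the original page.  It uses Python's bundled sqlite3
module and SQLite's published file format (https://www.sqlite.org/fileformat.html);
the table, its rows and the page size are constructed for the demonstration.
"""
import os
import sqlite3
import struct
import tempfile

LEAF_TABLE_PAGE = 0x0D   # b-tree page type byte for a table leaf page
MIN_RUN = 6              # shortest printable run the carver reports


def build_sample_db(path):
    """Constructed evidence: three accounts, then one deleted through SQL.
    secure_delete is pinned OFF so the engine behaves like a default build
    and leaves the deleted cell's bytes on the page."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA page_size = 4096")
    con.execute("PRAGMA journal_mode = DELETE")   # no WAL: residue stays in the main file
    con.execute("PRAGMA secure_delete = OFF")
    con.execute("CREATE TABLE accounts(id INTEGER PRIMARY KEY, email TEXT, dept TEXT)")
    con.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        (1, "alice@example.test", "finance"),
        (2, "mallory@example.test", "payroll"),
        (3, "bob@example.test", "legal"),
    ])
    con.commit()
    con.execute("DELETE FROM accounts WHERE id = 2")
    con.commit()
    con.close()


def parse_header(raw):
    """Decode the fields of the 100-byte file header an examiner checks first."""
    if raw[:16] != b"SQLite format 3\x00":
        raise ValueError("not an SQLite 3 database")
    page_size = struct.unpack(">H", raw[16:18])[0]
    if page_size == 1:                      # the format stores 65536 as 1
        page_size = 65536
    pages_in_header = struct.unpack(">I", raw[28:32])[0]
    return {"page_size": page_size,
            "pages_on_disk": len(raw) // page_size,
            "pages_in_header": pages_in_header}   # disagreement is itself a finding


def printable_runs(buf, min_len=MIN_RUN):
    """A minimal carver: runs of printable ASCII at least min_len long."""
    runs, cur = [], bytearray()
    for b in buf + b"\x00":                 # sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    return runs


def slack_regions(page, is_first_page):
    """Yield the parts of a table leaf page that hold no live cell: the gap
    between the cell-pointer array and the cell content area, and every block
    on the freeblock chain.  Deleted rows end up in exactly these places."""
    hdr = 100 if is_first_page else 0       # page 1 starts with the file header
    if page[hdr] != LEAF_TABLE_PAGE:
        return
    first_free, ncells, content_start = struct.unpack(">HHH", page[hdr + 1:hdr + 7])
    if content_start == 0:
        content_start = 65536
    yield page[hdr + 8 + 2 * ncells:content_start]
    off = first_free
    while off:
        nxt, size = struct.unpack(">HH", page[off:off + 4])
        yield page[off + 4:off + size]      # first 4 bytes were overwritten by the link
        off = nxt


def carve_deleted_strings(path):
    """Strings present in slack space, i.e. invisible to any SELECT."""
    with open(path, "rb") as f:
        raw = f.read()
    info = parse_header(raw)
    ps = info["page_size"]
    found = []
    for n in range(info["pages_on_disk"]):
        for region in slack_regions(raw[n * ps:(n + 1) * ps], n == 0):
            found.extend(printable_runs(region))
    return found


def live_rows(path):
    """What the database reports when queried read-only, for comparison."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    rows = con.execute("SELECT id, email, dept FROM accounts ORDER BY id").fetchall()
    con.close()
    return rows


def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "evidence.db")
        build_sample_db(path)
        with open(path, "rb") as f:
            header = parse_header(f.read())
        return header, live_rows(path), carve_deleted_strings(path)


if __name__ == "__main__":
    header, live, residue = demo()
    print(header)
    print("live rows:", live)
    print("residue in slack:", residue)
```

Two points carry over to other engines. The carved residue is "mallory@example.testpayroll" rather than two clean columns, because the record header that separated the fields was overwritten by the freeblock link; reconstructing the original row means re-parsing the record format, not just reading strings. And the result depends on engine settings (secure_delete, journal or WAL mode, vacuuming) that an examiner must document, since a different configuration can leave no residue at all.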

Sometimes, a database may be perfectly healthy but suspicious activities and results may have
raised questions from a customer that prompted a forensic investigation.

The following scenarios would require the intervention of a database forensic specialist:

• Failure of a database
• Deletion of information from a database
• Inconsistencies in the data of a database
• Detection of suspicious behavior of users

A database forensics expert will normally use a read-only method or an identical forensic copy
of the data when interfacing with a database to ensure that no data is compromised. They will
run a series of diagnostic tools to help them to:

• Create a forensic copy of a database for analysis
• Reconstruct missing data and/or log files associated with the deletion
• Decipher data and ascertain possible causes of corruption
• Audit user activities and isolate suspicious and illegal behavior

This helps you as an investigator to gain the information that the affected party requires, and
can help in the investigation and prosecution of the perpetrators if criminal proceedings are
initiated against guilty parties.

What Are the Types of Database Models That Are Important in Forensics?

As database technologies were developed and utilized over the past few decades, newer
approaches to storing, locating, and retrieving data were created. These different approaches
are also known as database models, and understanding each one ensures maximum efficacy
when dealing with instances where your database forensic expertise may be required. While
each of these database implementations was important during the development of
interconnected services in the early days of corporate and commercial computer services, some
have fallen by the wayside, and others have fallen into virtual obscurity.
You will be taught about database types, such as hierarchical, network, relational, object-
oriented, and hybrid, how to diagnose and identify issues, and how to identify the appropriate
course of action, based on the scenario that you are faced with. Depending on your needs, each
one of these types of database is covered in detail, with examples from each for you to learn
from as well as hands-on modules and labs for you to get involved with.

Generally speaking, today's database systems tend to be relational, a structure that suits many
business applications: it handles simple transactions and queries concurrently as well as more
advanced functions such as table joins. It is an efficient way of designing databases and can be
considered one of the most popular database structures currently in use.

As systems become more integrated within businesses and in-house developers become more
commonplace, object-oriented database design is increasingly being employed in applications.
This is largely because its data model mirrors object-oriented programming, and the
object-oriented database type is well suited to highly complex data operations, with multiple
functions being performed on stored data quickly and almost simultaneously.

What Database Systems Are Most Commonly Used in Forensics?

This comes down to database popularity among businesses, companies and individuals. There
are hundreds of different DBMSs to choose from, but the five most popular, according to
DB-ENGINES.COM, are listed below along with their database model:

• Oracle (Relational Database Management System)
• MySQL (Relational Database Management System)
• Microsoft SQL Server (Relational Database Management System)
• PostgreSQL (Relational Database Management System)
• MongoDB (Document Store)

As you can see, relational database management systems hold the lion’s share of the top spots
in the DBMS stakes, and one can therefore infer that there is indeed healthy demand for these
DB types. This is primarily because of the ease with which applications and web interfaces can
interact with these data stores, with ODBC drivers being made publicly available for most of the
DBMS systems listed here.

For this reason, as a qualified CCFE, you will find yourself in the enviable position of being
suited to any situation where a forensic specialist is required in the field of IT. You will be
briefed on the best legal and ethical principles, how to conduct yourself during an investigation,
the basics of forensic science and scientific principles, digital forensics, application forensics (in
which you will find database forensics) and hybrid and emerging technologies.

The CCFE therefore offers you a great entry point into the world of cybersecurity and forensics,
and is a must for anyone looking to further their understanding of digital forensics in an IT-
heavy environment.
