Advanced Forensic Recovery And Analysis Of MySQL Data In Deleted State

Johann Polewczyk: Welcome. With my colleagues from the University of Lausanne, we will present some advanced recovery and forensic analysis of MySQL data in deleted state. So databases in general are widely used by organizations to store information that could be very relevant to a wide range of investigations such as criminal cases, civil disputes, or data breaches. And the idea of this work is to provide some guidance for investigations that involve databases. And we propose a multi-stage approach to the forensic recovery and the forensic analysis of deleted data in databases. And the idea is to have a more comprehensive reconstruction of [indecipherable] at the end.

So the first stage is to…the idea is to have multiple versions of the database of interest and those versions, to have them through time. So we will look at historical database versions. For this we can use backups of the database, audit logs, but also we can use some carving techniques to find deleted database files. So for instance, for MySQL it could be FRM files or MYD files, and we could also try to carve some backup files. Once we have those multiple versions of the database, the idea is to compare those different versions to find some records that could have been altered. And so we can find some records that are present in only one version of the database, or we could also find some records that have the same primary key but different values. And so the idea is really to target some records that could be of interest for more in-depth analysis.

The in-depth analysis, the idea is now to dive inside the record structure and inside the record data to find exactly what data have been altered. We can also look at deleted records, so a database engine usually works in the same way as a file system. So when a record is deleted, the data might still be present inside the file of the database, but it will just be marked as deleted. And so really these last…this third stage, the idea is to really identify what data exactly has been modified. And now the last stage, the idea is to find how. So for this we will use some contextual analysis of the altered or deleted records. So usually records are either in second [indecipherable] manner, and using timestamps of the record and also the position of the records inside the files, we can start to infer some possible alterations. So how the deletion occurred and also when.

So to sum up, the idea of this multi-stage approach is first to find some elements of comparison using different versions of the database, then using some large screening comparison to try to identify some records of interest, then to look in-depth at those records to find what data was modified or deleted, and then using some contextual analysis, try to understand how the deletion or the alteration occurred.

Thank you for your attention and feel free to contact us if you have interest or any questions.
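
The screening comparison described in the second stage of the talk, sketched as an added example that is not part of the talk or the authors' tooling. It assumes each database version has already been parsed into rows keyed by primary key; the table name, column names and version labels are constructed for illustration.

```python
from typing import Dict, List, Tuple

Row = Dict[str, object]
Snapshot = Dict[int, Row]  # primary key -> column values

def compare(old: Snapshot, new: Snapshot) -> Dict[str, object]:
    """Screen two versions of one table for records worth deeper analysis."""
    only_old = sorted(old.keys() - new.keys())   # present before, gone now
    only_new = sorted(new.keys() - old.keys())   # appeared between versions
    altered = {}
    for pk in sorted(old.keys() & new.keys()):
        # Same primary key in both versions: keep only columns whose value changed.
        cols = {c: (old[pk].get(c), new[pk].get(c))
                for c in sorted(old[pk].keys() | new[pk].keys())
                if old[pk].get(c) != new[pk].get(c)}
        if cols:
            altered[pk] = cols
    return {"only_old": only_old, "only_new": only_new, "altered": altered}

def timeline(versions: List[Tuple[str, Snapshot]]) -> List[Tuple[str, str, dict]]:
    """Compare each chronologically adjacent pair of versions."""
    return [(a_name, b_name, compare(a, b))
            for (a_name, a), (b_name, b) in zip(versions, versions[1:])]

# Constructed sample data: three versions of a hypothetical "payments" table,
# e.g. loaded from a carved backup, a scheduled backup and the live database.
VERSIONS = [
    ("carved_backup", {1: {"payee": "ACME", "amount": 100},
                       2: {"payee": "Bolt", "amount": 250},
                       3: {"payee": "Cyan", "amount": 75}}),
    ("nightly_backup", {1: {"payee": "ACME", "amount": 100},
                        2: {"payee": "Bolt", "amount": 9250},
                        3: {"payee": "Cyan", "amount": 75}}),
    ("live_db", {1: {"payee": "ACME", "amount": 100},
                 2: {"payee": "Bolt", "amount": 9250},
                 4: {"payee": "Dune", "amount": 40}}),
]

if __name__ == "__main__":
    for older, newer, result in timeline(VERSIONS):
        print(f"{older} -> {newer}: {result}")
```

The primary keys it reports are the screening output only; they are the records to carry into the in-depth and contextual stages.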
