Stochastic Analysis through Database Storage Carving

Alexander Rasin (DePaul University)

Abstract: Forensic tools assist analysts with recovery of data, even from corrupted storage. These tools rely on "file carving" techniques to restore content after metadata loss by analyzing the remaining raw file content. As a significant amount of organizational data is stored and processed in relational databases, there is a need for database "carving" tools that extend file carving solutions to the database realm. Raw database storage is partitioned into individual "pages" that normally cannot be read or presented to the analyst without the help of the database itself. Furthermore, by directly accessing raw database storage, we can reveal things that are normally hidden from database users.
There are a number of database-specific tools developed for emergency database recovery, though not for forensic analysis of a database. In this work, we present a universal tool that seamlessly supports many different databases, rebuilding table and other data content from any remaining storage fragments on disk or in RAM. We define an approach for automatically (with minimal user intervention) reverse engineering storage in new databases, for detecting volatile data changes and discovering user action artifacts. Finally, we verify our tool's ability to recover both deleted and partially corrupted data and present some preliminary results for future research directions.

Bio: Alexander Rasin is an Assistant Professor in the College of Computing and Digital Media (CDM) at DePaul University. He received his Ph.D. and M.Sc. in Computer Science from Brown University, Providence. His current research centers on high-performance data warehouses and large-scale data analytics. Dr. Rasin’s other research interests include resource provisioning, high availability guarantees in distributed systems and database forensics.