Simplified database forensic investigation using metamodeling approach

Database Forensic Investigation (DBFI) domain is a significant field used to identify, collect, preserve, reconstruct, analyze and document database incidents. However, it is a heterogeneous, complex, and ambiguous domain due to the variety and multidimensional nature of database systems. Numerous specific DBFI models and frameworks have been proposed to solve specific database scenarios but there is a lack of structured and unified frameworks to facilitate managing, sharing and reusing of DBFI tasks and activities. Thus, this research developed a DBFI Metamodel (DBFIM) to structure and organize DBFI domain. A Design Science Research Methodology (DSRM) to provide a logical, testable and communicable metamodel was applied in this study. In this methodology, the steps included problem identification, define objectives, design and development, demonstration and evaluation, and communication. The outcome of this study is a DBFIM developed for structuring and organizing DBFI domain knowledge that facilitates the managing, sharing and reusing of DBFI domain knowledge among domain practitioners. DBFIM identifies, recognizes, extracts and matches different DBFI processes, concepts, activities, and tasks from different DBFI models into a developed metamodel, thus, allowing domain practitioners to derive/instantiate solution models easily. The DBFIM was validated using qualitative techniques: comparison against other models; face validity (domain experts); and case study. Comparisons against other models and face validity were applied to ensure completeness, logicalness, and usefulness of DBFIM against other DBFI domain models. Following this, two case studies were selected and implemented to demonstrate the applicability and effectiveness of the DBFIM in the DBFI domain using a DBFIM Prototype (DBFIMP). The results showed that DBFIMP allowed domain practitioners to create their solution models easily based on their requirements

A generic database forensic investigation process model

Database Forensic investigation is a domain which deals with database contents and their metadata to reveal malicious activities on database systems. Even though it is still new, but due to the overwhelming challenges and issues in the domain, this makes database forensic become a fast growing and much sought after research area. Based on observations made, we found that database forensic suffers from having a common standard which could unify knowledge of the domain. Therefore, through this paper, we present the use of Design Science Research (DSR) as a research methodology to develop a Generic Database Forensic Investigation Process Model (DBFIPM). From the creation of DBFIPM, five common forensic investigation processes have been proposed namely, the i) identification, ii) collection, iii) preservation, iv) analysis and v) presentation process. From the DBFIPM, it allows the reconciliation of concepts and terminologies of all common databases forensic investigation processes. Thus, this will potentially facilitate the sharing of knowledge on database forensic investigation among domain stakeholders