Coronavirus (Covid-19): Latest updates and information
Skip to main content Skip to navigation

Proactive Database Forensics

Currently, one of the challenges in the cybersecurity field relies on adequate information security management since organisations must comply with requirements to justify a systematic and formal application of auditing and forensics, both being interdependent accountability characteristics for information security [1]. Whilst auditing must verify the existence of security controls to guarantee non-repudiation, illegal action deterrence and intrusion detection, forensics must ensure an adequate incident response and recovery, as well as identifying evidence to allow incident response teams to identify, and if possible, take legal actions against the intruders [2].

In recent years, there has been a lot of research in various areas of auditing and digital forensics; however, digital forensics applied to databases (Database Forensics) has been a problem with very little attention due to the inherent difficulties to analyse the complex structures (logs and queries) that a database is comprised of [3-5]. This complexity hinders incident response strategies due to the ineffectiveness of applying traditional-reactive digital forensic approaches in order to analyse suspicious actions on database files and structures [6]. Then, applying traditional reactive techniques on database digital investigations may be counterproductive, affecting incident response time and challenging digital evidence admissibility during legal proceedings [7].

Conversely, as data security breaches around the world have been mainly associated with cybercriminals (outsiders), insider activity (e.g. malicious employees) has been overlooked. For instance, by misusing or stealing database credentials, a reckless employee may cause damage to an organisation as retaliation for a sudden employment termination [8] or financial gain interests [9]. These issues and others are becoming dangerous threats to corporate information; particularly since the inception of Bring Your Own Device (BYOD) practices [10]. In fact, BYOD benefits for employees and organisations are also shadowed by potential security risks [11] due to uncontrolled mobile device activity [12], which may lead to unauthorised information disclosure [13] and contamination [14] from unhandled disperse evidence sources.

Therefore, as database forensics are challenged by the inadequacy of traditional-reactive forensic techniques, and the ever increasing BYOD risk of exposing corporate information to unauthorised disclosure and contamination, my research aims to define a proactive approach for database forensics in BYOD environments, considering accountability (auditing and forensics) requirements so that malicious insider activity can be investigated by using real-time generated evidence from different reliable sources. I expect that my research encourages future work in the field of proactive digital forensics in order to tackle incident response challenges either from BYOD, or any other emerging technological trend.

[1] J. Andress, "Chapter 4 - Auditing and Accountability," in The Basics of Information Security (Second Edition), ed Boston: Syngress, 2014, pp. 57-68.
[2] D. Takahashi and Y. Xiao, "Retrieving knowledge from auditing log‐files for computer and network forensics and accountability," Security and Communication Networks, vol. 1, pp. 147-160, 2008.
[3] P. Frühwirt, P. Kieseberg, S. Schrittwieser, M. Huber, and E. Weippl, "InnoDB database forensics: Enhanced reconstruction of data manipulation queries from redo logs," Information Security Technical Report, vol. 17, pp. 227-238, 5/1/May 2013 2013.
[4] B. Kovalerchuk, E. Vityaev, and R. Holtfreter, "Correlation of complex evidence in forensic accounting using data mining," Journal of Forensic Accounting, vol. 8, 2007.
[5] K. E. Pavlou and R. T. Snodgrass, "Generalizing Database Forensics," ACM Transactions on Database Systems, vol. 38, pp. 12-12:43, 2013.
[6] M. S. Olivier, "On metadata context in Database Forensics," Digital Investigation, vol. 5, pp. 115-123, 1/1/2009 2009.
[7] D. A. Flores, O. Angelopoulou, and R. J. Self, "Combining Digital Forensic Practices and Database Analysis as an Anti-Money Laundering Strategy for Financial Institutions," in 2012 Third International Conference on Emerging Intelligent Data and Web Technologies, 2012, pp. 218-224.
[8] S. Northcutt, "Logic Bombs, Trojan Horses, and Trap Doors," 2005.
[9] N. Bradley, "The Threat Is Coming From Inside the Network: Insider Threats Outrank External Attacks," 2015.
[10] J. Chang, P.-C. Ho, and T.-C. Chang, Securing IT Professional, vol. 16, no. 5, 2014, pp. 9-11. [Online]. Available:
[11] K. Downer and M. Bhattacharya, BYOD security: A new business challenge. 2016. [Online]. Available:
[12] M. Faulds, K. Bauchmuller, D. Miller, J. Rosser, K. Shuker, I. Wrench, P. Wilson, and G. Mills, The feasibility of using bring your own device BYOD) technology for electronic data capture in multicentre medical audit and research, in Anaesthesia, 2016, vol. 71, no. 1, pp. 58-66.
[13] N. Pohlmann, M. Hertlein, and P. Manaras, “Bring your own device for authentication (BYOD4A)-the Xign-System,in Information Security Solutions Europe (ISSE) 2015 Conference. Springer, 2015, pp. 240-250.
[14] K. Downer and M. Bhattacharya,BYOD security: A new business challenge.2016. [Online]. Available:


Dr. H. Arshad Jhumka

The University of Warwick

Department of Computer Science

arshad at dcs dot warwick dot ac dot uk



Creative Commons Licence
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.