Database forensics is a branch of digital forensics concerned with the study and examination of databases and their related metadata.
| Name | Platform | License | Description |
|---|---|---|---|
| Software Tools | | | |
| Autopsy | Windows, Linux | Open Source | Digital forensics platform with database analysis capabilities. |
| EnCase Forensic | Windows | Commercial | Comprehensive digital forensic investigation software. |
| FTK Imager | Windows | Freeware | Disk imaging tool with support for various database formats. |
| SQL Power Tools | Windows | Commercial | Suite of tools for database analysis, including forensics tasks. |
| Axiom | Windows, macOS | Commercial | Digital forensics tool with advanced database recovery features. |
| DBVisualizer | Windows, macOS, Linux | Commercial | Universal database tool with capabilities for forensic analysis. |
| Hardware Tools | | | |
| Tableau Forensic Imager | Windows | Commercial | Hardware device for fast and reliable digital forensics imaging. |
| Logicube OmniClone | Windows | Commercial | High-speed forensic hard drive duplicator with database support. |
| DeepSpar Disk Imager | Windows | Commercial | Specialized hardware imager for damaged or unstable database media. |
| Write Blocker | N/A | N/A | Hardware device preventing data modification during analysis. |
| Forensic Ultraviolet Light | N/A | N/A | Tool used for physical inspection of hard drives and other media. |
Database forensics involves identifying, extracting, and analyzing data from databases to investigate security incidents or criminal activity. It helps uncover unauthorized changes, deleted records, and tampering with critical data.
1. Preserve and Secure Evidence
- Create a forensic image or backup of the database to avoid data loss.
- Use write-blocking techniques and secure the database server.
- Tools: FTK Imager
2. Extract Data
- Retrieve tables, logs, and records without modifying the database.
- Tools: DB Browser for SQLite, SQLRecon
3. Analyze Database Records
- Inspect data, schemas, and logs to detect anomalies, suspicious activities, or unauthorized access.
- Tools: Autopsy
4. Recover Deleted Data
- Restore deleted or corrupted records using specialized recovery tools.
- Tools: Stellar Repair for MS SQL
5. Authenticate and Verify Integrity
- Validate the integrity of data and logs to detect manipulation or tampering.
- Tools: Log Parser Studio, DBF Recovery
6. Document and Report
- Record investigation findings, timestamps, modified records, and query history.
- Present a detailed forensic report with supporting evidence.
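
As an added example (not part of the original page or of any tool listed here), the Python below applies steps 1, 2 and 5 to a working copy of a SQLite database: it hashes the file, reads schemas and row counts over a read-only connection, reports freelist pages that may hold deleted rows (step 4), and re-hashes to confirm the examination changed nothing. The function names `sha256_file` and `examine` and the sample `accounts` table are assumptions made for illustration.

```python
import hashlib, os, sqlite3, tempfile
from pathlib import Path

def sha256_file(path):
    """Hash the file in chunks so large evidence copies do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def examine(path):
    """Read-only triage of a SQLite evidence copy; returns a report dict."""
    before = sha256_file(path)
    # mode=ro refuses writes; immutable=1 also stops SQLite from locking the
    # file or creating -journal/-wal/-shm files beside the evidence copy.
    uri = Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        tables = {}
        for name, sql in con.execute(
                "SELECT name, sql FROM sqlite_master WHERE type='table'").fetchall():
            quoted = '"' + name.replace('"', '""') + '"'
            rows = con.execute(f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
            tables[name] = {"rows": rows, "schema": sql}
        # Freelist pages are unused space that may still hold remnants of deleted rows.
        free_pages = con.execute("PRAGMA freelist_count").fetchone()[0]
    finally:
        con.close()
    after = sha256_file(path)
    return {"sha256_before": before, "sha256_after": after,
            "unchanged": before == after, "tables": tables, "free_pages": free_pages}

if __name__ == "__main__":
    # Constructed sample database standing in for a working copy of the evidence.
    sample = os.path.join(tempfile.mkdtemp(), "working_copy.db")
    db = sqlite3.connect(sample)
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, note TEXT)")
    db.executemany("INSERT INTO accounts (note) VALUES (?)", [("x" * 600,)] * 200)
    db.execute("DELETE FROM accounts WHERE id <= 150")
    db.commit(); db.close()
    print(examine(sample))
```

Because `immutable=1` makes SQLite skip any `-wal` file, a leftover write-ahead log should be preserved and examined separately.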
Open-Source Tools:
- DB Browser for SQLite: View and analyze SQLite database files.
- SQLRecon: Discover and enumerate SQL Server instances.
- Autopsy: Digital forensics tool with database analysis features.
Commercial Tools: