Three-Tier Database Forensic Model

Msongaleli D. L. , Mgembe I. P.

10th International Symposium on Digital Forensics and Security (ISDFS), Maltepe, Turkey, 6 - 07 June 2022 identifier identifier

  • Publication Type: Conference Paper / Full Text
  • Doi Number: 10.1109/isdfs55398.2022.9800755
  • City: Maltepe
  • Country: Turkey
  • Keywords: Database, Forensic, Cyber-attacks
  • Kocaeli University Affiliated: Yes


The evolution of information and communication technology has transformed our way of processing and storing information. Currently, a plethora of crucial data is held and processed in databases. Thus, a significant number of cyber-attacks target databases, thereby prompting the need for database forensics. Existing research publications on Database Forensic focus on two areas; (i) technology and (ii) Database forensic processes. Accordingly, current solutions are well suited to specific scenarios or technology. Hence, they cannot be relied upon in different technology scenarios. In addition, there are no clear procedures that should be adhered to during database forensics to make the best use of existing database forensic tools. We propose the Three-Tier Database Forensic (TT-DF) Model, a practical generic model that the examiner can use to examine incidents involving cyber-attacks against databases. The TT-DF model we present is a two-dimensional approach that considers stages and processes of investigation. It considers three investigation stages: application, database, and server investigation. Moreover, there are four processes at each stage, namely preparation, collection, analysis, and presentation. Our solution ensures that an investigator can efficiently discover and collect artefacts in the aftermath of cyber-attacks irrespective of compromised database audit trails, metadata and other potential artefacts within a reasonable time.