Adopting an experimental learning approach, this book describes a practical forensic process to acquire and analyze databases from a given device and/or application. Databases hold important, sensitive, and/or confidential information and are a crucial source of evidence in any digital investigation. This also reinforces the importance of keeping up to date on the cyber-threat landscape as well as any associated database forensic challenges and approaches. The book also guides cyber-forensic researchers, educators, and practitioners through the process of conducting database forensics and investigations on mobile devices, Internet of Things (IoT) devices, web browsers, and end-to-end encrypted instant messaging applications. Given the fast-changing database forensics landscape, this book will be of interest to researchers, educators, and practitioners in the field, as well as students who want to learn about the database investigation.
Author(s): Nhien-An Le-Khac, Kim-Kwang Raymond Choo
Series: Studies in Big Data, 116
Publisher: Springer
Year: 2022
Language: English
Pages: 301
City: Cham
Foreword
Acknowledgements
Contents
About the Authors
1 Databases in Digital Forensics
1.1 Introduction
1.2 Organization of This Book
References
2 Database Forensics
2.1 Introduction to Databases
2.1.1 What Is a Database?
2.1.2 Database Management System (DBMS)
2.1.3 Database Types and Users
2.2 Relational Databases
2.2.1 Basic Concepts
2.2.2 Database Design
2.3 Structured Query Language (SQL)
2.3.1 SQL and SQLite
2.3.2 SQLite Basic Commands
2.4 Database Forensics
2.5 Examples
2.5.1 IOS Database Investigation
2.5.2 WhatsApp Database Forensics
2.6 Summary
References
3 Signal Instant Messenger Forensics
3.1 Introduction
3.2 Basic Features
3.2.1 Signal Messenger
3.2.2 Disappearing Messages
3.2.3 Delete for Everyone
3.2.4 View-Once Media
3.2.5 Mark as Unread
3.2.6 Show in Suggestions
3.2.7 Backup and Restore Messages
3.3 Related Work
3.4 Forensic Methods
3.4.1 Experimental Platforms
3.4.2 Datasets
3.4.3 Forensic Scenarios
3.4.4 Forensic Acquisition and Analysis of Signal
3.4.5 Forensic Analysis
3.5 Findings and Discussion
3.5.1 Signal Account Take Over
3.5.2 Signal Activity Monitoring with Linked Device
3.5.3 Signal Group Chat
3.5.4 Use Signal as Source of OSINT
3.5.5 Forensic Acquisition and Analysis of Signal
3.6 Discussion
3.6.1 General Process to Handle Signal
3.6.2 Signal Data and Database
3.6.3 Signal Investigation Without Physical Devices
3.7 Summary
References
4 Forensic Analysis of the qTox Messenger Databases
4.1 Introduction
4.2 Background Concepts
4.2.1 QTox Client
4.2.2 The Tox ID
4.3 Related Work
4.4 Why qTox Database Forensics?
4.5 Methodology
4.5.1 Artifact Definitions
4.5.2 Experimental Environments
4.5.3 Data Population
4.5.4 Acquisition of Data
4.5.5 Forensic Analysis of Data
4.6 Findings and Discussions
4.6.1 Recovered Artifacts Found in the Image Files
4.6.2 Recovered Artifacts Found in the Memory Dump
4.6.3 Recovered Artifacts Found in the Database Files
4.6.4 Discussion
4.7 Summary
References
5 PyBit Forensic Investigation
5.1 Introduction
5.2 Basic Features
5.2.1 Bitmessage Concept
5.2.2 Data Encryption
5.2.3 BitMessage Networking Concept
5.2.4 BitMessage Implementations and Applications
5.3 Criminal Usage of the BitMessage System and Investigation Challenges
5.3.1 Illegal Transactions
5.3.2 Blackmailing of Politicians and Celebrities
5.3.3 Command and Control Communication of the Chimera Malware
5.3.4 Investigation Issues
5.4 Adopted Approach
5.4.1 Identification of Recipients
5.4.2 Network Surveillance
5.4.3 Forensic Information Gathering
5.5 Summary
References
6 Database Forensics for Analyzing Data Loss in Delayed Extraction Cases
6.1 Introduction
6.2 Background
6.2.1 iOS SQLite Databases
6.2.2 SQLite Vacuuming
6.3 Methodology
6.4 Database Analyzing of iOS
6.4.1 iPhones for Conducting the Research
6.4.2 Platforms and Forensic Tools
6.4.3 Extraction Phase and Timeline
6.4.4 Artifacts of Interest
6.4.5 Analysis Approaches
6.5 Experiments and Findings
6.5.1 iOS Application and Database Analysis
6.5.2 Timeline and iOS Analysis
6.6 Discussion and Analysis
6.6.1 Comparison Analysis
6.6.2 iOS Application and Database Analysis
6.6.3 Timeline and iOS Analysis
6.7 Summary
References
7 IoT Database Forensics—A Case Study with Video Door Bell Analysis
7.1 Introduction
7.2 Related Work
7.3 Why Video Doorbell Analysis?
7.4 Methodology
7.5 Experiments and Evaluation
7.5.1 Experimental Platforms
7.5.2 Investigation of the Video Doorbell
7.5.3 Network Examination
7.5.4 Smartphone Application
7.5.5 Securing Data
7.5.6 Law and Guidelines
7.6 Conclusion
References
8 Web Browser Forensics—A Case Study with Chrome Browser
8.1 Introduction
8.1.1 Web Browser Forensics
8.1.2 Google Chrome
8.1.3 Forensic Tool Gone Wrong
8.1.4 Environment Variables
8.1.5 Epoch Time or WebKit Time
8.2 Chrome Artifacts Folder
8.3 Profiles
8.4 User Profile Preferences
8.5 Analyzing SQLite Files
8.5.1 Secure_Delete
8.5.2 Analysis Tools
8.6 History and Typed URLs
8.6.1 SQLite Tables of Interest
8.7 Downloads
8.8 Search Terms
8.9 Form Data
8.10 Bookmarks
8.11 Other
8.12 Summary
References
