Ideal log setting for database forensics reconstruction

The ability to reconstruct the data stored in a database at an earlier time is an important aspect of database forensics. Past research shows that the log file in a database can be useful for reconstruction. However, in many database systems there are various options that control which information is included in the logs. This paper introduces the notion of the ideal log setting necessary for an effective reconstruction process in database forensics. The paper provides a survey of the default logging preferences in some of the popular database management systems and identifies the information that a database log should contain in order to be useful for reconstruction. The challenges that may be encountered in storing the information as well as ways of overcoming the challenges are discussed. Possible logging preferences that may be considered as the ideal log setting for the popular database systems are also proposed. In addition, the paper relates the identified requirements to the three dimensions of reconstruction in database forensics and points out the additional requirements and/or techniques that may be required in the different dimensions.