Reconstruction Investigation Model for Database Management Systems

: There have been increased levels of cybercrime in the database industry, which has hurt the confidentiality, integrity, and availability of these systems. Most organizations apply several security layers to detect and prevent database crimes. For this reason, Database Forensics (DBF) plays a very important role in capturing and discovering, who the criminal is, when the crime was committed, and which part of the database the crime occurred. Several forensic models have been proposed for the DBF field, which can be used to identify, collect, preserve, examine, analyze, and document database crimes. However, most of these models focused on specific database systems due to the variety of the database infrastructure and the multidimensional nature of the database systems. The most important part of the DBF field is the analysis process used to investigate the captured data and discover the attack. Thus, this study proposes an Integrated Reconstruction Investigation Model (IRIM) for database forensics using a metamodeling method. It consists of two main processes: The examining process and the discovering and reporting process. A real scenario has been used to validate the effectiveness of the proposed model. According to the results, the proposed model could detect database cybercrimes and allow domain forensic practitioners to capture and analyze database crimes efficiently.