Date Published: February 1, 2017
Publisher: Public Library of Science
Author(s): Arafat Al-dhaqm, Shukor Razak, Siti Hajar Othman, Asri Ngadi, Mohammed Nazir Ahmed, Abdulalem Ali Mohammed, Kim-Kwang Raymond Choo.
Database Forensics (DBF) is a widespread area of knowledge. It has many complex features and is well known amongst database investigators and practitioners. Several models and frameworks have been created specifically to allow knowledge-sharing and effective DBF activities. However, these are often narrow in focus and address specific database incident types. We have analysed 60 such models in an attempt to uncover how many DBF activities are really common even when the actions vary. We then generate a unified abstract view of DBF in the form of a metamodel. We identified, extracted, and proposed common concepts and reconciled concept definitions to propose a metamodel. We have applied a metamodelling process to guarantee that this metamodel is comprehensive and consistent.
Database Forensics (DBF) is a field of digital forensic investigation that addresses database contents and their metadata. It is considered a significant field by which to identify, detect, acquire, analyse, and reconstruct database incidents and reveal intruders' activities. DBF has suffered from several issues, which have resulted in it becoming a heterogeneous, confusing and unstructured domain. Examples of these issues include the variety of database system infrastructures; the multidimensional nature of database systems; and domain knowledge effectively being scattered in all directions [2,3]. The variety of database system infrastructures, each with a multidimensional nature, has led the DBF domain to address specific incidents. Therefore, each database management system (DBMS) has a specific forensic investigation model/approach. Consequently, the differing concepts and terminologies for the forensic investigation process and the scattering of domain knowledge in all directions have produced further challenges for DBF investigators and practitioners. This knowledge (such as models, processes, techniques, tools, frameworks, methods, activities, approaches, and algorithms) is neither organized nor structured. Furthermore, it is widely dispersed across the Internet, books, journals, conferences, online databases, book chapters, dissertations, reports, and organizations. Consequently, there is a lack of generic/standardized models by which to unify concepts and terminologies that may be used to reduce confusion and assist in organizing and structuring domain knowledge. This study discusses the DBF domain from several perspectives to highlight, extract, compare, merge and derive common concepts of the domain as well as to harmonize and reconcile concepts and definitions, namely i) the Database Dimensions perspective; ii) the Database Forensic Technology perspective; and iii) the Database Forensic Investigation Process perspective.
Several types of modelling languages have been offered for various disciplines, including business process modelling; systems engineering; and software engineering [6,7]. These languages are naturally used to describe systems in a way that gives stakeholders a better understanding of them. This study targets the emergence of a modelling language to define the domain of DBF. In addition, it draws on research from the field of metamodelling [8,9] to develop a process by which to create such a language. Generally, a metamodelling process aims to generate a group of classes to represent domain entities and define domain concepts, actions or states. This group of concepts is called the metamodel. The language that we look for is supported by the metamodel. It has the ability to generalize the domain by gathering all field/domain concepts and dividing the field/domain issues into sub-domain issues. A more difficult task in the development of a domain description is to determine how the end user will form his/her own model with the concepts and notation from a domain language. In the field of software engineering, a metamodel targets the generation of portable software actions and components. Further, it is interoperable and reusable. A metamodel also contains the description of the particular modelling environment for a specific domain and describes the syntax and semantics of the domain. It can be viewed from the following three different perspectives: i) as a set of structuring blocks and rules used to construct and control new models; ii) as the model of a domain of interest; and iii) as an instance of another model. In our situation, a metamodel is an essential structuring block that makes statements about the possible structure of DBF models.
To construct the DBFM, a group of common and repeatedly used DBF concepts is first determined. The concepts and their definitions are drawn from the existing DBF literature. A survey of the DBF field/domain is first conducted by studying the large body of existing DBF models, frameworks, methods, approaches and techniques from three perspectives (60 in total). This gives us a broad knowledge of DBF actions, activities, and operations. Relationships are then established among the related common concepts. The metamodel construction is iterative, with continuous refinement as new concepts are incorporated. To create the DBFM, we used the 8-step Metamodelling Creation Process adapted from [87,88], which is described below.
We validate our DBFM for generality, expressiveness, and completeness. Validating generality ensures that the DBFM can cover all DBF domain models, whereas validating expressiveness ensures the degree to which it can directly model any particular real-world concept. This determines: that the theories and assumptions underlying the concepts in the metamodel are correct; and that the metamodel's representation of the problem entity, the structure of the metamodel, and its logic and causal relationships are suitable for the intended purpose of the metamodel. We apply two commonly used validation techniques as follows:
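The concept-extraction step of the previous paragraph (tallying which concepts recur across surveyed models, reconciling divergent terminology onto one canonical concept) and the generality check of this one (every surveyed model must be instantiable from the metamodel's concepts, with the metamodel refined iteratively when it is not) can be shown as a small program. The following is an added example and not the paper's own code or data: the four "surveyed models", the synonym table, the relations and the support threshold are all constructed placeholders chosen to illustrate the procedure, not the 60 models or the concepts the authors actually analysed.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: terminology used by four hypothetical surveyed DBF models.
# These lists stand in for the paper's survey; they are not its data.
SURVEYED_MODELS = {
    "model_A": ["identification", "acquisition", "examination", "analysis", "reporting"],
    "model_B": ["detection", "collection", "analysis", "reconstruction", "presentation"],
    "model_C": ["identification", "preservation", "acquisition", "analysis", "documentation"],
    "model_D": ["triage", "imaging", "analysis", "reconstruction", "reporting"],
}

# Constructed synonym table: reconciles differing terminologies onto one canonical concept.
SYNONYMS = {
    "detection": "identification",
    "triage": "identification",
    "collection": "acquisition",
    "imaging": "acquisition",
    "examination": "analysis",
    "presentation": "reporting",
    "documentation": "reporting",
}

# Constructed relations between canonical concepts (source, relation, target).
RELATIONS = {
    ("identification", "precedes", "acquisition"),
    ("acquisition", "precedes", "analysis"),
    ("analysis", "precedes", "reconstruction"),
    ("reconstruction", "precedes", "reporting"),
}


def canonical(term):
    """Map a model's term to its reconciled canonical concept name."""
    term = term.lower()
    return SYNONYMS.get(term, term)


def extract_common_concepts(models, min_support):
    """Count in how many models each canonical concept occurs (once per model)
    and keep those meeting the support threshold. Returns (common, support)."""
    support = Counter()
    for terms in models.values():
        for concept in {canonical(t) for t in terms}:
            support[concept] += 1
    common = {c for c, n in support.items() if n >= min_support}
    return common, support


@dataclass
class Metamodel:
    concepts: set
    relations: set = field(default_factory=set)

    def instantiate(self, terms):
        """Express a concrete model in metamodel concepts; return (covered, uncovered)."""
        mapped = {canonical(t) for t in terms}
        return mapped & self.concepts, mapped - self.concepts

    def check_consistency(self):
        """Expressiveness/consistency check: every relation endpoint must be a concept."""
        return [r for r in self.relations if r[0] not in self.concepts or r[2] not in self.concepts]


def build_dbfm(models, min_support=2):
    common, _ = extract_common_concepts(models, min_support)
    return Metamodel(concepts=common, relations=set(RELATIONS))


def validate_generality(mm, models):
    """Generality: report, per surveyed model, the concepts the metamodel cannot express."""
    return {name: sorted(mm.instantiate(terms)[1]) for name, terms in models.items()}


def refine(mm, models, max_iterations=5):
    """Iteratively add uncovered concepts until every surveyed model is covered."""
    for _ in range(max_iterations):
        report = validate_generality(mm, models)
        missing = {c for uncovered in report.values() for c in uncovered}
        if not missing:
            break
        mm = Metamodel(concepts=mm.concepts | missing, relations=set(mm.relations))
    return mm


if __name__ == "__main__":
    dbfm = build_dbfm(SURVEYED_MODELS)
    print("common concepts:", sorted(dbfm.concepts))
    print("generality report:", validate_generality(dbfm, SURVEYED_MODELS))
    print("dangling relations:", dbfm.check_consistency())
    refined = refine(dbfm, SURVEYED_MODELS)
    print("after refinement:", validate_generality(refined, SURVEYED_MODELS))
```

With the constructed data, "preservation" appears in only one model and so falls below the support threshold; the generality check flags model_C as not fully expressible, and one refinement pass adds the concept. Raising the threshold trades a leaner metamodel for weaker generality, which is exactly the tension the iterative process is meant to resolve.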
In this study, a framework for a DBF language underpinned by a DBF metamodel (DBFM) is created. This demonstrates the emergence of a DBF semantic modeling standard through the metamodel that allows the description of various DBF data models. For the purpose of developing the DBFM, general concepts used in DBF are identified and new ones synthesized as required. This process involves analyzing the domain models, management processes, domain phases, activities, roles, goals and all other elements in DBF. The successful creation of the metamodel generalizes metamodelling to solve problems in DBF. The study generalizes the metamodelling approach by creating synthesis and validation processes that are discipline-agnostic. In other words, the metamodelling process used in this study will not demand domain expertise, as is usually the case in software engineering. Rather, the adapted process will provide new guidelines on sourcing the knowledge required to drive and validate the metamodelling process.
Our Database Forensic Metamodel (DBFM) has been developed based on a careful analysis of the existing literature and domain-specific database forensic models. It has been validated through a couple of iterations and applied to a specific case. While the DBFM is generic and domain-independent and can be instantiated for specific DBF scenarios, it has some limitations that need to be addressed, especially as the DBFM evolves.
This study has discussed the development of the Database Forensic Metamodel (DBFM). The metamodel presented is intended to become an effective platform for sharing and integrating DBF knowledge from varying sources. Existing database forensic models are not based on any metamodels or standards but rather constitute proprietary solutions that are mainly focused on frameworks and other model aspects. This is the first work that develops a DBF metamodel across the four established phases of the database forensic domain. Our DBFM can unify these works as a navigation metamodel. More importantly, the DBFM is the first step towards interoperability of DBF solutions and effective transfer of knowledge across database boundaries. It may also be used as a tool to determine the completeness of any DBF solution.