A method and tool to recover data deleted from a MongoDB

Jongseong Yoon, Sangjin Lee

Research output: Contribution to journal › Article

2 Citations (Scopus)

Abstract

A DBMS stores important data, which makes it one of the important subjects of analysis in digital forensics. Techniques for recovering deleted data from a DBMS play an important role in finding evidence in forensic investigations. Although relational DBMSs have been used as important data stores until now, NoSQL DBMSs are being used more often because of the growing pursuit of Big Data. This increases the likelihood of having to analyze a NoSQL DBMS in forensic cases. Indeed, data on approximately 26,000 servers was deleted in a massive ransom attack on vulnerable MongoDB servers. Research into the internal structure of NoSQL DBMSs and into techniques for recovering their deleted data is therefore essential.

In this paper, we study a method for recovering deleted data in MongoDB, which is widely used. We have analyzed the internal structures of the WiredTiger and MMAPv1 storage engines, which are MongoDB's disk-based storage engines. Moreover, we have implemented the recovery algorithm as a tool and evaluated its performance on real and self-generated experimental data.

Original language: English
Journal: Digital Investigation
DOI: 10.1016/j.diin.2017.11.001
Publication status: Accepted/In press - 2017 Jan 1

Keywords

  • Database forensics
  • MongoDB
  • NoSQL database forensics
  • Recovery of deleted data from database

ASJC Scopus subject areas

  • Computer Science Applications
  • Medical Laboratory Technology
  • Law

Cite this

A method and tool to recover data deleted from a MongoDB. / Yoon, Jongseong; Lee, Sangjin.

In: Digital Investigation, 01.01.2017.

@article{a4f0d5210fc64a19a6998f49112d4d84,
title = "A method and tool to recover data deleted from a MongoDB",
keywords = "Database forensics, MongoDB, NoSQL database forensics, Recovery of deleted data from database",
author = "Jongseong Yoon and Sangjin Lee",
year = "2017",
month = "1",
day = "1",
doi = "10.1016/j.diin.2017.11.001",
language = "English",
journal = "Digital Investigation",
issn = "1742-2876",
publisher = "Elsevier Limited",

}

TY - JOUR

T1 - A method and tool to recover data deleted from a MongoDB

AU - Yoon, Jongseong

AU - Lee, Sangjin

PY - 2017/1/1

Y1 - 2017/1/1

KW - Database forensics

KW - MongoDB

KW - NoSQL database forensics

KW - Recovery of deleted data from database

UR - http://www.scopus.com/inward/record.url?scp=85036650332&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85036650332&partnerID=8YFLogxK

U2 - 10.1016/j.diin.2017.11.001

DO - 10.1016/j.diin.2017.11.001

M3 - Article

AN - SCOPUS:85036650332

JO - Digital Investigation

JF - Digital Investigation

SN - 1742-2876

ER -