Forensic investigation framework for the document store NoSQL DBMS: MongoDB as a case study

Jongseong Yoon, Doowon Jeong, Chul Hoon Kang, Sangjin Lee

Research output: Contribution to journal › Article

11 Citations (Scopus)

Abstract

The NoSQL DBMS provides an efficient means of storing and accessing big data because its servers are more easily horizontally scalable and replicable than relational DBMSs. Its data model lacks a fixed schema, so that users can easily and dynamically change the data model of applications. These characteristics of the NoSQL DBMS mean that it is increasingly used in real-time analysis, web services such as SNS, mobile apps and the storage of machine-generated data such as logs and IoT (Internet of Things) data. Although the increased usage of the NoSQL DBMS increases the possibility of it becoming a target of crime, there are few papers about forensic investigation of NoSQL DBMS. In this paper, we propose a forensic investigation framework for the document store NoSQL DBMS. It is difficult to cover all of the NoSQL DBMS, as 'NoSQL' includes several distinct architectures; our forensic investigation framework, however, is focused on the document store NoSQL DBMS. In order to conduct an evaluative case study, we need to apply it to MongoDB, which is a widely used document store NoSQL DBMS. For this case study, a crime scenario is created in an experimental environment, and then we propose in detail a forensic procedure and technical methods for MongoDB. We suggested many substantial technical investigation methods for MongoDB, including identifying the real servers storing evidence in a distributed environment, a transaction reconstruction method using log analysis, and recovering deleted data from the MongoDB data file structure.

Original language: English
Pages (from-to): 53-65
Number of pages: 13
Journal: Digital Investigation
Volume: 17
DOI: 10.1016/j.diin.2016.03.003
Publication status: Published - 2016 Jun 1

Keywords

  • Database forensics
  • Digital forensics
  • Document store NoSQL DBMS
  • MongoDB
  • NoSQL DBMS

ASJC Scopus subject areas

  • Law
  • Computer Science Applications
  • Medical Laboratory Technology

Cite this

Forensic investigation framework for the document store NoSQL DBMS: MongoDB as a case study. / Yoon, Jongseong; Jeong, Doowon; Kang, Chul Hoon; Lee, Sangjin.

In: Digital Investigation, Vol. 17, 01.06.2016, p. 53-65.

@article{90e95134375a4e5cb6c1f333311a4db5,
title = "Forensic investigation framework for the document store NoSQL DBMS: MongoDB as a case study",
keywords = "Database forensics, Digital forensics, Document store NoSQL DBMS, MongoDB, NoSQL DBMS",
author = "Jongseong Yoon and Doowon Jeong and Kang, {Chul Hoon} and Sangjin Lee",
year = "2016",
month = "6",
day = "1",
doi = "10.1016/j.diin.2016.03.003",
language = "English",
volume = "17",
pages = "53--65",
journal = "Digital Investigation",
issn = "1742-2876",
publisher = "Elsevier Limited",
}

TY - JOUR

T1 - Forensic investigation framework for the document store NoSQL DBMS

T2 - MongoDB as a case study

AU - Yoon, Jongseong

AU - Jeong, Doowon

AU - Kang, Chul Hoon

AU - Lee, Sangjin

PY - 2016/6/1

Y1 - 2016/6/1

KW - Database forensics

KW - Digital forensics

KW - Document store NoSQL DBMS

KW - MongoDB

KW - NoSQL DBMS

UR - http://www.scopus.com/inward/record.url?scp=84965161438&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84965161438&partnerID=8YFLogxK

U2 - 10.1016/j.diin.2016.03.003

DO - 10.1016/j.diin.2016.03.003

M3 - Article

AN - SCOPUS:84965161438

VL - 17

SP - 53

EP - 65

JO - Digital Investigation

JF - Digital Investigation

SN - 1742-2876

ER -