Recovery method of deleted records and tables from ESE database

Jeonghyeon Kim; Aran Park; Sangjin Lee

doi:10.1016/j.diin.2016.04.003

Recovery method of deleted records and tables from ESE database

Jeonghyeon Kim, Aran Park, Sangjin Lee

School of Cybersecurity

Research output: Contribution to conference › Paper › peer-review

9 Citations (Scopus)

Abstract

The Extensible Storage Engine (ESE) database is a data storage technology developed by Microsoft. It is mainly used by Windows OS and its web browser. It is possible to easily delete a table or a record in the database using the ESENT API. However, there are insufficient papers and relevant information how about recovering deleted records. Previous works apply only to some tables and fail to recover deleted data perfectly. In this paper, we analyzed the structure of the ESE database and present a general-use technique to recover deleted records and tables. We developed a tool to implement the technique, and assessed the performance of the proposed tool.

Original language	English
Pages	S118-S124
DOIs	https://doi.org/10.1016/j.diin.2016.04.003 https://doi.org/10.1016/j.diin.2016.04.003
Publication status	Published - 2016 Aug 7
Event	16th Annual USA Digital Forensics Research Conference, DFRWS 2016 USA - Seattle, United States Duration: 2016 Aug 7 → 2016 Aug 10

Conference

Conference	16th Annual USA Digital Forensics Research Conference, DFRWS 2016 USA
Country/Territory	United States
City	Seattle
Period	16/8/7 → 16/8/10

Keywords

ESE database analysis
ESE database forensic
Windows forensic

ASJC Scopus subject areas

Information Systems

Access to Document

Cite this

@conference{f0d118146baa4ac79127c26cea260bec,

title = "Recovery method of deleted records and tables from ESE database",

abstract = "The Extensible Storage Engine (ESE) database is a data storage technology developed by Microsoft. It is mainly used by Windows OS and its web browser. It is possible to easily delete a table or a record in the database using the ESENT API. However, there are insufficient papers and relevant information how about recovering deleted records. Previous works apply only to some tables and fail to recover deleted data perfectly. In this paper, we analyzed the structure of the ESE database and present a general-use technique to recover deleted records and tables. We developed a tool to implement the technique, and assessed the performance of the proposed tool.",

keywords = "ESE database analysis, ESE database forensic, Windows forensic",

author = "Jeonghyeon Kim and Aran Park and Sangjin Lee",

year = "2016",

month = aug,

day = "7",

doi = "10.1016/j.diin.2016.04.003",

language = "English",

pages = "S118--S124",

note = "16th Annual USA Digital Forensics Research Conference, DFRWS 2016 USA ; Conference date: 07-08-2016 Through 10-08-2016",

}

TY - CONF

T1 - Recovery method of deleted records and tables from ESE database

AU - Kim, Jeonghyeon

AU - Park, Aran

AU - Lee, Sangjin

PY - 2016/8/7

Y1 - 2016/8/7

N2 - The Extensible Storage Engine (ESE) database is a data storage technology developed by Microsoft. It is mainly used by Windows OS and its web browser. It is possible to easily delete a table or a record in the database using the ESENT API. However, there are insufficient papers and relevant information how about recovering deleted records. Previous works apply only to some tables and fail to recover deleted data perfectly. In this paper, we analyzed the structure of the ESE database and present a general-use technique to recover deleted records and tables. We developed a tool to implement the technique, and assessed the performance of the proposed tool.

AB - The Extensible Storage Engine (ESE) database is a data storage technology developed by Microsoft. It is mainly used by Windows OS and its web browser. It is possible to easily delete a table or a record in the database using the ESENT API. However, there are insufficient papers and relevant information how about recovering deleted records. Previous works apply only to some tables and fail to recover deleted data perfectly. In this paper, we analyzed the structure of the ESE database and present a general-use technique to recover deleted records and tables. We developed a tool to implement the technique, and assessed the performance of the proposed tool.

KW - ESE database analysis

KW - ESE database forensic

KW - Windows forensic

UR - http://www.scopus.com/inward/record.url?scp=85068653331&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85068653331&partnerID=8YFLogxK

U2 - 10.1016/j.diin.2016.04.003

DO - 10.1016/j.diin.2016.04.003

M3 - Paper

AN - SCOPUS:84982787180

SP - S118-S124

T2 - 16th Annual USA Digital Forensics Research Conference, DFRWS 2016 USA

Y2 - 7 August 2016 through 10 August 2016

ER -

Recovery method of deleted records and tables from ESE database

Abstract

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this