Recovery method of deleted records and tables from ESE database

Jeonghyeon Kim, Aran Park, Sangjin Lee

Research output: Contribution to conference, Paper

Abstract

The Extensible Storage Engine (ESE) database is a data storage technology developed by Microsoft. It is mainly used by Windows OS and its web browser. It is possible to easily delete a table or a record in the database using the ESENT API. However, there are insufficient papers and relevant information about how to recover deleted records. Previous works apply only to some tables and fail to recover deleted data perfectly. In this paper, we analyzed the structure of the ESE database and present a general-use technique to recover deleted records and tables. We developed a tool to implement the technique, and assessed the performance of the proposed tool.

Original language: English
Pages: S118-S124
DOI: https://doi.org/10.1016/j.diin.2016.04.003
Publication status: Published - 2016 Jan 1
Event: 16th Annual USA Digital Forensics Research Conference, DFRWS 2016 USA - Seattle, United States
Duration: 2016 Aug 7 to 2016 Aug 10

Conference

Conference: 16th Annual USA Digital Forensics Research Conference, DFRWS 2016 USA
Country: United States
City: Seattle
Period: 16/8/7 to 16/8/10

Fingerprint

Engines
Recovery
Web browsers
Application programming interfaces (API)
Data storage equipment

Keywords

  • ESE database analysis
  • ESE database forensic
  • Windows forensic

ASJC Scopus subject areas

  • Information Systems

Cite this

Kim, J., Park, A., & Lee, S. (2016). Recovery method of deleted records and tables from ESE database. S118-S124. Paper presented at 16th Annual USA Digital Forensics Research Conference, DFRWS 2016 USA, Seattle, United States. https://doi.org/10.1016/j.diin.2016.04.003
