Recovery method of deleted records and tables from ESE database

Jeonghyeon Kim, Aran Park, Sangjin Lee

Research output: Contribution to conference › Paper

Abstract

The Extensible Storage Engine (ESE) database is a data storage technology developed by Microsoft. It is mainly used by Windows OS and its web browser. It is possible to easily delete a table or a record in the database using the ESENT API. However, there are insufficient papers and relevant information about recovering deleted records. Previous works apply only to some tables and fail to recover deleted data perfectly. In this paper, we analyzed the structure of the ESE database and present a general-use technique to recover deleted records and tables. We developed a tool to implement the technique, and assessed the performance of the proposed tool.

Original language: English
Pages: S118-S124
DOIs: https://doi.org/10.1016/j.diin.2016.04.003
Publication status: Published - 2016 Jan 1
Event: 16th Annual USA Digital Forensics Research Conference, DFRWS 2016 USA - Seattle, United States
Duration: 2016 Aug 7 - 2016 Aug 10

Conference

Conference: 16th Annual USA Digital Forensics Research Conference, DFRWS 2016 USA
Country: United States
City: Seattle
Period: 16/8/7 - 16/8/10

Keywords

  • ESE database analysis
  • ESE database forensic
  • Windows forensic

ASJC Scopus subject areas

  • Information Systems

Cite this

Kim, J., Park, A., & Lee, S. (2016). Recovery method of deleted records and tables from ESE database. S118-S124. Paper presented at 16th Annual USA Digital Forensics Research Conference, DFRWS 2016 USA, Seattle, United States. https://doi.org/10.1016/j.diin.2016.04.003