A Recovery Method of Deleted Records in The SQLite Database Using Schema Information
- 주제(키워드) SQLite , Database , Recovery , Record , SQLite Database Forensic
- 발행기관 고려대학교 정보보호대학원
- 지도교수 이상진
- 발행년도 2016
- 학위수여년월 2016. 2
- 학위구분 석사
- 학과 정보보호대학원 정보보호학과
- 원문페이지 46 p
- 실제URI http://www.dcollection.net/handler/korea/000000065045
- 본문언어 영어
- 제출원본 000045866941
초록/요약
SQLite is an open source database managing system such as MySQL and PostgreSQL. It is a database exclusively for local use in which all records are stored in a single file. It is used by numerous embedded devices due to its characteristics such as small size file, rapid processing speed, and utility in use. As utilizing of SQLite has steadily increased, forensic detectives are required to attain database analyzing skills. Furthermore, regarding the fact that SQLite manages effective storage space and maintains up to date data, it frequently deletes data. Therefore, recovering deleted data is highly critical. There has been a number of researches on recovering data regarding SQLite, however, they often committed false positive and false negative, and the progressed researches were mainly on methods of recovering deleted data regarding transaction log files such as a simple database of single file or journal files. For this thesis, by suggesting a method of recovering deleted records in SQLite database files using Schema information, it allows to increase a rate of recovering and decrease a rate of committing false negative. At the same time, not only deleted records in database, but journal files like WAL and remained records of unused area can also be recovered by this method.
more목차
1 Introduction 1
2 Related Works 3
2.1 Recovering Method Using Journal Files 3
2.2 Recovering Method Using File Structure Analysis 3
2.3 Recovering Method by Analyzing Schema Pattern 4
3 SQLite Database 5
3.1 SQLite Database File Structure 5
3.1.1 Schema Table 7
3.1.2 Page Structure 8
3.1.2.1 Page Header 9
3.1.2.2 Cell Structure in Internal Page 10
3.1.2.3 Cell Structure in Leaf Page 10
3.2 Journal(WAL) File Structure of SQLite Database 12
4 Recovering Deleted Record Method 14
4.1 Changes When Data Deleted 14
4.2 Algorithm of Recovering Deleted Data Method 16
4.2.1 Acquirement of Schema Information 18
4.2.2 Page Searching 20
4.2.2.1 SQLite Database Normal File 20
4.2.2.2 Damaged SQLite Database File 22
4.2.2.3 SQLite Database Journal(WAL) File 23
4.2.3 Extracting Unlocated Space in Database 24
4.2.4 Recovering Deleted Record 28
5 Implementation and Experiments 32
5.1 Introduction of Recovering Tool 32
5.2 Performance Evaluation #1 33
5.3 Performance Evaluation #2 35
6 Conclusion 36
References 37
