Memory-Driven Forensic Analysis of SQL Server: A Buffer Pool and Page Inspection Approach

Bibliographic Details
Main Author: Jiho Shin
Format: Article
Language: English
Published: MDPI AG, 2025-06-01
Series: Sensors
Online Access: https://www.mdpi.com/1424-8220/25/11/3512
Description: This study proposes a memory-based forensic procedure for real-time recovery of deleted data in Microsoft SQL Server environments. This approach is particularly relevant for sensor-driven and embedded systems, such as those used in IoT gateways and edge computing platforms, where lightweight SQL engines store critical operational and measurement data locally and are vulnerable to insider manipulation. Traditional approaches to deleted data recovery have primarily relied on transaction log analysis or on static methods that examine the physical files (.mdf and .ldf) after taking the database offline. These methods face critical limitations in real-time applicability and may miss volatile data that temporarily resides in memory. To address these challenges, this study introduces a methodology that captures key deletion event information through transaction log analysis immediately after data deletion and directly inspects the memory-resident pages loaded in the server's Buffer Pool. By analyzing page structures in the Buffer Pool and cross-referencing them with log data, we establish a memory-driven forensic framework that enables both the recovery and the verification of deleted records. In the experimental validation, records were deleted in a live SQL Server environment, and a combination of transaction log analysis and in-memory page inspection allowed partial or full recovery of the deleted data. This demonstrates the feasibility of real-time forensic analysis without interrupting the operational database. The findings provide a foundational methodology for improving the speed and accuracy of digital forensics in time-sensitive scenarios, such as insider threats or cyber intrusion incidents, by enabling prompt and precise recovery of deleted data directly from memory. These capabilities are especially critical in IoT environments, where real-time deletion recovery supports sensor data integrity, forensic traceability, and uninterrupted system resilience.
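The procedure the abstract outlines (read the deletion event out of the transaction log while it is still in the active log, find the affected page in the Buffer Pool, and compare what the cached page holds with the logged row image) can be walked through on a test instance with stock SQL Server tooling. The T-SQL below is an added illustration written for this record; it is not code from the paper or its author, and the database SensorDb, the table dbo.Readings and the rows in it are constructed for the example. It relies on sys.fn_dblog and DBCC PAGE, which are undocumented but long-standing, and on the documented sys.dm_os_buffer_descriptors view; it needs sysadmin rights.

```sql
-- Added illustration for this record, not code from the paper.
-- Database SensorDb and table dbo.Readings are constructed for the example.
-- Requires sysadmin; sys.fn_dblog and DBCC PAGE are undocumented but stable.
USE SensorDb;
GO

-- 1. Constructed sample data: a small local store of sensor readings.
IF OBJECT_ID('dbo.Readings', 'U') IS NOT NULL DROP TABLE dbo.Readings;
CREATE TABLE dbo.Readings (
    ReadingId INT          NOT NULL PRIMARY KEY,  -- clustered, so deletes are ghosted
    SensorTag VARCHAR(16)  NOT NULL,
    ReadAt    DATETIME2(0) NOT NULL,
    Celsius   DECIMAL(5,2) NOT NULL
);
INSERT INTO dbo.Readings (ReadingId, SensorTag, ReadAt, Celsius) VALUES
    (1, 'gw01-temp-a', '2025-06-01 08:00:00', 21.50),
    (2, 'gw01-temp-a', '2025-06-01 08:05:00', 21.75),
    (3, 'gw01-temp-b', '2025-06-01 08:00:00', 19.10);
GO

-- 2. The event under investigation: one reading is deleted.
DELETE FROM dbo.Readings WHERE ReadingId = 2;
GO

-- 3. Transaction log: pull the delete records while they are still in the
--    active log. [Page ID] is 'file:page' in hex; [RowLog Contents 0] holds
--    the pre-image of the deleted row, which is the recovery source.
IF OBJECT_ID('tempdb..#DeleteEvents') IS NOT NULL DROP TABLE #DeleteEvents;
SELECT
    l.[Current LSN],
    l.[Transaction ID],
    l.AllocUnitName,
    l.[Page ID],
    l.[Slot ID],
    CONVERT(INT, CONVERT(VARBINARY(2), LEFT(l.[Page ID], 4), 2))  AS FileId,
    CONVERT(INT, CONVERT(VARBINARY(4), RIGHT(l.[Page ID], 8), 2)) AS PageId,
    l.[RowLog Contents 0] AS DeletedRowImage
INTO #DeleteEvents
FROM sys.fn_dblog(NULL, NULL) AS l
WHERE l.Operation = 'LOP_DELETE_ROWS'
  AND l.AllocUnitName LIKE 'dbo.Readings.%';

-- Who and when: the LOP_BEGIN_XACT record of the same transaction carries
-- the login SID and the start time.
SELECT d.[Current LSN], d.FileId, d.PageId, d.[Slot ID],
       SUSER_SNAME(b.[Transaction SID]) AS LoginName,
       b.[Begin Time],
       d.DeletedRowImage
FROM #DeleteEvents AS d
JOIN sys.fn_dblog(NULL, NULL) AS b
  ON b.[Transaction ID] = d.[Transaction ID]
 AND b.Operation = 'LOP_BEGIN_XACT';

-- 4. Buffer Pool: is the touched page still memory-resident? is_modified = 1
--    means it is dirty (not yet checkpointed); after a checkpoint it stays
--    cached until the lazy writer evicts it.
SELECT d.FileId, d.PageId, b.page_type, b.row_count, b.is_modified,
       b.free_space_in_bytes
FROM #DeleteEvents AS d
JOIN sys.dm_os_buffer_descriptors AS b
  ON b.database_id = DB_ID()
 AND b.file_id     = d.FileId
 AND b.page_id     = d.PageId;

-- 5. Page inspection: dump the page with per-slot detail (print option 3).
--    The deleted row is a ghost record in the slot named by [Slot ID]; its
--    hex bytes should match DeletedRowImage from the log until ghost cleanup
--    reclaims the slot (the header's m_ghostRecCnt counts such records).
DBCC TRACEON(3604);   -- route DBCC PAGE output to the client session
DECLARE @fileId INT, @pageId INT, @cmd NVARCHAR(200);
SELECT TOP (1) @fileId = FileId, @pageId = PageId FROM #DeleteEvents;
SET @cmd = N'DBCC PAGE(' + CAST(DB_ID() AS NVARCHAR(10)) + N', '
         + CAST(@fileId AS NVARCHAR(10)) + N', '
         + CAST(@pageId AS NVARCHAR(10)) + N', 3) WITH TABLERESULTS;';
EXEC sys.sp_executesql @cmd;
```

Run the script as one session immediately after the delete: under the SIMPLE recovery model the next checkpoint can reclaim the log records, and the background ghost cleanup task will eventually clear the ghosted slot even though the page itself remains cached. One concrete form of the log/page cross-reference the abstract describes is the final comparison: the slot number and the hex bytes of the ghost record in the DBCC PAGE dump should agree with [Slot ID] and [RowLog Contents 0] from step 3, which both confirms the event and yields the record without taking the database offline.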
ISSN: 1424-8220
DOAJ record: doaj-art-4c3547c5f35e4113a6a47af7585a2b26
DOI: 10.3390/s25113512
Author affiliation: Police Science Institute, Korean National Police University, Asan 31539, Republic of Korea
Subjects: database forensics; transaction log; cache; buffer pool; SQL Server; deleted data recovery