CIPM: Common Identification Process Model for Database Forensics Field

TL;DR

This paper proposes CIPM, a unified, metamodel-based identification process for database forensics, aiming to address the diversity and redundancy of existing models by integrating all processes into a single abstract framework.

Contribution

The study introduces CIPM, a comprehensive identification model that unifies and harmonizes existing database forensic processes using a metamodeling approach.

Findings

CIPM effectively consolidates multiple identification models.

The model assists practitioners and newcomers in controlling database crimes.

CIPM covers six key phases of database incident response.

Abstract

Database Forensics (DBF) domain is a branch of digital forensics, concerned with the identification, collection, reconstruction, analysis, and documentation of database crimes. Different researchers have introduced several identification models to handle database crimes. Majority of proposed models are not specific and are redundant, which makes these models a problem because of the multidimensional nature and high diversity of database systems. Accordingly, using the metamodeling approach, the current study is aimed at proposing a unified identification model applicable to the database forensic field. The model integrates and harmonizes all exiting identification processes into a single abstract model, called Common Identification Process Model (CIPM). The model comprises six phases: 1) notifying an incident, 2) responding to the incident, 3) identification of the incident source, 4) verification of the incident, 5) isolation of the database server and 6) provision of an investigation environment. CIMP was found capable of helping the practitioners and newcomers to the forensics domain to control database crimes.