RADAR: Exposing Unlogged NoSQL Operations
Mahfuzul I. Nissan, James Wagner

TL;DR
RADAR is a forensic framework that detects unlogged NoSQL operations by analyzing raw disk artifacts and reconciling them with application logs, effectively exposing hidden activities even when logs are manipulated or suppressed.
Contribution
RADAR introduces a novel approach combining low-level disk artifact analysis with high-level log reconciliation to uncover unlogged NoSQL operations, enhancing forensic capabilities.
Findings
Successfully detects unlogged operations across diverse NoSQL engines
Operates efficiently with 31.7-397 MB/min throughput
Effectively exposes log suppression and post-maintenance attacks
Abstract
The widespread adoption of NoSQL databases has made digital forensics increasingly difficult as storage formats are diverse and often opaque, and audit logs cannot be assumed trustworthy when privileged insiders, such as DevOps or administrators, can disable, suppress, or manipulate logging to conceal activity. We present RADAR (Record & Artifact Detection, Alignment & Reporting), a log-adversary-aware framework that derives forensic ground truth by cross-referencing low-level storage artifacts against high-level application logs. RADAR analyzes artifacts reconstructed by the Automated NoSQL Carver (ANOC), which infers layouts and carves records directly from raw disk bytes, bypassing database APIs and the management system entirely, thereby treating physical storage as the independent evidence source. RADAR then reconciles carved artifacts with the audit log to identify delta artifacts…
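The abstract's core step, reconciling carved storage artifacts against the audit log to find state the log does not explain, can be illustrated with a small model. The following is an added example, not code from the RADAR paper or from ANOC: the record layout (a record id, a payload, and whether it was carved from live or freed space), the three-operation log schema, the finding categories and the sample data are all constructed for illustration, and the real system infers layouts from raw bytes rather than starting from parsed records.

```python
# Added illustrative example (not code from the RADAR paper or ANOC):
# reconcile records carved from raw storage with an audit log and report
# "delta artifacts", i.e. on-disk state the log does not account for.
# Record layout, log schema, finding names and sample data are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Artifact:
    """A record carved from storage. live=True: carved from the active page
    area; live=False: carved from freed/unallocated space (a prior version
    or a deleted record that has not yet been overwritten)."""
    record_id: str
    payload: str
    live: bool


@dataclass(frozen=True)
class LogEntry:
    """One audit-log line: op is 'insert', 'update' or 'delete'."""
    op: str
    record_id: str
    payload: Optional[str] = None


def replay_log(entries: List[LogEntry]) -> Tuple[Dict[str, str], Set[str]]:
    """Replay the log to the final logical state it claims.
    Returns (live state id->payload, ids the log says were deleted)."""
    state: Dict[str, str] = {}
    deleted: Set[str] = set()
    for e in entries:
        if e.op in ("insert", "update"):
            state[e.record_id] = e.payload
            deleted.discard(e.record_id)
        elif e.op == "delete":
            state.pop(e.record_id, None)
            deleted.add(e.record_id)
        else:
            raise ValueError(f"unknown op {e.op!r}")
    return state, deleted


def reconcile(artifacts: List[Artifact], entries: List[LogEntry]) -> List[Tuple[str, str, str]]:
    """Return (finding_kind, record_id, payload) for every artifact the log
    cannot account for, and for every logged record absent from storage."""
    logged_state, logged_deleted = replay_log(entries)
    logged_versions = {(e.record_id, e.payload) for e in entries if e.payload is not None}
    live_ids = {a.record_id for a in artifacts if a.live}
    findings: List[Tuple[str, str, str]] = []
    explained_missing: Set[str] = set()
    for a in artifacts:
        if a.live:
            expected = logged_state.get(a.record_id)
            if expected is None:
                # On disk, but the log never inserted it (or logged a delete
                # that did not actually happen).
                findings.append(("unlogged_insert", a.record_id, a.payload))
            elif expected != a.payload:
                # Disk content disagrees with the log's final value.
                findings.append(("unlogged_update", a.record_id, a.payload))
        elif (a.record_id, a.payload) not in logged_versions:
            # A version in freed space that no log line ever mentions.
            findings.append(("unlogged_prior_version", a.record_id, a.payload))
        elif (a.record_id not in live_ids
              and a.record_id not in logged_deleted
              and logged_state.get(a.record_id) == a.payload):
            # The log still considers this record live; only a freed copy remains.
            findings.append(("unlogged_delete", a.record_id, a.payload))
            explained_missing.add(a.record_id)
    for rid, payload in logged_state.items():
        if rid not in live_ids and rid not in explained_missing:
            # The log claims a live record that storage does not contain.
            findings.append(("missing_on_disk", rid, payload))
    return findings


# Constructed audit log: what an administrator would see if they trusted it.
AUDIT_LOG = [
    LogEntry("insert", "u1", "alice:user"),
    LogEntry("insert", "u2", "bob:user"),
    LogEntry("update", "u2", "bob:admin"),
    LogEntry("insert", "u3", "carol:user"),
    LogEntry("delete", "u3"),
    LogEntry("insert", "u6", "eve:user"),
    LogEntry("insert", "u7", "frank:user"),
    LogEntry("update", "u7", "frank:ops"),
    LogEntry("insert", "u8", "grace:user"),
]

# Constructed carved artifacts: the independent evidence from raw storage.
CARVED = [
    Artifact("u1", "alice:user", live=True),
    Artifact("u2", "bob:admin", live=True),
    Artifact("u2", "bob:user", live=False),      # old version, explained by log
    Artifact("u3", "carol:user", live=False),    # logged delete, consistent
    Artifact("u4", "mallory:admin", live=True),  # never logged
    Artifact("u5", "dave:user", live=False),     # insert and delete both suppressed
    Artifact("u6", "eve:user", live=False),      # delete suppressed
    Artifact("u7", "frank:root", live=True),     # update suppressed or log altered
]


def demo() -> List[Tuple[str, str, str]]:
    return reconcile(CARVED, AUDIT_LOG)


if __name__ == "__main__":
    for kind, rid, payload in demo():
        print(f"{kind:24} {rid} {payload}")
```

Running it lists five delta findings: u4 (unlogged insert), u5 (unlogged prior version), u6 (unlogged delete), u7 (unlogged update) and u8 (logged but missing on disk). Records whose freed-space copies are explained by a logged update or delete (u2, u3) produce no finding, which is the point of reconciling rather than simply diffing the two sources.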
Taxonomy
Topics: Digital and Cyber Forensics · Security and Verification in Computing · Cloud Data Security Solutions
