# Memory-Driven Forensic Analysis of SQL Server: A Buffer Pool and Page Inspection Approach

**Authors:** Jiho Shin

PMC · DOI: 10.3390/s25113512 · Sensors (Basel, Switzerland) · 2025-06-02

## TL;DR

This paper introduces a new method for recovering deleted data in SQL Server by analyzing memory, which is useful for real-time forensic investigations in IoT and edge computing systems.

## Contribution

The paper introduces a memory-driven forensic methodology for real-time recovery of deleted data in SQL Server using buffer pool and transaction log analysis.

## Key findings

- Combining transaction log analysis and in-memory page inspection allows partial or full recovery of deleted data in a live SQL Server environment.
- The proposed method enables real-time forensic analysis without interrupting database operations, enhancing speed and accuracy in digital forensics.
- The approach is particularly effective in IoT environments for maintaining sensor data integrity and system resilience.

## Abstract

This study proposes a memory-based forensic procedure for real-time recovery of deleted data in Microsoft SQL Server environments. This approach is particularly relevant for sensor-driven and embedded systems—such as those used in IoT gateways and edge computing platforms—where lightweight SQL engines store critical operational and measurement data locally and are vulnerable to insider manipulation. Traditional approaches to deleted data recovery have primarily relied on transaction log analysis or static methods involving the examination of physical files such as .mdf and .ldf after taking the database offline. However, these methods face critical limitations in real-time applicability and may miss volatile data that temporarily resides in memory. To address these challenges, this study introduces a methodology that captures key deletion event information through transaction log analysis immediately after data deletion and directly inspects memory-resident pages loaded in the server’s Buffer Pool. By analyzing page structures in the Buffer Pool and cross-referencing them with log data, we establish a memory-driven forensic framework that enables both the recovery and verification of deleted records. In the experimental validation, records were deleted in a live SQL Server environment, and a combination of transaction log analysis and in-memory page inspection allowed for partial or full recovery of the deleted data. This demonstrates the feasibility of real-time forensic analysis without interrupting the operational database. The findings of this research provide a foundational methodology for enhancing the speed and accuracy of digital forensics in time-sensitive scenarios, such as insider threats or cyber intrusion incidents, by enabling prompt and precise recovery of deleted data directly from memory. 
These capabilities are especially critical in IoT environments, where real-time deletion recovery supports sensor data integrity, forensic traceability, and uninterrupted system resilience.
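The log-to-buffer-pool cross-reference described in the abstract can be sketched in T-SQL as follows. This is an added example, not the paper's own procedure or code; it assumes a database named `ForensicDemo` (hypothetical), sysadmin rights, and the undocumented but long-standing `sys.fn_dblog` and `DBCC PAGE` facilities.

```sql
-- Added example, constructed for illustration; not taken from the paper.
-- ForensicDemo is a hypothetical database name.
USE ForensicDemo;
GO

-- Step 1: collect row-delete events still held in the active transaction log.
-- fn_dblog reports [Page ID] as hex "file:page" (for example 0001:00000120),
-- so both halves are converted to integers for the join in step 2.
WITH deleted_rows AS (
    SELECT
        [Current LSN]       AS lsn,
        [Transaction ID]    AS xact_id,
        AllocUnitName       AS alloc_unit,
        CONVERT(int, CONVERT(varbinary(2), LEFT([Page ID], 4), 2))         AS file_id,
        CONVERT(int, CONVERT(varbinary(4), SUBSTRING([Page ID], 6, 8), 2)) AS page_id,
        [Slot ID]           AS slot_id,
        [RowLog Contents 0] AS deleted_row_image   -- raw bytes of the removed row
    FROM sys.fn_dblog(NULL, NULL)
    WHERE Operation = N'LOP_DELETE_ROWS'
      AND AllocUnitName NOT LIKE N'sys.%'          -- skip system-table activity
)
-- Step 2: check whether each affected page is still resident in the buffer pool.
SELECT
    d.lsn, d.xact_id, d.alloc_unit, d.file_id, d.page_id, d.slot_id,
    CASE WHEN b.page_id IS NULL THEN 0 ELSE 1 END AS in_buffer_pool,
    b.is_modified,                                 -- 1 = dirty, not yet flushed to disk
    d.deleted_row_image
FROM deleted_rows AS d
LEFT JOIN sys.dm_os_buffer_descriptors AS b
       ON b.database_id = DB_ID()
      AND b.file_id     = d.file_id
      AND b.page_id     = d.page_id
ORDER BY d.lsn;
GO

-- Step 3: dump one page for slot-level inspection.
-- The file and page numbers below are placeholders; substitute a
-- (file_id, page_id) pair returned by step 2.
DBCC TRACEON(3604);                      -- send DBCC output to the client session
DBCC PAGE (N'ForensicDemo', 1, 288, 3);  -- print option 3: header plus per-row detail
```

Run it from a separate read-only session and save the result set before inspecting pages, since later checkpoints and log truncation can remove both the log records and the cached pages.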

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/PMC12158317/full.md

## Figures

8 figures with captions in the complete paper: https://tomesphere.com/paper/PMC12158317/full.md

## References

20 references — full list in the complete paper: https://tomesphere.com/paper/PMC12158317/full.md

---
Source: https://tomesphere.com/paper/PMC12158317