400-6666-8888
Free trial
*First Name:
*Last Name:
*Agency/Organization/Company
*Email address:
Mobile:
What is your industry:
Country:
*Requested Product:
How do you know us:
Lets us know if you have additional comments:

[Case Study] Computer Forensics: Access Database Forensic Analysis

Editor’s note: In the information age, the importance of the database is beyond doubt. However, information security of database has always been a headache for us. Misoperation, man-made sabotage, hardware failure, many different reasons can lead to loss of valuable digital data.

Today, the SalvationDATA will share some of the ACCESS database file recovery and extraction technologies.

Access database introduction

Microsoft Access is a database management system (DBMS) from Microsoft that combines the relational Microsoft Jet Database Engine with a graphical user interface and software-development tools.

Microsoft Access stores data in its own format based on the Access Jet Database Engine. It can also import or link directly to data stored in other applications and databases. It is now widely used by personal developers, enterprises, government organizations or even military agencies. Access is not only a simple database, it is also equipped with powerful data managing capability, providing convenience for data storage, query, reporting, etc.

How does Access database store data

Access database stores data based on a sort of page structure. Each page contains 4096 Bytes, and the first byte of this page indicates its type. These types include:

00 – database info page, 01 – data page, 02 – table structure page, 04 – transition page

A typical Access database structure is shown in below picture. 02 page records management information for this database file, while 04 page records the page number of 01 page, and 01 pages are where the actual data is stored.

SalvationDATA Computer Forensics Database Extraction

When reading an Access database table, the structure is as below picture shows. 00 page is fixed as the first page, 02 is the second, 04 records the page number of 01 pages, and 01 are the data pages. However, this time it is not data that is stored in 01 pages but table inform of this database.

2

The structure of 00 page is as below, database basic info is recorded in this page.

3

The structure of 01 page is as below, user data is recorded in this page.

4
5

The structure of 02 page is as below.

6

The structure of 04 page is as below.

7

How to recover data from Access database?

According to our forensic expert’s analysis, when data is deleted from a database table, the raw data will not be erased. Only the management data recorded in 01 pages is

changed, at the offset position 0x0F we found that 0F has changed to CF.

8

However, after deletion, the raw user data still remains. As shown in the below picture:

9

And according to the data row structure, it is possible to recover deleted row data. The row structure is shown below:

10

Conclusion

Based on the analysis of Access database structure above, we now understand how the raw data changes when data is deleted from an Access database. And we discovered that no matter if a data row, a table, or even the database file is deleted, we can always recover the data by analyzing the page structure on the base level.

So in this article, we introduced a practical and efficient solution to recover deleted data from Microsoft Access database.

  • [Software Update] VIP 2.0 (Video Investigation Portable) 21.8.6.211 New Released now!


    The latest update of VIP 2.0 (Video Investigation Portable) is released now!

    Download or apply for a Free Trial Now!


    V21.8.6.2113 Version upgrade instructions:


    1.Added Walsh, Ezviz, xinhanshi, keshian and huiershi file system



    2. Optimized NVR analysis of glass particle, Zhiteng and Yushi technology


    3. Optimized the saving method of video files, and store the saved video files and corresponding verification files respectively


    4. Optimized the filtering of video retrieval objects and cancel the upper limit of displaying up to 99 retrieval results


    5. Optimized the scan result list and support inverse selection


    6. Optimized disk imaging


    7. Optimized batch transcoding tools and increase the upper limit of simultaneous transcoding


    8. Supported closing the video service after closing the program


    9. Supported the selection of mapped network disk path


    10. Optimized search tools


    11. Compatible with 2k and 4K resolution display

  • [Software Update] Mobile Forensics: SPF Pro V6.115.2 New Released now!

    SPF PRO V6.115.2

    The latest update of SPF Pro (SmartPhone Forensic System) is released now!

    Download or Contact us to apply for a Free Trial Now!


    V6.115.2 Version upgrade instructions:


    1. Added OPPO dual APPs data extraction, allow manually setup WIFI


    2. Optimized the scheme of copying media files for Android phones to improve the process speed of forensics


    3. Added the maintenance entry of “material information” during the process of extraction



    4. Optimized automatic extraction of Huawei mobile phone, supporting backup parsing to the latest version (11.0.0.530)


    5. Supported HarmonyOS data backup and parsing


    6. Updated some plug-ins


    Android: UC Browser, Quark; iOS: AKeyChat, Quark


    7. Added APPs search



    8. Added plug-in online upgrade function



    9. Bug fixed

  • HUAWEI Harmony OS – Firstly Supported by SPF Pro!


    Recently, Huawei announced that they plan to officially launch the long-awaited Harmony OS on June 2nd, by holding a product launch event.

    Before then, the operating system, which has only been used in products such as smart screens and wearable devices.



    Soon after the event, it’s expected to be used in more product categories including cellphones.

    Besides, they also released a video of the startup of the Harmony mobile OS on Weibo on May 27th.


    HUAWEI Harmony OS

    Due to chasing the most cutting-edge tech on mobile forensics, we made every efforts to obtain the qualification of the internal test long before so that we made great progress in advance for the upgrade of SPF Pro.


    SalvationDATA began to pay close attention to HarmonyOS at the very beginning of its emergence. Until now, we have obtained a preliminary technical breakthrough and we’re proud to say we’re capable of data extraction from devices that run HarmonyOS!

    After integrating the technology into Smartphone Forensics System(SPF Pro), it’ll officially meet with you guys in the next updated version (the new version is expected to be released on June 5th).



    SPF Pro is able to support the extraction and forensics investigation of normal data and deleted data of mobile phones equipped with HarmonyOS, including data of mobile phones themselves and data of third-party applications.

    The existing commonly used third-party applications are also supported, including but not limited to: QQ, WeChat, Yidui, Momo, Sina Weibo, QQ mailbox, Lianxin, Tantan, WhatsApp, Snapchat, and other mainstream apps.



    Customers who want to be the first to experience HarmonyOS smartphone forensics could download the next version of SPF Pro from our official website after the release on June 5.

  • [Software Update] Database Forensics: DBF 6300 V21.5.28.170 New Released now!


    The latest update of DBF 6300 (Database Forensic Analysis System) is released now!

    Download or Contact us to apply for a Free Trial Now!


    V6.113 Version upgrade instructions:


    1. Added online database for Oracle, PostgreSQL, support data parsing, analyzing and exporting



    2. Added file mode for CSV parsing, support CSV document parsing, analyzing, and exporting



    3. New online database collection tool, support MySQL, SQL Server, Oracle, PostgreSQL database online collection



    4. Rebuilt hierarchical analysis, added relationship chain marking, filtering deleted data, and improve the processing capacity of million-level hierarchical analysis



    5. Added functions of identification and conversion of special data for data statistical analysis (PRC Resident ID card, currency rate, etc.) and real-time editing of map data



    6. Added advanced query for filtering deleted data



    7. Bug fixed

  • [Software Update] Mobile Forensics: SPF Pro V6.113 New Released now!

    The latest update of SPF Pro (SmartPhone Forensic System Professional) is released now!

    Download or Contact us to apply for a Free Trial Now!

    V6.113 Version upgrade instructions:

    1. Optimized the automatic extraction of Huawei. Improved the backup speed, support to the latest HiSuite version backup analysis.

    2. Optimized the OPPO automatic extraction and backup tool. Improved the backup speed, allow users to try to continue the backup in the event of a backup failure, and improved stability.

    3. Optimized the automatic extraction of vivo. Solved the problem that some mobile phones cannot extract data from some third-party apps.

    4. Added “default iTunes backup password” setting, no need to manually enter when extracting.

    Salvationdata Mobile Forensics interface

    5. Added “Calculate MD5 value of file when extracting file” setting, support export to report.

    Salvationdata Mobile Forensics interface

    6. Optimized the analysis of iOS WeChat. Added group nickname, group joining method, and WeChat favorites data analysis.

    7. Upgraded the “photo/screenshot” function. Support to save screenshots and photos to a custom node, and synchronize to the extraction results.

    8. Updated some plugins:

    Android: Skype(Intl), Line, ArticleNews, KakaoTalk, NinthChat, OperaBrowser, OutlookMail, Snapchat, Whatsapp, XiaoMiBrowser

    iOS: Momo

  • [Software Update] DRS (Data Recovery System) V17.7.3.2.286 — Major improvements on flexibility & usability that makes your investigations easier and more efficient!

    As an integrated digital forensics & forensic data recovery solution provider, would never stop satisfying clients by keeping updated its software. Here we are excited to announce that newest version of DRS (Data Recovery System) is releasing today!

    Let’s have a look what new features have been added to this all-in-one forensic data recovery tool:

    1. Physical diagnostics is now available for all drives attached to the DRS hardware unit and your PC. Quick Diagnostics, Scan Bad Sector and Sector View are all accessible for drives plugged to the hardware unit or not.

    DRS Forensic data recovery

    2. New file system support: CDFS, UDF, F2FS are now supported for analysis (CDFS & UDF not supported for Pattern Scan).

    Image 2

    3. New image format support: VHD, VHDX.

    DRS Forensic data recovery

    4. New search options: folder name search and time search. Allow users to search for folders with certain keywords or specify a certain time period to narrow down their search.

    DRS Forensic data recovery

    5. New feature in Disk Imaging: large disk image to small disk.

    6. New feature in Hash Calculator: Hash calculation for physical drives.

    DRS Forensic data recovery

    7. New feature in imaging report: authentication of forensic image.

    DRS Forensic data recovery

    8. Multiple bugs fixed.

    Click HERE to learn more about DRS.

[Sassy_Social_Share title="Share To"]

Leave a Reply

  • Your email address will not be published. Required fields are marked*
  • code
    Type the text displayed above:
Previous post ran out of data

Contact us

+86 28 6873 1486
info@salvationdata.com
©Copyright 2004-2021, XLY Salvationdata Technology INC. All Rights Reserved. Terms of Use.