A method and tool to recover data deleted from a MongoDB

Bibliographic Details
Published in: Digital investigation Vol. 24; pp. 106 - 120
Main Authors: Yoon, Jongseong; Lee, Sangjin
Format: Journal Article
Language: English
Published: Elsevier Ltd 01.03.2018
ISSN: 1742-2876, 1873-202X
DOI: 10.1016/j.diin.2017.11.001

Summary: A DBMS stores important data, which is one of the important subjects of analysis in digital forensics. The technique of recovering deleted data from the DBMS plays an important role in finding evidence in forensic investigation cases. Although relational DBMSs have been used as important data storage until now, NoSQL DBMSs are used more often due to the growing pursuit of Big Data. This increases the potential to analyze a NoSQL DBMS in forensic cases. In reality, data from approximately 26,000 servers has been deleted by a massive ransom attack on vulnerable MongoDB servers. Therefore, investigation of internal structure analysis and deleted data recovery techniques of NoSQL DBMSs is essential. In this paper, we research the recovery method for deleted data in MongoDB, which is widely used. We have analyzed the internal structures of the WiredTiger and MMAPv1 storage engines, which are MongoDB's disk-based storage engines. Moreover, we have implemented the recovery algorithm as a tool and have evaluated its performance on real and self-generated experiment data.