Forensic analysis of SQL server transaction log in unallocated area of file system

Hoyong Choi, Sangjin Lee

Research output: Contribution to journal › Article › peer-review


The importance of database forensics is increasing day by day as the use of databases to store sensitive corporate and personal data increases. Database forensics is a field of digital forensics that deals with database-related incidents such as data corruption, breaches, and leaks. One of the key functions of database forensics is information reconstruction, which is the tracing of actions from the time of an event to the present based on various information stored in the database. This feature allows investigators to identify unauthorized user actions and data deletion or manipulation when an incident occurs. Database log data is primarily used to reconstruct information. Database logs include transaction logs, error logs, event logs, and trace logs. Among them, we focus on the transaction log of Microsoft SQL Server (MSSQL), one of the most popular database management systems in the world. Raw-level studies have been conducted on the transaction logs of Oracle and MySQL, other databases used at the enterprise level. However, there is very little research on MSSQL transaction logs. For this reason, we analyze the internal structure of the MSSQL transaction log. Based on these findings, we present an empirical method to identify and extract transaction log records in the unallocated area.

Original language: English
Article number: 301605
Journal: Forensic Science International: Digital Investigation
Publication status: Published - 2023 Oct

Bibliographical note

Publisher Copyright:
© 2023 The Author(s)


Keywords

  • Database
  • Database forensics
  • Digital forensics
  • SQL server
  • Transaction log

ASJC Scopus subject areas

  • Pathology and Forensic Medicine
  • Information Systems
  • Computer Science Applications
  • Medical Laboratory Technology
  • Law

