Forensic analysis of SQL server transaction log in unallocated area of file system

The importance of database forensics is increasing day by day as the use of databases to store sensitive corporate and personal data increases. Database forensics is a field of digital forensics that deals with database-related incidents such as data corruption, breaches, and leaks. One of the key functions of database forensics is information reconstruction, which is the tracing of actions from the time of an event to the present based on various information stored in the database. This feature allows investigators to identify unauthorized user actions and data deletion or manipulation when an incident occurs. Database log data is primarily used to reconstruct information. Database logs include transaction logs, error logs, event logs, and trace logs. Among them, we focus on the transaction log of Microsoft SQL Server (MSSQL), one of the most popular database management systems in the world. Raw-level studies have been conducted on the transaction logs of Oracle and MySQL, other databases used at the enterprise level. However, there is very little research on MSSQL transaction logs. For this reason, we analyze the internal structure of the MSSQL transaction log. Based on these finding, we present an empirical method to identify and extract transaction log records in unallocated area.