The Examination of Questioned Digital Documents Customized From a Database
Adedayo and Olivier
2022
Citation information
O. M. Adedayo and M. S. Olivier. “The Examination of Questioned Digital Documents Customized From a Database”. In: AAFS 73rd Annual Scientific Meeting. (Oral presentation; abstract included in proceedings). Seattle, WA, USA, Feb. 2022Abstract
The trend towards digitalisation means that digital documents with intrinsic value are continually created. Whereas questioned document examination often relies on the examination of physical artefacts, approaches for examining questioned digital documents need to be improved.
Questioned digital documents may originate from different sources. A possible scenario is where a customized or personalized document derived from a database is questioned. Often an original document is created via a template that is populated with information in the database and is deemed to be the authoritative version of the document. Someone who can access the DBMS directly, may, for example, be able to modify document content, or document content may be modified due to data dependencies after creation of the document. The examiner is faced with the challenge of determining whether the document was derived from the template, and the database instance at the time the document was created. Examination is based on comparing the document to the template, dependence of document fields on other database fields and reconstruction of the database to the creation time of the document (if necessary).
The examination process may depend on the size and quantity of documents to be examined. Examination of isolated documents with minimal content may be performed manually by attempting to determine the values extracted from the database at the time of interest. Examination of multiple documents and/or documents with large amounts of data (e.g., account statements listing many transactions) will benefit from techniques to recreate the documents for comparison. This presentation discusses some approaches and challenges that apply to such a context.
The complexity of recreating the original document(s) from the database depends on the availability of the template from which the document was derived and the ability to determine the content of the database at the time the document was derived. Three possibilities were considered: 1) Where the template previously used for the document creation exists, the original document(s) can be reconstructed if the database can be reverted to the same instance as when the document was created. And the comparison process that can be automated. 2) When the document template has been modified, but still communicates the same information as before, the reconstructed document may differ from the questioned document, but the data extracted from the database should remain the same. Comparing the two documents may involve suppression of “constant” text and exploring differences in the remaining data. 3) When the template is lost, the examiner may use the database schema and the questioned document to determine inferred values which may then be compared with those on the questioned document. It is important to note that when the database schema has changed or the database needs to be reverted, some information may be overlooked or not be available for comparison.
This presentation assumes that the database or schema can be reverted to the
time that the questioned document was (purportedly) created. Although this research
was not focused on reverting or reconstructing the database, approaches that have
been described [1, 2] for this purpose can be used to obtain an earlier instance of the
database for document examinations.
References
-
[1] O. M. Fasan and M. S. Olivier. Reconstruction in Database Forensics. Advances in Digital Forensics VIII. Springer, 2012, pp. 273–287.
-
[2] O. M. Adedayo and M. S. Olivier. Schema Reconstruction in Database Forensics. Advances in Digital Forensics X. Springer, 2014, pp. 101–116.
BibTeX reference
@conference(dbdocs,author={Oluwasola Mary Adedayo and Martin S. Olivier},
title={The Examination of Questioned Digital Documents Customized From a Database},
booktitle={AAFS 73rd Annual Scientific Meeting},
address={Seattle, WA, USA},
month=feb,
year=2022,
note={(Oral presentation; abstract included in proceedings)} )