The application schema layer of a Database Management System (DBMS) can be modi ed to produce results that do not
ect the data actually stored in the database. For example, table structures may be corrupted by changing the metadata
of a database, or operators of the database can be altered to produce incorrect results when used in queries. Such incorrect
results may lead to a forensic examination to determine the cause of the problem. Alternatively, such modi cations may be
employed as an anti-forensic technique in an attempt to hide the actual data from an investigator when an investigation
lead to the examination of a database. In both cases forensic examiners need to be aware of the impact of such metadata
on queries and plan their examination of the database accordingly. Di erent versions of a layer of metadata may exist: a
version as found on the computer being investigated, the version that was initially designed, versions from backups, and so
on. It is possible that these versions are identical, but subtle ad hoc changes are often made over time and someone with
access and malicious intent can introduce changes to modify the behaviour of the DBMS to achieve some nefarious goal.
This paper initially discusses categories of possibilities that exist to (surreptitiously) change the application schema;
practical examples are used to illustrate these possibilities.
The paper is based on the premise that a speci c combination of DBMS layers of metadata and data should be
assembled to test speci c hypotheses. For example, questions about how a DBMS should have responded to a speci c query
and how it does, in fact, respond are both facts that may be important to a forensic investigator. The paper illustrates
how such a combination of layers may be of use to examine a speci c facet of the behaviour of the DBMS. The paper refers
to such a combination of layers as a con guration.
The primary purpose of the paper is to explore methods that may be used to construct a given con guration for
testing. A process is proposed on how forensic evidence should be extracted from the application schema layer of a DBMS.