Authors: Kim Jeonghyeon (Korea University), Park Aran (Korea University), Lee Sangjin (Korea University)
DFRWS USA 2016
Abstract
The Extensible Storage Engine (ESE) database is a data storage technology developed by Microsoft. It is mainly used by Windows OS and its web browser. It is possible to easily delete a table or a record in the database using the ESENT API. However, there are insufficient papers and relevant information about how about recovering deleted records. Previous works apply only to some tables and fail to recover deleted data perfectly. In this paper, we analyzed the structure of the ESE database and present a general-use technique to recover deleted records and tables. We developed a tool to implement the technique and assessed the performance of the proposed tool.