ORCID ID
0009-0009-6558-3546
Date of Award
5-2026
Degree Type
Dissertation
Degree Name
Ph.D.
Degree Program
Engineering and Applied Science - Computer Science
Department
Computer Science
Major Professor
James Wagner
Second Advisor
Vassil Roussev
Third Advisor
Abdul Rahman Alsamman
Fourth Advisor
Alexander Rasin
Abstract
Modern organizations rely on diverse database management systems to store critical data across heterogeneous storage architectures. These platforms complicate forensic investigations because database engines vary profoundly in their layouts, encodings, and update policies. Malicious insiders can exploit this architectural opacity to alter data and disable audit logging undetected, leaving investigators with an untrusted view of database activity. Furthermore, building custom forensic solutions for every database version is fundamentally unscalable.
This dissertation advances data-system security through a tamper-aware, cross-layer framework that reconstructs database states and detects unauthorized operations even when audit logs are manipulated. By unifying the analysis of physical storage and application-level logs, this approach provides trustworthy insight into system behavior under a privileged-insider threat model.
This work is implemented through two novel methodologies. First, we introduce the Automated NoSQL Carver (ANOC), which integrates our novel Inference for NoSQL Storage (INFERNOS) algorithm to automatically infer NoSQL storage structure parameters and reconstruct records directly from raw disk and memory snapshots without vendor-specific parsers. Second, we present the Record and Artifact Detection, Alignment and Reporting (RADAR) framework for NoSQL databases. Building on artifacts recovered by ANOC, RADAR reconciles active, modified, and deleted storage evidence with application audit logs to expose unattributed operations.
Experimental validation confirms the effectiveness of both methodologies. Testing across ten diverse NoSQL databases demonstrates the record-reconstruction and operation-verification capabilities of ANOC and RADAR. ANOC achieves up to 100 percent reconstruction of inserted records at high throughputs and maintains reliable recovery under random file corruption. Together, these contributions enable trustworthy reconstruction and verification of database activity across heterogeneous data-system architectures.
Recommended Citation
Nissan, Mahfuzul I., "Database State Reconstruction and Audit Log Reconciliation for Data Systems Security" (2026). University of New Orleans Theses and Dissertations. 3392.
https://scholarworks.uno.edu/td/3392
Rights
The University of New Orleans and its agents retain the non-exclusive license to archive and make accessible this dissertation or thesis in whole or in part in all forms of media, now or hereafter known. The author retains all other ownership rights to the copyright of the thesis or dissertation.