Database memory forensics: A machine learning approach to reverse-engineer query activity

Memory analysis allows forensic investigators to establish a more complete timeline of system activity using a snapshot of main memory (i.e., RAM). Investigators may rely on such analysis to detect malicious activity and understand the scope of what data was exfiltrated. This is of particular interest in the presence of incomplete or untrusted logs, where a privileged user (or an attacker with such capabilities) can altogether bypass or disable logging. In such instances, a forensic investigator can still rely on the fact that data must ultimately be processed in memory, regardless of the information that is recorded in audit logs.