Editor’s note: In the information age, the importance of the database is beyond doubt. However, information security of database has always been a headache for us. Misoperation, man-made sabotage, hardware failure, many different reasons can lead to loss of valuable digital data.
Today, the SalvationDATA will share some of the ACCESS database file recovery and extraction technologies.
Access database introduction
Microsoft Access is a database management system (DBMS) from Microsoft that combines the relational Microsoft Jet Database Engine with a graphical user interface and software-development tools.
Microsoft Access stores data in its own format based on the Access Jet Database Engine. It can also import or link directly to data stored in other applications and databases. It is now widely used by personal developers, enterprises, government organizations or even military agencies. Access is not only a simple database, it is also equipped with powerful data managing capability, providing convenience for data storage, query, reporting, etc.
How does Access database store data
Access database stores data based on a sort of page structure. Each page contains 4096 Bytes, and the first byte of this page indicates its type. These types include:
00 – database info page, 01 – data page, 02 – table structure page, 04 – transition page
A typical Access database structure is shown in below picture. 02 page records management information for this database file, while 04 page records the page number of 01 page, and 01 pages are where the actual data is stored.
When reading an Access database table, the structure is as below picture shows. 00 page is fixed as the first page, 02 is the second, 04 records the page number of 01 pages, and 01 are the data pages. However, this time it is not data that is stored in 01 pages but table inform of this database.
The structure of 00 page is as below, database basic info is recorded in this page.
The structure of 01 page is as below, user data is recorded in this page.
The structure of 02 page is as below.
The structure of 04 page is as below.
How to recover data from Access database?
According to our forensic expert’s analysis, when data is deleted from a database table, the raw data will not be erased. Only the management data recorded in 01 pages is
changed, at the offset position 0x0F we found that 0F has changed to CF.
However, after deletion, the raw user data still remains. As shown in the below picture:
And according to the data row structure, it is possible to recover deleted row data. The row structure is shown below:
Conclusion
Based on the analysis of Access database structure above, we now understand how the raw data changes when data is deleted from an Access database. And we discovered that no matter if a data row, a table, or even the database file is deleted, we can always recover the data by analyzing the page structure on the base level.
So in this article, we introduced a practical and efficient solution to recover deleted data from Microsoft Access database.
SalvationDATA Blog 