Citation: Alhussan, A.A.; Al-Dhaqm, A.; Yafooz, W.M.S.; Emara, A.-H.M.; Bin Abd Razak, S.; Khafaga, D.S. A Unified Forensic Model Applicable to the Database Forensics Field. Electronics 2022, 11, 1347. https://doi.org/10.3390/electronics11091347

Academic Editor: Prasan Kumar Sahoo

Received: 12 March 2022
Accepted: 17 April 2022
Published: 23 April 2022

Copyright: © 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

Article

A Unified Forensic Model Applicable to the Database Forensics Field

Amel Ali Alhussan 1, Arafat Al-Dhaqm 2, Wael M. S. Yafooz 3, Abdel-Hamid M. Emara 3,4, Shukor Bin Abd Razak 2 and Doaa Sami Khafaga 1,*

1 Department of Computer Sciences, College of Computer and Information Sciences, Princess Nourah Bint Abdulrahman University, Riyadh 11671, Saudi Arabia; aaalhussan@pnu.edu.sa
2 School of Computing, Faculty of Engineering, Universiti Teknologi Malaysia (UTM), Johor Skudai 813110, Malaysia; mrarafat1@utm.my (A.A.-D.); shukorar@utm.my (S.B.A.R.)
3 Department of Computer Science, College of Computer Science and Engineering, Taibah University, Medina 42353, Saudi Arabia; wyafooz@taibahu.edu.sa (W.M.S.Y.); aemara@taibahu.edu.sa (A.-H.M.E.)
4 Department of Computers and Systems Engineering, Faculty of Engineering, Al-Azhar University, Cairo 11884, Egypt
* Correspondence: dskhafga@pnu.edu.sa

Abstract: The Database Forensics Investigation (DBFI) field is focused on capturing and investigating database incidents. DBFI is a subdomain of the digital forensics domain, which deals with database files and dictionaries to identify, acquire, preserve, examine, analyze, reconstruct, present, and document database incidents.
Several frameworks and models have been offered for the DBFI field in the literature. However, these specific models and frameworks have redundant investigation processes and activities. Therefore, this study has two aims: (i) conducting a comprehensive survey to discover the challenges and issues of the DBFI field and (ii) developing a Unified forensic model for the database forensics field. To this end, the design science research (DSR) method was used in this study. The results showed that the DBFI field suffers from many issues such as the lack of standardization, multidimensional nature, heterogeneity, and ambiguity, making it complex for those working in this domain. In addition, a model was proposed in this paper, called the Unified Forensic Model (UFM), which consists of five main stages: initialization stage, acquiring stage, investigation stage, restoring and recovering stage, and evaluation stage. Each stage has several processes and activities. The applicability of UFM was evaluated from two perspectives: completeness and implementation perspectives. UFM is a novel model covering all existing DBFI models and comprises two new stages: the recovering and restoring stage and the evaluation stage. The proposed UFM is so flexible that any forensic investigator could employ it easily when investigating database incidents.

Keywords: database forensic; digital forensic; design science research; model

1. Introduction

Database Forensic Investigation (DBFI) is a branch of digital forensics that examines database content to confirm database incidents. It is considered a significant field to identify, detect, acquire, analyze, and reconstruct database incidents and reveal intruders’ activities [1]. It has suffered from several issues, which have resulted in it becoming a heterogeneous, confusing, and unstructured domain.
Examples of these issues include a variety of database system infrastructures, the multidimensional nature of database systems, and domain knowledge effectively being scattered in all directions. Various database system infrastructures with multidimensional natures have enabled the DBFI domain to address specific incidents. Therefore, each database management system (DBMS) has a straightforward forensic investigation model/approach. Consequently, the issues of different concepts and terminologies in the forensic investigation process and the scattering