Received May 6, 2020, accepted May 31, 2020, date of publication June 8, 2020, date of current version June 29, 2020. Digital Object Identifier 10.1109/ACCESS.2020.3000747 Categorization and Organization of Database Forensic Investigation Processes ARAFAT AL-DHAQM 1,2 , (Member, IEEE), SHUKOR ABD RAZAK 1 , (Member, IEEE), DAVID A. DAMPIER 3 , (Senior Member, IEEE), KIM-KWANG RAYMOND CHOO 4 , (Senior Member, IEEE), KAMRAN SIDDIQUE 5 , (Member, IEEE), RICHARD ADEYEMI IKUESAN 6 , ABDULHADI ALQARNI 7 , AND VICTOR R. KEBANDE 8 1 Faculty of Engineering, School of Computing, Universiti Teknologi Malaysia (UTM), Johor Bahru 81310, Malaysia 2 Department of Computer Science, Aden Community College, Aden 891-6162, Yemen 3 College of Engineering and Computer Sciences, Marshall University, Huntington, WV 25755, USA 4 Department of Information Systems and Cyber Security, The University of Texas at San Antonio, San Antonio, TX 78249-0631, USA 5 Information and Communication Technology Department, School of Electrical and Computer Engineering, Xiamen University, Sepang 43900, Malaysia 6 Department of Cybersecurity and Networking, School of Information Technology, Community College of Qatar, Doha 9740, Qatar 7 Computer Science and Engineering Department, Jubail University College, Jubail 31961, Saudi Arabia 8 Computer Science and Media Technology Department, Malmö Universitet, 20506 Malmö, Sweden Corresponding authors: Arafat Al-Dhaqm (mrarafat@utm.my) and Kamran Siddique (kamran.siddique@xmu.edu.my) This work was supported in part by the Research Management Center, Xiamen University Malaysia under the XMUM Research Program Cycle 3 (Grant XMUMRF/2019-C3/IECE/0006) and in part by the Research Management Center, University Technology Malaysia under the Modeling Information Security Policy Field (Grant R. J130000.7113.04E96). ABSTRACT Database forensic investigation (DBFI) is an important area of research within digital forensics. It’s importance is growing as digital data becomes more extensive and commonplace. The challenges associated with DBFI are numerous, and one of the challenges is the lack of a harmonized DBFI process for investigators to follow. In this paper, therefore, we conduct a survey of existing literature with the hope of understanding the body of work already accomplished. Furthermore, we build on the existing literature to present a harmonized DBFI process using design science research methodology. This harmonized DBFI process has been developed based on three key categories (i.e. planning, preparation and pre-response, acquisition and preservation, and analysis and reconstruction). Furthermore, the DBFI has been designed to avoid confusion or ambiguity, as well as providing practitioners with a systematic method of performing DBFI with a higher degree of certainty. INDEX TERMS Database forensics, database forensic investigation, digital forensics, investigation process model. I. INTRODUCTION The use of different terminologies along with different defi- nitions to describe exactly the same thing, object or activity can cause confusion and ambiguity [1], which does not help reasoning in a court of law. A unique terminology along with an explicit definition is usually required to inform the reader on what each term in the process model meant [2]. This is particularly useful in digital forensics where the ambiguity of terms could result in litigation failure [3]. Otherwise, the reader may be in the dark about what the author is thinking and studying. Defining exactly what each terminology means The associate editor coordinating the review of this manuscript and approving it for publication was Lo’ai A. Tawalbeh . is an important part of the process construction. As a result, semantic-based conflicts that arise between two or more ter- minologies, must be reconciled or harmonized based on a common interpretation. This paper discusses the redundancy and overlaps in the DBFI processes which made the DBFI field ambiguous and heterogeneous among domain investigators. Redundancy in this regard refers to the tendency of multiple components of a model (or even different models) to imply the same meaning, even within the same context (as well as within different contexts). And in a different context, such terminol- ogy presents room for ambiguous connotations which could limit the efficacy of the proposed model. The combination of these two fundamental limitations could potentially lead to 112846 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ VOLUME 8, 2020