The widespread adoption of NoSQL databases has made digital forensics increasingly difficult: storage formats are diverse and often opaque, and audit logs cannot be assumed trustworthy when privileged insiders, such as DevOps engineers or administrators, can disable, suppress, or manipulate logging to conceal activity. We present RADAR (Record & Artifact Detection, Alignment & Reporting), a log-adversary-aware framework that derives forensic ground truth by cross-referencing low-level storage artifacts against high-level application logs. RADAR analyzes artifacts reconstructed by the Automated NoSQL Carver (ANOC), which infers layouts and carves records directly from raw disk bytes, bypassing database APIs and the management system entirely and thereby treating physical storage as the independent evidence source. RADAR then reconciles the carved artifacts with the audit log to identify delta artifacts, such as unlogged insertions, silent deletions, and field-level updates, that exist on disk but are absent from the logical history. We evaluate RADAR across ten NoSQL engines (BerkeleyDB, LMDB, MDBX, etcd, ZODB, Durus, LiteDB, Realm, RavenDB, and NitriteDB), spanning key-value and document stores and multiple storage designs, e.g., copy-on-write/MVCC, B/B+ tree, and append-only. Under log-evasion scenarios, such as log suppression and post-maintenance attacks, including cases where historical bytes are pruned, RADAR consistently exposes unattributed operations while sustaining 31.7-397 MB/min processing throughput, demonstrating the feasibility of log-independent, trustworthy NoSQL forensics.
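The reconciliation step described above (replaying the audit log into a logical view and diffing it against what was carved from disk) is illustrated by the following added example. It is not code from the RADAR or ANOC projects; it assumes a simplified representation in which the audit log is a list of insert/update/delete events and carved records are (key, fields, live) tuples, where `live=False` marks a copy recovered from stale or unreferenced space (an old MVCC version, a freed page). Both inputs are constructed sample data. The example reports all four delta classes: unlogged insertions, silent deletions, field-level updates, and stale on-disk versions that match no logged state.

```python
"""Reconcile carved on-disk records with an audit log to surface delta artifacts.

Added illustration of the cross-referencing idea; the log format, the record
representation and all sample data below are constructed assumptions, not
RADAR/ANOC output.
"""

# Constructed audit-log events as (op, key, fields); 'update' carries only the
# changed fields, 'delete' carries None.
AUDIT_LOG = [
    ("insert", "user:1", {"name": "alice", "role": "user"}),
    ("insert", "user:2", {"name": "bob", "role": "user"}),
    ("update", "user:2", {"role": "admin"}),
    ("insert", "user:3", {"name": "carol", "role": "user"}),
    ("delete", "user:3", None),
    ("insert", "user:5", {"name": "dave", "role": "user"}),
]

# Constructed carved records as (key, fields, live). live=True is a record the
# storage structure still references; live=False is residue in stale space.
CARVED = [
    ("user:1", {"name": "alice", "role": "superuser"}, True),   # role changed, no update logged
    ("user:1", {"name": "alice", "role": "admin"}, False),      # old copy matching no logged state
    ("user:2", {"name": "bob", "role": "admin"}, True),         # consistent with the log
    ("user:2", {"name": "bob", "role": "user"}, False),         # old copy explained by the logged update
    ("user:3", {"name": "carol", "role": "user"}, False),       # residue of a logged delete
    ("user:4", {"name": "mallory", "role": "admin"}, True),     # never appears in the log
]


def replay_log(events):
    """Replay the audit log into the state it claims.

    Returns (final_state, versions): final_state maps key -> fields after the
    last event; versions keeps every intermediate snapshot per key so that stale
    on-disk copies can be matched against a legitimately logged past state.
    """
    state, versions = {}, {}
    for op, key, fields in events:
        if op == "insert":
            state[key] = dict(fields)
        elif op == "update":
            state[key] = {**state.get(key, {}), **fields}
        elif op == "delete":
            state.pop(key, None)
            continue  # a delete leaves no new snapshot to match against
        else:
            raise ValueError(f"unknown op {op!r}")
        versions.setdefault(key, []).append(dict(state[key]))
    return state, versions


def diff_fields(key, logged, on_disk):
    """Field-level comparison of one record: yields (key, field, logged, on_disk)."""
    for name in sorted(set(logged) | set(on_disk)):
        if logged.get(name) != on_disk.get(name):
            yield (key, name, logged.get(name), on_disk.get(name))


def reconcile(events, carved):
    """Cross-reference carved records against the replayed log and return the
    delta artifacts: everything on disk the logical history does not account for."""
    logical, versions = replay_log(events)
    live_disk = {key: fields for key, fields, live in carved if live}
    report = {
        "unlogged_insert": [],    # live on disk, absent from the log's final state
        "silent_delete": [],      # present per the log, but no live copy on disk
        "field_update": [],       # same key on both sides, field values differ
        "unexplained_stale": [],  # old copy that matches no logged version
    }
    for key in sorted(set(logical) | set(live_disk)):
        if key not in logical:
            report["unlogged_insert"].append(key)
        elif key not in live_disk:
            report["silent_delete"].append(key)
        else:
            report["field_update"].extend(diff_fields(key, logical[key], live_disk[key]))
    for key, fields, live in carved:
        if not live and fields not in versions.get(key, []):
            report["unexplained_stale"].append((key, fields))
    return report


if __name__ == "__main__":
    for kind, items in reconcile(AUDIT_LOG, CARVED).items():
        print(f"{kind}: {items}")
```

Two design points carry over to real engines. First, the stale-space check is what keeps a copy-on-write or MVCC store from flooding the report: an old version that matches some logged snapshot is expected residue, whereas one that matches nothing is an unattributed write. Second, a silent deletion is reported from the log's side (a record the log says should exist but that has no live copy), so the check still works when the engine's maintenance has already pruned the deleted bytes.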