DOI: 10.3390/app16136416 ISSN: 2076-3417

Forensic Recoverability of Deleted Records Under Database Shrink in Microsoft SQL Server 2025: A Version-Comparative Experimental Study

Jiho Shin, Byoung Hun Moon

Databases serve as critical repositories of digital evidence in criminal investigations, and the recoverability of deleted data is a key determinant of forensic success. Microsoft SQL Server, one of the most widely deployed relational database management systems, has been the subject of multiple forensic studies examining how deleted records persist in physical database files across different acquisition methods. A previous study established a reference baseline using SQL Server 2008 and 2017, demonstrating that the Database Shrink operation causes version-specific and method-specific behavior: under logical collection with Shrink applied in SQL Server 2017, unallocated deleted data becomes fully initialized, rendering recovery impossible (a pattern not observed in SQL Server 2008 or under physical collection in either version). With the release of SQL Server 2025, the most significant architectural update to the platform in a decade, it remained unknown whether these forensic behaviors persist in the latest version. This study replicates the experimental design of that previous study in a controlled SQL Server 2025 environment, applying the same deletion scenario (DELETE command without conditions), the same two acquisition methods (logical and physical collection), and the same Shrink condition. The results demonstrate that SQL Server 2025 does not reproduce the version-specific initialization behavior observed in SQL Server 2017: across all four experimental conditions, deleted data residue in unallocated page space remains recoverable, indicating a fundamental change in the interaction between the Shrink operation and the logical collection mechanism. This recoverability is a double-edged property: while it benefits forensic investigators by preserving deleted evidence, it simultaneously represents a data-sanitization risk from a security and privacy standpoint, as deleted records are not reliably erased.
These findings provide updated forensic guidance for digital investigators operating in contemporary SQL Server environments. Specifically, the results inform acquisition-method selection in real-world investigations where a suspect may have deleted records and where only a logical backup (.bak) is available to investigators.
