Microsoft SQL Server Forensics

We recently performed a forensic analysis on a terminal which utilized a SQL Server driven backend application. Once a bit stream image copy was performed, the forensic image copy was taken back to our lab for the analysis. There are various tools that can open and review mdf and ldf files; we decided to use the traditional SQL Server with SQL Server Management Studio Express for this particular case. Several queries were run against the SQL databases to gather logs, accounts and deleted data from transaction logs, as well as various metadata. Some of the queries demonstrated by Kevvie Fowler in his book “SQL Server Forensic Analysis”, as well as some specific in-house crafted SQL queries, were used to extract all relevant information. In our case, a login account was found that we could match up with a timeline correlating to the time of the incident. In addition, our team was able to identify modified and deleted records.
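As an added illustration of the kind of T-SQL used in this type of analysis (this is not the original case's query set, nor code from Fowler's book), the script below attaches a working copy of the imaged MDF/LDF files, lists the database-level accounts with their timestamps, and pulls row-level deletes and modifications out of the transaction log together with the transaction and account that made them. The file paths and the database name are placeholders.

```sql
-- Added example: attach working copies of the imaged MDF/LDF files and pull
-- account and transaction-log evidence. Paths and the database name are
-- placeholders. Work on a second copy, never the original image: attaching
-- writes to the files (recovery runs, and the attach itself adds log records).
CREATE DATABASE EvidenceDB
    ON (FILENAME = 'D:\evidence\copy2\app_data.mdf'),
       (FILENAME = 'D:\evidence\copy2\app_log.ldf')
    FOR ATTACH;
GO
USE EvidenceDB;
GO

-- Database-level accounts carried inside the MDF, with creation/modification
-- times for timeline correlation. Server logins live in the original instance's
-- master database and are not visible here; the SID is the link between the two.
SELECT name, type_desc, sid, create_date, modify_date
FROM sys.database_principals
WHERE type IN ('S', 'U', 'G')        -- SQL user, Windows user, Windows group
ORDER BY modify_date DESC;

-- Row-level changes still present in the active portion of the log, joined to
-- the transaction that made them and the account that started it. Only records
-- that have not yet been truncated or overwritten survive, which is why
-- immediate preservation matters.
WITH xact AS (
    SELECT [Transaction ID], [Transaction Name], [Begin Time], [Transaction SID]
    FROM fn_dblog(NULL, NULL)
    WHERE Operation = 'LOP_BEGIN_XACT'
)
SELECT x.[Begin Time],
       dp.name              AS db_user,      -- NULL if the SID is not mapped here
       x.[Transaction SID],
       x.[Transaction Name],
       l.Operation,                          -- LOP_DELETE_ROWS / LOP_MODIFY_ROW ...
       l.AllocUnitName      AS table_or_index,
       l.[Page ID], l.[Slot ID], l.[Current LSN]
FROM fn_dblog(NULL, NULL) AS l
JOIN xact AS x ON x.[Transaction ID] = l.[Transaction ID]
LEFT JOIN sys.database_principals AS dp ON dp.sid = x.[Transaction SID]
WHERE l.Operation IN ('LOP_DELETE_ROWS', 'LOP_MODIFY_ROW', 'LOP_INSERT_ROWS')
  AND l.Context   IN ('LCX_HEAP', 'LCX_CLUSTERED')   -- data rows, not index keys
  AND l.AllocUnitName NOT LIKE 'sys.%'              -- skip system tables
ORDER BY l.[Current LSN];
```

The last query only returns what is still in the active log; anything already truncated or overwritten before preservation is not recoverable this way.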

When should a forensic analysis be performed on a database?

Every time a website or application that is database-driven has potentially been breached or altered without authorization. Examples include terminals, point of sale systems, online e-commerce sites, ATM machines, medical coding and billing systems, as well as any other type of database that holds confidential or privileged information.

The most common SQL database types are Microsoft SQL Server, MySQL and Oracle.

What to do in such a case?

It is critical that the system running the database is preserved as quickly as possible. Otherwise there is a great risk that evidence which is only temporarily stored in transaction logs, temp files and cache becomes lost or overwritten. We have encountered situations in the past where crucial information had been overwritten due to prolonged processes and failure to perform an immediate preservation. In addition, we have also encountered situations where only a native SQL backup was performed rather than a full preservation, which in many cases can be insufficient.

