RE: MS SQL Forensics?

From: Steve Larson (stevialarsonat_private)
Date: Thu Aug 21 2003 - 15:25:56 PDT

    I would check the tools/utilities/log management on securityfocus' website
    for tools you could use to parse these files.
    
    -----Original Message-----
    From: Mark G. Spencer [mailto:mspencerat_private]
    Sent: Thursday, August 21, 2003 10:25 AM
    To: forensicsat_private
    Subject: MS SQL Forensics?
    
    
    I'm not much of a database guru and I've come across a case where it looks
    like a standard Microsoft SQL database user account has had its privileges
    escalated by an intruder (cable modem user) and subsequently bad stuff
    (source code theft) occurred.
    
    I have archived the MSSQL/Data and MSSQL/Data/Backup folders from the
    machine in question.  In those folders I have a variety of .LDF and .MDF
    files.  My limited understanding is that these database files should
    contain diagnostic information, such as when objects such as user accounts
    were modified and from what IP address?
    
    I'm looking for suggestions on how to best get at all the log style
    information out of these files for review.  Are there any special tools to
    assist here?  Would I have to rebuild the databases on a fresh MS SQL
    server?
    
    Thanks for the advice,
    
    Mark G. Spencer
    Computer Forensics Examiner
    EvidentData, Inc.
    Web: http://www.evidentdata.com
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
    
    
    
    
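An added example, not written by either poster and not one of the SecurityFocus tools the reply points at: a Python triage script that walks a forensic copy of an .MDF in 8 KB pages and decodes the fixed 96-byte page header (page type, owning object id, slot count, page address and the LSN of the last log record that touched the page) using the storage-engine layout SQL Server exposes through DBCC PAGE. It shows what a data file does record that helps a review like this one: which pages belong to which object, the newest LSN per object and for the whole file (a hook for ordering against log activity), and a sanity check that each header's page id matches its file offset. It decodes no rows or log records, and the page header carries no client IP address; it also does not apply to the .LDF, whose log format is not page-structured in this way. The object ids, LSN values and the sample file are constructed for the demo.

```python
import struct
from collections import Counter

PAGE_SIZE = 8192      # every SQL Server data-file page is 8 KB
HEADER_SIZE = 96      # fixed page header at the front of each page

# m_type codes used by the storage engine for the page header's type byte.
PAGE_TYPES = {
    1: "DATA", 2: "INDEX", 3: "TEXT_MIX", 4: "TEXT_TREE", 8: "GAM", 9: "SGAM",
    10: "IAM", 11: "PFS", 13: "BOOT", 15: "FILE_HEADER", 16: "DIFF_MAP", 17: "ML_MAP",
}


def parse_page_header(page):
    """Decode the header fields a triage needs from one 8 KB page."""
    if len(page) != PAGE_SIZE:
        raise ValueError("expected one full %d-byte page" % PAGE_SIZE)
    version, page_type, _type_flags, level = struct.unpack_from("<4B", page, 0)
    slot_cnt, = struct.unpack_from("<H", page, 22)          # rows on the page
    obj_id, = struct.unpack_from("<i", page, 24)            # owning object id
    page_id, file_id = struct.unpack_from("<IH", page, 32)  # this page's address
    lsn = struct.unpack_from("<IIH", page, 40)              # last log record to touch it
    return {
        "version": version,
        "type": PAGE_TYPES.get(page_type, "UNKNOWN(%d)" % page_type),
        "level": level,
        "slot_cnt": slot_cnt,
        "obj_id": obj_id,
        "file_id": file_id,
        "page_id": page_id,
        "lsn": lsn,
    }


def triage_mdf(data):
    """Walk a forensic copy of an .MDF and summarise what the page headers say."""
    summary = {
        "page_count": len(data) // PAGE_SIZE,
        "trailing_bytes": len(data) % PAGE_SIZE,
        "type_counts": Counter(),
        "objects": {},        # obj_id -> pages, rows and newest LSN seen
        "mismatched": [],     # header page_id disagrees with file position
        "max_lsn": (0, 0, 0),
    }
    for pos in range(summary["page_count"]):
        hdr = parse_page_header(data[pos * PAGE_SIZE:(pos + 1) * PAGE_SIZE])
        summary["type_counts"][hdr["type"]] += 1
        if hdr["page_id"] != pos:
            summary["mismatched"].append((pos, hdr["page_id"]))
        if hdr["type"] in ("DATA", "INDEX"):
            obj = summary["objects"].setdefault(
                hdr["obj_id"], {"pages": [], "rows": 0, "max_lsn": (0, 0, 0)})
            obj["pages"].append(pos)
            obj["rows"] += hdr["slot_cnt"]
            obj["max_lsn"] = max(obj["max_lsn"], hdr["lsn"])
        summary["max_lsn"] = max(summary["max_lsn"], hdr["lsn"])
    return summary


def build_sample_page(page_type, obj_id, page_id, lsn, slot_cnt=0, file_id=1):
    """Constructed page for the demo: only the header fields read above are filled."""
    hdr = bytearray(HEADER_SIZE)
    struct.pack_into("<4B", hdr, 0, 1, page_type, 0, 0)
    struct.pack_into("<H", hdr, 22, slot_cnt)
    struct.pack_into("<i", hdr, 24, obj_id)
    struct.pack_into("<IH", hdr, 32, page_id, file_id)
    struct.pack_into("<IIH", hdr, 40, *lsn)
    return bytes(hdr) + b"\x00" * (PAGE_SIZE - HEADER_SIZE)


# Constructed stand-in for a copied .MDF: object ids 41 and 42 are invented.
SAMPLE_MDF = b"".join([
    build_sample_page(15, 99, 0, (5, 10, 1)),               # file header
    build_sample_page(11, 99, 1, (5, 10, 1)),               # PFS allocation page
    build_sample_page(1, 41, 2, (7, 200, 3), slot_cnt=4),   # data, object 41
    build_sample_page(1, 41, 3, (9, 16, 2), slot_cnt=2),    # data, newest LSN in file
    build_sample_page(2, 41, 4, (7, 200, 5), slot_cnt=6),   # index, object 41
    build_sample_page(1, 42, 5, (8, 1, 1), slot_cnt=1),     # data, object 42
    build_sample_page(1, 42, 5, (8, 1, 1), slot_cnt=1),     # claims page 5 but sits at 6
])

if __name__ == "__main__":
    s = triage_mdf(SAMPLE_MDF)
    print("pages:", s["page_count"], dict(s["type_counts"]))
    print("newest LSN in file:", s["max_lsn"])
    for obj_id, info in sorted(s["objects"].items()):
        print("object %d: pages=%s rows=%d newest_lsn=%s"
              % (obj_id, info["pages"], info["rows"], info["max_lsn"]))
    print("page-id mismatches (pos, claimed):", s["mismatched"])
```

Run it against a copy of the archived file by replacing SAMPLE_MDF with the bytes read from disk (open the copy read-only and never the original). The page-id mismatch list is the part worth looking at first: a header whose page id disagrees with its position means the copy is truncated, the file was partially overwritten, or the page is not where the engine would have written it. Mapping object ids to names (for instance the system tables holding logins and role membership) still needs the database's own catalog, which is where attaching a copy to a clean SQL Server, as the original question considers, comes in.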
    



    This archive was generated by hypermail 2b30 : Fri Aug 22 2003 - 17:54:46 PDT