I would check the tools/utilities/log management on securityfocus' website for tools you could use to parse these files.

-----Original Message-----
From: Mark G. Spencer [mailto:mspencerat_private]
Sent: Thursday, August 21, 2003 10:25 AM
To: forensicsat_private
Subject: MS SQL Forensics?

I'm not much of a database guru and I've come across a case where it looks like a standard Microsoft SQL database user account has had its privileges escalated by an intruder (cable modem user) and subsequently bad stuff (source code theft) occurred.

I have archived the MSSQL/Data and MSSQL/Data/Backup folders from the machine in question. In those folders I have a variety of .LDF and .MDF files. My limited understanding is that these database files should contain diagnostic information, such as when various objects such as user accounts were modified and by what IP address?

I'm looking for suggestions on how to best get all the log-style information out of these files for review. Are there any special tools to assist here? Would I have to rebuild the databases on a fresh MS SQL server?

Thanks for the advice,

Mark G. Spencer
Computer Forensics Examiner
EvidentData, Inc.
Web: http://www.evidentdata.com

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
-----------------------------------------------------------------
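As an added example that is not part of either message above: a T-SQL triage script for the situation Mark describes, attaching copies of the archived MDF/LDF on a scratch SQL Server and pulling out the user, role-membership and transaction-start records an examiner would review first. The file paths and the database name EvidenceDB are assumptions; fn_dblog is an undocumented function whose column set varies by SQL Server version.

```sql
-- Attach COPIES of the archived MDF/LDF on a scratch SQL Server (same or newer
-- version than the source). Attach runs recovery and writes to the files, so the
-- archived originals must stay untouched. Paths and database name are assumptions.
CREATE DATABASE EvidenceDB
    ON (FILENAME = 'D:\evidence\work\suspect.mdf'),
       (FILENAME = 'D:\evidence\work\suspect_log.ldf')
    FOR ATTACH;
GO
ALTER DATABASE EvidenceDB SET READ_ONLY;
GO
USE EvidenceDB;
GO

-- 1. Database users and when their rows were created / last updated. A user
--    whose updatedate falls inside the incident window deserves a closer look.
SELECT u.name, u.createdate, u.updatedate, u.sid
FROM dbo.sysusers AS u
WHERE u.islogin = 1
ORDER BY u.updatedate DESC;

-- 2. Role membership: who ended up in db_owner or any other role.
SELECT r.name AS role_name, m.name AS member_name, m.updatedate
FROM dbo.sysmembers AS sm
JOIN dbo.sysusers AS r ON r.uid = sm.groupuid
JOIN dbo.sysusers AS m ON m.uid = sm.memberuid
ORDER BY r.name, m.name;

-- 3. Transaction starts still present in the active log: begin time and the SID
--    of the login that opened each one, mapped back to a database user. This is
--    the closest the LDF gets to "who changed what, when". It holds no client IP
--    addresses (those come from the SQL Server ERRORLOG / login auditing, not the
--    data or log files), and records already truncated by a checkpoint or log
--    backup are gone, so an empty result is not proof that nothing happened.
SELECT l.[Begin Time], l.[Transaction Name], l.[Transaction SID],
       u.name AS db_user
FROM ::fn_dblog(NULL, NULL) AS l
LEFT JOIN dbo.sysusers AS u ON u.sid = l.[Transaction SID]
WHERE l.Operation = 'LOP_BEGIN_XACT'
ORDER BY l.[Begin Time];
```

The login list with sysadmin membership lives in the source server's master database, so its MDF/LDF from the archived folder should be attached and examined the same way.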
This archive was generated by hypermail 2b30 : Fri Aug 22 2003 - 17:54:46 PDT