Hi Mark,

I know much more about Oracle, but after a brief MS KB search it appears that SQL Server has many similar logging features, although enabled quite differently. Check out http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/dbsql/sql2kaud.asp for more detail.

Briefly, installation of SQL Svr will automatically integrate some record logging into the standard Windows event logs, which can be queried by Event Viewer (or LogParser if you know how to use it). Like other DBs, for performance reasons auditing, especially of network events, isn't enabled by default. So if the instance of SQL Svr you are studying did have it enabled (which the link above describes how to tell), you will get a lot more information about network transactions that may tell you what accounts on what remote connections may have elevated user privs, if that did happen.

Unfortunately, like anything else, levels of auditing vary as well, if they are enabled at all, so your picture may not be as clear as you would like.

Hope the link helps a little,

Gary

"Mark G. Spencer" wrote:

> I'm not much of a database guru and I've come across a case where it looks
> like a standard Microsoft SQL database user account has had its privileges
> escalated by an intruder (cable modem user) and subsequently bad stuff
> (source code theft) occurred.
>
> I have archived the MSSQL/Data and MSSQL/Data/Backup folders from the
> machine in question. In those folders I have a variety of .LDF and .MDF
> files. My limited understanding is that these database files should
> contain diagnostic information, such as when various updates were made to
> objects such as user accounts, and by what IP address?
>
> I'm looking for suggestions on how to best get at all the log-style
> information in these files for review. Are there any special tools to
> assist here? Would I have to rebuild the databases on a fresh MS SQL
> server?
>
> Thanks for the advice,
>
> Mark G. Spencer
> Computer Forensics Examiner
> EvidentData, Inc.
> Web: http://www.evidentdata.com

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
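Gary's pointer above (SQL Server login audit records land in the Windows Application event log, where Event Viewer or LogParser can query them) can be worked the same way from an exported copy of that log. The Python below is an added example, not code from either poster: it parses a constructed CSV-style event log export, tallies login outcomes per remote client and account, and flags clients that failed logins to an account and then succeeded. The message wording ("Login failed/succeeded for user '...'", "[CLIENT: ip]") is an assumed format; the real text varies with SQL Server version and audit level, as the reply notes.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of a Windows Application event log export (not real data).
# CSV-style: timestamp,event source,message. The message wording is an assumed
# format; real text differs between SQL Server versions and audit settings.
SAMPLE_EXPORT = """\
2003-08-20 02:11:05,MSSQLSERVER,Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2003-08-20 02:11:09,MSSQLSERVER,Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2003-08-20 02:11:40,MSSQLSERVER,Login succeeded for user 'webapp'. Connection: Non-Trusted. [CLIENT: 203.0.113.7]
2003-08-20 02:13:12,MSSQLSERVER,Login succeeded for user 'sa'. Connection: Non-Trusted. [CLIENT: 203.0.113.7]
2003-08-20 09:00:01,MSSQLSERVER,Login succeeded for user 'DOMAIN\\svc_backup'. Connection: Trusted. [CLIENT: 10.0.0.5]
2003-08-20 09:05:30,Application Error,Faulting application notepad.exe
"""

LOGIN_RE = re.compile(r"Login (succeeded|failed) for user '([^']+)'"
                      r"(?:.*\[CLIENT: ([^\]]+)\])?")


def parse_login_events(export_text):
    """Return (timestamp, outcome, user, client) for each SQL Server login audit record."""
    events = []
    for line in export_text.splitlines():
        parts = line.split(",", 2)
        if len(parts) != 3 or parts[1] != "MSSQLSERVER":
            continue  # not a SQL Server record (or a malformed line)
        match = LOGIN_RE.search(parts[2])
        if match:
            outcome, user, client = match.groups()
            events.append((parts[0], outcome, user, client or "unknown"))
    return events


def count_outcomes(events):
    """Tally logins per (client, user, outcome), the view a LogParser GROUP BY would give."""
    return Counter((client, user, outcome) for _, outcome, user, client in events)


def failures_then_success(events):
    """(client, user) pairs where failed logins were followed by a success: worth a closer look."""
    flagged, seen_failed = set(), set()
    for _, outcome, user, client in sorted(events):  # ISO timestamps sort chronologically
        key = (client, user)
        if outcome == "failed":
            seen_failed.add(key)
        elif key in seen_failed:
            flagged.add(key)
    return sorted(flagged)


if __name__ == "__main__":
    evts = parse_login_events(SAMPLE_EXPORT)
    for key, n in sorted(count_outcomes(evts).items()):
        print(key, n)
    print("failed-then-succeeded:", failures_then_success(evts))
```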
This archive was generated by hypermail 2b30 : Fri Aug 22 2003 - 18:19:31 PDT