Re: MS SQL Forensics?

From: Gary L. Palmer (palmergat_private)
Date: Thu Aug 21 2003 - 15:47:46 PDT


    Hi Mark,
    I know much more about Oracle but after a brief MS KB search it appears that
    SQL Server has many similar logging features although enabled quite
    differently.
    Check out
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/dbsql/sql2kaud.asp
    
    for more detail.
    Briefly, installation of SQL Svr will automatically integrate some record
    logging into the standard Windows event logs that can be queried by Event Viewer
    (or LogParser if you know how to use it). Like other DBs, for performance
    reasons auditing, especially of network events, isn't enabled by default. So
    if the instance of the SQL Svr you are studying did have it enabled (which the
    link above describes how to tell) you will get a lot more information about
    network transactions that may tell you what accounts on what remote connections
    may have elevated user privs, if that did happen. Unfortunately, like anything
    else, levels of auditing vary as well, if they are enabled at all, so your
    picture may not be as clear as you would like.
    
    Hope the link helps a little,
    Gary
    
    "Mark G. Spencer" wrote:
    
    > I'm not much of a database guru and I've come across a case where it looks
    > like a standard Microsoft SQL database user account has had its privileges
    > escalated by an intruder (cable modem user) and subsequently bad stuff
    > (source code theft) occurred.
    >
    > I have archived the MSSQL/Data and MSSQL/Data/Backup folders from the
    > machine in question.  In those folders I have a variety of .LDF and .MDF
    > files.  My limited understanding is that in these database files should be
    > contained diagnostic information, such as when various updates to objects
    > such as user accounts were modified and by what IP address?
    >
    > I'm looking for suggestions on how to best get at all the log style
    > information out of these files for review.  Are there any special tools to
    > assist here?  Would I have to rebuild the databases on a fresh MS SQL
    > server?
    >
    > Thanks for the advice,
    >
    > Mark G. Spencer
    > Computer Forensics Examiner
    > EvidentData, Inc.
    > Web: http://www.evidentdata.com
    >
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    
    
    
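As an added example (not part of Gary's or Mark's messages), here is a small Python script for the review step Gary describes: once you have confirmed login auditing was enabled on the instance, the audit lines can be summarized per account and per client address, and an account whose repeated failures from one remote client were followed by a successful login stands out for closer review. The sample lines, the `logon` column and the `[CLIENT: ...]` suffix are constructed assumptions modelled on SQL Server's login-audit message wording; the regular expression will need adjusting to the actual error log or event-log export from the machine in question.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (assumption: SQL Server error-log style with
# a "[CLIENT: ip]" suffix). Replace with the real export under review.
SAMPLE_LOG = """\
2003-08-20 22:14:01.33 logon  Login failed for user 'sa'. [CLIENT: 203.0.113.45]
2003-08-20 22:14:03.10 logon  Login failed for user 'sa'. [CLIENT: 203.0.113.45]
2003-08-20 22:14:05.87 logon  Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.45]
2003-08-20 22:20:17.02 logon  Login succeeded for user 'webapp'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.12]
2003-08-20 23:01:44.51 logon  Login succeeded for user 'CORP\\backup'. Connection made using Windows authentication. [CLIENT: 10.0.0.5]
"""

# One regex for both outcomes; the client address is captured from the suffix.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']+)'\."
    r".*?\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_audit_lines(text):
    """Return a list of dicts (ts, outcome, user, client) in log order.
    Lines that do not match the login-audit pattern are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Count failed/succeeded logins per (user, client) pair."""
    counts = defaultdict(lambda: {"failed": 0, "succeeded": 0})
    for e in events:
        counts[(e["user"], e["client"])][e["outcome"]] += 1
    return dict(counts)


def failures_then_success(events, threshold=2):
    """Flag (user, client) pairs where at least `threshold` consecutive
    failures were immediately followed by a successful login from the
    same client. Events must be in chronological order."""
    streak = defaultdict(int)
    flagged = []
    for e in events:
        key = (e["user"], e["client"])
        if e["outcome"] == "failed":
            streak[key] += 1
        else:
            if streak[key] >= threshold and key not in flagged:
                flagged.append(key)
            streak[key] = 0
    return flagged


if __name__ == "__main__":
    evts = parse_audit_lines(SAMPLE_LOG)
    for (user, client), c in sorted(summarize(evts).items()):
        print(f"{user:<14} {client:<16} failed={c['failed']} succeeded={c['succeeded']}")
    for user, client in failures_then_success(evts):
        print(f"REVIEW: {user} from {client}: repeated failures then success")
```

The per-pair table is what you would compare against the list of accounts known to have had their privileges changed; the flagged pairs are only a starting point, since a legitimate user mistyping a password produces the same pattern.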
    



    This archive was generated by hypermail 2b30 : Fri Aug 22 2003 - 18:19:31 PDT