SQL Server Forensics Analysis

Alessia Manon | Modified: August 18th, 2015 | SQL Forensics

SQL Server is a Relational Database Management System (RDBMS) widely used by organizations to store and manage critical or sensitive financial data. MS SQL Server forensics is needed when an investigator must detect and analyze tampering performed on a SQL Server database, whose contents live in the primary data file (.mdf). The first step of a SQL Server investigation is therefore an in-depth forensic analysis of the .mdf file together with its transaction log file (.ldf), from which the evidence is extracted.

Dig Out the Evidence from MDF File

The evidence artifacts of the database itself are held in the .mdf file. Its contents are stored as fixed-size 8 KB data pages; the rows on a page may contain fixed- or variable-length columns. The record of every modification and transaction is kept not in the data file but in the transaction log. Deleted rows are only marked as ghost records and a dropped table only has its pages deallocated, so their contents frequently survive on disk until the space is reused; this is what makes recovery of deleted data from the .mdf possible.


The transaction log file (.ldf) stores everything needed to redo (roll forward) and undo (roll back) the transactions executed against the corresponding database, and is therefore the primary record of what was changed, when, and by which session. Internally the log is divided into virtual log files (VLFs); the VLF, not the file, is the unit of log truncation, so once a VLF has been marked reusable its records can be overwritten and are lost to the investigation.
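As an added example (not code from the article or the tool it goes on to describe), the following T-SQL shows how a practitioner reads these structures directly: it maps the VLFs of the log, reads the active log with the built-in sys.fn_dblog function, and carves out deletes and dropped objects together with the login and time of the transaction that caused them. It assumes a copy of the seized .mdf/.ldf pair has been attached to an analysis instance as [EvidenceDB]; that database name is an assumption.

```sql
-- Added example, not code from the original article or its tool.
-- Assumes a COPY of the seized .mdf/.ldf pair has been attached to an
-- analysis instance as [EvidenceDB]; the database name is an assumption.
USE EvidenceDB;
GO

-- 1. Map the virtual log files. Status 2 = still active and readable,
--    Status 0 = truncated, i.e. released for reuse and no longer reachable
--    through the log reader. (sys.dm_db_log_info gives the same on 2016 SP2+.)
DBCC LOGINFO;

-- 2. Full timeline of the active log. fn_dblog(NULL, NULL) reads from the
--    oldest to the newest readable LSN. [Transaction SID] is the SID of the
--    login that started the transaction; SUSER_SNAME resolves it only when
--    the same login exists on the analysis instance (Windows logins resolve
--    through the domain; SQL logins from the seized server usually will not).
SELECT  [Current LSN],
        [Transaction ID],
        [Transaction Name],          -- e.g. user_transaction, DROPOBJ, CREATE TABLE
        Operation,                   -- e.g. LOP_INSERT_ROWS, LOP_DELETE_ROWS, LOP_MODIFY_ROW
        Context,                     -- LCX_HEAP / LCX_CLUSTERED / LCX_MARK_AS_GHOST ...
        AllocUnitName,               -- schema.table.index the record applies to
        [Begin Time],                -- only populated on LOP_BEGIN_XACT records
        [Transaction SID],
        SUSER_SNAME([Transaction SID]) AS login_name,
        SPID,
        [Page ID],
        [Slot ID]
FROM    sys.fn_dblog(NULL, NULL)
ORDER BY [Current LSN];

-- 3. Carve the destructive actions and attribute them. The time, SPID and
--    SID live on the LOP_BEGIN_XACT record, while the affected table and row
--    live on the per-row records, so join the two on [Transaction ID].
--    A DELETE appears as LOP_DELETE_ROWS against the table's allocation unit;
--    a DROP TABLE appears as a transaction named DROPOBJ whose records touch
--    the system catalog (sys.sysschobjs, sys.sysrowsets, ...).
WITH xact AS (
    SELECT  [Transaction ID],
            [Transaction Name],
            [Begin Time],
            SPID,
            SUSER_SNAME([Transaction SID]) AS login_name
    FROM    sys.fn_dblog(NULL, NULL)
    WHERE   Operation = 'LOP_BEGIN_XACT'
)
SELECT  x.[Begin Time],
        x.login_name,
        x.SPID,
        x.[Transaction Name],
        l.[Current LSN],
        l.Operation,
        l.Context,
        l.AllocUnitName,
        l.[Page ID],
        l.[Slot ID],
        l.[RowLog Contents 0]        -- raw bytes of the deleted / pre-change row image
FROM    sys.fn_dblog(NULL, NULL) AS l
JOIN    xact AS x ON x.[Transaction ID] = l.[Transaction ID]
WHERE   l.Operation IN ('LOP_DELETE_ROWS', 'LOP_MODIFY_ROW')
   OR   x.[Transaction Name] = 'DROPOBJ'
ORDER BY l.[Current LSN];
```

fn_dblog reads only the VLFs that are still active, so a log that has been truncated or backed up since the incident shows nothing for the earlier period; for a transaction log backup file, sys.fn_dump_dblog reads the backup without restoring it. The [RowLog Contents 0] bytes are the raw row image and have to be decoded against the table's column layout taken from the schema.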


During SQL Server forensics analysis, experts need to carve the existing evidence from the following sources:

  • Transaction log files (.ldf)
  • SQL Server database files (.mdf and secondary .ndf)
  • Windows system event logs
  • Trace files (.trc)
  • SQL Server error logs

If a database has been intruded upon, forensic analysis of the above files lets investigators identify and collect inculpatory or exculpatory evidence from the victim's or the suspect's machine, depending on the situation.

Location of Files to Restore the Evidence

  • Database and log files: \Microsoft SQL Server\MSSQL.1\MSSQL\DATA\*.MDF | *.LDF
  • Trace files: \Microsoft SQL Server\MSSQL.1\MSSQL\LOG\LOG_#.TRC
  • SQL Server error logs: \Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG

These are the default paths under the Program Files folder for SQL Server 2005, where MSSQL.1 denotes the first installed instance; later versions name the instance folder MSSQL<major version>.<instance name> (for example MSSQL12.MSSQLSERVER for a default SQL Server 2014 instance). Data and log files are often moved to other volumes, so check sys.master_files on the instance for the real locations before imaging. Work from a forensic image or a copy of the files: never attach the original evidence files to a running instance, because attaching runs recovery and writes to them.

Evidence Analysis

After collecting the evidence from the suspect's machine, investigators examine the following artifacts:

  • Windows event logs and the SQL Server error log:
    • Records of failed login attempts, and of successful ones if login auditing was configured to record both
    • The client IP address written with each failed login
    • Start-up and shutdown times of the SQL Server service
  • The data and log files attached to the instance, and any files left behind after a detach
  • The users' authentication history
  • Page headers of suspect pages (the header records the LSN of the last log record that modified the page, which can be matched against the transaction log)
  • The object schema (tables, columns and indexes, with their creation and modification dates)
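As an added example (not code from the article or the tool), this T-SQL pulls the artifacts listed above: failed logins and service start/stop entries from the error log, login and object activity from the default trace, the header of a page named in the transaction log, and the object schema with its timestamps. [EvidenceDB] and the sample page id are assumptions. xp_readerrorlog reads only the instance's own log files (a copied ERRORLOG is plain text and can be read directly), while fn_trace_gettable can be pointed at log_N.trc files copied from the seized machine.

```sql
-- Added example, not code from the original article or its tool.
-- [EvidenceDB] and the sample page id are assumptions.

-- 1. SQL Server error log. Failed logins carry the reason and the client IP
--    ("[CLIENT: 10.0.0.5]"); successful logins only appear if login auditing
--    was set to record them. Parameters: log number (0 = current, 1 = .1 ...),
--    log type (1 = SQL Server, 2 = SQL Agent), first and second search string.
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed', NULL;
-- Service start-up and shutdown times: the "Server process ID is ..." line
-- is written at each start, "SQL Server is terminating" at each shutdown.
EXEC master.dbo.xp_readerrorlog 0, 1, N'Server process ID', NULL;
EXEC master.dbo.xp_readerrorlog 0, 1, N'SQL Server is terminating', NULL;

-- 2. Default trace: object create/alter/drop, failed logins, login and
--    password changes, server start/stop, with login, host and application.
--    fn_trace_gettable reads the file given and, with DEFAULT, every later
--    rollover file; start from the lowest-numbered log_N.trc to get the
--    oldest events, or point it at the copied files on the analysis box.
DECLARE @trace nvarchar(260);
SELECT @trace = [path] FROM sys.traces WHERE is_default = 1;

SELECT  t.StartTime,
        te.name AS event_name,
        t.LoginName,
        t.HostName,
        t.ApplicationName,
        t.DatabaseName,
        t.ObjectName,
        t.SPID,
        t.TextData
FROM    sys.fn_trace_gettable(@trace, DEFAULT) AS t
JOIN    sys.trace_events AS te ON te.trace_event_id = t.EventClass
WHERE   te.name LIKE 'Object:%'           -- Object:Created / Altered / Deleted
   OR   te.name LIKE 'Audit%'             -- Audit Login Failed, Audit Addlogin Event, ...
ORDER BY t.StartTime;

-- 3. Page header of a suspect page. [Page ID] in fn_dblog is 'file:page' in
--    hex; convert it and dump the page with DBCC PAGE (print option 3 = header
--    plus per-row interpretation). WITH TABLERESULTS returns rows without
--    needing trace flag 3604. The header's m_lsn is the LSN of the last log
--    record that touched the page and can be matched against fn_dblog output.
DECLARE @pid  varchar(13) = '0001:0000009e';            -- constructed sample value
DECLARE @file int = CONVERT(int, CONVERT(varbinary(4), '0x' + LEFT(@pid, 4), 1));
DECLARE @page int = CONVERT(int, CONVERT(varbinary(4), '0x' + RIGHT(@pid, 8), 1));
-- DBCC does not accept variables as arguments, hence the dynamic SQL.
DECLARE @cmd nvarchar(200) =
    N'DBCC PAGE (''EvidenceDB'', ' + CAST(@file AS nvarchar(10)) + N', '
    + CAST(@page AS nvarchar(10)) + N', 3) WITH TABLERESULTS;';
EXEC sys.sp_executesql @cmd;

-- 4. Object schema with creation and last-modification times; an object
--    created or altered inside the incident window is itself a lead.
SELECT  s.name AS schema_name, o.name, o.type_desc, o.create_date, o.modify_date
FROM    EvidenceDB.sys.objects AS o
JOIN    EvidenceDB.sys.schemas AS s ON s.schema_id = o.schema_id
WHERE   o.is_ms_shipped = 0
ORDER BY o.modify_date DESC;
```

The default trace keeps only a handful of rollover files and is lost on restart if it was disabled, and the error log is recycled at every service start, so both should be copied off the machine before anything else is done on it.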

Detailed Investigation of SQL Server Database Files via SQL Server Forensics Software

The software is designed specifically for the forensic investigation of MDF and LDF SQL Server database files. The application provides secure recovery of the files for analysis and is equipped with several further features. Its Quick and Advanced scanning options let examiners repair and recover both the primary (.mdf) and secondary (.ndf) database files.


The tool has been tested and approved by a number of forensic experts. With it, an examiner can perform MS SQL Server database forensics and recover the data of deleted SQL tables.


During SQL Server forensics analysis, one of the biggest challenges investigators face is exporting the evidence. To ease the examination, the tool comes with an Export option that lets experts export the recovered database either directly into a SQL Server database or as SQL Server compatible scripts.


Extracting evidence from SQL Server through MDF forensics is no easy task, but with a systematic methodology investigators can perform a complete investigation of the offender's machine. A SQL forensic tool is one of the most suitable technologies that can be deployed for efficient examination and forensic investigation of MDF and LDF files.
