SQL Server Database Forensics

Kevvie Fowler, GCFA Gold, CISSP, MCTS, MCDBA, MCSD, MCSE
Black Hat USA 2007

SQL Server Forensics | Why Are Databases Critical Assets?

Databases hold critical information
Industry trends are toward scaling in (consolidation) rather than scaling out
Database servers today hold more sensitive information than ever before
Data security legislation and regulations dictate that security breaches must be reported
Database security breaches are "front page" news

T.J. Maxx | 45.7 million credit/debit cards disclosed
CardSystems Solutions | 200,000 credit/debit cards disclosed

SQL Server Forensics | The Problem with Traditional Forensics

Traditional investigations often exclude databases

SQL Server Forensics | The Solution

Database Forensics

The application of computer investigation and analysis techniques to gather database evidence suitable for presentation in a court of law.

Benefits

Retrace user DML and DDL operations
Identify data values before and after a transaction
Recover previously deleted data rows
Can help prove or disprove a data security breach
Can help determine the scope of a database intrusion
For the "real world": no dependency on third-party auditing tools or pre-configured DML or DDL triggers

SQL Server Forensics | Database Forensics Primer (1)

Database files

Data files (.mdf) contain the actual data and consist of multiple 8 KB data pages. Pages are referenced as file:page, e.g. 01:0067.

[Figure: data file pages 01:0059, 01:0060, ..., 01:0067, with page 01:0067 expanded]

Page 01:0067
  Page header
  Data row | Data row | Data row | Data row
  Row offset array

Data rows can be fixed or variable length.

Log files (.ldf) hold all data required to reverse transactions and recover the database. Physical log files consist of multiple Virtual Log Files (VLFs).

[Figure: physical log file divided into VLFs]

VLF #1 (inactive) | VLF #2 (inactive) | VLF #3 (active) | VLF #4 (inactive) | Free space

A VLF is the unit of truncation for the transaction log. According to Microsoft:

"Although you might assume that reading the transaction log directly would be interesting or even useful, it's just too much information."

Inside SQL Server 2005: The Storage Engine, Microsoft Press, 2006
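As an added worked example (not from the original slides or from the author's tools), the following Python constructs a data page in the on-disk layout described above and parses it the way a forensic examiner would: it reads the slot count from the page header, walks the row offset array from the end of the page to decode the rows the engine still sees, and then carves the written-but-unreferenced region for a row whose slot was removed by a DELETE. The header field offsets (m_slotCnt at byte 22, m_freeData at byte 30), the record layout (status bytes, fixed-length data, column count, NULL bitmap) and the two-column fixed-length schema (id INT, code CHAR(8)) follow the documented SQL Server 2005 format but are assumptions of this example; the page contents are constructed, not taken from a real database.

```python
import struct

PAGE_SIZE = 8192
HEADER_SIZE = 96           # SQL Server page header is always 96 bytes
# Page header field offsets (SQL Server 2005 layout; assumed for this example)
OFF_PAGE_TYPE = 1          # m_type: 1 = data page
OFF_SLOT_CNT = 22          # m_slotCnt: entries in the row offset array
OFF_FREE_DATA = 30         # m_freeData: first byte past the last row written

# Fixed-length schema assumed for the example: (id INT, code CHAR(8))
FIXED_LEN = 4 + 8
REC_LEN = 4 + FIXED_LEN + 2 + 1   # status bytes, fixed data, column count, NULL bitmap


def build_record(row_id, code):
    """Encode one row in the SQL Server fixed-length record format."""
    status_a = 0x10                        # bit 4: has NULL bitmap; type bits 1-3 = 0 (primary record)
    status_b = 0x00
    fixed = struct.pack("<i", row_id) + code.encode("ascii")[:8].ljust(8, b" ")
    end_fixed = 4 + FIXED_LEN              # offset of the column-count field within the record
    return (bytes([status_a, status_b]) + struct.pack("<H", end_fixed)
            + fixed + struct.pack("<H", 2) + b"\x00")   # 2 columns, none NULL


def build_page(rows, deleted_slots=()):
    """Constructed 8 KB data page: header, records, row offset array.

    Rows listed in deleted_slots are written to the page body but get no
    slot, which is what a DELETE leaves behind once the ghost record is
    cleaned up and until the space is reused.
    """
    page = bytearray(PAGE_SIZE)
    page[0] = 1                            # m_headerVersion
    page[OFF_PAGE_TYPE] = 1
    pos = HEADER_SIZE
    slots = []
    for i, (rid, code) in enumerate(rows):
        rec = build_record(rid, code)
        page[pos:pos + len(rec)] = rec
        if i not in deleted_slots:
            slots.append(pos)
        pos += len(rec)
    struct.pack_into("<H", page, OFF_SLOT_CNT, len(slots))
    struct.pack_into("<H", page, OFF_FREE_DATA, pos)
    for n, off in enumerate(slots):        # slot 0 is the last 2 bytes of the page
        struct.pack_into("<H", page, PAGE_SIZE - 2 * (n + 1), off)
    return bytes(page)


def parse_record(page, off):
    """Decode the record at byte offset off into its columns."""
    status_a, _status_b, end_fixed = struct.unpack_from("<BBH", page, off)
    row_id, = struct.unpack_from("<i", page, off + 4)
    code = page[off + 8:off + 16].decode("ascii").rstrip()
    ncols, = struct.unpack_from("<H", page, off + end_fixed)
    return {"offset": off, "type": (status_a >> 1) & 0x07,
            "id": row_id, "code": code, "ncols": ncols}


def live_rows(page):
    """Rows the engine still sees: walk the row offset array."""
    slot_cnt, = struct.unpack_from("<H", page, OFF_SLOT_CNT)
    rows = []
    for n in range(slot_cnt):
        off, = struct.unpack_from("<H", page, PAGE_SIZE - 2 * (n + 1))
        rows.append(parse_record(page, off))
    return rows


def carve_residual_rows(page):
    """Records in the written region that no slot references (deleted rows)."""
    referenced = {r["offset"] for r in live_rows(page)}
    free_data, = struct.unpack_from("<H", page, OFF_FREE_DATA)
    found = []
    off = HEADER_SIZE
    while off + REC_LEN <= free_data:
        # Heuristic signature: status byte A of a primary record with a NULL bitmap
        if off not in referenced and page[off] == 0x10:
            found.append(parse_record(page, off))
        off += REC_LEN
    return found


if __name__ == "__main__":
    page = build_page([(1, "ALPHA"), (2, "BRAVO"), (3, "CHARLIE")], deleted_slots={1})
    print("live:", live_rows(page))
    print("carved:", carve_residual_rows(page))
```

Because every row in the example schema is fixed length, the carve steps through the written region in record-sized strides; with variable-length rows the length of each candidate record must be derived from its own column-count and variable-offset fields, and a false-positive signature match must be expected. On a live instance the same header, slot array and record bytes can be inspected with DBCC PAGE after enabling trace flag 3604; the parser approach is for a seized .mdf examined offline.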
