SQL Server Database Forensics
Kevvie Fowler, GCFA Gold, CISSP, MCTS, MCDBA, MCSD, MCSE
Black Hat USA 2007
SQL Server Forensics | Why are Databases Critical Assets?
Why are databases critical assets?
Databases hold critical information
Industry trends are scaling in versus out
Database servers today hold more sensitive information than ever before
Data security legislations & regulations dictate that security breaches must be reported
Database security breaches are "Front Page" news
  T.J. Maxx | 45.7 million credit/debit cards disclosed
  CardSystems Solutions | 200,000 credit/debit cards disclosed
SQL Server Forensics | The Problem With Traditional Forensics
Traditional investigations often exclude databases
SQL Server Forensics | The Solution
Database Forensics
The application of computer investigation and analysis techniques to gather database evidence suitable for presentation in a court of law
Benefits
  Retrace user DML & DDL operations
  Identify data pre and post transaction
  Recover previously deleted data rows
  Can help prove/disprove a data security breach
  Can help determine the scope of a database intrusion
  For the "real world": No dependency on 3rd party auditing tools or pre-configured DML or DDL triggers
SQL Server Forensics | Database Forensics Primer (1)
Database files
Data files (.mdf) contain the actual data
  Consists of multiple data pages
  [Figure: data pages Page 01:0059, ..., Page 01:0060, Page 01:0067; page layout for Page 01:0067: Page Header, Data Rows, Row offset array]
  Data rows can be fixed or variable length
Log files (.ldf) hold all data required to reverse transactions and recover the database
  Physical log files consist of multiple Virtual Log Files (VLF)
  [Figure: physical log file layout: VLF #1 (Inactive), VLF #2 (Inactive), VLF #3 (Active), VLF #4 (Inactive), Free Space]
  A VLF is the unit of truncation for the transaction log
According to Microsoft:
"Although you might assume that reading the transaction log directly would be interesting or even useful, it's just too much information."
Inside SQL Server 2005: The Storage Engine, Microsoft Press, 2006
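The data page layout sketched above (page header, data rows, row offset array) can be walked directly from raw page bytes during an examination. The following Python is an added example, not code from the presentation; the 8 KB page size, 96-byte header, header field offsets and the treatment of a zero offset as an empty slot are assumptions taken from publicly documented SQL Server internals, and the sample page is constructed.

```python
import struct

PAGE_SIZE = 8192    # SQL Server data pages are 8 KB
HEADER_SIZE = 96    # fixed-size page header at the start of each page

def parse_page(page: bytes) -> dict:
    """Read header fields and the row offset array from one raw page."""
    if len(page) != PAGE_SIZE:
        raise ValueError("expected exactly one 8192-byte page")
    # Header offsets below are assumptions (community-documented layout).
    slot_count, = struct.unpack_from("<H", page, 22)
    free_data, = struct.unpack_from("<H", page, 30)   # start of free space
    page_no, file_no = struct.unpack_from("<IH", page, 32)
    array_start = PAGE_SIZE - 2 * slot_count
    if array_start < HEADER_SIZE:
        raise ValueError("slot count does not fit in the page")
    # Slot 0 is the last 2 bytes of the page; the array grows backwards.
    offsets = [struct.unpack_from("<H", page, PAGE_SIZE - 2 * (i + 1))[0]
               for i in range(slot_count)]
    slots = []
    for slot, off in enumerate(offsets):
        if off == 0:
            status = "empty"            # assumption: 0 = slot holds no row
        elif HEADER_SIZE <= off < min(free_data, array_start):
            status = "ok"
        else:
            status = "out-of-range"     # corrupt or tampered entry
        slots.append({"slot": slot, "offset": off, "status": status})
    return {"page_id": f"{file_no:02d}:{page_no:04d}", "type": page[1],
            "slot_count": slot_count, "slots": slots}

def build_sample_page() -> bytes:
    """Constructed page 01:0067 with two rows and one emptied slot."""
    page = bytearray(PAGE_SIZE)
    page[1] = 1                                   # page type 1 = data page
    rows = [b"ROW-A".ljust(16, b"\x00"), b"ROW-B".ljust(16, b"\x00")]
    pos, offsets = HEADER_SIZE, []
    for row in rows:
        page[pos:pos + len(row)] = row
        offsets.append(pos)
        pos += len(row)
    offsets.insert(1, 0)                # slot 1 no longer points to a row
    struct.pack_into("<H", page, 22, len(offsets))
    struct.pack_into("<H", page, 30, pos)
    struct.pack_into("<IH", page, 32, 67, 1)
    for i, off in enumerate(offsets):
        struct.pack_into("<H", page, PAGE_SIZE - 2 * (i + 1), off)
    return bytes(page)
```

Run against pages carved from a working copy of the .mdf file, never the original evidence; slots reported as empty or out-of-range are the ones to inspect by hand.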