Perform MSSQL Forensics in this SQL server is a Relational Database Management System and is being widely adopted by various organizations to store data associated with the applications. This includes sensitive data related to the web application and users’ accounts in the web application. MSSQL forensics take action when a security incident has occurred and detection and analysis of the malicious activities performed by criminals over the SQL database file are required. A forensic investigator needs to examine the Primary Database Files and Transaction Log Files for investigation purpose.
Data Storage in SQL Server
Data and Logs in SQL servers are stored in three different files;
Primary Data Files (MDF)
The primary data file is the starting point of a database and points to other files in the database, Every database has a primary data file. The primary data file stores all the data in the database objects (tables, schema, indexes, etc.). The file name extension for primary data files is .mdf.
Secondary Data Files (NDF)
The secondary data files are optional. While a database contains only one primary data file, it can contain zero/single/multiple secondary data files. The Secondary data file can be stored on a hard disk, separate than the primary data file. The file name extension for secondary data files is .ndf.
Transaction LOG Data Files (LDF)
The transaction log files hold the entire log information associated with the database. The transaction log file helps a forensic investigator to examine the transactions occurred on a database, and even recover data deleted from the database. The file name extension for transaction log date files is .Idf and each file is divided into virtual log files.
These three files together constitute a database, and each data file contains multiple data pages, as discussed above.
Related Product : Computer Hacking Forensic Investigator | CHFI
Directly focuses on the identification, preservation and analysis of database data.
- Retrace user DML & DDL operations
- Identify data pre and post transaction
- Recover previously deleted data rows
- Can help prove/disprove the occurrence of a data security breach
- Can determine the scope of a database intrusion
- For the “real world”: No dependency on 3rd party auditing tools or pre-configured DML or DDL triggers
Why are databases critical assets?
- Databases hold critical information
- Industry trends are scaling in versus out
- Database servers today hold more sensitive information than ever before
- Data security legislations & regulations dictate that security breaches must be reported
- The Canadian Internet Policy and Public Interest Clinic (CIPPIC) is calling for a data security breach notification law in Canada
Also Read : Database Forensics and Its Importance
How to Detect Deleted Statements in SQL Server?
It happens many times that when you’re dealing with your database and accidentally performed any task such as dropping a table, deleting a record or if a third person has accessed your database and performed some DML statements, In such case, there is no need to worry about it, the SQL Server uses some undocumented commands, through which you can detect all the transactions performed by you or by a third person.
Don’t ignore the database when conducting computer forensics investigations Database forensics techniques learned today can augment traditional forensics skills to uncover the additional evidence needed to support your case
Questions related to this topic
- How do I view data in a SQL database?
- How many primary data file should be in a database?
- What is log file in SQL Server database?
- Where are SQL database files stored?
- How to Perform MSSQL Forensics ?
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com