Re: MS SQL Forensics? |  |
- To: "Mark G. Spencer" <[EMAIL PROTECTED]>
- Subject: Re: MS SQL Forensics?
- From: "Gary L. Palmer" <[EMAIL PROTECTED]>
- Date: Thu, 21 Aug 2003 18:47:46 -0400
- Cc: [EMAIL PROTECTED]
- Organization: The MITRE Corporation
- References: <[EMAIL PROTECTED]>
Hi Mark,
I know much more about Oracle, but after a brief MS KB search it appears that
SQL Server has many similar logging features, although enabled quite
differently.
Check out
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/dbsql/sql2kaud.asp
for more detail.
Briefly, installation of SQL Svr will automatically integrate some record
logging into the standard Windows event logs that can be queried by Event Viewer
(or LogParser, if you know how to use it). Like other DBs, for performance
reasons auditing, especially of network events, isn't enabled by default. So
if the instance of SQL Svr you are studying did have it enabled (which the
link above describes how to tell), you will get a lot more information about
network transactions that may tell you what accounts on what remote connections
may have elevated user privs, if that did happen. Unfortunately, like anything
else, levels of auditing vary as well, if they are enabled at all, so your
picture may not be as clear as you would like.
Hope the link helps a little,
Gary
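Taking Gary's pointer one step further for the archived .MDF/.LDF files Mark describes, here is an added SQL Server 2000 example that is not part of either message: attach working copies (never the originals) to a clean instance, mark the database read-only, and read the user-account timestamps and role membership straight from the database's system tables. The database name and file paths are assumptions.

```sql
-- Added example, not from the thread. Attach COPIES of the archived data and
-- log files to a clean SQL Server 2000 instance under an assumed name.
EXEC sp_attach_db
    @dbname    = N'evidence_db',
    @filename1 = N'E:\copies\evidence_db.mdf',      -- assumed path to copied .MDF
    @filename2 = N'E:\copies\evidence_db_log.ldf';  -- assumed path to copied .LDF
GO

-- Prevent any accidental writes while the copy is being examined.
ALTER DATABASE evidence_db SET READ_ONLY;
GO

-- Database users with their creation and last-modification timestamps.
-- A recent updatedate on an account with broad rights is worth a closer look.
SELECT name, uid, createdate, updatedate, issqluser, isntuser, isaliased
FROM   evidence_db..sysusers
WHERE  islogin = 1
ORDER BY updatedate DESC;
GO

-- Role membership as of the moment the files were copied: which user sits in
-- db_owner, db_securityadmin and so on (groupuid = role, memberuid = member).
SELECT r.name AS role_name,
       u.name AS member_name,
       u.createdate,
       u.updatedate
FROM   evidence_db..sysmembers m
JOIN   evidence_db..sysusers   r ON r.uid = m.groupuid
JOIN   evidence_db..sysusers   u ON u.uid = m.memberuid
WHERE  r.issqlrole = 1
ORDER BY r.name, u.name;
GO

-- Note: the audit-level setting Gary refers to, and the login/logout records it
-- produces, are not stored inside the .MDF/.LDF files; they come from the
-- instance configuration and the Windows event logs of the original host.
```

Server-level logins (sysxlogins) live in master, so the same kind of query against an attached copy of master only applies if that file was also archived.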
"Mark G. Spencer" wrote:
> I'm not much of a database guru and I've come across a case where it looks
> like a standard Microsoft SQL database user account has had its privileges
> escalated by an intruder (cable modem user) and subsequently bad stuff
> (source code theft) occurred.
>
> I have archived the MSSQL/Data and MSSQL/Data/Backup folders from the
> machine in question. In those folders I have a variety of .LDF and .MDF
> files. My limited understanding is that in these database files should be
> contained diagnostic information, such as when various updates to objects
> such as user accounts were modified and by what IP address?
>
> I'm looking for suggestions on how to best get at all the log style
> information out of these files for review. Are there any special tools to
> assist here? Would I have to rebuild the databases on a fresh MS SQL
> server?
>
> Thanks for the advice,
>
> Mark G. Spencer
> Computer Forensics Examiner
> EvidentData, Inc.
> Web: http://www.evidentdata.com
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com