In this session we will discuss various methods to analyse possible criminal actions or accidents and pinpoint them to a specific person or group of persons and to a time or time frame.
We will discuss the goals of a forensic investigation, define breaches and types of breaches, and how to verify them. We will also learn about various database file formats, the methodology of a forensic investigation, and the collection and analysis of artifacts. We will take a look at native SQL methods.
We will also cover what artifacts to collect and why.
We will also cover a couple of third-party tools available in the market, and understand why it is not always easy to use these tools.
Can we retrace the DML/DDL statements and possibly undo the harm?
We will also learn how to preserve the evidence and how to set up honeypots.
We will also look at the Initial and Advanced Response Toolkit, and how to use SQL Server binaries to determine whether a hack occurred.
5. Database Forensics
Goals
a) Prove or disprove the occurrence of a data security breach
b) Determine the scope of a database intrusion
c) Retrace user DML and DDL operations
d) Identify data pre- and post-transactions
e) Recover previously deleted database data
10. Database Forensics
Incident Preparedness
1. Configure your forensics workstation (server/WS)
2. Create a SQL Server forensics IRT
3. Develop SQL Server incident response scripts
4. Integrate base scripts with automated live forensic suites (optional)
11. Database Forensics
Incident Verification
Identifying signs of penetration:
A. SQL Server Penetration
B. Active unauthorized SQL Server connections
C. Past unauthorized SQL Server access
a) SQL Server error logs
b) Plan Cache
c) Session details
12. Database Forensics
Artifacts
1. Volatile:
1. Active VLFs, captured from a sqlcmd session with output redirected to a file:
   sqlcmd
   :out c:\dbse_loginfo.txt
   dbcc loginfo
   go
2. Security ring buffer entries (recent login/permission failures):
   select * FROM sys.dm_os_ring_buffers WHERE ring_buffer_type = 'RING_BUFFER_SECURITY_ERROR';
3. Data cache, plan cache, recently executed statements, active connections, active sessions, active VLFs, ring buffers
2. Non-Volatile- Default Trace Files
3. Pre-planned
4. Configuration
5. Constant update
Item                               Importance  Volatility  Priority
SQL Server Connections & Sessions      5           5           0
Transaction Logs                       5           4           1
SQL Server Logs                        4           3           3
SQL Server Database Files              3           2           5
System Event Logs                      2           2           6
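The volatile artifacts listed on this slide can be pulled with a single read-only T-SQL batch, collected in the priority order of the table above. The script below is an added example for this page, not the presenter's own response script; the collection-tag comment, the output file name and the claim that the security ring buffer record follows the /Record/Error/... layout are assumptions.

```sql
-- FORENSIC_COLLECTION_TAG  (assumed tag: lets the batch filter itself out of the plan-cache listing)
-- Added example: volatile SQL Server artifact collection in priority order
-- (connections/sessions, then active VLFs, then cached statements and ring buffers).
-- Run from the forensics workstation so nothing is written on the suspect host:
--   sqlcmd -S <server> -E -d <database> -i collect_volatile.sql -o volatile_<host>_<utc>.txt
-- The batch is read-only against user databases; record start/end times so the
-- collection itself appears on the timeline.
SET NOCOUNT ON;
SELECT SYSUTCDATETIME() AS collection_started_utc,
       @@SERVERNAME      AS server_name,
       SUSER_SNAME()     AS collected_by,
       @@VERSION         AS version;

-- 1. Active connections and sessions (priority 0): who is connected, from where,
--    how they authenticated, and the last statement each connection sent.
--    most_recent_sql_handle belongs to the connection, so it survives an idle session.
SELECT s.session_id, s.login_time, s.login_name, s.original_login_name,
       s.host_name, s.program_name, s.client_interface_name, s.status,
       s.last_request_start_time, s.last_request_end_time,
       c.connect_time, c.client_net_address, c.client_tcp_port,
       c.net_transport, c.auth_scheme, c.encrypt_option,
       t.text AS most_recent_statement
FROM sys.dm_exec_sessions AS s
LEFT JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
OUTER APPLY sys.dm_exec_sql_text(c.most_recent_sql_handle) AS t
WHERE s.is_user_process = 1
ORDER BY s.login_time;

-- 2. Active VLFs (priority 1) for the current database: Status = 2 marks VLFs
--    that still hold active log records, i.e. the part of the log that can
--    later be examined for recent DML/DDL. Repeat with -d for each database.
DBCC LOGINFO WITH NO_INFOMSGS;

-- 3. Most recently executed statements from the plan cache. The text comes from
--    the cached plan, so it reflects what actually ran. Running this batch adds
--    it to the cache too (observer effect); the tag comment filters it out.
SELECT TOP (200)
       qs.last_execution_time, qs.creation_time, qs.execution_count,
       SUBSTRING(st.text, (qs.statement_start_offset / 2) + 1,
           ((CASE qs.statement_end_offset WHEN -1 THEN DATALENGTH(st.text)
             ELSE qs.statement_end_offset END - qs.statement_start_offset) / 2) + 1)
           AS statement_text,
       DB_NAME(st.dbid) AS database_name
FROM sys.dm_exec_query_stats AS qs
CROSS APPLY sys.dm_exec_sql_text(qs.sql_handle) AS st
WHERE st.text NOT LIKE '%FORENSIC_COLLECTION_TAG%'
ORDER BY qs.last_execution_time DESC;

-- 4. Security ring buffer: recent login/permission failures. record is stored as
--    nvarchar, so cast it to XML; timestamp is in server ticks and is converted
--    to wall-clock time with sys.dm_os_sys_info.ms_ticks.
SELECT DATEADD(ms, -1 * (si.ms_ticks - rb.timestamp), GETDATE())         AS event_time,
       x.r.value('(/Record/Error/SPID)[1]', 'int')                        AS spid,
       x.r.value('(/Record/Error/ErrorCode)[1]', 'int')                   AS error_code,
       x.r.value('(/Record/Error/CallingAPIName)[1]', 'nvarchar(64)')     AS calling_api,
       x.r.value('(/Record/Error/APIName)[1]', 'nvarchar(64)')            AS api_name
FROM sys.dm_os_ring_buffers AS rb
CROSS JOIN sys.dm_os_sys_info AS si
CROSS APPLY (SELECT CAST(rb.record AS XML)) AS x(r)
WHERE rb.ring_buffer_type = 'RING_BUFFER_SECURITY_ERROR'
ORDER BY rb.timestamp DESC;

-- 5. Failed logins from the current error log (log 0, type 1 = SQL Server error log).
EXEC sys.xp_readerrorlog 0, 1, N'Login failed';

SELECT SYSUTCDATETIME() AS collection_finished_utc;
```

Keep the whole file as one batch (no GO separators) so the tag comment is part of every statement's cached text, and hash the output file as soon as sqlcmd returns. The script deliberately avoids DBCC commands that change state and avoids writing to the suspect instance; any tempdb use would itself be an artifact you would have to explain.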
13. Database Forensics
Artifacts –Collection
Summary of Volatile SQL Server Artifacts
Columns: Volatile SQL Server Artifacts | Automated Artifact Collection (WFT) | Ad Hoc Artifact Collection
Data cache                               ♦
Cache clock hands                        ♦
Plan cache                               ♦
Most recently executed (MRE) statements  ♦
Active connections                       ♦
Active sessions                          ♦
Active virtual log files (VLFs)          ◊ ♦
Ring buffers                             ♦
14. Database Forensics
Artifacts - Analysis
1. Pre-analysis
• Create an image
• Use write blockers
• Create a repository (database)
2. Security audit - use of a honeypot
• Audit level
• Log history
• History of suspect
3. SQL logs
4. System Event Viewer logs
5. Profiler trace or monitoring software like Idera
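The analysis steps above (audit level, log history, SQL logs) and the non-volatile default trace files from the Artifacts slide can be worked through with the T-SQL below. It is an added example for this page, not code from the presentation; the incident window dates are constructed placeholders, and the list of trace event classes is the subset this example chooses to look at.

```sql
-- Added example: pre-analysis of non-volatile artifacts. Run against a copy or a
-- restored image, never the production instance under investigation.

-- 1. Audit level: what login events the server was configured to write to its
--    error log (none / successful / failure / all). If it was 'none', the absence
--    of failed logins in the error log proves nothing about the incident.
EXEC master.sys.xp_loginconfig 'audit level';

-- 2. Was the default trace even enabled? It can be switched off by a sysadmin,
--    so a gap in trace history is itself a finding worth dating.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'default trace enabled';

-- 3. Locate the default trace. fn_trace_gettable reads forward through rollover
--    files from the path it is given, so start from the base log.trc rather than
--    the current log_NNN.trc to read every retained file.
DECLARE @trace_path nvarchar(260);
SELECT @trace_path = REVERSE(SUBSTRING(REVERSE(path), CHARINDEX(N'\', REVERSE(path)), 260))
                     + N'log.trc'
FROM sys.traces
WHERE is_default = 1;

-- Constructed incident window; replace with the window from your timeline.
DECLARE @window_start datetime = '2024-01-01T00:00:00';
DECLARE @window_end   datetime = '2024-12-31T23:59:59';

-- 4. Security and schema events in the window. The default trace keeps login
--    failures, login/user/role changes and object DDL, which lets you retrace
--    DDL activity without carving the transaction log. Event classes used:
--    20  Audit Login Failed          46  Object:Created      47  Object:Deleted
--    104 Audit Addlogin              105 Audit Login GDR     108 Audit Add Login to Server Role
--    109 Audit Add DB User           110 Audit Add Member to DB Role   164 Object:Altered
SELECT t.StartTime, te.name AS event_name, t.LoginName, t.SessionLoginName,
       t.HostName, t.ApplicationName, t.DatabaseName, t.ObjectName,
       t.TargetLoginName, t.RoleName, t.TextData
FROM sys.fn_trace_gettable(@trace_path, DEFAULT) AS t
JOIN sys.trace_events AS te ON te.trace_event_id = t.EventClass
WHERE t.StartTime BETWEEN @window_start AND @window_end
  AND t.EventClass IN (20, 46, 47, 104, 105, 108, 109, 110, 164)
ORDER BY t.StartTime;
```

Joining sys.trace_events puts the event name beside each numeric class, so the output can be read without the lookup table. Copy and hash the .trc files before running this; fn_trace_gettable only reads them, but the chain of custody should show the originals were never opened on the suspect host.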
16. Database Forensics
Q&A - Bibliography
http://www.bmyers.com/public/1958.cfm
Fowler, K. SQL Server Forensic Analysis.
Fowler, K. (2007). Forensic analysis of a SQL Server 2005 database. Informally published manuscript.
17. Database Forensics
"As prudent investigators, our job is to find the clues that the perpetrator doesn't know he/she left behind."
William Petersen, CSI, 2001
18. Explore Everything PASS Has to Offer
• Free SQL Server and BI web events
• Free 1-day training events
• Regional events
• Local user groups around the world
• Free online technical training
• This is Community
• Business Analytics training
• Session recordings
• PASS newsletter