2. SQL Server Forensics
In recent years, data security breaches have been a common theme in the news.
SQL Server forensics can be used to aid in the qualification and investigation of data security
breaches and to help a forensic investigator prove or disprove whether a suspected digital
intrusion has occurred.
If one did occur, SQL Server forensics can help determine whether the intrusion reached
data protected by regulation or legislation, so that an organization neither fails to disclose
a breach of that data nor reports a breach that did not happen.
It focuses directly on the identification, preservation, and analysis of the database data
suitable for presentation in a court of law.
It enables an investigator to better qualify, assess, and investigate intrusions involving SQL
Server data.
3. SQL Server Forensics
The application of SQL Server forensics during a digital investigation or
electronic discovery initiative can achieve the following goals:
• Prove or disprove the occurrence of a data security breach
• Determine the scope of a database intrusion
• Retrace user DML and DDL operations
• Identify data values as they existed before and after specific transactions
• Recover previously deleted data
4. Investigation Trigger
Almost all SQL Server forensic investigations you perform will be
undertaken in response to a specific digital event (or trigger).
Numerous triggers can initiate a database forensic investigation,
including these common events:
• Suspected unauthorized database usage
• A need to assess the scope of a digital intrusion involving
devices with logical access to a SQL Server
• Electronic discovery initiatives involving SQL Server data
5. SQL Server Forensics vs Traditional Windows Forensics
A traditional Windows forensic investigation focuses on volatile and nonvolatile operating
system and selected application data. Applications such as Internet Explorer, the Microsoft
Office suite, and various instant messaging (IM) applications are typically targeted by
traditional digital forensic investigations. These investigations often neglect the database.
However, when the database is ignored, it is obviously difficult—and in some cases
impossible—for investigators to determine whether a database was compromised during
an attack.
SQL Server forensics picks up where traditional investigations end by focusing on the
database.
8. Live Acquisition
Live SQL Server acquisition is conducted using the resources and binaries of the target database
server. Live acquisition can be used to acquire both volatile and nonvolatile SQL Server data.
Because of the ever-increasing size of computer storage, live analysis is becoming more practical.
During a live investigation, all of the actions that you perform will alter the state of the server.
Whether you are interactively logging on to a database server to perform a live analysis or connecting
to a database server remotely, you will inevitably change data on the target system.
The following principles will help minimize the intrusiveness of an investigation based on live analysis:
• Collect nonpersistent (volatile) data that would be lost if the server were shut down or the SQL Server
services were restarted; it cannot be recovered afterwards.
• Employ sound artifact collection methods to ensure that the integrity of each collected artifact is
maintained and can be demonstrated later.
• Collect artifacts in order of volatility: the data most likely to change or disappear is preserved first.
• Log every action where possible so that investigator activity can be accounted for, and know in advance
which changes each action will introduce on the target (new sessions, cache entries, log records).
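The principles above, as an added example that is not part of the original slides: an acquisition script that runs a fixed list of queries most-volatile first, writes each result to its own file, and keeps an action log recording the investigator, the timestamp, and the exact query. It assumes the target is reachable with sqlcmd over TCP using the investigator's Windows credentials; the DMVs named are real SQL Server objects, but the artifact list itself is a hypothetical minimum set, not a complete toolkit, and the sample output is constructed so the script runs offline.

```python
"""Ordered live acquisition of SQL Server artifacts with an investigator action log.

Added example for this page, not code from the original slides. It assumes the
target is reachable with sqlcmd over TCP using the investigator's Windows
credentials; the DMVs named are real SQL Server objects, but this artifact list is
a hypothetical minimum set, not a complete toolkit.
"""
import datetime
import json
import os
import subprocess
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Artifact:
    name: str        # file stem for the saved output
    query: str       # T-SQL executed on the target
    volatility: int  # lower value = more volatile = collected earlier


# Order of volatility: connection, session, request and transaction state vanish
# when the service restarts; the plan cache is flushed under memory pressure; the
# error log and principal metadata are cycled or edited over time; file metadata
# is the least volatile item in this list.
ARTIFACTS: List[Artifact] = [
    Artifact("connections", "SELECT * FROM sys.dm_exec_connections", 1),
    Artifact("sessions", "SELECT * FROM sys.dm_exec_sessions", 1),
    Artifact("requests", "SELECT * FROM sys.dm_exec_requests", 1),
    Artifact("active_tran", "SELECT * FROM sys.dm_tran_active_transactions", 1),
    Artifact("plan_cache",
             "SELECT cp.usecounts, cp.cacheobjtype, st.text "
             "FROM sys.dm_exec_cached_plans cp "
             "CROSS APPLY sys.dm_exec_sql_text(cp.plan_handle) st", 2),
    Artifact("errorlog", "EXEC master.dbo.xp_readerrorlog", 3),
    Artifact("logins", "SELECT name, type_desc, create_date, modify_date "
                       "FROM sys.server_principals", 3),
    Artifact("db_files", "SELECT database_id, name, physical_name, state_desc "
                         "FROM sys.master_files", 4),
]


def sqlcmd_argv(server: str, query: str) -> List[str]:
    """Build the sqlcmd command line: -E uses Windows authentication, -W strips
    trailing spaces, -s sets a tab column separator so the output parses cleanly."""
    return ["sqlcmd", "-S", f"tcp:{server}", "-E", "-W", "-s", "\t", "-Q", query]


def sqlcmd_executor(server: str) -> Callable[[str], str]:
    """Executor for a real remote connection (requires sqlcmd on the workstation)."""
    def run(query: str) -> str:
        proc = subprocess.run(sqlcmd_argv(server, query),
                              capture_output=True, text=True, check=True)
        return proc.stdout
    return run


def collect(execute: Callable[[str], str], outdir: str, investigator: str) -> List[dict]:
    """Run every artifact query most-volatile first, save each output to its own
    file, and append an action-log entry recording who ran what, and when."""
    os.makedirs(outdir, exist_ok=True)
    log: List[dict] = []
    # sorted() is stable, so list order is kept inside each volatility tier
    for art in sorted(ARTIFACTS, key=lambda a: a.volatility):
        started = datetime.datetime.now(datetime.timezone.utc).isoformat()
        output = execute(art.query)
        path = os.path.join(outdir, f"{art.name}.txt")
        with open(path, "w", encoding="utf-8") as f:
            f.write(output)
        log.append({"time": started, "investigator": investigator, "artifact": art.name,
                    "query": art.query, "bytes": len(output.encode("utf-8")), "file": path})
    with open(os.path.join(outdir, "action_log.json"), "w", encoding="utf-8") as f:
        json.dump(log, f, indent=2)
    return log


# Constructed sample output so the script runs offline; a real acquisition passes
# sqlcmd_executor("dbhost,1433") instead of fake_executor.
FAKE_OUTPUT = {
    "SELECT * FROM sys.dm_exec_sessions":
        "session_id\tlogin_name\thost_name\n51\tCORP\\svc_app\tAPP01\n63\tsa\tWS-UNKNOWN\n",
}


def fake_executor(query: str) -> str:
    return FAKE_OUTPUT.get(query, "(constructed placeholder output)\n")


if __name__ == "__main__":
    for entry in collect(fake_executor, "acq_demo", "investigator1"):
        print(entry["time"], entry["artifact"], entry["bytes"], "bytes")
```

Note that the script itself is one of the changes it logs: each query opens a session, appears in sys.dm_exec_sessions and sys.dm_exec_requests, and may add a plan-cache entry, which is exactly why the action log records the query text and time.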
9. Connecting to a Live SQL Server
Interactive Connection: An investigator using an interactive
connection would interactively log on to a live SQL Server and use
incident response tools to acquire data. This interactive logon can
be performed by an investigator physically logging on to a server or
logically logging on using remote system administration software
such as Remote Desktop Protocol (RDP). Interactive connections
support the widest range of SQL Server protocols, including Shared
Memory, which can only be used from the server itself.
Remote Connection: When using a remote connection, an
investigator will use a separate networked computer to connect to
a live SQL Server and acquire data. Because this approach is
performed over the network, the SQL native client on the remote
computer and the target SQL Server will need to be configured to
support at least one common network-based SQL Server protocol
so that they can communicate.
10. Dead Acquisition
o Dead SQL Server acquisition is performed on a SQL Server that has been powered
down and is no longer operational.
o Ideally, the SQL Server should be shut down using a “dirty” shutdown, commonly
accomplished by disconnecting the power cord(s) of the server, so that shutdown
scripts and the SQL Server service itself cannot alter the on-disk state. The obvious
downside to this approach is that all volatile data is lost when the system is
powered down. The database files are left in a crash-consistent state; SQL Server
would run transaction-log recovery the next time it started, so the acquired image
should be analyzed read-only rather than mounted by a live instance.
o Once the SQL Server has been shut down, the system can be booted from trusted
boot media (historically a floppy disk or CD, today typically a forensic live
CD/USB), which will enable you to run a trusted data acquisition application and
acquire data.
o Dead analysis is deemed by many as the most reliable way to acquire digital data
from a target system. It is also typically faster than live analysis when imaging disks.
o A benefit to dead analysis is that its results can be easily reproduced because you
are dealing with static data images.
11. Hybrid Acquisition
o Hybrid acquisition can be viewed as a typical dead acquisition that is
performed after the live acquisition of volatile data.
o Live analysis doesn’t have to stop at volatile data.
o In some cases, it’s much easier to acquire selected nonvolatile data
using a live acquisition as opposed to extracting it from a dormant
system.
o Hybrid analysis allows you to control the ratio of live versus dead
acquisition to suit your needs.
13. Investigation Preparedness
● Investigation preparedness involves preparing the hardware and software
needed for an investigation.
● Steps to perform before a SQL Server Investigation:
1. Create a SQL Server incident response toolkit, which will ensure that the
tools required during future phases of the investigation are verified and
available upon request.
2. Prepare a forensic workstation for a SQL Server investigation.
3. Collect pre-developed SQL incident response scripts, which will
automate artifact preservation and reduce the time needed to preserve
key artifacts.
● Proper investigation preparedness can significantly increase the chances
of a successful outcome from the investigation.
14. Incident Verification
o Some organizations will not allow a database server to be removed from a
network to conduct a database forensic investigation without adequate
justification.
o During the incident verification phase, limited artifact collection and analysis is
performed to produce preliminary findings, with the goal of identifying digital
events that will justify the need for a full SQL Server forensic investigation.
o A third party, or an application or system administrator, may perform satisfactory
incident verification.
o In some scenarios, an organization may not have a say in the matter. In these
cases, the incident verification stage can be skipped and you can proceed
directly to artifact collection.
15. Artifact Collection
o Data collection involves the acquisition and preservation of the data identified
as relevant in the preceding phase.
o During data collection, all database files and query outputs should be preserved
so that it can later be demonstrated that their integrity was not compromised or
corrupted.
o Typically, data preservation is performed by generating digital hashes using a
trusted hashing algorithm. MD5 and SHA-1 are still widely used by forensic
tooling, but both are collision-broken; record SHA-256 as the primary hash and
keep MD5/SHA-1 only where existing tools or procedures require them.
o Data collection is a critical step in a database investigation, because
if your findings are selected for submission as evidence within a court
of law, you will need to prove the integrity of the data on which your
findings are based.
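The preservation step described above, as an added example that is not part of the original slides: a script that hashes every collected artifact into a manifest at collection time and re-verifies the manifest later, reporting any file that is missing or altered. SHA-256 is the primary digest, with MD5 and SHA-1 recorded alongside it only for compatibility with older tooling. The manifest layout, the file names, and the sample artifacts are this example's own assumptions; the demo tampers with one file after hashing to show the verification failing.

```python
"""Preserve collected artifacts with a hash manifest, then verify it later.

Added example for this page, not code from the original slides. SHA-256 is the
primary digest; MD5 and SHA-1 are recorded alongside it only because some older
tooling and procedures still expect them. The manifest layout and file names are
this example's own assumptions.
"""
import hashlib
import json
import os
from datetime import datetime, timezone

ALGORITHMS = ("sha256", "md5", "sha1")
MANIFEST = "manifest.json"


def digest_bytes(data: bytes, algorithm: str = "sha256") -> str:
    return hashlib.new(algorithm, data).hexdigest()


def digest_file(path: str, algorithm: str = "sha256", chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so multi-gigabyte .mdf/.ldf copies need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(directory: str, investigator: str) -> dict:
    """Record the size and digests of every artifact file in the directory."""
    entries = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if name == MANIFEST or not os.path.isfile(path):
            continue
        entry = {"file": name, "size": os.path.getsize(path)}
        for alg in ALGORITHMS:
            entry[alg] = digest_file(path, alg)
        entries.append(entry)
    manifest = {"created": datetime.now(timezone.utc).isoformat(),
                "investigator": investigator, "files": entries}
    with open(os.path.join(directory, MANIFEST), "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_manifest(directory: str):
    """Re-hash every listed file; return (all_ok, list of problems)."""
    with open(os.path.join(directory, MANIFEST), encoding="utf-8") as f:
        manifest = json.load(f)
    problems = []
    for entry in manifest["files"]:
        path = os.path.join(directory, entry["file"])
        if not os.path.isfile(path):
            problems.append(f"missing: {entry['file']}")
        elif digest_file(path, "sha256") != entry["sha256"]:
            problems.append(f"modified: {entry['file']}")
    return (not problems, problems)


def demo(directory: str = "preserve_demo"):
    """Constructed artifacts standing in for a query output and a copied log file;
    the second verification fails because the query output is altered after hashing."""
    os.makedirs(directory, exist_ok=True)
    samples = {
        "sessions.txt": b"session_id\tlogin_name\n63\tsa\n",
        "SalesDB_log.ldf": b"\x00" * 4096,
    }
    for name, data in samples.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)
    build_manifest(directory, "investigator1")
    ok_before, _ = verify_manifest(directory)
    with open(os.path.join(directory, "sessions.txt"), "ab") as f:
        f.write(b"99\tunknown\n")  # simulated tampering after preservation
    ok_after, problems = verify_manifest(directory)
    return ok_before, ok_after, problems


if __name__ == "__main__":
    print(demo())
```

The manifest should be written to read-only evidence storage (or signed) as soon as it is produced; a manifest that sits writable next to the artifacts proves nothing, since whoever alters a file can regenerate it.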