8. Database Forensics

Database forensics is a specialized field focused on investigating databases to uncover evidence of malicious activities or policy violations, involving data extraction, analysis, and recovery. Key components include data collection, analysis, preservation, and reporting, which are crucial for incident response, data integrity, compliance, and legal evidence. The document also discusses evidence collection methods in SQL Server and MySQL, emphasizing the importance of preserving data and logs for forensic analysis.

Uploaded by

Sehajdeep Singh

Database Forensics

Database Forensics and its Importance

• The branch of digital forensics focused on investigating databases to uncover evidence of malicious activity or policy violations.
• Involves the extraction, analysis, and recovery of data from database systems.
• Aimed at identifying unauthorized access, modifications, or data breaches.

Key Components of Database Forensics

• Data Collection: Gathering data and metadata from databases, including logs, transactions, and access records.
• Analysis: Reviewing data integrity, query history, and changes made to the database.
• Preservation: Ensuring data authenticity and maintaining an unaltered state for legal admissibility.
• Reporting: Documenting findings, timelines, and potential attack vectors for legal and organizational purposes.

Importance of Database Forensics

• Incident Response: Helps in identifying and understanding the scope of a data breach or unauthorized access.
• Data Integrity: Verifies that data within databases has not been tampered with or corrupted.
• Compliance: Helps organizations meet regulatory requirements (e.g., GDPR, PCI-DSS) by ensuring secure and traceable data handling.
• Legal Evidence: Provides admissible evidence for legal investigations or corporate audits.
• Risk Mitigation: Detects security weaknesses in database configurations, permissions, and access controls.

Data Storage in SQL Server

• Primary Data Files (MDF): Main file storing user data and database objects; serves as the starting point of a database.
• Secondary Data Files (NDF): Optional files to spread data across multiple disks for efficiency.
• Transaction Log Files (LDF): Logs all database transactions for recovery purposes; divided into smaller units called Virtual Log Files (VLFs).
• Database Composition: All these files (MDF, NDF, and LDF) combine to form a complete database structure in SQL Server.

• Data Page Structure
  • Data Pages: Basic storage units in SQL Server, each with a capacity of 8 KB.
  • Page Components:
    • Page Header: Contains metadata like page ID and type.
    • Data Rows: Stores the actual data entries.
    • Offset Table: Points to the locations of the data within the page.

Database Evidence Repositories in SQL Server

• SQL Server Data Storage: Data is stored within SQL Server itself and also on the Windows machine hosting it.
• Key Evidence Sources for Examiners
  • SQL Server Volatile Database: Temporary data stored in memory, which can provide insight into active sessions and ongoing transactions.
  • Primary Data File (MDF) & Active Transaction Logs (LDF): Core components containing user data, database objects, and transaction history crucial for forensic analysis.
  • Database Plan Cache: Stores execution plans for recent queries, helping to understand recent database activities and potential suspicious operations.

Collect Evidence Files on MSSQL Server

• Collecting Volatile Database Data
  • Capture active sessions, in-memory processes, and ongoing transactions.
  • Provides insights into current operations, which may not be recoverable later.
  • Use Apex SQL DBA's ApexSQL Audit application.

• Collecting Primary Data File (MDF) and Active Transaction Logs (LDF)
  • Use SQLCMD to export data and logs directly from the SQL Server.
  • Essential for capturing user data, database objects, and transaction details.

• Collecting Primary Data File and Transaction Logs
  • Back up or copy the MDF and LDF files to secure forensic evidence.
  • Ensures that primary data and logs are preserved for analysis.

• Collecting Active Transaction Logs Using SQL Server Management Studio (SSMS)
  • Use SSMS to view, extract, and export active transaction logs.
  • Important for recovering recent transaction history.

• Collecting Database Plan Cache
  • Capture query execution plans to understand recent database activity.
  • Can reveal patterns in SQL query usage, highlighting potentially suspicious actions.
  • Issue select * from sys.dm_exec_query_stats to view the aggregate performance statistics for the cached query plans.

• Collecting Windows Logs
  • Retrieve Windows Event Logs from the server hosting SQL Server.
  • Useful for identifying user logins, system events, and security-related incidents.
  • Launch Event Viewer, expand the Windows Logs node, and view the various Windows event logs.

• Collecting SQL Server Trace Files
  • Gather trace files that log specific SQL Server events.
  • Valuable for understanding queries executed, login attempts, and user activity.
  • To collect the trace files (.trc), navigate to C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\LOG

• Collecting SQL Server Error Logs
  • Capture SQL Server error logs to identify potential issues or unauthorized access attempts.
  • Includes information on failed login attempts, errors, and system warnings.

Perform MSSQL Forensics

• Step 1: Examine the Windows Logs
  • Examine the Windows Logs to obtain SQL Server authentication information, start-up and shutdown instances, and the IP addresses of client connections.
  • It is observed that an event associated with a server login to the MSSQL Server is recorded.

• Step 2: Examine the Error Logs
  • The error logs are located at C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\LOG

• Step 3: Examine the Active Transaction Logs
  • Launch SQL Server Management Studio and connect to the SQL Server.
  • Execute the command dbcc log(moviescope, 3) in the query window to view the transaction log file for the moviescope database, with detailed information for each operation.
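As an added T-SQL example (not part of the original slides), the MSSQL collection steps above run from an SSMS or SQLCMD query window; the moviescope database name and the sys.dm_exec_query_stats view come from the slides, everything else uses documented SQL Server catalog views and functions, and fn_dblog is used in place of the undocumented dbcc log.

```sql
-- Locate the MDF/NDF/LDF files of every database so they can be backed up or copied.
-- (Files are open while the service runs; copy them from a backup or after stopping the service.)
SELECT DB_NAME(database_id) AS database_name, type_desc, physical_name
FROM sys.master_files;

-- Volatile data: who is connected right now, from which address, and with which client program.
SELECT s.session_id, s.login_name, s.host_name, s.program_name, s.login_time,
       c.client_net_address, c.auth_scheme
FROM sys.dm_exec_sessions AS s
LEFT JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.is_user_process = 1;

-- Plan cache: the slide's sys.dm_exec_query_stats query, extended with the statement text
-- so the SQL behind each cached plan is readable, newest executions first.
SELECT qs.creation_time, qs.last_execution_time, qs.execution_count, st.text AS statement_text
FROM sys.dm_exec_query_stats AS qs
CROSS APPLY sys.dm_exec_sql_text(qs.sql_handle) AS st
ORDER BY qs.last_execution_time DESC;

-- Error log: failed logins are written to the SQL Server error log; read the current log (0),
-- log type 1 (SQL Server rather than Agent), filtered to entries containing 'Login failed'.
EXEC xp_readerrorlog 0, 1, N'Login failed';

-- Trace files: path and status of every trace, i.e. the .trc files named in the slides.
SELECT id, path, start_time, status FROM sys.traces;

-- Active transaction log of the moviescope database. fn_dblog reads the same active log
-- that dbcc log(moviescope, 3) shows; the filter keeps transaction boundaries and row changes.
USE moviescope;
SELECT [Current LSN], Operation, Context, AllocUnitName, [Transaction ID],
       [Transaction Name], [Begin Time], [End Time]
FROM fn_dblog(NULL, NULL)
WHERE Operation IN ('LOP_BEGIN_XACT', 'LOP_INSERT_ROWS', 'LOP_DELETE_ROWS', 'LOP_MODIFY_ROW')
ORDER BY [Current LSN];
```

Run the queries with a login that holds VIEW SERVER STATE, and save each result set to a file alongside its hash before the examination phase begins.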
MySQL Forensics

• MySQL contains an Information_Schema table that provides access to the database metadata.
• There are two phases in database analysis:
  • Evidence collection: Use MySQL utility programs to make copies of databases and log files that contain a substantial amount of information required for forensic investigation.
  • Evidence examination: Identify the fraudulent activities and reconstruct the tampered data.

MySQL Utility Programs for Forensic Analysis
Perform MySQL Forensics on WordPress Web Application Database

• Consider a scenario where a post on the index page of a WordPress website appears to be suspicious.
• Identify the malicious user and collect all the posts made by them through the command line client.

• Scenario 1: Collect the Evidence
  • The primary task during a forensic investigation is to examine the error log files and check for any unintentional start-up/shutdown events and critical errors that occurred while the server was running.
  • Examine the General Log Files.

• Take a Backup of the Database
  • Since malicious activity is evident, a backup of the database must be created for further forensic investigation.
  • Create a backup of the database using the mysqldump command line utility.

• Create Evidence Database
  • Create a database on the forensic examiner's machine and dump the contents of the previously taken backup into it.
  • Log in to the mysql server on the forensic examiner's machine.
  • Create a database with the same name as that on the affected machine.
  • Exit the mysql terminal.
  • Copy all contents of the dump file into the newly created database.

• Select Database
  • Log in to mysql (forensic examiner's machine) and select the wordpress database from the command prompt.

• View Tables in the Database
  • View the tables in the wordpress database and check whether any tables are missing.

• View Users in the Database
  • Analyze the user account tables to check for any unauthorized user accounts in the database.
  • Suppose a new user has been identified.

• Collect Posts Made by the User
  • In the next task, dump all the posts made by the user.
  • Use post_author and the user ID to retrieve all the posts made by the user.

• Examine the Posts Made by the User
  • The posts made by the malicious user were determined.
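As an added example (not part of the original slides), the WordPress evidence-collection and examination steps above carried out as MySQL statements; the wordpress database name and the post_author column come from the slides, the wp_ table prefix is WordPress's default (assumed here), and the suspect user ID 42 and dump file name are placeholders.

```sql
-- Step 0 (affected server): locate the error log and general log the slides say to examine first.
SHOW VARIABLES WHERE Variable_name IN ('log_error', 'general_log', 'general_log_file', 'log_output');
-- When log_output includes TABLE, the general log can be queried directly:
SELECT event_time, user_host, command_type, argument
FROM mysql.general_log
ORDER BY event_time;

-- Step 1 (shell, affected server): back up the database with mysqldump and hash the dump file.
--   mysqldump --single-transaction --routines --triggers -u root -p wordpress > wordpress_evidence.sql
--   sha256sum wordpress_evidence.sql

-- Step 2 (examiner's machine): create the evidence database under the same name and load the dump.
CREATE DATABASE wordpress;
--   shell: mysql -u root -p wordpress < wordpress_evidence.sql
USE wordpress;

-- Step 3: inventory the tables through information_schema and compare with a clean WordPress install
-- of the same version to spot missing or added tables.
SELECT table_name, table_rows, update_time
FROM information_schema.tables
WHERE table_schema = 'wordpress'
ORDER BY table_name;

-- Step 4: review user accounts; a recently registered account holding administrator
-- capabilities is the kind of unauthorized user the slides describe.
SELECT u.ID, u.user_login, u.user_email, u.user_registered, m.meta_value AS capabilities
FROM wp_users AS u
LEFT JOIN wp_usermeta AS m ON m.user_id = u.ID AND m.meta_key = 'wp_capabilities'
ORDER BY u.user_registered DESC;

-- Step 5: collect every post by the suspect account; wp_posts.post_author stores the wp_users.ID.
SET @suspect_id = 42;   -- placeholder: replace with the ID identified in step 4
SELECT ID, post_date, post_modified, post_status, post_type, post_title
FROM wp_posts
WHERE post_author = @suspect_id
ORDER BY post_date;

-- Step 6: preserve the complete rows (post_content included) in a separate evidence table.
CREATE TABLE evidence_suspect_posts AS
SELECT * FROM wp_posts WHERE post_author = @suspect_id;
```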
Thank You!
