sql server database forensics
play

SQL Server Database Forensics Kevvie Fowler , GCFA Gold, CIS S P, - PowerPoint PPT Presentation

Aug 29, 2023 •45 likes •435 views

SQL Server Database Forensics Kevvie Fowler , GCFA Gold, CIS S P, MCTS , MCDBA, MCS D, MCS E Black Hat USA 2007 S QL S erver Forensics | Why are Databases Critical Assets? Why are databases critical assets? Databases hold critical

  1. SQL Server Database Forensics Kevvie Fowler , GCFA Gold, CIS S P, MCTS , MCDBA, MCS D, MCS E Black Hat USA 2007

  2. S QL S erver Forensics | Why are Databases Critical Assets? � Why are databases critical assets? � Databases hold critical information � Industry trends are scaling in versus out � Database servers today hold more sensitive information than ever before � Data security legislations & regulations dictate that security breaches must be reported � Database security breaches are “ Front Page” news � T.J. Maxx | 45.7 million credit/ debit cards disclosed � CardS ystems S olutions | 200,000 credit/ debit cards disclosed 2

  3. S QL S erver Forensics | The Problem With Traditional Forensics � Traditional investigations often exclude databases 3

  4. S QL S erver Forensics | The S olution � Database Forensics The application of computer investigation and analysis techniques to gather database evidence suitable for presentation in a court of law Benefits � Retrace user DML & DDL operations � Identify data pre and post transaction � Recover previously deleted data rows � Can help prove/ disprove a data security breach � Can help determine the scope of a database intrusion � For the “ real world” : No dependency on 3 rd party auditing tools or pre-configured DML or DDL triggers 4

  5. erver Forensics | Database Forensics Primer (1) S QL S � Database files Page � Data files (.mdf) contain the actual data Header � Consists of multiple data pages Data Row Data Row Data Row Data Row ... Row offset array Page Page Page Page 01:0059 01:0060 01:0067 01:0067 � Data rows can be fixed or variable length � Log files (.ldf) hold all data required to reverse transactions and recover the database � Physical log files consist of multiple Virtual Log Files (VLF) VLF #1 VLF #2 VLF #3 VLF #4 Free (Inactive ) (Inactive ) (Active) (Inactive ) Space � A VLF is the unit of truncation for the transaction log � According to Microsoft: “Although you might assume that reading the transaction log directly would be interesting or even useful, it’s just too much information.” Inside S QL S erver 2005: The S torage Engine, Microsoft Press, 2006 5

  6. SQL Server Forensics | Dat abase Forensics Primer (2) Inside the transaction log: 50. Savepoint Name 77. Meta S tatus 1. CurrentLS N 24. CHKPT End DB Version 51. Rowbits First Bit 78. File S tatus 2. Operation 25. Minimum LS N 52. Rowbits Bit Count 79. File ID 3. Context 26. Dirty Pages 53. Rowbits Bit Value 80. Physical Name 4. Transaction ID 27. Oldest Replicated Begin LS N 54. Number of Locks 81. Logical Name 5. Tag Bits 28. Next Replicated End LS N 55. Lock Information 82. Format LS N 6. Log Record Fixed Length 29. Last Distributed End LS N 56. LS N Before Wrties 83. RowsetID 7. Log Record Length 30. S erver UID 57. Pages Written 84. TextPtr 8. PreviousLS N 31. UID 58. Data Pages Delta 85. Column Offset 9. Flag Bits 32. SPID 59. Reserved Pages Delta 86. Flags 10. AllocUnitID 33. BeginLogS tatus 60. Used Pages Delta 87. Text S ize 11. AllocUnitName 34. Begin Time 61. Data Rows Delta 88. Offset 12. Page ID 35. Transaction Name 62. Command Type 89. Old S ize 13. Slot ID 36. Transaction S ID 63. Publication ID 90. New S ize 14. Previous Page LS N 37. End Time 64. Article ID 91. Description 15. PartionID 38. Transaction Begin 65. Partial S tatus 92. Bulk allocated extent count 16. RowFlags 39. Replicated Records 66. Command 93. Bulk rowinsertID 17. Num Elements 40. Oldest Active LS N 67. Byte Offset 94. Bulk allocationunitID 18. Offset in Row 41. S erver Name 68. New Value 95. Bulk allocation first IAM Page ID 19. Checkpoint Begin 42. Database Name 69. Old Value 96. Bulk allocated extent ids 20. CHKPT Begin DB Version 43. Mark Name 70. New S plit Page 97. RowLog Contents 0 21. MaxXDES ID 44. Master XDES ID 71. Rows Deleted 98. RowLog Contents 1 22. Num Transactions 45. Master DBID 72. Bytes Freed 99. RowLog Contents 2 23. Checkpoint End 46. PrepLogBegin LS N 73. CI Table ID 100. RowLog Contents 3 47. PrepareTime 74. CI Index ID 101. RowLog Contents 4 48. Virtual Clock 75. NewAllocationUnitID 6 49. Previous Savepoint 76. FIlegroupID

  7. erver Forensics | Database Forensics Primer (3) S QL S � S erver Process ID (S PID) � A unique value used by S QL S erver to track a given session within the database server � Transaction log activity is logged against the executing S PID � Data type storage and retrieval � 31 different data types � Data types are stored and retrieved differently within S QL S erver � Little-endian ordering (LEO) is applicable to selected data types � S toring and retrieving value: 21976 in various data types results in the following: Procedure Cache � Contains ad-hoc and parameterized statements 7

  8. S QL S erver Forensics | Database Evidence Repositories � S QL S erver data resides natively within S QL S erver and stored externally within the native Windows operating system � Evidence repositories � Operating System � SQL Server � Trace files � Volatile database data � S ystem event logs � Database data files � S QL S erver error logs � Database log files � Page file � Plan cache � Memory � Data cache � Indexes � Tempdb � Version store 8

  9. S QL S erver Forensics | Investigation Tools � S QL S erver Management S tudio Express � S QLCMD � Windows Forensic Toolchest � DD\DCFLDD � MD5S UM � Netcat\CryptCat � WinHex � Native S QL S erver views, functions and statements � Dynamic Management Views (DMV) � Database Consistency Checker (DBCC) commands � FN_* � Lots of sanitized acquisition media 9

  10. erver Forensics | Evidence Collection (1) S QL S Evidence Collection 10

  11. erver Forensics | Evidence Collection (2) S QL S � Determine the scope of evidence collection � Prioritize evidence collection 1. Volatile database data (sessions/ connections, active requests, active users, memory, etc.) 2. Transaction logs 3. Database files 4. S QL S erver error logs 5. S ystem event logs 6. Trace files 11

  12. erver Forensics | Evidence Collection (3) S QL S � Collecting volatile database data � Can be automated using WFT & command line S QL tools � GUI front end, binary validation and thorough logging � Gathers volatile data internal and external to S QL S erver 12

  13. erver Forensics | Evidence Collection (4) S QL S � S QLCMD � Load command line tool and establish logging � Collecting the active transaction log � Determine on disk locations of the transaction log files Results: 13

  14. SQL Server Forensics | Evidence Collect ion (5) � Collecting the active transaction log (cont’ d) � Gat her t he VLF allocat ions Result s: 2 = Act ive 0 = Recoverable or unused 14

  15. erver Forensics | Evidence Collection (6) S QL S � Collecting the active transaction log (cont’ d) � Fn_dblog filters transactions by: � Target database obj ect � S pecific columns � S PID and/ or date/ time range Select * from ::fn_dblog(NULL, NULL) � DBCC Log � More resource intensive � Dumps transaction log in its entirety dbcc log(<databasename>, 3) 0 = minimal info 1 = slightly more info 2 = detailed info including (page id, slot id, etc.) 3 = full information about each operation 4 = full information on each operation in addition to hex dump of current data row 15

  16. erver Forensics | Evidence Collection (7) S QL S � Collecting the database plan cache � Collecting the plan cache select * from sys.dm_exec_cached_plans cross apply sys.dm_exec_sql_text(plan_handle) � Collect additional plan cache specifics - select * from sys.dm_exec_query_stats - select * from sys.dm_exec_cached_plans cross apply sys.dm_exec_plan_attributes(plan_handle) � Collecting database data files & logs (\\Microsoft S QL S erver\MS S QL.1\MS S QL\DATA\ *.MDF | *.LDF ) � Collecting default trace files (\\Microsoft S QL S erver\MS S QL.1\MS S QL\LOG\ LOG_#.TRC ) � Collecting S QL S erver error logs (\\Microsoft S QL S erver\MS S QL.1\MS S QL\LOG\ ERRORLOG ) � Collecting system event log (WFT) 16

  17. erver Forensics | Evidence Analysis (1) S QL S Evidence Analysis 17

  18. erver Forensics | Evidence Analysis (2) S QL S � Windows event log � S QL S erver authentication data (failures, successful log-on/ off) � S QL S erver startup and shutdown � IP addresses of S QL S erver client connections � Error log � S QL S erver authentication data (failures, successful log-on/ off) � S QL S erver startup and shutdown � IP addresses of S QL S erver client connections 18

  19. erver Forensics | Evidence Analysis (3) S QL S � Default database trace � Complete authentication history � DDL operations (schema changes) � IP addresses of S QL S erver client connections 19

  20. erver Forensics | Evidence Analysis (4) S QL S � Data files & log files � Attach files � Use to obtain on-demand schema info, data page contents, etc. � Active transaction log � Import into Excel / Access for viewing � Identify DML & DDL statements � Map transactions to a S PID 20

Recommend

SQL SERVER Anti-Forensics Cesar Cerrudo Introduction Sophisticated attacks requires leaving

SQL SERVER Anti-Forensics Cesar Cerrudo Introduction Sophisticated attacks requires leaving

SQL SERVER Anti-Forensics Cesar Cerrudo Introduction Sophisticated attacks requires leaving as few evidence as possible Anti-Forensics techniques help to make forensics investigations difficult Anti-Forensics can be a never

657 views • 38 slides
SQL Injection: Summary Target: web server that uses a back-end database Attacker goal:

SQL Injection: Summary Target: web server that uses a back-end database Attacker goal:

SQL Injection: Summary Target: web server that uses a back-end database Attacker goal: inject or modify database commands to either read or alter web-site information Attacker tools: ability to send requests to web server (e.g.,

89 views • 4 slides
Storing Data Thierry Sans Modern Web Platform Client Side Server Side Web API Database Why

Storing Data Thierry Sans Modern Web Platform Client Side Server Side Web API Database Why

Storing Data Thierry Sans Modern Web Platform Client Side Server Side Web API Database Why using a database Persistency Concurrency (avoid race conditions) Query Scalability SQL vs NoSQL databases Relational database (SQL

475 views • 10 slides
NEBC Database Course 2008 Database Servers Database Interfaces Tim Booth : tbooth@ceh.ac.uk

NEBC Database Course 2008 Database Servers Database Interfaces Tim Booth : tbooth@ceh.ac.uk

NEBC Database Course 2008 Database Servers Database Interfaces Tim Booth : tbooth@ceh.ac.uk What is an RDBMS? A PostgreSQL database is not just kept in a big file, like a spreadsheet. A program called the database server, or RDBMS,

323 views • 14 slides
About this presentation : Learning : What is Digital Forensics ? Political : Digital

About this presentation : Learning : What is Digital Forensics ? Political : Digital

An introduction to digital forensics About this presentation : Learning : What is Digital Forensics ? Political : Digital Forensics and Open Sources licensing Tool time : Digital Forensics Framework Presented by Solal Jacob core dev.

444 views • 30 slides
DATABASE SYSTEMS Introduction to web programming Database Systems Course, 2016 AGENDA FOR TODAY

DATABASE SYSTEMS Introduction to web programming Database Systems Course, 2016 AGENDA FOR TODAY

DATABASE SYSTEMS Introduction to web programming Database Systems Course, 2016 AGENDA FOR TODAY Client side programming HTML CSS Javascript Server side programming: PHP Installing a local web-server Basic PHP usage DB programming with PHP

1.04k views • 63 slides
CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to

CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to

CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to Forensics Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Digital Forensics You will learn in this module: The principals of

1.09k views • 34 slides
CSE 469: Computer and Network Forensics Topic 5: Image Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 5: Image Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 5: Image Forensics Dr. Mike Mabey | Spring 2019 CSE 469: Computer and Network Forensics Forensics for Graphics Files Types of graphics file formats Type of data compression How to locate

362 views • 25 slides
2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System Forensics A New York

2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System Forensics A New York

2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System Forensics A New York computer forensics firm found that 40% of the hard disk drives it recently purchased in bulk orders on eBay contained personal, private and sensitive

884 views • 70 slides
Digital forensics and malware Digital forensics According to Wikipedia, you could be looking

Digital forensics and malware Digital forensics According to Wikipedia, you could be looking

Digital forensics and malware Digital forensics According to Wikipedia, you could be looking for: attribution, alibis and statements, intent, evaluation of source, document authentication File carving ( e.g. , bifragment gap carving)

630 views • 13 slides
CSE 469: Computer and Network Forensics Topic 7: Mobile Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 7: Mobile Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 7: Mobile Forensics Dr. Mike Mabey | Spring 2019 CSE 469: Computer and Network Forensics Overview of Mobile Forensics Originated in Europe and focused on the GSM SIM card. Roaming of Devices

694 views • 17 slides
Percona Server for MySQL 8.0 Laurynas Biveinis Percona First of All, What Is Percona Server

Percona Server for MySQL 8.0 Laurynas Biveinis Percona First of All, What Is Percona Server

Percona Server for MySQL 8.0 Laurynas Biveinis Percona First of All, What Is Percona Server for MySQL? a free, fully compatible, enhanced and open source drop-in replacement for any MySQL database 2 First of All, What Is

2.47k views • 28 slides
CSE 416 Database Issues Database Preliminaries Recap important topics Recap terminology

CSE 416 Database Issues Database Preliminaries Recap important topics Recap terminology

Session 13 Database Issues CSE 416 Database Issues Database Preliminaries Recap important topics Recap terminology Use a good DB modelling tool (e.g., Workbench) You will implement the DB on a shared CS server (e.g., MySQL)

500 views • 12 slides
A Personal and Portable Database Server : the CQL Card Pierre Paradinas1&amp;3 and Jean-Jacques

A Personal and Portable Database Server : the CQL Card Pierre Paradinas1&amp;3 and Jean-Jacques

A Personal and Portable Database Server : the CQL Card Pierre Paradinas1&amp;3 and Jean-Jacques Vandewalle1&amp;2 1 Rd2p, Recherche et Dveloppement Dossier Portable, CHRU Calmette, rue du Pr. J. Leclerc, 59 037 Lille Cdex, France, tel. :

338 views • 15 slides
Image Forensics of High Dynamic Range Imaging 10th International Workshop on Digital-Forensics

Image Forensics of High Dynamic Range Imaging 10th International Workshop on Digital-Forensics

Image Forensics of High Dynamic Range Imaging 10th International Workshop on Digital-Forensics &amp; Watermarking P. J. Bateman, A. T. S. Ho, and J. A. Briffa This research is sponsored by an EPSRC/Charteris CASE Award Image Forensics

703 views • 38 slides
Database II Undram Sambuu HomeBrewR Overview Steps to create SSIS Package STORED

Database II Undram Sambuu HomeBrewR Overview Steps to create SSIS Package STORED

Database II Undram Sambuu HomeBrewR Overview Steps to create SSIS Package STORED PROCEDURES Steps to create JOB S S IS SQL Server Integration Services ( SSIS ) is a component of the Microsoft SQL Server database software

705 views • 5 slides
Teaching digital forensics in a large class Teaching forensics at of students UL FRI

Teaching digital forensics in a large class Teaching forensics at of students UL FRI

Teaching digital forensics in a large class of students Teaching digital forensics in a large class Teaching forensics at of students UL FRI Generating customized disk images Gaper Fele-or University of Ljubljana, Faculty of

446 views • 23 slides
SQL Workshop Introduction Queries Doug Shook SQL Server As its name implies: its a

SQL Workshop Introduction Queries Doug Shook SQL Server As its name implies: its a

SQL Workshop Introduction Queries Doug Shook SQL Server As its name implies: its a data base server! Technically it is a database management system (DBMS) Competitors: Oracle, MySQL, DB2 End users (thats you!) interact

989 views • 51 slides
Android: forensics and reverse engineering Raphal Rigo - ANSSI 26/11/2010 Agence nationale de

Android: forensics and reverse engineering Raphal Rigo - ANSSI 26/11/2010 Agence nationale de

Android: forensics and reverse engineering Raphal Rigo - ANSSI 26/11/2010 Agence nationale de la A N S S I scurit des systmes dinformation Introduction Forensics: context Forensics: memory Forensics: filesystem Reverse

545 views • 36 slides
Digital Forensics for SSC Solvers Daniel Kouril EGI CSIRT Digital Forensics Methods to

Digital Forensics for SSC Solvers Daniel Kouril EGI CSIRT Digital Forensics Methods to

Digital Forensics for SSC Solvers Daniel Kouril EGI CSIRT Digital Forensics Methods to collect and analyze (digital) evidence Three basic phases Data collection, Analysis, Reporting Triage Various sources of information

307 views • 20 slides
CSE 469: Computer and Network Forensics Topic 6: Email Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 6: Email Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 6: Email Forensics Dr. Mike Mabey | Spring 2019 CSE 469: Computer and Network Forensics Email System Components User agents / Webmail: Composing, editing, and reading mail messages. Mail

687 views • 49 slides
Preventive Digital Forensics: Creating Preventive Digital Forensics Systems to Proactively

Preventive Digital Forensics: Creating Preventive Digital Forensics Systems to Proactively

FloCon 2015 Conference January 15, 2015 Portland, Oregon Preventive Digital Forensics: Creating Preventive Digital Forensics Systems to Proactively Resolve Computer Security Incidents in Organizations JESUS RAMIREZ PICHARDO (PMP, GCFA,

333 views • 30 slides
Database System Interactions Thomas Schwarz, SJ Three Tier Web Server Architecture Standard

Database System Interactions Thomas Schwarz, SJ Three Tier Web Server Architecture Standard

Database System Interactions Thomas Schwarz, SJ Three Tier Web Server Architecture Standard architecture for e-commerce sites Tiered / layered architecture around since the THE operating system 1965 Presentation Layer: Web Services

520 views • 15 slides
Database Encryption for MongoDB Peter Schwaller Senior Director Server Engineering, Percona

Database Encryption for MongoDB Peter Schwaller Senior Director Server Engineering, Percona

Open Source Transparent Database Encryption for MongoDB Peter Schwaller Senior Director Server Engineering, Percona Agenda Why encrypt? What gets encrypted? What is supported where? How does it all work? Future of open

227 views • 11 slides

More recommend