“What Kevvie Fowler has done here is truly amazing: He has defined, established, and documented SQL Server forensic methods and techniques, exposing readers to an entirely new area of forensics along the way. This fantastic book is a much-needed and incredible contribution to the incident response and forensic communities.”
—Curtis W. Rose, founder of Curtis W. Rose and Associates and coauthor of Real Digital Forensics
The Authoritative, Step-by-Step Guide to Investigating SQL Server Database Intrusions
Many forensics investigations lead to the discovery that an SQL Server database might have been breached. If investigators cannot assess and qualify the scope of an intrusion, they may be forced to report it publicly–a disclosure that is painful for companies and customers alike. There is only one way to avoid this problem: Master the specific skills needed to fully investigate SQL Server intrusions.
In SQL Server Forensic Analysis, author Kevvie Fowler shows how to collect and preserve database artifacts safely and non-disruptively; analyze them to confirm or rule out database intrusions; and retrace the actions of an intruder within a database server. A chapter-length case study reinforces Fowler’s techniques as he guides you through a real-world investigation from start to finish.
The techniques described in SQL Server Forensic Analysis can be used both to identify unauthorized data access and modifications and to gather the information needed to recover from an intrusion by restoring the pre-incident database state.
Coverage includes
SQL Server Forensic Analysis is the first book of its kind to focus on the unique area of SQL Server incident response and forensics. Whether you’re a digital forensics specialist, incident response team member, law enforcement officer, corporate security specialist, auditor, or database professional, you’ll find this book an indispensable resource.
Kevvie Fowler is the Director of Managed Security Services at TELUS Security Solutions, where he is responsible for the delivery of specialized security, incident response, and forensic services. In addition to authoring SQL Server Forensic Analysis, he is a contributing author of How to Cheat at Securing SQL Server 2005 (Syngress, 2007) and The Best Damn Exchange, SQL, and IIS Book Period (Syngress, 2007).
Kevvie is also the founder of Ring Zero, a research and consulting company that focuses on the security and forensic analysis of Microsoft technologies. In addition to Ring Zero, Kevvie owns and maintains the applicationforensics.com Web site, which he hopes to grow into the leading source of application forensics information on the Internet.
Kevvie is a frequent presenter at leading information security conferences such as Black Hat and SecTor. He is a GIAC Gold Certified Forensic Analyst (GCFA) and Certified Information System Security Professional (CISSP), and he holds several Microsoft certifications, including MCTS, MCDBA, MCSD, and MCSE. Kevvie is also a member of the High Technology Crime Investigation Association (HTCIA).
Preface
During a forensic investigation, a digital investigator tracks an intruder’s actions on a system, until “it” happens; the investigator identifies that the intruder has indeed accessed the database.
The database server stores sensitive financial information; however, it is configured with default database logging, and there is no third-party logging solution in place. Therefore, even though the investigator identified that the database was accessed, he is left to wonder what actions the intruder performed within the database server. Was credit card data accessed? Was anything modified? This scenario is an all too familiar one, which usually leaves investigators staring into a black hole, desperately needing a way to determine what actions an intruder performed within a database server.
With large data security breaches occurring at an alarming rate, investigators who are unable to properly qualify and assess the scope of a data security breach can be forced to report that all database data may have been exposed during an incident. This can in turn result in organizations disclosing that confidential database data was exposed when, in reality, the incident may not have involved this data.
This book helps avoid the preceding scenario by providing the first in-depth view into the collection and preservation of database artifacts and explaining how they can be analyzed to confirm a database intrusion and retrace the actions of an intruder within the database server. SQL Server forensic techniques as covered in this book can be used to identify unauthorized data access and modifications, as well as to restore the pre-incident database state to recover from the database intrusion.
Why Do We Need This Book, and Why Now?
Within the past few years, our reliance on database technology has increased exponentially. Databases have become an increasingly essential component of some of the world’s largest corporations, and in today’s business world almost all applications use a database to manage data.
As our reliance on databases has increased, so too have attacks targeting the data they store and process. According to Gartner Group, seventy-five percent of cyber attacks are application-based and often involve the theft of personal or financial data stored within a database.
With digital attacks targeting databases on the rise, large data security breaches are occurring at an alarming rate. In response, several regulations have been put in place that hold those who manage and store personal information accountable if and when the confidentiality of this information is compromised.
More specifically, many regulations demand that any organization that collects, uses, or stores their clients’ information must notify impacted clients in the event that their personal information is disclosed. Because of this requirement, it is becoming increasingly important for digital investigators to not only be able to confirm the occurrence of unauthorized database access but also to specifically determine what, if any, sensitive information was accessed.
Who Will Benefit from Reading This Book?
This book will appeal to a wide audience inclusive of digital forensic practitioners, information security analysts, information security managers, information security auditors, database administrators, systems administrators, and law enforcement officials interested in digital forensics, security, or relational databases.
Readers will benefit from reading this book if they are interested in an in-depth view of:
Readers of this book should have a basic understanding of digital forensics and relational databases.