SQL Server Forensic Analysis


Author: Kevvie Fowler

ISBN-10: 0321544366

ISBN-13: 9780321544360

Category: Computer Crime


“What Kevvie Fowler has done here is truly amazing: He has defined, established, and documented SQL server forensic methods and techniques, exposing readers to an entirely new area of forensics along the way. This fantastic book is a much needed and incredible contribution to the incident response and forensic communities.” –Curtis W. Rose, founder of Curtis W. Rose and Associates and coauthor of Real Digital Forensics

The Authoritative, Step-by-Step Guide to Investigating SQL Server Database Intrusions

Many forensics investigations lead to the discovery that an SQL Server database might have been breached. If investigators cannot assess and qualify the scope of an intrusion, they may be forced to report it publicly—a disclosure that is painful for companies and customers alike. There is only one way to avoid this problem: Master the specific skills needed to fully investigate SQL Server intrusions.

In SQL Server Forensic Analysis, author Kevvie Fowler shows how to collect and preserve database artifacts safely and non-disruptively; analyze them to confirm or rule out database intrusions; and retrace the actions of an intruder within a database server. A chapter-length case study reinforces Fowler’s techniques as he guides you through a real-world investigation from start to finish. The techniques described in SQL Server Forensic Analysis can be used both to identify unauthorized data access and modifications and to gather the information needed to recover from an intrusion by restoring the pre-incident database state.
Coverage includes:

- Determining whether data was actually compromised during a database intrusion and, if so, which data
- Real-world forensic techniques that can be applied on all SQL Server instances, including those with default logging
- Identifying, extracting, and analyzing database evidence from both published and unpublished areas of SQL Server
- Building a complete SQL Server incident response toolkit
- Detecting and circumventing SQL Server rootkits
- Identifying and recovering previously deleted database data using native SQL Server commands

SQL Server Forensic Analysis is the first book of its kind to focus on the unique area of SQL Server incident response and forensics. Whether you’re a digital forensics specialist, incident response team member, law enforcement officer, corporate security specialist, auditor, or database professional, you’ll find this book an indispensable resource.

Preface xiii
Acknowledgments xvii
About the Author xix

Chapter 1: Introduction to Databases 1
  Running Chapter 1 Sample Scripts 2
  Databases Explained 2
  How Databases Are Used 3
  Databases and COTS Applications 5
  Database Structure 6
  Structured Query Language (SQL) 7
  Database Transactions 11
  The ACID Model 11
  Referential Integrity 12
  Summary 15

Chapter 2: SQL Server Fundamentals 17
  History of SQL Server 17
  SQL Server Versions and Editions 18
  Architecture 20
  SQL Server Connections 24
  Context Switching 25
  SQL Server Databases 26
  Data Storage 27
  Memory Management 34
  Security 34
  Permissions 39
  Encryption 40
  Dynamic Management and Database Console Commands 42
  Logging 44
  SQL Server Agent 44
  Summary 44

Chapter 3: SQL Server Forensics 47
  The Road to SQL Server Forensics 47
  SQL Server Forensics 48
  SQL Server Forensic Methodology 59
  Summary 61

Chapter 4: SQL Server Artifacts 63
  SQL Server Artifacts 63
  Resident SQL Server Artifacts 67
  Nonresident SQL Server Artifacts 90
  Artifact Summary 93
  Summary 95

Chapter 5: SQL Server Investigation Preparedness 97
  SQL Server Investigation Preparedness Overview 98
  Configuring Your Forensics Workstation for a SQL Server Investigation 98
  Creating a SQL Server Forensics Incident Response Toolkit 108
  Summary 137

Chapter 6: Incident Verification 139
  Running Chapter 6 Sample Scripts 139
  Incident Verification Explained 140
  What Not to Do When Investigating a Live SQL Server 141
  Responding to an Incident 142
  Identifying the SQL Server Instance Name 146
  Connecting to a Victim System 150
  Disconnecting from the Victim System 155
  Identifying Signs of an Intrusion 156
  Submitting Preliminary Findings 171
  Summary 172

Chapter 7: Artifact Collection 173
  Focus on Ad Hoc Collection 174
  Running the Sample Scripts 175
  Maintaining the Integrity of Collected Data 175
  Automated Artifact Collection via Windows Forensic Toolchest 179
  Identifying the Victim’s SQL Server Version 180
  Ad Hoc Artifact Collection 181
  Collecting Volatile SQL Server Artifacts 183
  Collecting Nonvolatile SQL Server Artifacts 191
  Summary 224

Chapter 8: Artifact Analysis I 225
  Working Along with Chapter 8 Examples 226
  Pre-analysis Activities 226
  Authentication and Authorization 240
  Configuration and Versioning 257
  Summary 271

Chapter 9: Artifact Analysis II 273
  Working Along with Chapter 9 Examples 273
  Pre-analysis Activities 274
  Activity Reconstruction 274
  Data Recovery 340
  Summary 356

Chapter 10: SQL Server Rootkits 357
  Traditional Rootkits 357
  SQL Server Rootkits: The New Threat 358
  Generations of SQL Server Rootkits 359
  First-Generation SQL Server Rootkits 360
  How Rootkits Can Affect a SQL Server Investigation 384
  Detecting Database Rootkits 384
  When to Check for Database Rootkits 396
  What to Do if You Find a Rootkit 396
  Summary 397

Chapter 11: SQL Server Forensic Investigation Scenario 399
  Scenario Overview 399
  Importing Sample Artifacts 400
  Investigation Synopsis 400
  Incident Verification 401
  Artifact Collection 406
  Artifact Analysis 406
  Activity Reconstruction 411
  Investigation Summary 421

Appendix A: Installing SQL Server 2005 Express Edition with Advanced Services on Windows 425

Appendix B: SQL Server Incident Response Scripts 439
  SSFA_DataCache.sql 439
  SSFA_ClockHands.sql 440
  SSFA_PlanCache.sql 441
  SSFA_RecentStatements.sql 443
  SSFA_Connections.sql 445
  SSFA_Sessions.sql 446
  SSFA_TLOG.sql 447
  SSFA_DBObjects.sql 449
  SSFA_Logins.sql 452
  SSFA_Databases.sql 453
  SSFA_DbUsers.sql 454
  SSFA_Triggers.sql 456
  SSFA_Jobs.sql 458
  SSFA_JobHistory.sql 459
  SSFA_Configurations.sql 460
  SSFA_CLR.sql 461
  SSFA_Schemas.sql 462
  SSFA_EndPoints.sql 464
  SSFA_DbSrvInfo.sql 465
  SSFA_AutoEXEC.sql 466
  SSFA_TimeConfig.sql 467

Index 469