“What Kevvie Fowler has done here is truly amazing: He has defined, established, and documented SQL server forensic methods and techniques, exposing readers to an entirely new area of forensics along the way. This fantastic book is a much needed and incredible contribution to the incident response and forensic communities.”
–Curtis W. Rose, founder of Curtis W. Rose and Associates and coauthor of Real Digital Forensics
The Authoritative, Step-by-Step Guide to Investigating SQL Server Database Intrusions
Many forensic investigations lead to the discovery that a SQL Server database might have been breached. If investigators cannot assess and qualify the scope of an intrusion, they may be forced to report it publicly, a disclosure that is painful for companies and customers alike. There is only one way to avoid this problem: master the specific skills needed to fully investigate SQL Server intrusions.
In SQL Server Forensic Analysis, author Kevvie Fowler shows how to collect and preserve database artifacts safely and non-disruptively; analyze them to confirm or rule out database intrusions; and retrace the actions of an intruder within a database server. A chapter-length case study reinforces Fowler’s techniques as he guides you through a real-world investigation from start to finish.
The techniques described in SQL Server Forensic Analysis can be used both to identify unauthorized data access and modifications and to gather the information needed to recover from an intrusion by restoring the pre-incident database state.
SQL Server Forensic Analysis is the first book of its kind to focus on the unique area of SQL Server incident response and forensics. Whether you’re a digital forensics specialist, incident response team member, law enforcement officer, corporate security specialist, auditor, or database professional, you’ll find this book an indispensable resource.
About the Author
Chapter 1: Introduction to Databases
Running Chapter 1 Sample Scripts
Databases Explained
How Databases Are Used
Databases and COTS Applications
Database Structure
Structured Query Language (SQL)
Database Transactions
The ACID Model
Referential Integrity
Chapter 2: SQL Server Fundamentals
History of SQL Server
SQL Server Versions and Editions
SQL Server Connections
Context Switching
SQL Server Databases
Data Storage
Memory Management
Dynamic Management and Database Console Commands
SQL Server Agent
Chapter 3: SQL Server Forensics
The Road to SQL Server Forensics
SQL Server Forensics
SQL Server Forensic Methodology
Chapter 4: SQL Server Artifacts
SQL Server Artifacts
Resident SQL Server Artifacts
Nonresident SQL Server Artifacts
Artifact Summary
Chapter 5: SQL Server Investigation Preparedness
SQL Server Investigation Preparedness Overview
Configuring Your Forensics Workstation for a SQL Server Investigation
Creating a SQL Server Forensics Incident Response Toolkit
Chapter 6: Incident Verification
Running Chapter 6 Sample Scripts
Incident Verification Explained
What Not to Do When Investigating a Live SQL Server
Responding to an Incident
Identifying the SQL Server Instance Name
Connecting to a Victim System
Disconnecting from the Victim System
Identifying Signs of an Intrusion
Submitting Preliminary Findings
Chapter 7: Artifact Collection
Focus on Ad Hoc Collection
Running the Sample Scripts
Maintaining the Integrity of Collected Data
Automated Artifact Collection via Windows Forensic Toolchest
Identifying the Victim's SQL Server Version
Ad Hoc Artifact Collection
Collecting Volatile SQL Server Artifacts
Collecting Nonvolatile SQL Server Artifacts
Chapter 8: Artifact Analysis I
Working Along with Chapter 8 Examples
Pre-analysis Activities
Authentication and Authorization
Configuration and Versioning
Chapter 9: Artifact Analysis II
Working Along with Chapter 9 Examples
Pre-analysis Activities
Activity Reconstruction
Data Recovery
Chapter 10: SQL Server Rootkits
Traditional Rootkits
SQL Server Rootkits: The New Threat
Generations of SQL Server Rootkits
First-Generation SQL Server Rootkits
How Rootkits Can Affect a SQL Server Investigation
Detecting Database Rootkits
When to Check for Database Rootkits
What to Do if You Find a Rootkit
Chapter 11: SQL Server Forensic Investigation Scenario
Scenario Overview
Importing Sample Artifacts
Investigation Synopsis
Incident Verification
Artifact Collection
Artifact Analysis
Activity Reconstruction
Investigation Summary
Appendix A: Installing SQL Server 2005 Express Edition with Advanced Services on Windows
Appendix B: SQL Server Incident Response Scripts
During a forensic investigation, a digital investigator tracks an intruder's actions on a system until "it" happens: the investigator determines that the intruder did indeed access the database.
The database server stores sensitive financial information; however, it is configured with default database logging, and there is no third-party logging solution in place. So even though the investigator has established that the database was accessed, he is left to wonder what actions the intruder performed within the database server. Was credit card data accessed? Was anything modified? This scenario is an all too familiar one, and it usually leaves investigators staring into a black hole, desperately needing a way to determine what an intruder actually did inside the database server.
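As an added illustration of the gap just described (this is example T-SQL written for this page, not code from the book), the following queries show what a default SQL Server configuration does and does not record. The script assumes SQL Server 2005 or later with the default trace enabled (it is on by default), and a login holding ALTER TRACE for fn_trace_gettable and sysadmin for fn_dblog. fn_dblog is an undocumented function; the queries below read only, and the book's methodology would have you preserve the trace files and transaction log before running anything on the victim.

```sql
-- Added example, not from the book: what a default SQL Server configuration records.
-- Assumes SQL Server 2005+ with the default trace enabled, ALTER TRACE and sysadmin rights.

-- 1. Locate the default trace. Replacing the rolling file name (log_N.trc) with
--    log.trc makes fn_trace_gettable read the whole rollover set in order.
DECLARE @path NVARCHAR(260);
SELECT @path = REVERSE(SUBSTRING(REVERSE(path), CHARINDEX(N'\', REVERSE(path)), 260)) + N'log.trc'
FROM sys.traces
WHERE is_default = 1;

-- 2. Pull the security-relevant events the default trace does keep:
--    failed logins, new logins, role membership changes and DDL against objects.
SELECT t.StartTime,
       e.name            AS EventName,
       t.LoginName,
       t.HostName,
       t.ApplicationName,
       t.DatabaseName,
       t.ObjectName,
       t.TextData
FROM sys.fn_trace_gettable(@path, DEFAULT) AS t
JOIN sys.trace_events AS e
  ON e.trace_event_id = t.EventClass
WHERE e.name IN (N'Audit Login Failed',
                 N'Audit Addlogin Event',
                 N'Audit Add Login to Server Role Event',
                 N'Audit Add Member to DB Role Event',
                 N'Object:Created',
                 N'Object:Altered',
                 N'Object:Deleted')
ORDER BY t.StartTime;

-- 3. SELECT statements never reach the default trace, so "was the card table read?"
--    cannot be answered from it. Modifications, however, leave records in the active
--    transaction log. Run this in the database under investigation; the login comes
--    from the transaction SID, which resolves to NULL if the login has been dropped.
SELECT [Current LSN],
       [Transaction ID],
       Operation,
       AllocUnitName,
       [Begin Time],
       [Transaction Name],
       SUSER_SNAME([Transaction SID]) AS LoginName
FROM ::fn_dblog(NULL, NULL)
WHERE Operation IN (N'LOP_BEGIN_XACT', N'LOP_INSERT_ROWS', N'LOP_MODIFY_ROW', N'LOP_DELETE_ROWS')
ORDER BY [Current LSN];
```

Two caveats a practitioner should keep in mind: the transaction log only holds what has not yet been truncated or overwritten, so a log backup or a quiet instance matters; and neither source captures reads at all, so the question of whether sensitive rows were selected can only be answered if a server-side trace or auditing was configured before the incident, which is exactly the preparedness the book's Chapter 5 argues for.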
With large data security breaches occurring at an alarming rate, investigators who are unable to properly qualify and assess the scope of a data security breach can be forced to report that all database data may have been exposed during an incident. This can in turn result in organizations disclosing that confidential database data was exposed when, in reality, the incident may not have involved this data.
This book helps avoid the preceding scenario by providing the first in-depth view into the collection and preservation of database artifacts, and by explaining how those artifacts can be analyzed to confirm a database intrusion and retrace the actions of an intruder within the database server. The SQL Server forensic techniques covered in this book can be used to identify unauthorized data access and modifications, as well as to restore the pre-incident database state in order to recover from the intrusion.
Why Do We Need This Book, and Why Now?
Within the past few years, our reliance on database technology has increased exponentially. Databases have become an increasingly essential component of some of the world’s largest corporations, and in today’s business world almost all applications use a database to manage data.
As our reliance on databases has increased, so too have attacks targeting the data they store and process. According to Gartner Group, seventy-five percent of cyber attacks are application-based and often involve the theft of personal or financial data stored within a database.
With digital attacks targeting databases on the rise, large data security breaches are occurring at an alarming rate. In response, several regulations have been put in place that hold those who manage and store personal information accountable if and when the confidentiality of this information is compromised.
More specifically, many regulations demand that any organization that collects, uses, or stores its clients' information must notify the affected clients if their personal information is disclosed. Because of this requirement, it is becoming increasingly important for digital investigators not only to confirm that unauthorized database access occurred, but also to determine specifically what sensitive information, if any, was accessed.
Who Will Benefit from Reading This Book?
This book will appeal to a wide audience, including digital forensic practitioners, information security analysts, information security managers, information security auditors, database administrators, systems administrators, and law enforcement officials interested in digital forensics, security, or relational databases.
Readers will benefit from reading this book if they are interested in an in-depth view of:
Readers of this book should have a basic understanding of digital forensics and relational databases.