SQL Server Forensic Analysis

Cover
Contents
Preface
Acknowledgments
About the Author
Chapter 1 Introduction to Databases
	Running Chapter 1 Sample Scripts
	Databases Explained
	How Databases Are Used
	Databases and COTS Applications
	Database Structure
	Structured Query Language (SQL)
		Data Definition Language
		Data Manipulation Language
	Database Transactions
	The ACID Model
	Referential Integrity
		Primary Keys
		Foreign Keys
		Experimenting with Primary Key and Foreign Key Integrity Rules
	Summary
Chapter 2 SQL Server Fundamentals
	History of SQL Server
	SQL Server Versions and Editions
	Architecture
		SQL Server 2000
		SQL Server 2005 and 2008
	SQL Server Connections
	Context Switching
	SQL Server Databases
		System Databases
		User Databases
		Database Files
	Data Storage
		Data Rows
		Data Tables
		Data Pages and Extents
		Data Types
		Unicode
		Collation Settings
		Endian Ordering
	Memory Management
	Security
		Authentication Modes
		Security Gates
		SQL Server Login Accounts
		Database User Accounts
		Fixed Server Roles
		Fixed Database Roles
	Permissions
		Object Permissions
		Statement Permissions
		Implied Permissions
	Encryption
		Symmetric Key Encryption
		Asymmetric Key Encryption
		Certificate-Based Encryption
		Pass-Phrase Encryption
	Dynamic Management and Database Console Commands
		Dynamic Management Views and Functions
		Database Console Commands
	Logging
	SQL Server Agent
	Summary
Chapter 3 SQL Server Forensics
	The Road to SQL Server Forensics
	SQL Server Forensics
		Investigation Triggers
		SQL Server Forensics versus Traditional Windows Forensics
		Acquisition Methods
	SQL Server Forensic Methodology
		Investigation Preparedness
		Incident Verification
		Artifact Collection
		Artifact Analysis
	Summary
Chapter 4 SQL Server Artifacts
	SQL Server Artifacts
		Types of Artifacts
		Artifact Categories
	Resident SQL Server Artifacts
		Data Cache
		Plan Cache
		Active VLFs
		Reusable VLFs
		Server State
		Authentication Settings
		SQL Server Logins
		Authorization Catalogs
		Databases
		Database Users
		Database Objects
		Auto-executing (AutoEXEC) Procedures
		Cache Clock Hands
		Time Configuration
		Data Page Allocations
		Collation Settings and Data Types
		Jobs
		Triggers
		Native Encryption
		Endpoints
		Common Language Runtime Libraries
		Server Hardening
		Server Versioning
		Server Configuration
		Schemas
		Table Statistics
		Ring Buffers
		Trace Files
		SQL Server Error Logs
		Data Files
	Nonresident SQL Server Artifacts
		System Event Logs
		External Security Controls
		Web Server Logs
	Artifact Summary
	Summary
Chapter 5 SQL Server Investigation Preparedness
	SQL Server Investigation Preparedness Overview
	Configuring Your Forensics Workstation for a SQL Server Investigation
		Installing a Locally Installed SQL Server Instance (Optional)
		Installing SQL Server Workstation Tools
		Enabling Client Communication Protocols
	Creating a SQL Server Forensics Incident Response Toolkit
		Gathering Required Hardware and Software
		Developing SQL Server Incident Response Scripts
		Using SQLCMD to Execute SQL Incident Response Scripts
		Integrating SQL Server Incident Response Scripts with Automated Live Forensic Frameworks
		Windows Forensic Toolchest Integration
	Summary
Chapter 6 Incident Verification
	Running Chapter 6 Sample Scripts
	Incident Verification Explained
	What Not to Do When Investigating a Live SQL Server
	Responding to an Incident
		Database Privileges Required to Perform Incident Verification
		Infrastructure Roadblocks to Avoid
		Selecting a Connection Method
		Managing Investigation Output
	Identifying the SQL Server Instance Name
		Default Instances
		Named Instances
		Remote Enumeration of SQL Server Instances
		Interactive Enumeration of SQL Server Instances
	Connecting to a Victim System
		Testing Your SQL Server Connection
		Executing SQL Server Incident Response Scripts
		Acquiring SQL Server Error Logs
		Performing SQL Server Rootkit Detection
	Disconnecting from the Victim System
	Identifying Signs of an Intrusion
		SQL Server Penetration
		Active Unauthorized Database Access
		Past Unauthorized SQL Server Access
	Submitting Preliminary Findings
	Summary
Chapter 7 Artifact Collection
	Focus on Ad Hoc Collection
	Running the Sample Scripts
	Maintaining the Integrity of Collected Data
		Ensuring Artifact Integrity Using md5deep
		Ensuring Artifact Integrity Using dcfldd
	Automated Artifact Collection via Windows Forensic Toolchest
	Identifying the Victim's SQL Server Version
	Ad Hoc Artifact Collection
		Enabling DBCC Trace Flag (3604)
		Setting the Database Context
	Collecting Volatile SQL Server Artifacts
		Active Virtual Log Files
		Ring Buffers
	Collecting Nonvolatile SQL Server Artifacts
		Authentication Settings for SQL Server 2000, 2005, and 2008
		Authorization Catalogs
		Table Statistics
		Auto-executing Stored Procedures
		Collation Settings and Data Types
		Data Page Allocations
		Server Hardening
		Identifying Native Encryption Use
		Performing SQL Server Rootkit Detection
		Disconnecting from SQLCMD and Shutting Down the MSSQLServer Service
		Data Files
		Reusable VLFs
		CLR Libraries
		Trace Files
		SQL Server Error Logs
		System Event Logs
		External Security Controls
		Web Server Logs
	Summary
Chapter 8 Artifact Analysis I
	Working Along with Chapter 8 Examples
	Pre-analysis Activities
		Create an Image of Collected Artifacts
		Use a Write Blocker
		Create an Analysis Database
		Preparing Artifacts for Import
		Importing Collected Artifacts
		Verifying Collation and Code Page Compatibility
		Attaching Victim Databases
	Authentication and Authorization
		Authentication Settings
		Identifying Historical Successful and Failed SQL Server Connections
		SQL Server Permission Hierarchy
	Configuration and Versioning
		Database Server Versioning
		SQL Server Configuration and Hardening
		Identifying Native Encryption Usage
	Summary
Chapter 9 Artifact Analysis II
	Working Along with Chapter 9 Examples
	Pre-analysis Activities
	Activity Reconstruction
		Recently Accessed Data Pages (Data Cache)
		Previously Executed SQL Statements
		Identifying Anomalous Database Sessions and Connections
		SQL Injection
		Identifying Database Object and Server Securable Creation and Modification Times
		Identifying Malicious Object Code
		External Security Controls
	Data Recovery
		Recovering Deleted Data from Data Files
		Recovering Deleted Data from the Transaction Log
		Recovering Deleted Data from Table Statistics
		SQL Server Artifacts Not Directly Analyzed
		Verifying the Integrity of Attached Database Files
	Summary
Chapter 10 SQL Server Rootkits
	Traditional Rootkits
	SQL Server Rootkits: The New Threat
	Generations of SQL Server Rootkits
	First-Generation SQL Server Rootkits
		Object Tampering
		Object Translation Tampering
	How Rootkits Can Affect a SQL Server Investigation
	Detecting Database Rootkits
		Detecting Object Tampering
		Detecting Object Translation Tampering
		Detecting Synonym Link Alteration
	When to Check for Database Rootkits
	What to Do if You Find a Rootkit
	Summary
Chapter 11 SQL Server Forensic Investigation Scenario
	Scenario Overview
	Importing Sample Artifacts
	Investigation Synopsis
	Incident Verification
		Preliminary Review of the SQL Server Error Log
		Preliminary Review of WFT Execution Results
	Artifact Collection
	Artifact Analysis
		Authorization
		Native SQL Server Encryption
	Activity Reconstruction
		Server State
		Plan Cache
		Active VLFs
	Investigation Summary
Appendix A: Installing SQL Server 2005 Express Edition with Advanced Services on Windows
Appendix B: SQL Server Incident Response Scripts
	SSFA_DataCache.sql
	SSFA_ClockHands.sql
	SSFA_PlanCache.sql
	SSFA_RecentStatements.sql
	SSFA_Connections.sql
	SSFA_Sessions.sql
	SSFA_TLOG.sql
	SSFA_DBObjects.sql
	SSFA_Logins.sql
	SSFA_Databases.sql
	SSFA_DbUsers.sql
	SSFA_Triggers.sql
	SSFA_Jobs.sql
	SSFA_JobHistory.sql
	SSFA_Configurations.sql
	SSFA_CLR.sql
	SSFA_Schemas.sql
	SSFA_EndPoints.sql
	SSFA_DbSrvInfo.sql
	SSFA_AutoEXEC.sql
	SSFA_TimeConfig.sql
Index
	A
	B
	C
	D
	E
	F
	G
	H
	I
	J
	K
	L
	M
	N
	O
	P
	Q
	R
	S
	T
	U
	V
	W
	X