SQL Server Live Forensics Analysis

Abstract: Forensic analysis of SQL server is a under-shadowed but most crucial part of Digital forensic it covers various fields like live forensics ,OS forensics, Disk Forensics. in this paper we are gonna discuss about tracing modification in SQL server database with time stamp .

Introduction: This paper is based on we going discuss tracing changes in a data table and define a methodology for forensic analysis of SQL server using various technique.

Steps :

  1. First of all take ram dump using any tool like DumpIt.
  2. Start volatility stand alone application.
  3. Identify OS profile using following command.
    D:\volatility>volatility.exe imageinfo
  4. Here output would be many suggested profile ,we need to select
    any one of them.
    Note: only one profile will work among suggested profile
    Now to identify SQL server and all its running processes in memory use “pslist” command.
    It will show all currently running processes in system.
  5. Now run “getsid” to which will show all user ID’s used in SQL server.1output:2
  6. Run command “memmap” to view virtual and physical memory size and its offset,this helps in when we try to recover deleted data.
    3output:4.jpg
  7. Now execute privs” to view privileges of SQL server.
    5.jpgoutput:6.jpg
  8. Run “PSSACN” which gives process ID and time created of a process.
    7.jpg
  9. Run “proc” command to see process ID ,offset of all sql processes . Although this command is not very important once you have already run “PSSCAN” command.8.jpg

Challenges:
network handles of volatility doesn’t work  for windows 8 environment ,but it can be made compatible because it is open source framework.

Conclusion:

Analysis of RAM for SQL server forensics can give many potential clues about any database security breach or any unauthorized activity,before jumping into main database, it can save a lot of time give many healthy information.

we try our best in our posts but if there are any point of improvement we will appreciate that if anyone correct us or give some valuable suggestions

Thank You

Leave a Reply