SQL Server Forensic Analysis
Author: Kevvie Fowler
Publisher: Addison-Wesley Professional (www.informit.com/aw)
Published: December 2008
ISBN-10: 0-321-54436-6
ISBN-13: 978-0-321-54436-0
Format: Soft cover plus companion DVD, 512 pages.
Price: $54.99
SQL Server Forensic Methods and Techniques
Why should you bother reading a book titled “SQL Server Forensic Analysis”? According to the book’s author, Kevvie Fowler, the reason is simple: “within the past few years, our reliance on database technology has increased exponentially…As our reliance on databases has increased, so, too, have the number of attacks targeting the data those databases store and process…In response, regulations at several levels have been put in place to hold those who manage and store personal information accountable if and when the confidentiality of this information is compromised. More specifically, many regulations demand that any organization that collects, uses, or stores its clients’ information must notify affected clients in the event that their personal information is disclosed.”
This is the key issue that must be successfully handled – Fowler correctly points out that “because of the need to comply with this requirement, it is becoming increasingly important for digital investigators not only to be able to confirm the occurrence of unauthorized database access but also to specifically determine what, if any, sensitive information was accessed.” So if you are responsible for securing the contents of the databases deployed within your company or organization, can you afford not to read “SQL Server Forensic Analysis”? The sorts of IT professionals who stand to benefit from studying the contents of this book are diverse, ranging from information security analysts and managers through to database administrators, security auditors, and systems administrators. Fowler recommends that, in order to get the most from his book, any potential reader have at least a basic understanding of digital forensics and relational databases.
The information presented in the book has been divided up into 11 chapters and two appendixes. The first couple of chapters of “SQL Server Forensic Analysis” are intended to be read by those looking for a refresher course in databases and SQL Server fundamentals. For those readers just starting out with databases in general or with SQL Server in particular, Fowler lists the details of a couple of other books that he regards as more or less mandatory reading before proceeding with his own book. The subject of SQL Server forensics is introduced in the third chapter of the book. It is here that Fowler discusses “how this specialized area of forensics came to be, what it is, and how it can be used to investigate suspected incidents involving SQL Server data.” The fourth and fifth chapters of the book respectively tackle the topics of SQL Server artifacts and SQL Server investigation preparedness. SQL Server artifacts are defined in the book as being “collections of related SQL Server data” and generally fall into two types, namely, resident artifacts and nonresident artifacts. An example of a resident artifact is information contained in a SQL Server resource such as the SQL Server error log, while an example of a nonresident artifact would be information found in a non-explicit SQL Server resource, for instance, SQL Server data found in the Windows system event log. The chapter on investigation preparedness discusses both the software and hardware requirements that need to be in place in order to carry out successful SQL Server investigations.
The next five chapters of “SQL Server Forensic Analysis” investigate the following subject matter: incident verification; artifact collection; artifact analysis (there are two chapters devoted to this particular topic); and SQL Server rootkits. Fowler explains that “a rootkit is a single or collection (“kit”) of applications that allow an individual to covertly maintain administrator (“root”) permission within a computer operating system. Rootkits use multiple techniques to either exploit operating system vulnerabilities or alter operating system objects to disguise or modify data returned by operating system functions.” Fowler then goes on to provide examples of the different sorts of actions that rootkits can potentially conceal or perform. The emphasis in this chapter, though, is on SQL Server rootkits, in particular how they are created and their effect on the core relational database management system. Sample content from “SQL Server Forensic Analysis” that you can access online from the Web site of the book's publisher, Addison-Wesley Professional (www.informit.com/aw), includes the book's preface and index along with the entire final chapter of the book (the 11th chapter), titled “SQL Server Forensic Investigation Scenario.” The book’s author, Kevvie Fowler, explains to his readers that “the goal of this chapter is to bring the technical content we’ve covered to life in an investigation scenario that you can walk through. Performing this walk-through will allow you to appreciate the logical progression of events during an investigation and gain a deeper understanding of how findings within artifacts can be confirmed and further analyzed. This chapter also contains some advanced activity reconstruction analysis methods that should serve as an extension to the content in Chapters 8 and 9.” [Chapters 8 and 9 are both concerned with artifact analysis.] Appendix A of “SQL Server Forensic Analysis” steps readers through the installation of SQL Server 2005 Express Edition with Advanced Services on Windows, while Appendix B contains the syntax of the SQL Server Incident Response (IR) scripts that have been used throughout the book.
The book’s companion DVD contains a trademarked and customized “Windows Forensic Toolchest” framework that has been specifically designed and built for performing SQL Server forensics. The intended role of the framework is to allow for the automated collection, preservation, and analysis of SQL Server artifacts. The contents of the DVD are:
- The files needed for the installation of SQL Server 2005 Express.
- A collection of SQL Server Incident Response scripts.
- A collection of binaries required to build the SQL Server extended version of Windows Forensic Toolchest v3.0.
- Sets of sample SQL Server artifacts, scripts, and databases that are referred to in different chapters of the “SQL Server Forensic Analysis” book.
Instructions for the installation and subsequent use of the DVD are also provided.
A bonus with buying a copy of “SQL Server Forensic Analysis” is that you also get free online access to its contents via the “Safari Books Online” Web site. That access lasts for 45 days. Each Safari book contains all of the content provided in the printed version including any tables, graphics and diagrams. Of course, the major advantages of the online versions of books are that they are easily accessible from different geographical locations without having to lug the actual physical versions around with you, and most importantly, electronic searches of their contents can be easily initiated. And I recommend too that you pay a visit to the book’s companion Web site located at www.applicationforensics.com.
By doing so, you will not only find out more about the “SQL Server Forensic Analysis” book itself, as well as its author Kevvie Fowler, but you can also gain more knowledge about application forensics. That knowledge can be gained by reading through the latest application forensic research posted on the site and by reading other recommended books featured there. These books focus on the forensics of specific applications, two examples being, firstly, Windows Server 2008 and Windows Vista, and secondly, Oracle. As described on the site, the major purpose of the “ApplicationForensics.com” site is to facilitate “the sharing of application forensic research amongst the digital forensics community.” The book’s companion Web site is also where you can learn about problems or errors with the book; for instance, you can click a link to download a .bat file that was inadvertently left off the book's companion DVD. Fowler’s other Web site is Ring Zero (www.ringzero.ca) – Ring Zero is the online home of a research and consulting company that is described in the book as focusing on the “security and forensic analysis of Microsoft technologies.”
In summary, here are just two of the major benefits to be gained from reading “SQL Server Forensic Analysis”:
- Acquisition of up-to-date knowledge about SQL Server forensics, a discipline that Fowler describes as “an emerging and specialized area in the field of computer forensic science.”
- The use of SQL Server forensics to track down the compromise of one or more databases that the more traditional methods of investigation are incapable of detecting.
In conclusion, Fowler himself best sums up the primary goal of his book when he states that it is intended to “provide real-world database forensic techniques that can be used to investigate intrusions on SQL Server 2000, 2005, and 2008 installations with default configurations.” The lesson to be learnt here is straightforward – don’t compromise the security of your organization’s data because you failed to heed the important messages and strategies contained in “SQL Server Forensic Analysis.”