Database Forensics - Paresh Motiwala, SQL Solutions Architect at www.actifio.com

2 Database Forensics - Paresh Motiwala, SQL Solutions Architect at www.actifio.com

4
1. Introduction
2. Goals
3. Breaches
4. File Formats
5. Methodology
6. Incident Preparedness
7. Incident Verification
8. Artifacts: Collection, Verification, Analysis
9. Log Readers
10. Demo
11. Q&A
12. Bibliography

5 Database Forensics
1. Introduction
2. Goals
3. Breaches
4. File Formats
5. Methodology
6. Incident Verification
7. Artifacts: Collection, Verification, Analysis
8. Log Readers
9. Demo
10. Q&A
11. Bibliography

6 Database Forensics - Goals
a) Prove or disprove the occurrence of a data security breach
b) Determine the scope of a database intrusion
c) Retrace user DML and DDL operations
d) Identify data pre- and post-transaction
e) Recover previously deleted database data

7 Database Forensics - Introduction
a) Breaches
b) eDiscovery

8 Database Forensics - Breaches

9 Database Forensics - File Formats

10 Database Forensics - Methodologies
1. Investigation preparedness
2. Incident verification
3. Artifact collection
4. Artifact analysis

11 Database Forensics - Incident Preparedness
1. Configure your forensics workstation (server/WS)
2. Create a SQL Server forensics IRT (incident response team)
3. Develop SQL Server incident response scripts
4. Integrate base scripts with automated live forensic suites (optional)

12 Database Forensics - Incident Verification
Identifying signs of penetration:
A. SQL Server penetration
B. Active unauthorized SQL Server connections
C. Past unauthorized SQL Server access
   a) SQL Server error logs
   b) Plan cache
   c) Session details

13 Database Forensics - Artifacts
1. Volatile:
   1. Active VLFs, captured with sqlcmd and written to a file with the :out command:
        :out c:\dbse_loginfo.txt
        dbcc loginfo
        go
   2. Security ring buffer (failed logins and authentication errors):
        select * from sys.dm_os_ring_buffers where ring_buffer_type = 'RING_BUFFER_SECURITY_ERROR';
   3. Data cache, plan cache, recently executed statements, active connections, active sessions, active VLFs, ring buffers
2. Non-volatile: default trace files
3. Pre-planned
4. Configuration
5. Constant update

Artifact prioritization (higher importance and volatility means collect first):
Item                              | Importance | Volatility | Priority
SQL Server connections & sessions | 5          | 5          | 0
Transaction logs                  | 5          | 4          | 1
SQL Server logs                   | 4          | 3          | 3
SQL Server database files         | 3          | 2          | 5
System event logs                 | 2          | 2          | 6

14 Database Forensics - Artifacts: Collection
Summary of volatile SQL Server artifacts, marked by collection method (Automated Artifact Collection (WFT) / Ad Hoc Artifact Collection):
Data cache ♦
Cache clock hands ♦
Plan cache ♦
Most recently executed (MRE) statements ♦
Active connections ♦
Active sessions ♦
Active virtual log files (VLFs) ◊ ♦
Ring buffers ♦
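The collection step on slides 13 and 14, as an added example that is not the speaker's script or Fowler's WFT templates: a T-SQL script that captures the volatile artifacts in order of volatility through the standard DMVs, recording the collector's own session first so it can be excluded from the findings. The sqlcmd command line and output file name in the comments are assumptions.

```sql
-- Added example, not from the slides or from Fowler's toolkit: collect the volatile
-- SQL Server artifacts listed on slides 13 and 14 in order of volatility, and record
-- the collector's own session first so it can be excluded from the findings.
-- Assumed invocation (file names are assumptions):
--   sqlcmd -S <instance> -E -i collect_volatile.sql -o volatile_<host>.txt
SET NOCOUNT ON;

-- 0. Baseline: who is collecting, when, and from which instance.
SELECT @@SPID AS collector_spid, SYSDATETIME() AS collected_at,
       @@SERVERNAME AS server_name, SERVERPROPERTY('ProductVersion') AS product_version;

-- 1. Active connections and sessions (gone as soon as the client disconnects).
SELECT s.session_id, s.login_name, s.host_name, s.program_name, s.login_time,
       s.last_request_start_time, c.client_net_address, c.auth_scheme, c.connect_time
FROM sys.dm_exec_sessions AS s
LEFT JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.is_user_process = 1;

-- 2. Security ring buffer (failed logins, authentication API errors), with the record
--    XML shredded into columns and the tick count converted to wall-clock time.
SELECT DATEADD(second, CAST((rb.[timestamp] - si.ms_ticks) / 1000 AS int), SYSDATETIME()) AS event_time,
       x.r.value('(Record/Error/SPID)[1]', 'int') AS spid,
       x.r.value('(Record/Error/ErrorCode)[1]', 'varchar(20)') AS error_code,
       x.r.value('(Record/Error/CallingAPIName)[1]', 'varchar(100)') AS calling_api,
       x.r.value('(Record/Error/APIName)[1]', 'varchar(100)') AS api_name
FROM sys.dm_os_ring_buffers AS rb
CROSS JOIN sys.dm_os_sys_info AS si
CROSS APPLY (SELECT CAST(rb.record AS xml) AS r) AS x
WHERE rb.ring_buffer_type = 'RING_BUFFER_SECURITY_ERROR'
ORDER BY rb.[timestamp] DESC;

-- 3. Most recently executed statements, reconstructed from the plan cache offsets
--    (evicted under memory pressure or on restart, so captured before the log work).
SELECT TOP (500) qs.last_execution_time, qs.execution_count, st.dbid, qs.plan_handle,
       SUBSTRING(st.text, qs.statement_start_offset / 2 + 1,
                 (CASE qs.statement_end_offset WHEN -1 THEN DATALENGTH(st.text)
                       ELSE qs.statement_end_offset END - qs.statement_start_offset) / 2 + 1)
           AS statement_text
FROM sys.dm_exec_query_stats AS qs
CROSS APPLY sys.dm_exec_sql_text(qs.sql_handle) AS st
ORDER BY qs.last_execution_time DESC;

-- 4. Active virtual log files of the current database (slide 13's DBCC LOGINFO step).
DBCC LOGINFO;
```

Running the script itself adds a session and cached plans to the instance, which is why the baseline row comes first: anything with collector_spid, or a last_execution_time after collected_at, belongs to the investigator, not the suspect.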

15 Database Forensics - Artifacts: Analysis
1. Pre-analysis: create an image, use write blockers, create a repository (database)
2. Security audit: use of honeypot, audit level, log history, history of suspect
3. SQL logs
4. System Event Viewer logs
5. Profiler trace, or monitoring software like Idera

16 Database Forensics - Log Readers
1. Expensive
2. Pre-planned
3. Configuration
4. Constant update

17 Database Forensics - Q&A, Bibliography
http://www.bmyers.com/public/1958.cfm
Fowler, K. SQL Server Forensic Analysis.
Fowler, K. (2007). Forensic analysis of a SQL Server 2005 database. Informally published manuscript.

18 Database Forensics
"As prudent investigators, our job is to find the clues that the perpetrator doesn't know he/she left behind."
William Petersen, CSI, 2001

19 Explore Everything PASS Has to Offer
Free SQL Server and BI Web Events
Free 1-day Training Events
Regional Event
Local User Groups Around the World
Free Online Technical Training
This is Community
Business Analytics Training
Session Recordings
PASS Newsletter
