SANS Digital Forensics and Incident Response Blog: Tag - DATABASE

SQL Rootkits

SQL, Databases and Forensics

by Craig Wright

For the most part, databases have become an integral part of any organization. More importantly, they have become mission critical. On top of this, many enterprise-level databases are far larger than any disk you are likely to encounter. As an example, I was required to image a database that belonged to an insurance company. This database was 68TB in total size and it was business critical. The consequence is that you need to start thinking of other ways to do forensic work on databases.

As with all live system forensics, begin by gathering the required evidence in order of volatility, starting with the data most likely to change and working toward that which is unlikely to change. When doing this, remember to:

  • Protect the Audit Trail - Protect the audit trail so that audit information cannot be added, changed, or deleted.