SANS Digital Forensics and Incident Response Blog: Tag - SQL

SQL Rootkits

SQL, Databases and Forensics

by Craig Wright

Databases have become an integral part of almost every organization and, more importantly, they have become mission critical. On top of this, many enterprise-level databases are far larger than any disk you are likely to encounter. As an example, I was required to image a database that belonged to an insurance company. This database was 68 TB in total size and it was business critical. The consequence is that you need to start thinking of other ways to do forensic work on databases: a full bit-for-bit image of the storage is often impossible, and taking a business-critical system offline to acquire one is rarely an option, so much of the evidence has to be collected from the live database itself.

As with all live-system forensics, begin by gathering the required evidence in order of volatility: start with what is most volatile (connected sessions, executing statements, open transactions, cached data) and work toward what is unlikely to change (the audit trail, the schema, the data files). When doing this, remember to:

  • Protect the audit trail - capture and secure the audit trail early so that audit records cannot be added, changed, or deleted while you work, and so that you can later show they were not.
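As an added example (not code from the SANS post), here is the collection order described above as an Oracle SQL*Plus script. It assumes an Oracle 10g or later database using the classic audit trail (DBA_AUDIT_TRAIL), an examiner account with SELECT on the V$ and DBA_ views, and illustrative spool file names. Each result set is written to its own file, most volatile first, so that every file can be hashed outside the database as soon as it is captured.

```sql
-- Added example, not from the original post. Assumes Oracle 10g+,
-- classic auditing (DBA_AUDIT_TRAIL) and SELECT on V$/DBA_ views.
-- Spool file names are illustrative.
SET LINESIZE 400 PAGESIZE 0 TRIMSPOOL ON FEEDBACK OFF
ALTER SESSION SET NLS_DATE_FORMAT = 'YYYY-MM-DD HH24:MI:SS';

-- 0. Record the start of collection on the database's own clock, plus
--    which instance and host we are talking to and when it last started.
SPOOL collect_start.txt
SELECT SYSTIMESTAMP, instance_name, host_name, startup_time FROM v$instance;
SPOOL OFF

-- 1. Most volatile: who is connected right now, from where, and what
--    statement each session is currently executing (sql_id).
SPOOL sessions.txt
SELECT s.sid, s.serial#, s.username, s.osuser, s.machine, s.program,
       s.logon_time, s.status, s.sql_id
  FROM v$session s
 WHERE s.type = 'USER';
SPOOL OFF

-- 2. Open transactions: uncommitted work vanishes on rollback or
--    session termination, so capture it before touching anything.
SPOOL transactions.txt
SELECT t.xidusn, t.xidslot, t.xidsqn, t.start_time, t.status,
       s.sid, s.username
  FROM v$transaction t
  JOIN v$session s ON s.taddr = t.addr;
SPOOL OFF

-- 3. SQL still resident in the shared pool. This is aged out under
--    memory pressure, so it is volatile even though it looks historical.
SPOOL sql_cache.txt
SELECT sql_id, parsing_schema_name, first_load_time, last_active_time,
       executions, sql_text
  FROM v$sql
 ORDER BY last_active_time DESC;
SPOOL OFF

-- 4. Less volatile: the audit trail, taken in full so a copy exists
--    before anyone (including a DBA) can purge or edit it.
SPOOL audit_trail.txt
SELECT os_username, username, userhost, terminal, timestamp,
       action_name, owner, obj_name, returncode
  FROM dba_audit_trail
 ORDER BY timestamp;
SPOOL OFF

-- 5. Least volatile: the schema inventory. LAST_DDL_TIME exposes objects
--    created or altered recently, which is where a SQL rootkit tends to live.
SPOOL objects.txt
SELECT owner, object_name, object_type, created, last_ddl_time, status
  FROM dba_objects
 WHERE owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY last_ddl_time DESC;
SPOOL OFF

-- 6. Record the end of collection on the same clock.
SPOOL collect_end.txt
SELECT SYSTIMESTAMP FROM dual;
SPOOL OFF
```

Run it from the examiner's workstation (for example `sqlplus -S examiner@db @collect.sql`), then hash the spool files immediately with a tool such as sha256sum and record the hashes alongside the start and end timestamps. Those timestamps come from the database's clock, so note the workstation clock as well and any offset between the two; the objects listing deliberately excludes SYS and SYSTEM only to keep the output readable, and an investigation into a suspected rootkit should repeat it without that filter.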

Oracle Forensics: Toad from Quest Software

Here are some notes on Oracle-related forensics concerning Toad from Quest Software.


The CONNECTIONS.INI file stores information about previously used connections: the passwords, usernames, and servers the user connected to with Toad. During a forensic review you will find bits and pieces of this file scattered across unallocated space and slack space, in proportion to how heavily the user used Toad, so keyword searches for its contents should cover the whole disk and not just the live file system.

In my experience with Oracle developers, I have found this file being traded among them, as it offers an easy way to pass connection information. Based on that, you should be able to see how easy it is for one user to obtain the credentials of another user and log in with them. All the user has to do is put the file in the proper spot, bring up Toad, and then click on the connection to log in. No password checks are made by Toad provided that previous connection listed in the

... Continue reading Oracle Forensics: Toad from Quest Software