SQL Server Forensics

  • Good morning. I am a computer forensics analyst and I am investigating a case in which a SQL 2000 database was deleted. I am performing my analysis on a forensic image of the server that housed the database (I do not have access to the server itself). The .mdf was deleted, but I was able to recover the .ldf file (Transaction Log). I would like to view the contents of the transaction log to see what, if anything, the intruder did within the database before deleting it.

    Is there a utility that will allow me to view the contents of the transaction log if I do not have the corresponding .mdf file? Ideally, I would like to locate a utility that does not require me to build an instance of SQL but I think that may be hard to come by.

    My second question is with regard to the format of the transaction log. Can anyone point me in the direction of some documentation that would describe the format\fields within the transaction log?

    Thanks in advance,

    John

  • Important Question: how can we know that you are what you say you are and not say, someone who has obtained an illicit copy of a database server's disks and needs our help to crack it?

-- RBarryYoung, (302)375-0451 blog: MovingSQL.com, Twitter: @RBarryYoung
    Proactive Performance Solutions, Inc.
    "Performance is our middle name."

There are a number of commercial log readers available that will read the LDF for you. I have not used these personally, so I am not sure whether they would operate without the MDF. A Google/Bing search for "SQL log reader" will bring up the main products available.

    Though it may be difficult to find out what the intruder did and saw, as you will only see data changes and not selects.

    Also, you may have better luck restoring the last good backup (I am assuming that data important enough to hire a forensic analyst would be important enough to back up) and going from there.
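To make the point in the reply above concrete (you see data changes in the log, never SELECTs), here is an added T-SQL example that is not from any poster in this thread. It assumes an attached, online database, which is exactly what John does not have, so it illustrates what the log records rather than solving his detached-LDF problem. It uses the undocumented fn_dblog() function (`::fn_dblog(NULL, NULL)` is the SQL Server 2000/2005 call form, `sys.fn_dblog` in later versions); the column set it returns varies by version, and the database, table and path names below are hypothetical.

```sql
-- Added example, not from the thread. Shows which actions leave transaction-log
-- records. Requires a database that is attached and online; fn_dblog is undocumented
-- and its output columns differ between SQL Server versions. Names are hypothetical.
USE master;
GO
CREATE DATABASE ForensicsDemo;
GO
-- FULL recovery plus a full backup so the log is retained instead of truncated.
ALTER DATABASE ForensicsDemo SET RECOVERY FULL;
BACKUP DATABASE ForensicsDemo TO DISK = 'C:\temp\ForensicsDemo.bak';
GO
USE ForensicsDemo;
GO
CREATE TABLE dbo.Customers (Id INT PRIMARY KEY, Name VARCHAR(50), CardLast4 CHAR(4));
INSERT INTO dbo.Customers (Id, Name, CardLast4) VALUES (1, 'Alice', '1234');
INSERT INTO dbo.Customers (Id, Name, CardLast4) VALUES (2, 'Bob',   '5678');
GO

-- Simulated intruder activity.
SELECT * FROM dbo.Customers;                               -- read only: writes NO log record
UPDATE dbo.Customers SET CardLast4 = '0000' WHERE Id = 1;  -- logged as LOP_MODIFY_ROW
DELETE FROM dbo.Customers WHERE Id = 2;                    -- logged as LOP_DELETE_ROWS
DROP TABLE dbo.Customers;                                  -- logged via system-table changes
GO

-- 1. Transaction-level view: one LOP_BEGIN_XACT per statement, with its start time
--    and the SPID of the session that ran it. Expect names such as UPDATE, DELETE
--    and DROPOBJ, but nothing at all for the SELECT.
SELECT [Current LSN], [Transaction ID], [Transaction Name], [Begin Time], SPID
FROM sys.fn_dblog(NULL, NULL)
WHERE Operation = 'LOP_BEGIN_XACT'
ORDER BY [Current LSN];

-- 2. Row-level view: the data-change records, with the allocation unit (table/index)
--    they hit. [RowLog Contents 0] / [RowLog Contents 1] carry the raw before/after
--    row bytes for LOP_MODIFY_ROW, which is how recovered values are reconstructed.
SELECT [Current LSN], Operation, Context, AllocUnitName, [Transaction ID],
       [RowLog Contents 0], [RowLog Contents 1]
FROM sys.fn_dblog(NULL, NULL)
WHERE Operation IN ('LOP_INSERT_ROWS', 'LOP_MODIFY_ROW', 'LOP_DELETE_ROWS')
ORDER BY [Current LSN];
GO

-- Clean up the demo database.
USE master;
GO
DROP DATABASE ForensicsDemo;
GO
```

Two caveats a practitioner should keep in mind. First, this only works because the database is attached; on a forensic image with the .mdf gone you would have to either get a log-reading tool that parses the raw LDF format, or obtain the log from a log backup (.trn) if one exists. Second, the SPID and Begin Time columns identify a session and a moment, not a person: tying them to a login means correlating with the SQL Server error log, Windows security events or application logs from the same image.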

  • OK, so I guess we're throwing caution (or ethics) to the wind then?

-- RBarryYoung

  • John,

Get Kevvie Fowler's book. It will tell you everything you need to know, and he handles chain of custody, etc., in his treatment of what to do.

    SQL Server Forensics at Amazon.com

    If you need it *now* it's available in Kindle Edition and on Safari as well.

EDIT: Read your scenario a little closer. Not sure he covers that. Trying to remember, as it has been some months since I've read the book. I believe he has started with the assumption of working .mdf files. However, with that said, your best bet if he doesn't cover it is to enlist the help of Microsoft through support channels. Once they verify you're on the up and up, I'm sure they could provide assistance in piecing together the contents of what is in the .ldf, though it may not be very much.

    K. Brian Kelley
    @kbriankelley

  • Steveb,

    Thanks for your reply. I've spent the morning trying to find a utility and I've identified several but they all seem to require a database to which they can connect. I also appreciate your insight as to what I may or may not be able to see in the transaction log. I don't have any SQL Server experience and little idea as to what may or may not be in the transaction log. I've got a couple of DBA friends and I'm going to see if they can help me out.

    Thanks again,

    John

    ----

    RBarryYoung,

    Thanks for your concern. The scenario is quite the opposite and you'll just have to trust me on that one. If you think I have ulterior motives in posting here, please just ignore my initial question.

  • Brian,

    Thanks also for your reply. The book is on hold at Barnes & Noble and I'll be picking it up this afternoon.

    -John
