SQL Server Forensic Analysis (paperback)
Addison-Wesley Educational Publishers Inc (Verlag)
978-0-321-95162-5 (ISBN)
- Titel ist leider vergriffen;
keine Neuauflage - Artikel merken
—Curtis W. Rose, founder of Curtis W. Rose and Associates and coauthor of Real Digital Forensics
The Authoritative, Step-by-Step Guide to Investigating SQL Server Database Intrusions
Many forensics investigations lead to the discovery that an SQL Server database might have been breached. If investigators cannot assess and qualify the scope of an intrusion, they may be forced to report it publicly–a disclosure that is painful for companies and customers alike. There is only one way to avoid this problem: Master the specific skills needed to fully investigate SQL Server intrusions.
In SQL Server Forensic Analysis, author Kevvie Fowler shows how to collect and preserve database artifacts safely and non-disruptively; analyze them to confirm or rule out database intrusions; and retrace the actions of an intruder within a database server. A chapter-length case study reinforces Fowler’s techniques as he guides you through a real-world investigation from start to finish.
The techniques described in SQL Server Forensic Analysis can be used both to identify unauthorized data access and modifications and to gather the information needed to recover from an intrusion by restoring the pre-incident database state.
Coverage includes
Determining whether data was actually compromised during a database intrusion and, if so, which data
Real-world forensic techniques that can be applied on all SQL Server instances, including those with default logging
Identifying, extracting, and analyzing database evidence from both published and unpublished areas of SQL Server
Building a complete SQL Server incident response toolkit
Detecting and circumventing SQL Server rootkits
Identifying and recovering previously deleted database data using native SQL Server commands
SQL Server Forensic Analysis is the first book of its kind to focus on the unique area of SQL Server incident response and forensics. Whether you’re a digital forensics specialist, incident response team member, law enforcement officer, corporate security specialist, auditor, or database professional, you’ll find this book an indispensable resource.
Kevvie Fowler is the Director of Managed Security Services at TELUS Security Solutions, where he is responsible for the delivery of specialized security, incident response, and forensic services. In addition to authoring SQL Server Forensic Analysis, he is contributing author of How to Cheat at Securing SQL Server 2005 (Syngress, 2007) and The Best Damn Exchange, SQL, and IIS Book Period (Syngress, 2007). Kevvie is also the founder of Ring Zero, a research and consulting company that focuses on the security and forensic analysis of Microsoft technologies. In addition to Ring Zero, Kevvie owns and maintains the applicationforensics.com Web site, which he hopes to grow into the leading source of application forensics information on the Internet. Kevvie is a frequent presenter at leading information security conferences such as Black Hat and SecTor. He is a GIAC Gold Certified Forensic Analyst (GCFA) and Certified Information System Security Professional (CISSP), and he holds several Microsoft certifications, including MCTS, MCDBA, MCSD, and MCSE. Kevvie is also a member of the High Technology Crime Investigation Association (HTCIA).
Preface xiii
Acknowledgments xvii
About the Author xix
Chapter 1: Introduction to Databases 1
Running Chapter 1 Sample Scripts 2
Databases Explained 2
How Databases Are Used 3
Databases and COTS Applications 5
Database Structure 6
Structured Query Language (SQL) 7
Database Transactions 11
The ACID Model 11
Referential Integrity 12
Summary 15
Chapter 2: SQL Server Fundamentals 17
History of SQL Server 17
SQL Server Versions and Editions 18
Architecture 20
SQL Server Connections 24
Context Switching 25
SQL Server Databases 26
Data Storage 27
Memory Management 34
Security 34
Permissions 39
Encryption 40
Dynamic Management and Database Console Commands 42
Logging 44
SQL Server Agent 44
Summary 44
Chapter 3: SQL Server Forensics 47
The Road to SQL Server Forensics 47
SQL Server Forensics 48
SQL Server Forensic Methodology 59
Summary 61
Chapter 4: SQL Server Artifacts 63
SQL Server Artifacts 63
Resident SQL Server Artifacts 67
Nonresident SQL Server Artifacts 90
Artifact Summary 93
Summary 95
Chapter 5: SQL Server Investigation Preparedness 97
SQL Server Investigation Preparedness Overview 98
Configuring Your Forensics Workstation for a SQL Server Investigation 98
Creating a SQL Server Forensics Incident Response Toolkit 108
Summary 137
Chapter 6: Incident Verification 139
Running Chapter 6 Sample Scripts 139
Incident Verification Explained 140
What Not to Do When Investigating a Live SQL Server 141
Responding to an Incident 142
Identifying the SQL Server Instance Name 146
Connecting to a Victim System 150
Disconnecting from the Victim System 155
Identifying Signs of an Intrusion 156
Submitting Preliminary Findings 171
Summary 172
Chapter 7: Artifact Collection 173
Focus on Ad Hoc Collection 174
Running the Sample Scripts 175
Maintaining the Integrity of Collected Data 175
Automated Artifact Collection via Windows Forensic Toolchest 179
Identifying the Victim’s SQL Server Version 180
Ad Hoc Artifact Collection 181
Collecting Volatile SQL Server Artifacts 183
Collecting Nonvolatile SQL Server Artifacts 191
Summary 224
Chapter 8: Artifact Analysis I 225
Working Along with Chapter 8 Examples 226
Pre-analysis Activities 226
Authentication and Authorization 240
Configuration and Versioning 257
Summary 271
Chapter 9: Artifact Analysis II 273
Working Along with Chapter 9 Examples 273
Pre-analysis Activities 274
Activity Reconstruction 274
Data Recovery 340
Summary 356
Chapter 10: SQL Server Rootkits 357
Traditional Rootkits 357
SQL Server Rootkits: The New Threat 358
Generations of SQL Server Rootkits 359
First-Generation SQL Server Rootkits 360
How Rootkits Can Affect a SQL Server Investigation 384
Detecting Database Rootkits 384
When to Check for Database Rootkits 396
What to Do if You Find a Rootkit 396
Summary 397
Chapter 11: SQL Server Forensic Investigation Scenario 399
Scenario Overview 399
Importing Sample Artifacts 400
Investigation Synopsis 400
Incident Verification 401
Artifact Collection 406
Artifact Analysis 406
Activity Reconstruction 411
Investigation Summary 421
Appendix A: Installing SQL Server 2005 Express Edition with Advanced Services on Windows 425
Appendix B: SQL Server Incident Response Scripts 439
SSFA_DataCache.sql 439
SSFA_ClockHands.sql 440
SSFA_PlanCache.sql 441
SSFA_RecentStatements.sql 443
SSFA_Connections.sql 445
SSFA_Sessions.sql 446
SSFA_TLOG.sql 447
SSFA_DBObjects.sql 449
SSFA_Logins.sql 452
SSFA_Databases.sql 453
SSFA_DbUsers.sql 454
SSFA_Triggers.sql 456
SSFA_Jobs.sql 458
SSFA_JobHistory.sql 459
SSFA_Configurations.sql 460
SSFA_CLR.sql 461
SSFA_Schemas.sql 462
SSFA_EndPoints.sql 464
SSFA_DbSrvInfo.sql 465
SSFA_AutoEXEC.sql 466
SSFA_TimeConfig.sql 467
Index 469
| Erscheint lt. Verlag | 11.12.2013 |
|---|---|
| Verlagsort | New Jersey |
| Sprache | englisch |
| Maße | 179 x 231 mm |
| Gewicht | 820 g |
| Themenwelt | Informatik ► Datenbanken ► SQL Server |
| Informatik ► Netzwerke ► Sicherheit / Firewall | |
| ISBN-10 | 0-321-95162-X / 032195162X |
| ISBN-13 | 978-0-321-95162-5 / 9780321951625 |
| Zustand | Neuware |
| Haben Sie eine Frage zum Produkt? |
aus dem Bereich
