Database Forensics

Database servers store sensitive information. Database forensics is the branch of digital forensic science concerned with databases and the data they hold. It examines who accessed a database and what actions were performed. Large data security breaches are a serious problem, and criminal investigators search the affected databases for evidence relating to them.

Modern criminal investigations often involve database forensics, as investigators search for motive and method and try to identify suspects. Database forensics can also be used to verify commercial agreements, as in a recent legal dispute between two large companies over whether database software had accurately calculated the residual value of a fleet of 45,000 leased cars.

A forensic examination of a database may inspect the timestamps recording when a row in a relational table was last updated, in order to verify the actions of a database user. Another database forensics case might examine every transaction within a database system or application over a specific period of time in order to identify any fraudulent transactions.
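As an added example of both kinds of examination described above (this is not code from the article), the following T-SQL reconstructs which login changed rows in a table and when, using the SQL Server transaction log. It relies on fn_dblog(), which is undocumented but widely used for this purpose; it reads only the active portion of the log, so it should be run on a restored evidence copy rather than the live server where possible. The table name dbo.Leases and the date window are assumptions for illustration, not details from the article.

```sql
-- Added example, not taken from the article: reconstruct who changed rows in dbo.Leases
-- and when, from the SQL Server transaction log via the undocumented fn_dblog().
-- Assumptions for illustration: table dbo.Leases, window 2023-01-01 to 2023-01-31.

-- 1. Snapshot the log once so the evidence is read a single time.
SELECT  [Current LSN]       AS lsn,
        Operation           AS operation,
        Context             AS context,
        [Transaction ID]    AS xid,
        [Transaction Name]  AS xact_name,
        [Begin Time]        AS begin_time,   -- stored as text, e.g. 2023/01/15 14:32:07:410
        [Transaction SID]   AS login_sid,
        AllocUnitName       AS alloc_unit
INTO    #logsnap
FROM    sys.fn_dblog(NULL, NULL);

-- 2. Every row change belongs to a transaction; the LOP_BEGIN_XACT record carries the
--    start time and the SID of the login that started it.
;WITH xact AS (
    SELECT  xid,
            xact_name,
            CONVERT(DATETIME, begin_time) AS begin_time,   -- conversion depends on session DATEFORMAT
            login_sid
    FROM    #logsnap
    WHERE   operation = 'LOP_BEGIN_XACT'
)
SELECT  l.lsn,
        x.begin_time,
        SUSER_SNAME(x.login_sid) AS login_name,   -- NULL if the login no longer exists
        x.xact_name,                               -- e.g. UPDATE, INSERT, DELETE
        l.operation,
        l.alloc_unit
FROM    #logsnap AS l
JOIN    xact     AS x ON x.xid = l.xid
WHERE   l.operation IN ('LOP_MODIFY_ROW', 'LOP_MODIFY_COLUMNS', 'LOP_INSERT_ROWS', 'LOP_DELETE_ROWS')
  AND   l.context   IN ('LCX_CLUSTERED', 'LCX_HEAP')       -- data rows, not index pages
  AND   l.alloc_unit LIKE 'dbo.Leases%'
  AND   x.begin_time >= '2023-01-01'
  AND   x.begin_time <  '2023-02-01'
ORDER BY l.lsn;

DROP TABLE #logsnap;
```

Two caveats a practitioner should keep in mind: fn_dblog only returns log records that have not yet been truncated, so an unpreserved log may already be missing the period of interest, and SUSER_SNAME returns NULL for a login that has since been dropped, which is itself a finding worth recording rather than a reason to discard the row.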

Experts in database forensics need to be well versed in almost all aspects of database development and use, as they have to preserve, authenticate, analyze and output data from large, custom-built databases that cannot simply be copied and taken back to the office for further investigation.

Stroz Friedberg highlights that enterprise database forensics typically requires investigators to “leverage the infrastructure of the database itself, using a combination of disabling archive and deletion features, preserving backup tapes, and/or preserving existing reports.”
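What “leveraging the infrastructure of the database itself” to preserve evidence looks like on SQL Server, as an added example that is not from the article or from Stroz Friedberg: check whether the log is being truncated, then capture the database and its log without disturbing the production backup chain. The database name LeaseDB and the evidence path are assumptions for illustration.

```sql
-- Added example, not from the article: preserve SQL Server log evidence before analysis.
-- Assumptions: database LeaseDB, E:\evidence is a write-once evidence share, and the
-- examiner has the BACKUP DATABASE / BACKUP LOG permissions.

-- 1. Is the log being discarded, and if so why? Under SIMPLE recovery the inactive log is
--    discarded at every checkpoint and no log backup is possible; the DBA must switch the
--    database to FULL and start a log chain with a fresh full backup before continuing.
SELECT  name,
        recovery_model_desc,   -- expect FULL for the steps below
        log_reuse_wait_desc    -- NOTHING means the log can be truncated at any time
FROM    sys.databases
WHERE   name = 'LeaseDB';

-- 2. Capture the data files. COPY_ONLY leaves the production differential base untouched,
--    CHECKSUM writes page checksums that can be verified later, INIT overwrites the
--    evidence file rather than appending to an existing backup set.
BACKUP DATABASE LeaseDB
    TO DISK = N'E:\evidence\LeaseDB_full.bak'
    WITH COPY_ONLY, CHECKSUM, INIT;

-- 3. Capture the transaction log. A copy-only log backup does not truncate the log and
--    does not break the production log-backup sequence, so the live records stay in place
--    for the DBA's normal backups and for a second examiner to reproduce the capture.
BACKUP LOG LeaseDB
    TO DISK = N'E:\evidence\LeaseDB_log.trn'
    WITH COPY_ONLY, CHECKSUM, INIT;

-- 4. Verify both evidence files and record the result for the chain of custody.
RESTORE VERIFYONLY FROM DISK = N'E:\evidence\LeaseDB_full.bak' WITH CHECKSUM;
RESTORE VERIFYONLY FROM DISK = N'E:\evidence\LeaseDB_log.trn'  WITH CHECKSUM;
```

The order matters: a log backup requires a prior full backup, and the copy-only options are what keep this capture from altering the production server's own backup history, which is itself evidence.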

Investigators and DBAs can draw on books and tools to better understand database forensics. The book SQL Server Forensic Analysis by Kevvie Fowler defines and documents methods and techniques for SQL Server forensics. It remains the go-to database forensics textbook for SQL Server specifically.

Additionally, Data Alerts in Idera’s SQL Compliance Manager can support a forensic investigation: they can flag when privileged users manipulate data, or track access to specific sensitive data. You can find more information in SQL Compliance Manager’s Release Notes.