Module:-11

Day:-56

Database Forensics and its Importance :-

Database Forensics is a specialized branch of digital forensics that focuses on investigating

and analyzing databases to uncover hidden, deleted, or altered data, track unauthorized
access, and trace the actions taken on sensitive data. It involves the extraction, preservation,
and interpretation of data from database systems, logs, and related files to provide evidence
that can be used in legal proceedings, security investigations, or compliance audits.

Components of Database Forensics

1. Identification: Locating potential sources of evidence within the database,

including tables, logs, transactions, backups, and metadata.
2. Preservation: Ensuring that the database remains intact and tamper-free
throughout the investigation process. This includes taking snapshots or forensic images of
the database environment.
3. Collection: Gathering relevant data, including:
• Database logs: Which track changes, transactions, and access.
• Audit trails: Records of user activities, database queries, and responses.
• Memory dumps: Which may include temporary data not yet committed to the
database.
4. Examination: Using specialized forensic tools to analyze the data and identify
suspicious activity or data tampering. This could involve examining database queries,
changes in records, and unauthorized access attempts.
5. Analysis: Interpreting the collected data to reconstruct events, such as identifying
who accessed sensitive information, what changes were made, and when these activities
occurred.
6. Reporting: Documenting the findings in a detailed, structured report that outlines
the forensics process and provides evidence for legal or internal investigations.

Importance of Database Forensics

1. Incident Response and Investigation

Database forensics plays a crucial role in investigating data breaches, insider threats, and
unauthorized database access. It helps to determine the extent of the damage, how the
breach occurred, and what specific data was compromised. This is essential for identifying
vulnerabilities and preventing future attacks.

2. Data Integrity and Compliance

Ensuring data integrity is paramount for businesses that handle sensitive information,
especially those in industries like finance, healthcare, and government. Database forensics is
critical for organizations that must comply with regulatory standards like GDPR, HIPAA, PCI-
DSS, and SOX. Forensics ensures that sensitive data is handled properly and that
unauthorized changes are detected, enabling compliance with legal standards.

3. Internal Threat Detection

Database forensics is not only useful for external cyberattacks but also for detecting and
investigating insider threats. Employees with access to critical databases may misuse their
privileges, modify sensitive information, or steal confidential data. By tracing user activities,
database forensics helps mitigate internal security risks.

4. Tracking Data Manipulation and Fraud

In cases of financial or corporate fraud, database forensics can track unauthorized

transactions, data manipulation, or falsification of records. This is especially important for
financial institutions, where fraudulent activity needs to be tracked across complex
databases.

5. Legal Evidence in Court

Database forensics provides irrefutable digital evidence that can be used in court
proceedings. The process of preserving the data with proper chain-of-custody
documentation ensures that the evidence remains credible and admissible in court. Database
forensics experts often testify in court as to their findings and the methods used in the
investigation.
investigation.

6. Mitigation of Data Breaches

Database forensics helps identify the source and methodology of data breaches. By
analyzing logs and tracing the activities that led to the compromise, forensics teams can
identify vulnerabilities in the database system and suggest remediation measures to prevent
further breaches.

7. Backup and Recovery Verification

Database forensics also plays a role in verifying the authenticity and accuracy of backup
systems. For instance, if a company experiences data loss or corruption, forensic analysis
can help determine whether the backup data is genuine and has not been tampered with,
ensuring accurate recovery.

Conclusion
Database forensics is vital in today’s digital landscape, where databases are the
backbone of most business operations. It ensures that data integrity is maintained,
helps detect and respond to security incidents, supports legal actions, and assists
organizations in complying with data protection regulations. As databases continue to
grow in complexity, the role of forensics in ensuring their security and integrity
becomes even more critical.
Day:-57

Data Storage in SQL Server :-

SQL Server is a relational database management system (RDBMS) that stores data in a
structured format. Its storage architecture is designed to efficiently manage, retrieve, and
maintain data. Below is a detailed explanation of how data is stored in SQL Server.

1. Database Files

SQL Server uses three types of files to store data:

• Primary Data File (.mdf): This is the main file where the data is stored. Every SQL
Server database has a primary data file, and it can also contain user objects (tables, indexes,
views, etc.).
• Secondary Data Files (.ndf): These are optional files used if the primary data file
becomes too large. Databases can be spread across multiple secondary files, especially in
cases where storage needs to be expanded or spread across multiple disks.
• Log File (.ldf): The log file stores all the transaction logs, which help in maintaining
data integrity and recovery processes. Every database must have at least one log file.

2. Pages and Extents

Data is physically stored in SQL Server using pages and extents.

Pages

• A page is the fundamental unit of data storage in SQL Server. Each page is 8 KB in
size, and a database is divided into pages.
• Pages store various types of information, depending on their type:
• Data Pages: Store the actual data in rows.
• Index Pages: Store index information for quicker searches.
• Text/Image Pages: Store large objects such as text, images, or large binary data.
• Global Allocation Map (GAM) Pages: Manage allocated extents.
• Page Free Space (PFS) Pages: Track the amount of free space available on each
page.
• Bulk Changed Map (BCM) Pages: Keep track of changes during bulk operations.

Each page consists of a 96-byte header that includes metadata like page number, type,
amount of free space, etc., followed by the actual data.

Extents

• An extent consists of eight contiguous pages (8 KB each), making the extent size
64 KB.
• SQL Server allocates space to objects in extents, which can either be:
• Uniform Extents: Owned by a single object (all eight pages belong to the same
object).
• Mixed Extents: Shared among multiple objects (used when objects are small and
don’t require a full extent).
Initially, SQL Server uses mixed extents, but as tables grow, uniform extents are allocated to
improve performance.

3. Row Storage

SQL Server stores data in rows, and each row is stored on a page. The maximum size for a
row is 8,060 bytes, though certain types of data (e.g., varchar(MAX) and varbinary(MAX))
can exceed this limit by using a special storage mechanism for large data types (text/image
storage).

Rows are stored sequentially in a page, and each row has a row offset table at the end of the
page that points to the starting position of each row.

Large Data Types

If a row contains large data such as varchar(MAX), varbinary(MAX), text, ntext, or image,
SQL Server stores part of the row on the page, but the large data is stored on separate
pages, known as LOB (Large Object) pages. The row contains a pointer to the LOB page.

4. Indexes and Data Storage

Indexes help speed up data retrieval and are stored as part of the database structure. SQL
Server uses two primary types of indexes:

• Clustered Index: A clustered index determines the physical order of the data in the
table. There can only be one clustered index per table because the rows are stored physically
in this order. The data and the index are stored together.
• Non-Clustered Index: A non-clustered index stores the index separately from the
data. It contains a pointer to the data location, which can either be the row’s physical
address or the key value in a clustered index.

Both types of indexes are stored on index pages and organized similarly to data pages. Non-
clustered indexes allow faster searching but do not affect the physical order of the data in
the table.

5. Transaction Logs
SQL Server uses transaction logs to maintain a record of all transactions and ensure ACID
properties (Atomicity, Consistency, Isolation, Durability). The .ldf file stores all the logs.

• Write-Ahead Logging (WAL): Before SQL Server makes any changes to the actual
data files, it first logs the change in the transaction log. Only once the log is written does SQL
Server commit the transaction to the data files.
• The transaction log ensures that in the event of a system crash or failure, the
database can be restored to a consistent state. It stores:
• The start of a transaction.
• All modifications (INSERTs, UPDATEs, DELETEs).
• Commit or rollback operations.

6. Memory Storage: Buffer Pool

SQL Server also uses in-memory storage to cache frequently accessed data pages, indexes,
and plans for faster retrieval. This is known as the buffer pool. When data is queried, SQL
Server first checks the buffer pool. If the data is not there, it reads it from disk and then
stores it in the buffer pool for future access.

The Lazy Writer process manages the buffer pool by writing dirty pages (modified pages)
back to disk and freeing up space for new pages when needed.

7. Filegroups

Filegroups are a logical structure that groups database files (either primary or secondary)
together. Filegroups provide flexibility in managing large databases and can be used for:

• Performance optimization: Storing tables and indexes on different filegroups,

spreading them across multiple disks to enhance performance.
• Backup management: SQL Server allows backing up individual filegroups, which
can simplify backup and recovery in large databases.

8. Database Snapshots

A database snapshot is a read-only, static view of the database at a specific point in time.
SQL Server uses a copy-on-write mechanism for snapshots:
 • Whenever a change is made to the database, the original data page is copied to the
snapshot before being overwritten in the database. The snapshot only stores the original
pages that have been modified, making it more storage-efficient.

9. Data Compression

SQL Server offers two types of data compression to optimize storage space and improve I/O
performance:

• Row Compression: Reduces the amount of storage space by using variable-length

storage for fixed-length data types.
• Page Compression: In addition to row compression, page compression compresses
data by eliminating duplicate values within a page.

10. TempDB Storage

SQL Server uses a special database called TempDB for temporary storage of data such as:

• Temporary tables and indexes.

• Intermediate query results.
• Sorting and aggregation operations.
• Cursors and table variables.

TempDB is recreated every time SQL Server is restarted, and it plays a critical role in
performance, as many operations rely on it.

Conclusion
Data storage in SQL Server is highly structured, with data stored in pages and extents
within primary, secondary, and log files. The use of indexes, transaction logs, and in-
memory buffer pools ensures efficient access, management, and integrity of the data.
Filegroups, compression, and TempDB further enhance flexibility and performance in
larger and more complex databases. SQL Server’s architecture is designed to provide
both reliability and scalability for enterprise-level database management.

Day:-57

Collecting evidence from a MySQL server :-

Collecting evidence from a MySQL server involves extracting critical information that can
help investigate unauthorized access, data manipulation, or other security incidents. Proper
evidence collection is crucial for digital forensics, ensuring that all data is accurately
captured, preserved, and can be used in court or internal investigations. Below is a guide on
how to collect evidence from a MySQL server.

Steps for Collecting Evidence on a MySQL Server

1. Secure the System

Before collecting any evidence, ensure that the system is secured to prevent any further
changes or tampering. This includes:

• Disabling unnecessary services or limiting access to the MySQL server.

• Isolating the server from the network if necessary to prevent external tampering or
attacks.

2. Create a Forensic Image (Snapshot) of the Server

Before interacting with the MySQL server, it’s crucial to create a full disk image or snapshot
of the entire server, including the database, logs, and system files. This ensures that you
have an unaltered copy of the server data to analyze if needed.

• Use disk imaging tools like dd, FTK Imager, or EnCase to capture a full image of the
disk or partition where the MySQL data resides.
• Document the process carefully, maintaining a proper chain of custody.

3. Collect Configuration and Version Information

Gather information about the MySQL configuration and server version to understand the
environment and identify potential vulnerabilities.

Steps:

• Connect to the MySQL server and run the following command to capture the
version and environment information:

SELECT VERSION();
SHOW VARIABLES;
SHOW GLOBAL VARIABLES;

This will provide information about the MySQL version, configuration settings, and
environment variables.

• Export the configuration file my.cnf (Linux) or my.ini (Windows), which contains
server parameters and settings:

cat /etc/my.cnf # Linux

type C:\ProgramData\MySQL\MySQL Server X.X\my.ini #
Windows

4. Dump the MySQL Database

Create a full backup (dump) of all the databases for further analysis. This includes both the
schema (structure) and data.

Steps:

• Use the mysqldump command to export all the databases to a SQL file:

mysqldump -u [user] -p --all-databases --single-

transaction --routines --events --triggers --skip-
lock-tables > all_databases_backup.sql

• Options used:
• --all-databases: Dumps all databases.
• --single-transaction: Creates a consistent
snapshot for transactional databases like InnoDB.
• --routines: Includes stored procedures and
functions.
• --events: Includes database events.
• --triggers: Includes triggers.
• --skip-lock-tables: Prevents table locking
during the dump process.
Ensure the dump file is stored securely and make a note of the exact time and date of the
backup.

5. Collect Logs

Logs are critical in determining who accessed the system and what actions were performed.
MySQL generates several types of logs that you should collect:

a) General Query Log

The General Query Log records all SQL queries executed by the server, including login
attempts. This log is useful for understanding user activities.

• To enable the general query log (if not already enabled):

SET GLOBAL general_log = 'ON';

SET GLOBAL log_output = 'FILE';

• To find the location of the general query log:

SHOW VARIABLES LIKE 'general_log_file';

• Copy the contents of the log file for analysis:

cp /path/to/general_log_file /path/to/
evidence_folder/general_query_log.sql

b) Error Log

The Error Log records errors that occur during the operation of the MySQL server, including
startup, shutdown, and runtime errors. It may also contain information about potential
attacks or crashes.

• Find the location of the error log:

SHOW VARIABLES LIKE 'log_error';

 • Copy the error log for review:

cp /path/to/error_log_file /path/to/evidence_folder/
error_log.sql

c) Binary Log (Binlog)

The Binary Log contains a record of all changes made to the database (e.g., INSERT, UPDATE,
DELETE statements), as well as the time and user associated with each change. This is
critical for tracking data manipulation.

• To see if binary logging is enabled and find the log file:

SHOW VARIABLES LIKE 'log_bin';

SHOW BINARY LOGS;

• If enabled, copy the binary logs:

cp /path/to/mysql_binlog.* /path/to/evidence_folder/

d) Slow Query Log

The Slow Query Log records queries that take longer than a specified time to execute. It is
useful for detecting potential performance issues or malicious queries designed to overload
the server.

• Find the location of the slow query log:

SHOW VARIABLES LIKE 'slow_query_log_file';

• Copy the slow query log:

cp /path/to/slow_query_log_file /path/to/
evidence_folder/slow_query_log.sql

6. Audit Logs (If Available)

MySQL may have audit logs enabled if third-party plugins, such as MySQL Enterprise Audit,
are installed. Audit logs track all user actions and are extremely useful for forensic
investigations.

• Check if audit logs are enabled:

SHOW VARIABLES LIKE 'audit_log_file';

• If enabled, copy the audit log file:

cp /path/to/audit_log_file /path/to/evidence_folder/
audit_log.sql

7. User and Privilege Information

Extract information about the users, their privileges, and roles to identify suspicious or
unauthorized accounts or privileges.

Steps:

• Dump user accounts and privileges:

SELECT user, host, authentication_string, plugin FROM mysql.user;

SHOW GRANTS FOR 'user'@'host';

• Save the results to a file:

mysql -u [user] -p -e "SELECT user, host,

authentication_string, plugin FROM mysql.user" >
user_privileges.sql

8. Review File System for Suspicious Activity

Investigate the MySQL data directory and file system for any signs of tampering or
suspicious files. The MySQL data directory stores the actual database files.

• To find the data directory:

SHOW VARIABLES LIKE 'datadir';

• Check for unusual files or changes in file permissions:

ls -la /path/to/mysql/data/

• Record any irregularities for further analysis.

9. Network Information

Gather information about network connections and communication to the MySQL server, as
attackers often use network-based attacks.

• Use the netstat command to capture active network connections:

netstat -anp | grep mysqld > network_connections.txt

• Capture firewall rules:

iptables -L > firewall_rules.txt

10. Create a Chain of Custody

Maintain a chain of custody for all evidence collected. This ensures that the evidence is
admissible in court and that its integrity is maintained. Include the following details:

• Date and time of collection.

• Name and role of the person collecting the evidence.
• The method of evidence collection.
• A description of the evidence (e.g., log files, database dump, etc.).
• Details of where and how the evidence is stored.

11. Preserve the Evidence

Once the evidence is collected, store it in a secure location to prevent unauthorized access
or tampering. Ensure that all the evidence is hashed using algorithms like MD5 or SHA-256
to verify its integrity over time.

md5sum evidence_folder/* > evidence_hashes.txt

Conclusion

Collecting evidence from a MySQL server involves gathering data from multiple
sources, including logs, database dumps, user accounts, and network information. The
integrity of the evidence must be maintained throughout the process by following a
structured and documented approach. This evidence will be crucial for identifying
malicious activities, investigating data breaches, or complying with legal requirements.