SQL Server 2000 investigation

11 Posts
3 Users
0 Reactions
2,224 Views
(@jlgolin)
Active Member
Joined: 16 years ago
Posts: 5
Topic starter  

Good afternoon,

I am investigating a matter that includes unauthorized access into a SQL database. I would like to open the log file (.ldf) to see if it contains any record of the intruders activities while on the SQL server.

Can anyone tell me the best (free) way to parse or view the .ldf file?

Thanks,

John


(@zbrojovka)
Eminent Member
Joined: 17 years ago
Posts: 20
 

Do you also have the .mdf file? Why not restore the database into your own SQL server and review the info there... the logs would be available once the database was restored. Also, any unauthorized access may also be logged in the event viewer of the victim server.


(@zbrojovka)
Eminent Member
Joined: 17 years ago
Posts: 20
 

This may do it too

http://wareseeker.com/System/lumigent-log-explorer-4.00.zip/1ffbc58bf


(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

> This may do it too
>
> http://wareseeker.com/System/lumigent-log-explorer-4.00.zip/1ffbc58bf

Think he was looking for a lower cost solution.


(@zbrojovka)
Eminent Member
Joined: 17 years ago
Posts: 20
 

That link should allow a download for a demo version. Not sure how long the demo is for though.


(@zbrojovka)
Eminent Member
Joined: 17 years ago
Posts: 20
 

My apologies, that link apparently ends up at a dead end. So here is another one:
http://www.red-gate.com/products/SQL_Log_Rescue/index.htm

There's also Log PI and Apex SQLLog. Apex has a trial as well but it may limit what you can retrieve. It's by far the most expensive if you had to buy something. I couldn't find a valid link to Log PI. Maybe someone else has a place to find it.

http://www.apexsql.com/download.asp


(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

> My apologies, that link apparently ends up at a dead end. So here is another one:
> http://www.red-gate.com/products/SQL_Log_Rescue/index.htm
>
> There's also Log PI and Apex SQLLog. Apex has a trial as well but it may limit what you can retrieve. It's by far the most expensive if you had to buy something. I couldn't find a valid link to Log PI. Maybe someone else has a place to find it.
>
> http://www.apexsql.com/download.asp

> Are there any restrictions or limitations in the evaluation version of ApexSQL Log?
>
> The ApexSQL Log evaluation version can be installed on any number of server instances and users are not restricted to using it with only predetermined databases. However, the evaluation version does have two important limitations:
>
> * Trial is limited to 30 days for any given server instance
>
> * Generation and export of UNDO/REDO scripts is limited to every 10th operation.


(@zbrojovka)
Eminent Member
Joined: 17 years ago
Posts: 20
 

According to that quote, not much!

JlGolin, try it and let us know!


(@jlgolin)
Active Member
Joined: 16 years ago
Posts: 5
Topic starter  

One thing I failed to mention is that I do not have an SQL server of my own. I had just exported the ldf file from a forensic image and was hoping there was a utility that would allow me to parse the file to view the contents.

I've downloaded a couple free trials, including the one from Apex and when you install it the first thing it asks for is a db to which it can connect.

I had read that Microsoft Log Parser 2.2 is capable of querying the log file, but that would require me knowing which fields to query. I have not been able to find any documentation regarding the fields contained within the transaction log (ldf file); hence I would not know how to write the query. If anyone can point me in the direction of any such documentation I would be very appreciative.

The long and short of it is that I think it may be easier to restore the database as zbrojovka had suggested. Thanks to everyone for their assistance (past and future).

-jlgolin


(@zbrojovka)
Eminent Member
Joined: 17 years ago
Posts: 20
 

Having your own instance of SQL is easy. First you will need to install MSDE (Microsoft SQL Desktop Engine):

http://www.microsoft.com/downloads/details.aspx?familyid=413744D1-A0BC-479F-BAFA-E4B278EB9147&displaylang=en

Next download DBAMGR2K. This will allow you to view, add, and edit databases just like Enterprise Manager:

http://www.asql.biz/GetFile.aspx?ID=5

Both of those utilities are free. Side note though, when you're done doing your SQL business make sure to change the mssqlserver service to not auto start. It can be a resource hog.

It would be great if you could restore a full backup here in your own instance of SQL.

Now for queries. You can run queries against the .ldf via Query Profiler using the DBCC command. Here are a couple of resources to get you started if you resort to querying the .ldf after restoring:

http://www.mssqlcity.com/Articles/Undoc/SQL2000UndocDBCC.htm
http://searchsqlserver.techtarget.com/tip/0,289483,sid87_gci1173464,00.html

Depending on how bad you want this information and the profile of this case you may consider seeking the cooperation of the victim DBA or finding a DBA to assist you. The SQL world gets fun fast 😉
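The procedure sketched across this thread (restore the imaged database into a scratch instance, then query the transaction log with the undocumented DBCC/log functions) as one worked T-SQL script. This is an added example, not code from any poster or from Microsoft's documentation. It assumes the .mdf and .ldf were copied out of the forensic image to `D:\case\` (placeholder path), that the scratch instance is SQL Server 2000 (hence the `::` prefix on `fn_dblog`), and that `fn_dblog` exposes the column names used below; both the function and `DBCC LOG` are undocumented, so confirm the columns with `SELECT *` first.

```sql
-- Added example: attach a COPY of the imaged .mdf/.ldf to a scratch
-- SQL Server 2000 instance and read the transaction log records.
-- Paths and the database name are placeholders.

-- 1. Attach the copied files. Work only on copies: attaching runs crash
--    recovery, which rolls back open transactions and rewrites both files,
--    so the originals in the image must never be used.
EXEC sp_attach_db
     @dbname    = N'victim_copy',
     @filename1 = N'D:\case\victim.mdf',
     @filename2 = N'D:\case\victim_log.ldf';
GO

-- 2. Stop the scratch instance from truncating the log you want to read:
--    a checkpoint under SIMPLE recovery discards inactive log records,
--    and a read-only database is never checkpointed again.
ALTER DATABASE victim_copy SET RECOVERY FULL;
ALTER DATABASE victim_copy SET READ_ONLY;
GO

-- 3. List the data-changing records still in the active log.
--    fn_dblog(NULL, NULL) returns the whole active log; the column names
--    below are assumed for SQL 2000 (undocumented, verify with SELECT *).
USE victim_copy;
SELECT [Current LSN],
       Operation,          -- LOP_INSERT_ROWS, LOP_DELETE_ROWS, LOP_MODIFY_ROW, ...
       Context,
       [Transaction ID],   -- join key to the LOP_BEGIN_XACT record
       [Transaction Name], -- e.g. INSERT, DELETE, DROPOBJ, user-named transactions
       [Begin Time]        -- populated only on the LOP_BEGIN_XACT record
FROM ::fn_dblog(NULL, NULL)
WHERE Operation IN ('LOP_BEGIN_XACT', 'LOP_INSERT_ROWS',
                    'LOP_DELETE_ROWS', 'LOP_MODIFY_ROW')
ORDER BY [Current LSN];

-- 4. The same records through the older DBCC interface; level 3 prints
--    full detail for each record.
DBCC LOG ('victim_copy', 3);
GO
```

Two caveats a practitioner should keep in mind. Only the active portion of the log survives: if the victim database ran in SIMPLE recovery, or a log backup had truncated it, the records from the intrusion window may already be gone, and step 3 will show only recent activity. Second, the log records carry transaction IDs and timestamps but not host names or logins; those come from the SQL Server error log and the Windows Security event log on the victim, which is why the event viewer suggestion earlier in the thread belongs in the same workflow (match the `Begin Time` values against logon events from the same period).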


Page 1 / 2