Good afternoon,
I am investigating a matter that includes unauthorized access to a SQL database. I would like to open the log file (.ldf) to see if it contains any record of the intruder's activities while on the SQL server.
Can anyone tell me the best (free) way to parse or view the .ldf file?
Thanks,
John
Do you also have the .mdf file? Why not restore the database into your own SQL server and review the info there; the logs would be available once the database was restored. Also, any unauthorized access may be logged in the Event Viewer of the victim server.
This may do it too
http://wareseeker.com/System/lumigent-log-explorer-4.00.zip/1ffbc58bf
Think he was looking for a lower cost solution.
That link should allow a download for a demo version. Not sure how long the demo is for though.
My apologies, that link apparently ends up at a dead end. So here is another one:
http://www.red-gate.com/products/SQL_Log_Rescue/index.htm
There's also Log PI and Apex SQLLog. Apex has a trial as well but it may limit what you can retrieve. It's by far the most expensive if you had to buy something. I couldn't find a valid link to Log PI. Maybe someone else has a place to find it.
http://www.apexsql.com/download.asp
Are there any restrictions or limitations in the evaluation version of ApexSQL Log?
ApexSQL Log evaluation version can be installed on any number of server instances and users are not restricted to using it with only predetermined databases. However, the evaluation version does have two important limitations:
* Trial is limited to 30 days for any given server instance
* Generation and export of UNDO/REDO scripts is limited to every 10th operation.
According to that quote, not much!!
JlGolin, try it and let us know!
One thing I failed to mention is that I do not have an SQL server of my own. I had just exported the ldf file from a forensic image and was hoping there was a utility that would allow me to parse the file to view the contents.
I've downloaded a couple free trials, including the one from Apex and when you install it the first thing it asks for is a db to which it can connect.
I had read that Microsoft Log Parser 2.2 is capable of querying the log file, but that would require me knowing which fields to query. I have not been able to find any documentation regarding the fields contained within the transaction log (ldf file); hence I would not know how to write the query. If anyone can point me in the direction of any such documentation I would be very appreciative.
The long and short of it is that I think it may be easier to restore the database as zbrojovka had suggested. Thanks to everyone for their assistance (past and future).
-jlgolin
Having your own instance of SQL is easy. First you will need to install MSDE (Microsoft SQL Desktop Engine)
Next download DBAMGR2K. This will allow you to view, add, edit databases just like Enterprise Manager
Both of those utilities are free. Side note though, when you're done doing your SQL business make sure to change the mssqlserver service to not auto start. It can be a resource hog.
It would be great if you could restore a full back up here in your own instance of SQL.
Now for queries. You can run queries against the .ldf via Query Profiler using the DBCC command. Here are a couple of resources to get you started if you resort to querying the .ldf after restoring
Depending on how badly you want this information and the profile of this case you may consider seeking the cooperation of the victim DBA or finding a DBA to assist you. The SQL world gets fun fast 😉
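The attach-then-query route described in the last two posts, as an added worked example that is not from the thread or from any of the tools named in it. It assumes copies of the .mdf/.ldf pair have been exported from the forensic image to C:\Evidence\ (path and the database name Evidence are assumptions) and that the investigator's own instance is SQL Server 2000/MSDE or later. It reads the log through the undocumented fn_dblog() function rather than a third-party log reader; the same records are what DBCC LOG prints, so the DBCC form is shown as the alternative. Work only on copies: attaching runs recovery, which writes to both files.

```sql
-- Added example, not from the original thread. Paths and the
-- database name 'Evidence' are assumptions; adjust to your copies.
USE master;
GO

-- Attach the recovered pair. The primary .mdf must be listed first.
-- (On SQL Server 2000/MSDE, EXEC sp_attach_db 'Evidence',
--  'C:\Evidence\victim.mdf', 'C:\Evidence\victim_log.ldf' is equivalent.)
CREATE DATABASE Evidence
    ON (FILENAME = 'C:\Evidence\victim.mdf'),
       (FILENAME = 'C:\Evidence\victim_log.ldf')
    FOR ATTACH;
GO

-- Stop our own instance from writing anything further into the copy.
ALTER DATABASE Evidence SET READ_ONLY;
GO
USE Evidence;
GO

-- Transaction boundaries with the login SID that started each transaction,
-- in log-sequence order. fn_dblog(NULL, NULL) returns the whole active log;
-- on SQL Server 2000 write it as ::fn_dblog(NULL, NULL).
SELECT [Current LSN],
       [Transaction ID],
       [Begin Time],
       [End Time],
       [Transaction Name],
       [Transaction SID],
       SUSER_SNAME([Transaction SID]) AS LoginName   -- NULL unless the SID exists here
FROM fn_dblog(NULL, NULL)
WHERE Operation IN ('LOP_BEGIN_XACT', 'LOP_COMMIT_XACT', 'LOP_ABORT_XACT')
ORDER BY [Current LSN];
GO

-- Row-level changes and the object (allocation unit) they touched.
-- Join back to the list above on [Transaction ID] to tie a change to a login.
SELECT [Current LSN],
       [Transaction ID],
       Operation,
       Context,
       AllocUnitName,
       [Page ID],
       [Slot ID]
FROM fn_dblog(NULL, NULL)
WHERE Operation IN ('LOP_INSERT_ROWS', 'LOP_DELETE_ROWS', 'LOP_MODIFY_ROW')
ORDER BY [Current LSN];
GO

-- The DBCC form the post above refers to; level 3 includes the
-- operation, context and transaction columns used in the queries above.
DBCC LOG('Evidence', 3);
GO
```

Two caveats a practitioner will hit. First, [Transaction SID] is the victim server's login SID: SUSER_SNAME resolves it on your instance only for Windows accounts your machine can see, or for SQL logins recreated with the same SID, so export the victim's syslogins (or sys.server_principals) from the image to map SIDs to names. Second, fn_dblog only shows what is still in the log; a database in SIMPLE recovery truncates the log at every checkpoint, so an .ldf may hold far less history than its size suggests.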