Database Forensics

00:00

Hi, everyone. Welcome back to the course. So the last module we wrapped up our discussion on weather tax

00:07

in this module, we're gonna briefing cover database. Forensics were Just talk about this at a very high level.

00:13

So just a quick pre assessment question here. The secondary data files are required. Is that true or false?

00:20

Are so let's false. The secondary data files are actually optional. We'll talk about that in a little bit.

00:27

So Microsoft Sequel server M s sequel is he might see it on the exam itself. Especially this a relational database management system.

00:35

Different ways we can get information from it. The transact sequel, or T sequel, as it's more commonly called snack and CLR. So ah, sequel server, native client and the common language run time.

00:48

So in the forensic aspect of it data and loves air going to store the three different files. So we got the primary data file secondary data file as well. See, transaction log data file.

01:00

Primary data file s name implies it's a starting point of the database, and then that points to other files in the database. Right? So other areas, right? So, for example, you know, Think of it like spaghetti and meatballs. So the meatball will be the starting point. So the primary data file and then it would have all those little stringy paths or the noodles

01:18

to the other points of the database.

01:21

Normally, we see it with the dot NDF extension. So definitely remember that for your exam. And then it stores all data in database objects. Those things like tables and essays, et cetera.

01:32

The secondary data file. This one is optional. So remember our pre assessment question. We said it was required. It's actually optional. Andi contain the database. Couldn't contain multiple, right. So can have a single secondary file. It can have multiple ones. They could even have Sierra one of them, right? And then the file type we normally see is dot nd f the file extension

01:53

and then the transaction log data file. This one basically holds the entire log information that's associated with the database. So this one helps. Ah, forensic investigator examined the transactions that were occurring in the database, even if the data was deleted from the database. Right. So that's one key aspect there.

02:10

So this one's gonna be an extension of dot l B f.

02:16

One thing you're just gonna wantto memorize for your exams. His path. Right here. Um, So, uh, if you want to collect the MDF and you're gonna come to see program Microsoft sequel server, you know, etcetera, etcetera and then ending an m s sequel

02:32

backslash data. So just remember that portion of it. If you remember nothing else. Remember that last portion of it? Emma sequel backwards. Slashing data. You should be good to go. Some of its kind of common sense, right? You figure that that would be in the data area, But just memorize that for the exam.

02:50

So location of the files for restoration of evidence, some other things you will just want to memorize here. So the database in log Files, M s sequel, backward slash data, as we have just seen trace files Emma sequel backwards slash log and then the sequel server Air log files. As the name implies,

03:07

M s equal law, backwards slash air log,

03:13

different commands you'll just want to be familiar with for the exam sequel command. So that's for a system procedures. The my sequel Dump That one takes a back of the database my sequel database export or D B Export exports and made a data.

03:28

My eye Sam Law gives you the version information recovery operations. It's used for recovery operations. And then Maya Sam check basically checks the status of the Maya sam table.

03:39

So the sequel server planned cash. I just wantto basically no, Like what? This is What's that used for? S o this store's details on all the sequel statements that have been executed. So even if they're deleted, it contains the information about all of them. So very important as an investigator

03:55

trace file collection. This is, ah, gonna be events that that occurred on the sequel server and also the host database. Eso

04:04

again, just kind of memorized this past here the M s sequel Backward sash log and you should be good to go for the exam.

04:13

Just a quick post assessment question on the command aspect. So the mice equal dump command is used to get the version information.

04:18

Is that true or false?

04:21

It's less false, right? If you remember that, commands actually used to take a back up with the database in and you will definitely want to know that command for the exam