Database Forensics

Video Transcription
Hi, everyone. Welcome back to the course. So in the last module we wrapped up our discussion on web attacks.
In this module we're going to briefly cover database forensics. We'll just talk about this at a very high level.
So just a quick pre-assessment question here: the secondary data files are required. Is that true or false?
All right, so that's false. The secondary data files are actually optional. We'll talk about that in a little bit.
So Microsoft SQL Server, or MSSQL as you might see it on the exam itself, is essentially a relational database management system.
There are different ways we can get information from it: Transact-SQL, or T-SQL as it's more commonly called, SNAC and CLR. So that's the SQL Server Native Client and the Common Language Runtime.
So in the forensic aspect of it, data and logs are going to be stored in three different files. We've got the primary data file, the secondary data file, as well as the transaction log data file.
The primary data file, as the name implies, is the starting point of the database, and it points to the other files in the database, right? So other areas. So, for example, think of it like spaghetti and meatballs. The meatball would be the starting point, so the primary data file, and then it would have all those little stringy paths, or the noodles,
to the other points of the database.
Normally we see it with the .MDF extension, so definitely remember that for your exam. And then it stores all data in database objects, things like tables and indexes, et cetera.
The secondary data file: this one is optional. So remember our pre-assessment question. We said it was required; it's actually optional. And a database can contain multiple, right? So it can have a single secondary file, it can have multiple ones, it could even have zero of them, right? And then the file extension we normally see is .NDF.
And then the transaction log data file. This one basically holds all the log information that's associated with the database. So this one helps a forensic investigator examine the transactions that were occurring in the database, even if the data was deleted from the database, right? So that's one key aspect there.
So this one's going to have an extension of .LDF.
One thing you're just going to want to memorize for your exam is this path right here. So if you want to collect the MDF, you're going to go to C:\Program Files\Microsoft SQL Server\...\, etc., etc., and then ending in MSSQL
\DATA. So just remember that portion of it. If you remember nothing else, remember that last portion of it, MSSQL\DATA, and you should be good to go. Some of it's kind of common sense, right? You'd figure that would be in the data area. But just memorize that for the exam.
So, location of the files for the restoration of evidence: some other things you'll just want to memorize here. The database and log files: MSSQL\DATA, as we have just seen. Trace files: MSSQL\LOG. And then the SQL Server error log files, as the name implies:
MSSQL\LOG\ERRORLOG.
Different commands you'll just want to be familiar with for the exam: sqlcmd, so that's for system procedures. mysqldump, that one takes a backup of the database. mysqldbexport, or DB export, exports metadata.
myisamlog gives you the version information; it's used for recovery operations. And then myisamchk basically checks the status of the MyISAM table.
So the SQL Server plan cache. You just want to basically know what this is and what it's used for. So this stores details on all the SQL statements that have been executed. So even if they're deleted, it contains the information about all of them. So very important as an investigator.
Trace file collection. This is going to be events that occurred on the SQL Server and also the host database. So
again, just kind of memorize this path here, MSSQL\LOG, and you should be good to go for the exam.
Just a quick post-assessment question on the command aspect. So the mysqldump command is used to get the version information.
Is that true or false?
It's actually false, right? If you remember, that command is actually used to take a backup of the database, and you will definitely want to know that command for the exam.
All right, so this is kind of a shorter module video, but we were just talking about database forensics in this video, and in the next module we're going to talk about cloud forensics.
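Added worked example, not part of the video or its course materials: a Python triage collector for the artifact locations the lecture lists. It builds a constructed MSSQL\DATA and MSSQL\LOG tree in a temporary directory (placeholder bytes, not real database pages), classifies each file by the extensions named above (.MDF, .NDF, .LDF, .TRC) plus the ERRORLOG naming pattern, copies it, and records and re-verifies a SHA-256 hash so the copies can be tied back to the originals. The instance and file names (Payroll.mdf and so on) are made up for the demonstration.

```python
"""Added example, not from the course video: triage collection of SQL Server
artifacts from the MSSQL\\DATA and MSSQL\\LOG locations named in the lecture.
The instance tree it runs against is constructed in a temporary directory."""
import hashlib
import ntpath
import os
import shutil
import tempfile

# Artifact classes from the lecture, keyed by extension (case-insensitive on Windows).
FILE_TYPES = {
    ".mdf": "primary data file",
    ".ndf": "secondary data file",
    ".ldf": "transaction log file",
    ".trc": "trace file",
}


def classify(path):
    """Return the artifact class for a file name, or None if it is not one we collect."""
    name = ntpath.basename(path)              # ntpath accepts both '\\' and '/' separators
    if name.upper().startswith("ERRORLOG"):   # ERRORLOG, ERRORLOG.1, ERRORLOG.2, ...
        return "SQL Server error log"
    return FILE_TYPES.get(ntpath.splitext(name)[1].lower())


def sha256_file(path):
    """Hash a file in 1 MiB chunks so large data files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def collect(instance_root, dest):
    """Copy recognised artifacts from <instance_root>/DATA and /LOG into dest.

    Returns a manifest: one dict per file with source path, artifact type and
    SHA-256, in the order the files were processed (DATA first, then LOG,
    names sorted within each directory)."""
    manifest = []
    for subdir in ("DATA", "LOG"):
        base = os.path.join(instance_root, subdir)
        if not os.path.isdir(base):
            continue
        for name in sorted(os.listdir(base)):
            src = os.path.join(base, name)
            kind = classify(src)
            if kind is None or not os.path.isfile(src):
                continue                        # unrelated files and subdirectories are skipped
            digest = sha256_file(src)
            target = os.path.join(dest, subdir, name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(src, target)           # copy2 keeps the original timestamps
            if sha256_file(target) != digest:   # verify the copy before trusting it
                raise RuntimeError(f"hash mismatch after copying {src}")
            manifest.append({"source": src, "type": kind, "sha256": digest})
    return manifest


def build_demo_instance(root):
    """Constructed sample tree mimicking ...\\MSSQL\\DATA and ...\\MSSQL\\LOG.

    File contents are placeholder bytes, not real database pages."""
    files = {
        ("DATA", "Payroll.mdf"): b"constructed primary data file",
        ("DATA", "Payroll_2.ndf"): b"constructed secondary data file",
        ("DATA", "Payroll_log.ldf"): b"constructed transaction log",
        ("DATA", "readme.txt"): b"unrelated file, must be skipped",
        ("LOG", "ERRORLOG"): b"constructed current error log",
        ("LOG", "ERRORLOG.1"): b"constructed previous error log",
        ("LOG", "log_12.trc"): b"constructed trace file",
    }
    for (subdir, name), data in files.items():
        os.makedirs(os.path.join(root, subdir), exist_ok=True)
        with open(os.path.join(root, subdir, name), "wb") as fh:
            fh.write(data)


def demo():
    """Build the constructed instance, collect it, and return the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        instance = os.path.join(tmp, "MSSQL")
        build_demo_instance(instance)
        return collect(instance, os.path.join(tmp, "evidence"))


if __name__ == "__main__":
    for entry in demo():
        print(f"{entry['type']:<22} {entry['sha256'][:16]}...  {entry['source']}")
```

Run it as a script to print the manifest. Against a real host you would point collect() at the instance's actual ...\MSSQL directory; keep in mind that SQL Server holds its data and log files open while the service is running, so the copy has to come from a stopped instance or a volume snapshot, and examining the transactions inside the collected .LDF, as the lecture describes, is a separate step done on the copy.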