On August 31, 2008, you receive a call from a client, who states that her company may have been a victim of a security incident some time during the past 24 hours. The client explains that an employee, Mike Smith, came into work earlier that day and noticed he could not log in to the company's production SQL Server, which is called PROD-SQL05. Another employee logged into the server and noticed that an unauthorized account, EASYACCESS, had been created. Mike is convinced that someone gained access to his account and insists he has not used it in the past 24 hours. The PROD-SQL05 server in question stores and processes sensitive credit card data, so the client is concerned about the possibility of a security breach. However, the client is also concerned about a delivery deadline that will prevent the server from being taken offline as a result of the mere suspicion of a security incident.
The client advises you that the PROD-SQL05 server uses native SQL Server encryption and was in the process of being changed from an old encryption key to a new key. The production data was still using the CCProtect_Key, so the client is unclear as to which users have had access to the encryption keys. She does know that Mike Smith was leading the key migration project. The client also informs you that production credit card information was stored within the Orders table. Two other tables, OrderHistory and BackupOrders, were created with test data. The focus of the investigation should be on just the Orders table, as it alone contains sensitive information.
The goal of your investigation will be to determine if a database intrusion has occurred and, if so, to identify the actions the intruder performed within the system. Perhaps most importantly, you need to determine what, if any, sensitive data was disclosed.
When you arrive on scene, you are briefed by the client. She provides you with the necessary user credentials and the instance name of the SQL Server at the center of the investigation. The client also advises you that a major application release is planned later in the week, so the server cannot be taken offline unless you can provide sufficient proof that an incident has occurred.