SQL Server Forensic Investigation Scenario
In previous chapters, we've taken an end-to-end walk-through of SQL Server forensics. We began by defining what SQL Server Forensics is, examining how it can be used to augment traditional forensic investigations, and exploring each stage of the database forensics methodology. During this review, we've looked at a variety of SQL Server artifacts, the data within them, and the ways this data can be leveraged to benefit an investigation.
The goal of this chapter is to bring the technical content we've covered to life in an investigation scenario that you can walk through. Performing this walk-through will allow you to appreciate the logical progression of events during an investigation and gain a deeper understanding of how findings within artifacts can be confirmed and further analyzed. This chapter also contains some advanced activity reconstruction analysis methods that should serve as an extension to the content in Chapters 8 and 9.
This chapter will not regurgitate the information covered in previous chapters, nor will it cover all SQL Server artifacts. Instead, it aims to provide a real-world scenario of how key artifacts within an investigation can be analyzed to piece together an attack and build an attack timeline that details the actions the attacker took within the system.
The artifacts covered in this chapter are provided within the Chapter 11\artifacts folder on this book's companion DVD unless explicitly noted otherwise. As in Chapter 8, prepared versions of all artifacts are provided in addition to an automation script that will simplify importing the prepared artifacts into a new analysis database that will be set up on your SQL Server instance.