Database_Forensics Flashcards
CHFI certificate
NAME?
is used for trusted connections
-e
is used to echo the input
NAME?
is used for column separation
Database and log file (MSSQL)
\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\DATA*.MDF | *.LDF
DBCC BUFFER
Returns the buffer headers and pages from the SQL server buffer cache where the results are stored
DBCC DBINFO
Returns information related to the database metadata
DBCC DBTABLE
Returns structure of selected database table
dbcc loginfo and go
to obtain the VLF allocations for the moviescope database:
DBCC PAGE
Returns the data page structure of the selected database
DBCC PROCBUF
returns the contents of the SQL Server procedure buffer. Buffer contains SQL server cached executable statements such as stored procedures and SQL queries
DBCC SHOWFILESTATUS
Returns information related to the space occupied by the data files in an active database.
sp_helpdb moviescope and go
to determine the locations of the transaction log files associated with moviescope database (moviescope is the database for demonstration purposes)
sp_helpdb
command outputs the information related to a specific database.
SQL Server error logs
\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\LOG\ERRORLOG
Trace files
\Microsoft SQL Server\MSSQL14.MSSQLSERVER \MSSQL\ LOG\LOG_#.TRC
Identify the SQL server function that allows investigators to retrieve the active portion of a transaction log file, such as the target database object, specific columns, SPID, and date/time range.
fn_dblog ()
DBCC Commands
Database Consistency Checker commands may give the investigator valuable insight into what is happening within the Server system.
Pslist commands
displays elementary information about all the processes running on a system.
net session commands
Command is used for managing server computer connections
select * from sys.dm_exec_cached_plans
To view one row per plan attribute for the plan specified by the plan handle.
Select * from ::fn_dblog(NULL, NULL)
Displays the active portion of the transaction log file. Assigning NULL values imply that the start and end points for log sequence numbers (LSNs) are not specified.
select * from sys.dm_exec_cached_plans cross apply sys.dm_exec_sql_text(plan_handle)
Retrieve the SQL text of all cached entries.
select * from sys.dm_exec_query_stats
To collect additional plan cache specifics from the database, like viewing the aggregate performance statistics.
select * from sys.dm_exec_query_stats
To collect additional plan cache specifics from the database, like viewing the aggregate performance statistics.
Select * from ::fn_dblog(NULL, NULL)
Displays the active portion of the transaction log file. Assigning NULL values imply that the start and end points for log sequence numbers (LSNs) are not specified.
DBCC LOG(<databasename>, <output>)</output></databasename>
command allows investigators to view and retrieve the active transaction log files for a specific database.
Offset in Row
In row data offset of modification
LOP_BEGIN_XACT
Indicates the beginning of a transaction
LOP_COMMIT_XACT
Indicates the end of a transaction
LOP_MODIFY_ROW
Indicates the type of transaction performed
RowLog Contents 1
Value of the row after modification
RowLog Contents 0
Value of the row before modification
Slot ID
On data page row location of record
Connection Pool
handles all the client connection needs such as user authentication, memory checks, thread processing, caches, etc.
MyISAM
Provides unlimited data storage, Well-known for storing and retrieving huge volumes of seldom-accessed archival or historical data
ARCHIVE
Provides unlimited storage limit in compressed format
BLACKHOLE
Allows systems to write data: however, these data are never saved
SQL Interface
User interface that accepts SQL syntax and transmits the results to the user.
Query Cache
Caches the query structure and query results that are unique to MySQL
Cache and Buffers
They ensure that the commonly used data are provided in an efficient way.
Parser
validates the SQL queries entered by a user
Query Optimizer
Excludes known-bad conditions in the query before executing the join expression
Error log (HOSTNAME.err)
It contains the information associated with the start-up and shutdown events as well as the errors.
General query log (HOSTNAME.log)
It contains logs regarding the client connections and activities
Relay log (HOSTNAMErelay-bin.n)
It contains the events that describe the changes that occurred in the database.
Master info file (master.info)
It is created by a replication slave server that contains the essential parameters used for connecting to the master slave.
lbdata1
lbdata1 data file stores the permanent table records of InnoDB
PID
The server’s process ID (PID) file, which stores the MySQL server’s process ID
auto.cnf
file containing the server_uuid which is used to uniquely identify a server
[tablename].myd
Contains the table data of MyISAM Storage Engine
mysqldump
Take a backup of the database using
mysqlexport
To export metadata or data, or both from one or more databases
mysqlbinlog
To display the content of bin logs (mysql-bin.nnnnnn) in text format.
myisamlog
To process the MyISAM log file and perform recovery operation, display version information, etc., depending on the situation. The default operations of this utility include update(-u) and recovery(-r).
