6. Incident Verification

Incident verification involves performing a preliminary investigation on a live database server in an effort to identify the occurrence of a database intrusion. There is no simple way of determining what to look for during this preliminary investigation. Data remnants left after a database intrusion will be spread among a number of SQL Server artifacts. Data indicating prior unauthorized database access or usage will need to be specially identified and analyzed. This entire process will also need to be performed on a live SQL Server in a time-efficient manner.

This chapter walks you through the incident verification process from end to end. We begin by defining incident verification, the way in which it should ...

Get SQL Server Forensic Analysis now with the O’Reilly learning platform.
