7. Artifact Collection

In Chapter 6, we looked at incident verification and examined how to gather and analyze selected artifacts to verify the occurrence of a database intrusion. Although incident verification involves collecting and preserving limited data, it should not be confused with full artifact collection, which acquires all applicable SQL Server artifacts.

When one thinks of artifact collection, it is common to consider creating an image of a victim hard drive using a trusted disk duplication utility such as dcfldd or commercial forensic software such as EnCase. However, if we take this approach without knowing where key data is stored, what this data represents, and the format in which it was stored, artifact analysis will ...
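As an added illustration of the disk-duplication step just mentioned (example code, not from the book): a POSIX shell routine that images a device with dd and records SHA-256 hashes of source and image so the copy can be verified before any analysis begins. It assumes dd and sha256sum (or shasum) are available; dcfldd, named above, offers built-in hashing, but the plain-dd form shows what that hashing is for. The sample "disk" is a constructed 1 MiB random file, not a real SQL Server volume.

```shell
#!/bin/sh
# Added example: hash-verified bit-for-bit imaging with dd. Hypothetical helper
# names (sha256_of, make_sample_disk, image_and_verify) are this example's own.

# Portable SHA-256 of a file (coreutils sha256sum, or shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Constructed stand-in for a block device: 2048 sectors of 512 random bytes.
# Real devices are sector-aligned; the sample is too, so conv=sync adds no padding.
make_sample_disk() {
    dd if=/dev/urandom of="$1" bs=512 count=2048 2>/dev/null
}

# image_and_verify SOURCE IMAGE HASHLOG
# Copies SOURCE to IMAGE, hashes both, writes the hashes to HASHLOG and
# returns 0 only when the two digests match.
image_and_verify() {
    src="$1"; dst="$2"; log="$3"
    # noerror keeps reading past bad sectors; sync zero-pads a short read so
    # offsets in the image stay aligned with the original. bs=512 matches the
    # sector size, so a sector-aligned source is not padded at the end.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(sha256_of "$src")
    dst_hash=$(sha256_of "$dst")
    printf 'source=%s sha256=%s\nimage=%s sha256=%s\n' \
        "$src" "$src_hash" "$dst" "$dst_hash" > "$log"
    [ "$src_hash" = "$dst_hash" ]
}

# Usage on real media (run as a user with read access to the device):
#   image_and_verify /dev/sdX /mnt/evidence/sdX.dd /mnt/evidence/sdX.sha256
```

The hash log is the part worth keeping with the image: it lets anyone later show that the copy analysed is the copy that was taken. As the chapter goes on to argue, the image alone does not tell you which SQL Server files inside it matter or how to read them; that still requires knowing the artifact locations and formats.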
