Recover SQL Server Master Database – How To

SQL database forensics is the investigation techniques and analysis procedures done in order to collect SLQ database evidences which are optimum and suitable for court law presentation. Corporate cases usually involve the server databases and it is quite difficult to deal with the active servers and perform analysis on them. It is important for investigators to know about the files belonging to SQL Server. This section will highlight the important steps to be taken while investigating SQL Server.

Relevant Repositories To Be Retrieved

The primary SQL Server data exist mainly in SQL Server which is stored externally in the Windows Operating System (disk). But the server information is not restricted to the databases; it can be retrieved from various other files as well. Below mentioned are some of the files which have forensic importance;

• SQL Server sessions, users, requests, and connection information.
• SQL databases MDF files, NDF files, Transaction log files.
• Plan cache, data cache, indexes, tempdb, page file, and memory.
• Server logs, System event logs, SQL Server trace files.

Where to retrieve the data from?

Database files can be easily acquired by going to the mentioned paths. It must be taken into consideration that the databases need to be detached or it needs to be acquired by stopping the server service for a while. Once the MDF and NDF files i.e. Primary database and Secondary database are acquired, the SQL Server at investigator’s workstation can be used and analyzed by creating similar environment.

Corporates usually do not provide this much time for analyzing the databases on the servers so investigators have to make this smart move of acquiring the databases from file system. In such situation, the process of the operation should be temporarily stopped in order to fetch all the databases. This can be also done by executing ‘Service’ from control panel by selecting relevant service.

SQL Server Registry Path & Key

 

How to Perform Analysis & Recover SQL Server Master Database?

There are many situations where the SQL databases can be inoperative or corrupted and hence can be inaccessible as well. In such situation, some external utility is supposed to be used for recovering the data items from SQL databases. SQL Server Manager can be an optimum software solution for managing the SQL Server database recovery operation. It not only helps in recovering corrupted data, but also recovers deleted data elements from the SQL databases which are highly required for investigation. This software has an added advantage of being a comprehensive product for recovering databases to SQL databases on the server or recovering them as SQL compatible scripts. Thus, the databases can be then analyzed on investigators workstations by recreating the databases and environment. SQL Server Database Manager Application can be utilized in order to recover the corrupted or inaccessible SQL databases.

• Launch the SQL Server Database Manager. This application is a complete suite for various activities like; recovering SQL database, removal of encryption, password resetting, analyzing transaction log file, backup recovery, etc. Select the first module i.e. “Recover Data from Corrupt SQL Server Database”.

 

• Click “Open” in order to add the SQL database.

• Check Scan Mode as per corruption level in the database as; Quick and Advance Scan.

• Once the scanning is completed, software will display all the data elements of databases including deleted items from table.

Click Export in order to export the SQL database to; Live SQL Server or SQL compatible scripts as per the requirement of investigator. This helps investigators to work on the same server or different server as well.

In this way, SQL Server Database Manager helps to recover SQL Server master database from corrupted state in order to analyze this database for investigation purpose. It has an added advantage of SQL deleted data recovery as well.