Recover SQL Server Master Database – How To

SQL database forensics is the investigation techniques and analysis procedures done in order to collect SQL database evidence that is optimum and suitable for court law presentation. Corporate cases usually involve server databases and it is quite difficult to deal with the active servers and perform analysis on them. It is important for investigators to know about the files belonging to SQL Server. This section will highlight the important steps while investigating SQL Server.

Retrieval of  Relevant Repositories

The primary SQL Server data exist mainly in SQL Server which stores it externally in the Windows Operating System (disk). But it does not restrict the server information to the databases; users can retrieve it from various other files as well. Below mentioned are some of the files which have forensic importance;

• SQL Server sessions, users, requests, and connection information.
• SQL databases MDF files, NDF files, Transaction log files.
• Plan cache, data cache, indexes, tempdb, page file, and memory.
• Server logs, System event logs, SQL Server trace files.

Where to retrieve the data from?

Acquiring database files can be easy by going to the mentioned paths. It must be kept into consideration that the databases need to detach or it needs to acquire by stopping the server service for a while. Once the MDF and NDF files i.e. acquire the Primary database and Secondary database, the SQL Server at the investigator’s workstation can use and analyze by creating a similar environment.

Corporates usually do not provide this much time for analyzing the databases on the servers so investigators have to make this smart move of acquiring the databases from the file system. In such a situation, the process of the operation should terminate temporarily in order to fetch all the databases. And it can complete it by executing ‘Service’ from the control panel by selecting the relevant service.

SQL Server Registry Path & Key

 

How to Perform Analysis & Recover SQL Server Master Database?

There are many situations where the SQL databases can be inoperative or corrupted and hence can be inaccessible as well. In such a situation, some external utility needs to use for recovering the data items from SQL databases. SQL Server Manager can be an optimum software solution for managing the SQL Server database recovery operation. It not only helps in recovering corrupted data but also recovers deleted data elements from the SQL databases which are highly required for investigation. This software has the added advantage of being a comprehensive product for recovering databases to SQL databases on the server or recovering them as SQL compatible scripts. Thus, the databases can be then analyzed on investigators’ workstations by recreating the databases and environment. SQL Server Database Manager Application can be utilized in order to recover the corrupted or inaccessible SQL databases.

• Launch the SQL Server Database Manager. This application is a complete suite for various activities like; recovering SQL database, removal of encryption, password resetting, analyzing transaction log files, backup recovery, etc. Select the first module i.e. “Recover Data from Corrupt SQL Server Database”.

 

• Click “Open” in order to add the SQL database.

• Check Scan Mode as per corruption level in the database as; Quick and Advance Scan.

• Once the scanning completes, the software will display all the data elements of databases including deleted items from the table.

Click Export in order to export the SQL database to; Live SQL Server or SQL compatible scripts as per the requirement of the investigator. This helps investigators to work on the same server or different servers as well.

In this way, SQL Server Database Manager helps to recover the SQL Server master database from its corrupted state in order to analyze this database for investigation purposes. It has an added advantage of SQL deleted data recovery as well.