SQL Server Forensics To Carve Evidence From SQL Server MDF Database

MDF (Master Database File) file being the primary database file of the SQL server, holds schema and data artifacts of the SQL server. All the log details of SQL server are stored in a peculiar kind of file format that is available as .ldf file. The modifications to the database such as inserts, deletes and updates are stored in this LDF transaction log file. The need of SQL server forensics, i.e., forensic analysis of these MDF and LDF files occur in scenarios where it is required to detect a data security breach, levels of database intrusion, examining the stored information and much more. Unauthorized access to the database server often results in ambiguous and illicit actions such as erroneous transaction, capital loss, cyber bullying, etc.

Structure of SQL Server Database Files – SQL Server Forensics

The MDF file consists of multiple data pages, each data page having multiple rows of fixed or variable lengths.

SQL MDF Forensics

The LDF transaction log file stores information such as Transaction ID, Page ID, Slot ID, Row Offset, etc.

Repository Of Artifacts Where The Investigators Must Dig Into

The core targets during SQL sever database forensics where the probability of existence of some evidences persists, includes: –

  • SQL Server Database Files i.e. The MDF Files
  • The Transaction Log Files i.e. The LDF Files
  • Data Cache (used for caching table)
  • Indexes (just like a book’s index)
  • Tempdb (used for holding temporary user and internal objects)

Most of the SQL server forensics are carried out in an offline mode as analysis in a live mode may result in crashing of the server or data loss. As the SQL server maintains its own log, the location where the error log is stored is: –

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG

The error logs show definite information about the failed login attempts that have been carried out on the server.

Analysis of the SQL Server Evidence Artifacts

Inculpatory/Exculpatory evidences can be carved out during SQL MDF forensics  via analysis of the following zones of the SQL server: –

  • Windows Event Log
    1. Successful or failed login attempts
    2. Related IP address
    3. The startup and shutdown timestamp details.
  • MDF stored information such as DDL operations carried out for schema changes.
  • Active transaction log for viewing the imported Excel or Access database of information.
  • Investigation of the Page Headers.

Forensic Analysis of SQL MDF Database File via SQL Server Forensics Tool

The best part of this SQL Forensics Tool is that it is compatible to work with SQL Server 2016, 2014, 2012, 2008 / 2008 R2, 2005, 2000 database files. In addition to this, the software recovers all the stored triggers, rules, functions, tables and much more.




System requirements for SQL server forensics analysis tool: –

Operating System Supported – Windows 10 and all the below versions

Processor – 1 GHz

RAM – 512 MB

Hard Disk Space – 10 MB

SQL Server Editions Supported – SQL Server 2000/2005, SQL Server 2008, SQL Server 2008 R2, SQL Server 2012/2014/2016

NOTE: – On Windows 10/8.1/8/7 or Vista, the tool need to be launched as “Run as Administrator”

With this SQL Server Database Forensics tool, the investigation process is acquainted with the analysis of NDF file too. The NDF file is the secondary database file of the SQL server. The tool auto detects the NDF database file on the target machine. The Quick and Advance Scanning algorithms embedded in the tool allow the investigators to easily dig into the heavily damaged or corrupted MDF files too.


Recover the deleted SQL tables’ data that might have resulted due to the suspects’ activities. Carrying out the forensic investigation of the SQL server is not a piece of cake. But if conducted with the proper methodology, by keeping in mind the necessary requirements, the required evidences can be carved from the MDF and NDF files.