
SQL Server Forensics To Carve Evidence From SQL Server MDF Database

Published By Raj Kumar
Approved By Aswin Vijayan
Published On August 1st, 2023


Before we move toward the SQL Server forensics task, it's important to learn about the MDF file. The MDF (Master Database File) is the primary database file of SQL Server and holds the schema and data artifacts of the server, which makes it quite useful for SQL forensics. All the log details of SQL Server are stored in a separate file format, the .ldf file.

The modifications to the database, such as inserts, deletes and updates, are stored in this LDF transaction log file. The need for SQL Server database forensics, i.e., forensic analysis of these MDF and LDF files, arises in scenarios where it is required to detect a data security breach, gauge the level of database intrusion, examine the stored information and much more.

We need to understand the structure of SQL Server database files in depth before we begin. Let's begin without any further delay. Reading this guide to the end can help us understand the ins and outs of SQL forensics.

Structure of SQL Server Database Files – SQL Server Forensics

The MDF file consists of multiple data pages, each data page having multiple rows of fixed or variable lengths.


The LDF transaction log file stores information such as Transaction ID, Page ID, Slot ID, Row Offset, etc.

Therefore, it's quite important for users to focus on both files, MDF and LDF. In this article, first of all, we are going to look at MDF forensics and then move on to the SQL forensics of LDF files.

Repository Of Artifacts Where The Investigators Must Dig Into

The core targets during SQL Server database forensics, where the probability of finding evidence is highest, include:

  • SQL Server Database Files i.e. The MDF Files
  • The Transaction Log Files i.e. The LDF Files
  • Data Cache (used for caching table)
  • Indexes (just like a book’s index)
  • Tempdb (used for holding temporary user and internal objects)

Most SQL Server forensics is carried out in an offline mode, as analysis in a live mode may result in a crash of the server or data loss. As SQL Server maintains its own log, the location where the error log is stored is:

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG

The error logs show definite information about the failed login attempts that have been carried out against the server.
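As an added example (not part of the original article or of any vendor tool), the following Python script reads the failed-login entries that SQL Server writes to its ERRORLOG, pairs each "Login failed" line with the 18456 state code logged just before it, and counts failures per client address so an examiner can spot a run of attempts from one source. The log excerpt is constructed here; the timestamps, login names and address are sample values.

```python
import re
from collections import Counter

# Constructed ERRORLOG excerpt (not from any real server). The layout follows
# SQL Server's login-failure entries: an "Error: 18456" line followed by a
# "Login failed for user" line that carries the client address.
SAMPLE_ERRORLOG = """\
2023-08-01 10:15:22.45 Logon       Error: 18456, Severity: 14, State: 8.
2023-08-01 10:15:22.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2023-08-01 10:15:23.10 Logon       Error: 18456, Severity: 14, State: 5.
2023-08-01 10:15:23.10 Logon       Login failed for user 'backup'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.5]
2023-08-01 10:15:24.02 Logon       Error: 18456, Severity: 14, State: 8.
2023-08-01 10:15:24.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2023-08-01 10:16:01.88 spid52      Starting up database 'Sales'.
"""

STATE_RE = re.compile(r"Error: 18456, Severity: 14, State: (\d+)\.")
FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d) Logon\s+"
    r"Login failed for user '(?P<user>[^']+)'\. Reason: (?P<reason>.*?) "
    r"\[CLIENT: (?P<client>[^\]]+)\]$"
)

def parse_failed_logins(log_text):
    """Return one dict per failed login, with the 18456 state code that
    SQL Server logs on the line immediately before the failure line."""
    events, last_state = [], None
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            last_state = int(m.group(1))
            continue
        m = FAILED_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["state"] = last_state   # 8 = wrong password, 5 = unknown login
            events.append(ev)
            last_state = None
    return events

def flag_clients(events, threshold=3):
    """Client addresses whose failed-login count reaches the threshold."""
    counts = Counter(ev["client"] for ev in events)
    return {client: n for client, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_ERRORLOG)
    for ev in evs:
        print(ev["ts"], ev["client"], ev["user"], "state", ev["state"])
    print(flag_clients(evs))
```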

Analysis of the SQL Server Evidence Artifacts

It's very crucial for forensicators to analyze data during SQL Server database forensics with accuracy. Inculpatory or exculpatory evidence can be carved out during SQL MDF forensics via analysis of the following zones of the SQL server:

  • Windows Event Log
    1. Successful or failed login attempts
    2. Related IP address
    3. The startup and shutdown timestamp details.
  • MDF stored information such as DDL operations carried out for schema changes.
  • Active transaction log for viewing the imported Excel or Access database of information.
  • Investigation of the Page Headers.
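The page layout described in the structure section (an MDF is a sequence of 8 KB pages, each holding rows) and the page-header check listed last above, as one added example that is not part of the original article or of any vendor tool: a Python parser for the fixed header at the front of a SQL Server page plus its row offset array, run on a page constructed here rather than one carved from a real MDF. The field offsets follow the documented page-header layout; the object id, page id, LSN and row contents are made-up sample values.

```python
import struct

PAGE_SIZE = 8192        # every SQL Server data page is 8 KB
HEADER_SIZE = 96        # fixed header at the front of each page
# m_type codes for the page types an examiner meets most often
PAGE_TYPES = {1: "DATA", 2: "INDEX", 3: "TEXT_MIX", 4: "TEXT_TREE", 8: "GAM",
              9: "SGAM", 10: "IAM", 11: "PFS", 13: "BOOT", 15: "FILE_HEADER",
              16: "DCM", 17: "BCM"}
# Little-endian layout of the first 64 bytes of the header
HEADER_FMT = "<BBBBHHIHHIHHiHHIHHIIHHIHHi"

def parse_page_header(page):
    """Decode the fixed header of one 8 KB page into a dict of named fields."""
    if len(page) != PAGE_SIZE:
        raise ValueError("expected one 8192-byte page")
    f = struct.unpack_from(HEADER_FMT, page, 0)
    return {
        "type": PAGE_TYPES.get(f[1], "UNKNOWN(%d)" % f[1]),
        "level": f[3],                       # 0 = leaf level
        "index_id": f[5],
        "prev_page": "%d:%d" % (f[7], f[6]),  # file:page of the previous page
        "next_page": "%d:%d" % (f[10], f[9]),
        "slot_cnt": f[11],                   # rows on this page
        "obj_id": f[12],                     # object the page belongs to
        "free_cnt": f[13],
        "free_data": f[14],                  # offset of the free space
        "page_id": "%d:%d" % (f[16], f[15]),
        "lsn": "%d:%d:%d" % (f[18], f[19], f[20]),  # last log record applied
        "ghost_rec_cnt": f[24],              # deleted rows still on the page
    }

def slot_offsets(page, slot_cnt):
    """Row offset array: 2-byte entries growing backwards from the page end."""
    return [struct.unpack_from("<H", page, PAGE_SIZE - 2 * (i + 1))[0]
            for i in range(slot_cnt)]

def build_sample_page():
    """Constructed DATA page: two 24-byte rows, one ghost record (sample values)."""
    hdr = struct.pack(HEADER_FMT, 1, 1, 0, 0, 0, 0, 0, 0, 8, 0, 0, 2, 245575913,
                      8044, 144, 200, 1, 0, 36, 512, 1, 0, 1001, 0, 1, 0)
    rows = b"\x30\x00" + b"A" * 22 + b"\x30\x00" + b"B" * 22
    page = bytearray(PAGE_SIZE)
    page[:len(hdr)] = hdr
    page[HEADER_SIZE:HEADER_SIZE + len(rows)] = rows
    struct.pack_into("<HH", page, PAGE_SIZE - 4, 120, 96)  # slot 1, slot 0
    return bytes(page)

if __name__ == "__main__":
    pg = build_sample_page()
    hdr = parse_page_header(pg)
    print(hdr, slot_offsets(pg, hdr["slot_cnt"]))
```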

Forensic Analysis of SQL MDF Database File via SQL Server Forensics Tool

The best part of this SQL Forensics Tool is that it is compatible with SQL Server 2016, 2014, 2012, 2008 / 2008 R2, 2005 and 2000 database files. In addition, the software recovers all the stored triggers, rules, functions, tables and much more.

Download the tool from below & continue the operation without any hassles:


System requirements for the SQL Server forensics analysis tool:

Operating System Supported – Windows 10 and all earlier versions are supported for the SQL forensics task.

Processor – 2.4 GHz

RAM – 4 GB

Hard Disk Space – 100 MB

SQL Server Editions Supported – SQL Server 2005, SQL Server 2008, SQL Server 2008 R2, SQL Server 2012/2014/2016/2017

NOTE: – On Windows 10/8.1/8/7 or Vista, the tool needs to be launched via "Run as Administrator".

With this SQL Server Database Forensics tool, the investigation process also covers the analysis of NDF files. The NDF file is the secondary database file of SQL Server. The tool auto-detects the NDF database file on the target machine.

The Quick and Advanced scanning algorithms embedded in the tool allow investigators to easily dig into heavily damaged or corrupted MDF files too.


Recover the deleted SQL tables' data that might have been lost due to the suspects' activities. Carrying out the forensic investigation of the SQL server is not a piece of cake. But if conducted with the proper methodology, keeping in mind the necessary requirements, the required evidence can be carved from the MDF and NDF files.

Understand the Process of LDF Files Forensics

Now, we can say that unauthorised access to the database server often results in ambiguous and illicit actions such as erroneous transactions, capital loss, cyber bullying, etc. To identify who has made the modifications recorded in your log files, the SQL Log Analyzer Software is the best utility to do so.


This is so far the best way for users to complete the entire SQL server forensics process using modern methods. Now, users have solutions for the forensics of both MDF and LDF files.

SQL Server Database Forensics Tool Features

There are several features present in the software for SQL forensics tasks, and we need to understand them. This helps users utilize the solution to its utmost potential without any hassle. Let's dive deeper to know more.

  • The software allows users to scan the MDF files in two modes:
    • Quick Scan Mode: For minor or no corruption.
    • Advanced Scan Mode: For major corruption.
  • There are a total of three data export modes available:
    • To Live SQL Server Database
    • In SQL Compatible Transcript File
    • To CSV file format
  • It is capable of resolving the corruption issues from Ransomware affected files.
  • The software offers plenty of filters & features to export selective database files.
  • Auto-detects the NDF files, if stored in the same location as the MDF data files.
  • The software detects the SQL Version automatically by scanning database files.
  • Supports SQL Server 2022, 2019, 2017, 2016, 2014, 2012, 2008/R2, 2005 and 2000 versions.

There You Have It!

There have been many cases where large enterprises have encountered loss of data due to transactions unknown to them. These transactions could be made by hackers who have the motive of causing damage to the respective organization. The above-mentioned tool is the only way possible to identify the roots and culprits. Even experts consider these tools for SQL forensics whenever they need them.

A forensic investigation, and the tool, can help you out with that, in order to avoid any further loss of assets and reputation in the market. Make sure to understand and follow the steps carefully for a successful process. If you need such SQL server forensics or MDF forensics, the automated solutions can be a perfect choice for you.