jlgolin
Starting Member
3 Posts |
Posted - 2009-11-17 : 12:46:09
|
Good afternoon. I have recently been tasked with determining the chain of events that took place during an intrusion in which a SQL database was deleted. The .mdf file is gone; however, the transaction log (.ldf) is available.

The focus of my investigation is to determine what the intruder did to the database before deleting it. From what I have gathered, this type of information would be available in the .ldf.

Are there any stand-alone utilities for parsing the .ldf file? By stand-alone, what I mean is a utility that is not going to require me to connect to the database. I have exported a copy of the .ldf file and now I want to open it up and see the contents.

Thanks in advance,
John |
|
russell
Pyro-ma-ni-yak
5072 Posts |
Posted - 2009-11-17 : 13:19:27
|
Do you have backups? Lumigent could do this from the backups as well as the live logs. Don't recall if it could be done to a detached ldf. Pretty sure ApexSQL purchased the product, so have a look on their site. And they do offer a free trial. |
 |
|
jlgolin
Starting Member
3 Posts |
Posted - 2009-11-17 : 14:16:28
|
No, I don't have any backups. I basically have the transaction log and that's it. I've been digging around on the Internet and haven't really found much in terms of parsing the log. I've even read that the format of the log file (i.e. the fields contained in it) is held close to the vest by Microsoft. |
 |
|
russell
Pyro-ma-ni-yak
5072 Posts |
Posted - 2009-11-17 : 15:05:00
|
Have a look at Log Explorer. Again, don't remember if it works on a detached ldf... worth a peek. Might even call Apex and ask. |
 |
|
jlgolin
Starting Member
3 Posts |
Posted - 2009-11-17 : 16:50:32
|
Thanks Russell. I'll take a look and/or give a call as you suggested.
-John |
 |