[Dshield] Access Database Forensics

Nemo Omen nemoaus at hotmail.com
Wed Nov 23 22:24:47 GMT 2005


Hello John,

Good suggestions, but think "suspect" rather than "client". The database is 
on a forensic image with no access to luxuries like backup tapes.  Does 
Access have a transaction journal that I could check to see recent activity 
on the database? If anyone knows of a better place to ask this question, let 
me know.

Regards.  Nemo

>I'm not sure how detailed a timeframe you're looking for, but one option
>would be to compare that record against older copies on backup tapes.
>That should get you to the proper day at least.
>
>For future reference, perhaps add a date/time field into the database
>with a default value of 'Now()'.  Is it possible to go in and change it?
>Yes, but for the less adept end users, it should at least give you some
>visibility.
>
>John

_________________________________________________________________
REALESTATE: biggest buy/rent/share listings   
http://ninemsn.realestate.com.au



More information about the list mailing list