[Dshield] Access Database Forensics

Ed Truitt ed.truitt at etee2k.net
Thu Nov 24 16:07:34 GMT 2005


Nemo, have you tried contacting MSFT about this? It looks as if you are looking for some type of metadata in the file to help you. Also, if the database was accessed over the network, maybe the event logs of the machine it was on would be of help (esp. if you had file/object access audit enabled).

Unfortunately I don't think Access has transaction logs.

-EdTr.
-----Original Message-----
From: "Nemo Omen" <nemoaus at hotmail.com>
Date: Thu, 24 Nov 2005 09:24:47 
To: list at lists.dshield.org
Subject: Re: [Dshield] Access Database Forensics

Hello John,

Good suggestions, but think "suspect" rather than "client". The database is 
on a forensic image with no access to luxuries like backup tapes.  Does 
Access have a transaction journal that I could check to see recent activity 
on the database? If anyone knows of a better place to ask this question, let 
me know.

Regards.  Nemo

>I'm not sure how detailed a timeframe you're looking for, but one option
>would be to compare that record against older copies on backup tapes.
>That should get you to the proper day at least.
>
>For future reference, perhaps add a date/time field into the database
>with a default value of 'Now()'.  Is it possible to go in and change it?
>Yes, but for the less adept end users, it should at least give you some
>visibility.
>
>John


Cheers,
-E D Truitt
