[Dshield] Access Database Forensics
ed.truitt at etee2k.net
Thu Nov 24 16:07:34 GMT 2005
Nemo, have you tried contacting MSFT about this? It looks as if you are looking for some type of metadata in the file to help you - also if the database was accessed over the network maybe the event logs of the machine it was on would be of help ( esp. if you had file/object access audit enabled.)
Unfortunately I don't think Access has transaction logs.
From: "Nemo Omen" <nemoaus at hotmail.com>
Date: Thu, 24 Nov 2005 09:24:47
To:list at lists.dshield.org
Subject: Re: [Dshield] Access Database Forensics
Good suggestions, but think "suspect" rather than "client". The database is
on a forensic image with no access to luxuries like backup tapes. Does
Access have a transaction journal that I could check to see recent activity
on the database? If anyone knows of a better place to ask this question, let
>I'm not sure how detailed a timeframe you're looking for, but one option
>would be to compare that record against older copies on backup tapes.
>That should get you to the proper day at least.
>For future reference, perhaps add a date/time field into the database
>with a default value of 'Now()'. Is it possible to go in and change it?
>Yes, but for the less adept end users, it should at least give you some
REALESTATE: biggest buy/rent/share listings
Using .Net? Need to know more about .Net Security?
send all posts to list at lists.dshield.org
To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
-E D Truitt
Sent via my BlackBerry from Cingular Wireless
More information about the list