[Dshield] Access Database Forensics

Don Jackson dwjackson at bcbsal.org
Mon Nov 28 16:03:50 GMT 2005


Here's a response from another list.  I have not verified this info.
I'm not even sure if he means the autonumber field is an internal
data structure, or if he means "if the database designer included one,
then..." this is true.  Waiting on a response.

Most of the best lists/forums are reserved for owners of products
like AccessData's FTK or Guidance Software's EnCase, or for law
enforcement/prosecution expert witnesses (in an effort to keep the
how-to info out of the hands of criminals and criminal defense
attorneys, I suppose).

>>>> "CWright" <cwright at softtrakz.com> 11/23/2005 10:30:08 am >>>
>Access has an "autonumber" field type -- basically a long integer -- that
>sequences the records in the order in which they were entered.  You may
>need to insert a temp field in the table; once done you can either set the
>index to the field or simply sort on it.  Either way will tell you exactly
>the order in which records were added.  Unless there is a date and/or time
>field for the record you are out of luck as far as determining the exact
>date/time stamp.
>
>Hope this helps,
>Chuck Wright
>
>
>>>> nemoaus at hotmail.com 11/23/2005 4:24:47 pm >>>
>Hello John,
>
>Good suggestions, but think "suspect" rather than "client". The database is
>on a forensic image with no access to luxuries like backup tapes.  Does
>Access have a transaction journal that I could check to see recent activity
>on the database? If anyone knows of a better place to ask this question, let
>me know.
>
>Regards.  Nemo
>
>>I'm not sure how detailed a timeframe you're looking for, but one option
>>would be to compare that record against older copies on backup tapes.
>>That should get you to the proper day at least.
>>
>>For future reference, perhaps add a date/time field into the database
>>with a default value of 'Now()'.  Is it possible to go in and change it?
>>Yes, but for the less adept end users, it should at least give you some
>>visibility.
>>
>>John

