[Dshield] Access Database Forensics

Brenden Walker BKWalker at drbsystems.com
Mon Nov 28 19:11:30 GMT 2005


> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Don Jackson
> Sent: Monday, November 28, 2005 11:04 AM
> To: list at lists.dshield.org
> Subject: Re: [Dshield] Access Database Forensics
> 
> Here's a response from another list.  I have not verified this info.
> I'm not even sure if he means the autonumber field is an 
> internal data structure, or if he means "if the database 
> designer included one, then..." this is true.  Waiting on a response.
> 
> Most of the best lists/forums are reserved for owners of 
> products like AccessData's FTK or Guidance Software's EnCase, 
> or for law enforcement/prosecution expert witnesses (in an 
> effort to keep the how-to info out of the hands of criminals 
> and criminal defense attorneys, I suppose).


Sounds like he's simply talking about an autoincrement type field in the
table in question.  With most auto-increment field types (or fields set up
with triggers/generators), the current starting number can be
manipulated, as well as the field numbers themselves.  Perhaps this type
of analysis might be useful in some ways, but I doubt it would qualify
as evidence.

> 
> >>>> "CWright" <cwright at softtrakz.com> 11/23/2005 10:30:08 am >>>
> >Access has an "autonumber" field type -- basically a long integer --
> >that sequences the records in the order in which they were entered.
> >You may need to insert a temp field in the table; once done you can
> >either set the index to the field or simply sort on it.  Either way
> >will tell you exactly the order in which records were added.  Unless
> >there is a date and/or time field for the record you are out of luck
> >as far as determining the exact date/time stamp.
> >
> >Hope this helps,
> >Chuck Wright
> >
> >
> >>>> nemoaus at hotmail.com 11/23/2005 4:24:47 pm >>>
> >Hello John,
> >
> >Good suggestions, but think "suspect" rather than "client". The
> >database is on a forensic image with no access to luxuries like backup
> >tapes.  Does Access have a transaction journal that I could check to
> >see recent activity on the database? If anyone knows of a better place
> >to ask this question, let me know.
> >
> >Regards.  Nemo
> >
> >>I'm not sure how detailed a timeframe you're looking for, but one
> >>option would be to compare that record against older copies on backup
> >>tapes.  That should get you to the proper day at least.
> >>
> >>For future reference, perhaps add a date/time field into the database
> >>with a default value of 'Now()'.  Is it possible to go in and change
> >>it?  Yes, but for the less adept end users, it should at least give
> >>you some visibility.
> >>
> >>John


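An added example, not part of the original thread, illustrating the point made above that an auto-increment key is weak evidence of insertion order. It uses SQLite, whose AUTOINCREMENT counter is kept in the ordinary, writable sqlite_sequence table, as a stand-in for an Access/Jet autonumber field; the file formats differ, but the two manipulations shown (moving the counter and supplying an explicit key value) are available in most auto-increment implementations. The table, column and customer names are constructed for the example.

```python
"""Why sorting on an auto-increment key does not prove insertion order.

Added example (not from the DShield thread). SQLite stands in for
Access/Jet; the table and sample rows are constructed for illustration.
"""
import sqlite3
from typing import List, Tuple


def build_db() -> sqlite3.Connection:
    """Create a table with an auto-increment key and two honest inserts.

    entered_nth records the true insertion sequence so the example can
    compare it against what the key column suggests.
    """
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE orders ("
        "  id INTEGER PRIMARY KEY AUTOINCREMENT,"
        "  customer TEXT NOT NULL,"
        "  entered_nth INTEGER NOT NULL)"
    )
    # Constructed sample data: ordinary inserts receive ids 1 and 2.
    con.execute("INSERT INTO orders (customer, entered_nth) VALUES ('alice', 1)")
    con.execute("INSERT INTO orders (customer, entered_nth) VALUES ('bob', 2)")
    con.commit()
    return con


def tamper(con: sqlite3.Connection) -> None:
    """Two manipulations anyone with write access to the file can perform."""
    # (a) Move the counter. SQLite keeps it in sqlite_sequence, which an
    #     ordinary UPDATE may rewrite; the next automatic key becomes 101,
    #     leaving a gap that looks like ~98 deleted records.
    con.execute("UPDATE sqlite_sequence SET seq = 100 WHERE name = 'orders'")
    con.execute("INSERT INTO orders (customer, entered_nth) VALUES ('carol', 3)")
    # (b) Supply an explicit key inside the gap, so a later record sorts
    #     as if it had been entered before carol's.
    con.execute(
        "INSERT INTO orders (id, customer, entered_nth) VALUES (50, 'dave', 4)"
    )
    con.execute("INSERT INTO orders (customer, entered_nth) VALUES ('erin', 5)")
    con.commit()


def order_by_key(con: sqlite3.Connection) -> List[str]:
    """The order an examiner would infer by sorting on the autonumber."""
    return [r[0] for r in con.execute("SELECT customer FROM orders ORDER BY id")]


def true_order(con: sqlite3.Connection) -> List[str]:
    """The order the rows were actually entered (from the ground-truth column)."""
    return [
        r[0] for r in con.execute("SELECT customer FROM orders ORDER BY entered_nth")
    ]


def key_gaps(con: sqlite3.Connection) -> List[Tuple[int, int]]:
    """Runs of unused key values between consecutive rows.

    Gaps are the one artifact the key column does leave behind, but they are
    ambiguous: deletions, a reseeded counter and explicit inserts all
    produce them.
    """
    ids = [r[0] for r in con.execute("SELECT id FROM orders ORDER BY id")]
    return [(a, b) for a, b in zip(ids, ids[1:]) if b - a > 1]


if __name__ == "__main__":
    con = build_db()
    tamper(con)
    print("by key :", order_by_key(con))   # alice, bob, dave, carol, erin
    print("actual :", true_order(con))     # alice, bob, carol, dave, erin
    print("gaps   :", key_gaps(con))       # [(2, 50), (50, 101)]
```

The key order and the real order disagree for carol and dave, and nothing in the table itself distinguishes the reseeded counter from a mass deletion. A date/time column with a default, as suggested earlier in the thread, is just as editable, so neither should be presented as more than a lead without corroboration from outside the file (backups, file-system timestamps, application logs).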
