[Dshield] Access Database Forensics

Don Jackson dwjackson at bcbsal.org
Mon Nov 28 20:58:57 GMT 2005

>>>> BKWalker at drbsystems.com 11/28/2005 1:11 pm >>>
>Sounds like he's simply talking about an autoincrement type field in
>table in question.  Most auto-increment field types (or fields setup
>with triggers/generators) the current starting number can be
>manipulated, as well as the field numbers themselves.  Perhaps this
>of analysis might be useful in some ways, but I doubt it would
>as evidence.

If he's followed proper procedures in acquiring an image of the
suspect's original data and uses methods that can reproduce his
results from it, it will probably be admitted should it go to trial.

It'll be up to the defense attorney to argue any doubt regarding

Electronic discovery is a very exciting and unpredictable field.
We could be in courtrooms across the hall from each other
and get two different rulings on admissibility of something like this.

 - Don J.
"Secan, Scearu, Findan"

PS -- As for the presence of such a field, it looks like it may depend
on the version of Access used:

>>>> <j.burnette at srs.gov> 11/28/2005 11:48 am >>>
>When Access was first written in the 90's it did time stamp the
>and also held a programmable modification date, however, those areas
>were traded to give visual basic more operability very early on.  Your
>best bet is to make a comparison with an earlier backup.  Row ID would
>only exist if it was an established input by the user.
>John D. "JD" Burnette
>Lead, Cyber Security Engr and
>Classified Computing Program Mgr
