[Dshield] Access Database Forensics

TRushing@hollandco.com TRushing at hollandco.com
Mon Nov 28 20:35:31 GMT 2005


You might see if the author of MDBTools is still available.  Home page is 
at http://mdbtools.sourceforge.net/

The last file release was in June of 2004, but that project was an attempt 
to reverse engineer the MDB file format for direct access of the 
information.

Access databases store all data (schema, indexes, actual data) in a single 
file.  As far as I know there is nothing inherent in the information 
available to an end user that would allow you to determine when data was 
edited/added.  However, it may still be possible to make some guesses. 
Because it is a monolithic file and because MS wanted to make it speedy, 
data that is removed/edited is not always automatically removed from the 
file.  That is why there is an option in the tools menu to compact the 
database.  What this actually does is write out a new copy with only the 
data that should be there and then delete the original.

I have no clue if the data that is marked as stale includes edit 
information or simply contains deleted data that has not been cleaned yet. 
 Possibly if an edit significantly changed the record length, it might be 
quicker to mark the record as stale and create a new one.  It is certain 
that MS would be able to answer that question.  It is likely that the 
MDBTools author could answer it.  I doubt that you are going to find much 
out there otherwise regarding the internal file structure of MDB files.  I 
do feel pretty confident saying that with the exception of what may be 
hidden in an uncompacted Access database, there is not going to be any 
reliable way to tell when a record was created--and even with information 
regarding the file structure I'm only guessing that you *MIGHT* be able to 
get at some information.

Even timestamp fields or autonumbers, if they exist in a database, allow 
any data to be placed inside them.  In other words, an Access AutoNumber 
field will start at 1 and increment from there for each data entry. 
Deleted AutoNumbers will not be re-used (unless the deletion occurs at the 
end of the sequence and the database is then compacted.)  However, if you 
are adding a new record, you can insert any number you want into an Access 
AutoNumber field so long as you aren't inserting a number that is already 
in use.  So, if record 12 has been deleted, I can create a brand new 
record and manually assign it an AutoNumber of 12.

Likewise with any timestamps.  An AutoNumber or timestamp in Access is 
simply a default value to use if no other value is supplied, and except in 
very limited circumstances, anyone who can open the database can change 
anything inside it without any trace.

Tim Rushing


More information about the list mailing list