[Dshield] Access Database Forensics
TRushing at hollandco.com
Mon Nov 28 20:35:31 GMT 2005
You might see if the author of MDBTools is still available. Home page is
The last file release was in June of 2004, but that project was an attempt
to reverse engineer the MDB file format for direct access of the
Access databases store all data (schema, indexes, actual data) in a single
file. As far as I know there is nothing inherent in the information
available to an end user that would allow you to determine when data was
edited/added. However, it may still be possible to make some guesses.
Because it is a monolithic file and because MS wanted to make it speedy,
data that is removed/edited is not always automatically removed from the
file. That is why there is an option in the tools menu to compact the
database. What this actually does is write out a new copy with only the
data that should be there and then delete the original.
I have no clue if the data that is marked as stale includes edit
information or simply contains deleted data that has not been cleaned yet.
Possibly if an edit significantly changed the record length, it might be
quicker to mark the record as stale and create a new one. It is certain
that MS would be able to answer that question. It is likely that the
MDBTools author could answer it. I doubt that you are going to find much
out there otherwise regarding the internal file structure of MDB files. I
do feel pretty confident saying that with the exception of what may be
hidden in an uncompacted Access database, there is not going to be any
reliable way to tell when a record was created--and even with information
regarding the file structure I'm only guessing that you *MIGHT* be able to
get at some information.
Even timestamp fields or autonumbers, if they exist in a database, allow
any data to be placed inside them. In other words, an Access AutoNumber
field will start at 1 and increment from there for each data entry.
Deleted AutoNumbers will not be re-used (unless the deletion occurs at the
end of the sequence and the database is then compacted.) However, if you
are adding a new record, you can insert any number you want into an Access
AutoNumber field so long as you aren't inserting a number that is already
in use. So, if record 12 has been deleted, I can create a brand new
record and manually assign it an AutoNumber of 12.
Likewise with any timestamps. An AutoNumber or timestamp in Access is
simply a default value to use if no other value is supplied, and except in
very limited circumstances, anyone who can open the database can change
anything inside it without any trace.
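Added example (not part of the post above): the three behaviours the post describes for Access, shown concretely with SQLite as a stand-in, since a pure-Python script cannot open an .mdb offline. The table, the marker text and the file name are constructed for the demo; `PRAGMA secure_delete = OFF` is set explicitly so that SQLite, like an uncompacted Access file, leaves deleted bytes in place until the file is rebuilt. The on-disk layout of an MDB file is different, so only the behaviour class carries over: deleted data lingers until compaction, an AutoNumber-style key is not reused by the engine but can be supplied by hand, and a timestamp default can be overridden.

```python
"""Added example (not from the original post): SQLite stand-in for an Access
.mdb showing deleted-data slack, non-reuse of autonumbers, and overridable
key/timestamp defaults.  File name, table and rows are constructed."""
import os
import sqlite3
import tempfile

# Constructed marker text; we later search the raw file bytes for it.
DELETED_MARKER = "DELETED-RECORD-9f3a7c"


def _connect(path):
    con = sqlite3.connect(path)
    # Access leaves deleted bytes in the file until "Compact"; model that by
    # turning off SQLite's secure_delete (which would zero freed space).
    con.execute("PRAGMA secure_delete = OFF")
    return con


def build_db(path):
    """Table with an AutoNumber-style key and a timestamp default."""
    con = _connect(path)
    con.execute(
        "CREATE TABLE audit ("
        " id INTEGER PRIMARY KEY AUTOINCREMENT,"   # like AutoNumber: no reuse after delete
        " note TEXT,"
        " created TEXT DEFAULT CURRENT_TIMESTAMP)"  # like Default Value = Now()
    )
    con.executemany("INSERT INTO audit (note) VALUES (?)",
                    [("entry %d" % i,) for i in range(1, 12)])
    con.execute("INSERT INTO audit (note) VALUES (?)", (DELETED_MARKER,))  # gets id 12
    con.commit()
    con.close()


def delete_record(path, rec_id):
    con = _connect(path)
    con.execute("DELETE FROM audit WHERE id = ?", (rec_id,))
    con.commit()
    con.close()


def raw_file_contains(path, text):
    """Forensic check: does the text still sit in the file's slack space?"""
    with open(path, "rb") as f:
        return text.encode() in f.read()


def insert_auto(path, note):
    """Let the engine assign the key; returns the id it chose."""
    con = _connect(path)
    cur = con.execute("INSERT INTO audit (note) VALUES (?)", (note,))
    con.commit()
    new_id = cur.lastrowid
    con.close()
    return new_id


def forge_record(path, rec_id, note, when):
    """Supply the key and the timestamp explicitly: the defaults are only
    defaults, so a freed id can be re-filled and the time can be back-dated."""
    con = _connect(path)
    con.execute("INSERT INTO audit (id, note, created) VALUES (?, ?, ?)",
                (rec_id, note, when))
    con.commit()
    row = con.execute("SELECT id, note, created FROM audit WHERE id = ?",
                      (rec_id,)).fetchone()
    con.close()
    return row


def compact(path):
    """VACUUM rewrites the file with only live data, like Access "Compact"."""
    con = _connect(path)
    con.execute("VACUUM")
    con.close()


def run_demo():
    """Runs the sequence and returns the observations as a dict."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "demo.db")
        build_db(path)
        delete_record(path, 12)
        # Checked before any further insert, which could overwrite the slack.
        out = {"raw_after_delete": raw_file_contains(path, DELETED_MARKER)}
        out["next_auto_id"] = insert_auto(path, "entry 13")      # 13, not 12
        out["forged"] = forge_record(path, 12, "forged", "2001-01-01 00:00:00")
        compact(path)
        out["raw_after_compact"] = raw_file_contains(path, DELETED_MARKER)
        return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, "=", v)
```

The raw-file check is done immediately after the delete because any later insert may land in the freed space and partially overwrite it; that is also why carving an uncompacted database is a best-effort exercise rather than a reliable record of what was deleted. After `compact()` the marker is gone from the file, which is the forensic cost of compaction the post points at.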