Examine SQL Server Transaction Log Using SQL Log Analyzer

Stacy Brown | July 7th, 2015 | SQL Transaction Log |

Microsoft SQL Server Prologue

In computing, Microsoft SQL Server is a type of RDBMS, which means relational database management system. The Microsoft SQL Server came into existence after the development of relational model. The primary function of SQL server is to store, retrieve and manipulate the database through SQL queries.

The SQL server stores its database into three categories. The .mdf file, which stores primary data (tables, functions, rules, stored procedures) of SQL server. Secondary database files are .ndf files which are user defined and the third one is .ldf files, to which SQL server use to store log information.

This mission critical application provides a faster insight on any data as well as provides a hybrid environment in term of secrecy.

SQL Server Implementation in Forensic Science

The techniques described in MS SQL Server Forensics can be used to examine unauthorized data access, scam, etc. as well as to gather the information recommended for intrusion detection by restoring the tempered database files. Although forensics experts usually use entrusted way to examine SQL Server transaction log, which reduces extra efforts in the investigation.

SQL Server Database Forensics and Overview

Storage In SQL Server

Database forensics are the subdivision of digital forensic science that are related to the forensic aspects of the database and their corresponding metadata.

SQL Server provides the services like database engine, analysis services, integration services, reporting services and SQL Server compact to manipulate database easefully. While utilizing database engine System database and the user define database plays vital role in the database integrity.

SQL Server stores user defined database in a particular primary storage call MDF file, Secondary storage NDF file and saves its transactional operation in LDF file. Such files are very useful and beneficial for forensic analysis and research.

MS SQL Server 2014 stores its data into two files, i.e. .mdf file and .ndf file. The .mdf file contains tables, functions, rules and stored procedures, XML Data types and schema while the .ndf file is a secondary storage of SQL Server, which is user defined and the .ldf file holds the information about the transactions like INSERT, DELETE, UPDATE, etc.

Need of SQL Server Forensics

SQL Server provides highly secure environment to store the database in huge amount, but there are some factors where SQL server forensics come into existence.

1. The SQL injection is a technique used by hackers to access unauthorized crucial information from the user’s database.In such situation SQL Server forensics is a technique to determine the changes that are made in the database.

2. SQL Server forensics can be useful to identify manipulated data

3. SQL Server forensics help in determining the root cause

Forensics evidences on SQL Server

SQL Server stores its transaction logs in a separate file named .ldf. So this .ldf file is also used for forensics whenever required, because it stores all the transactional information of the database.

For Example: if any unauthorized activities like modification in the database is done by an intruder, in such case the .ldf file captures all that activity, which was performed at that time.

Forensic Implications:

Although preliminary, the SQL forensics technique is very easy while using an undocumented function fn_dblog, but there is a problem when the fn_dblog function doesn’t shows the proper result when a user want to show the meta information of the transaction. In such situation a log analyzer tool is a better option to see the Meta information of the transaction operations.

Forensic Analysis Of A SQL Server With SQL Log Analyzer Tool

While performing a forensic analysis task the SQL Server takes several steps to find the detail about the transactions, but at the end it shows a very complicated result. Complicated result means it only shows the information about the operation, but doesn’t show what’s inside of the operation.

The SQL log analyzer helps in investigating the overall transactional operations and show the whole information with evidence and also recover the SQL server .ldf file.

Operation performance of SQL log Analyzer:

  1. Analyze the transactions of a log file and rapidly accomplish SQL data recovery
  2. Preview all the activity of a ldf file like: Transaction type, Id, Time, Table Name & Transaction Query
  3. Filter transactions, according to date, Time, Transaction types
  4. Fast scan, Analyze the LDF file and find its associated MDF file


This mission critical application is very recommended in most of the cases which deals with server attack by intruders, fraud, scam, attacking default, Exploiting Unpatched Services. A SQL log Analyzer tool is highly appreciable in such scenarios to preform MS SQL Server forensics tasks.