Computer Hacking Forensic Investigator (CHFI v10) — Question 295

A forensic investigator is examining an attack on a MySQL database. The investigator has been given access to a server, but the physical MySQL data files are encrypted, and the database is currently inaccessible. The attacker seems to have tampered with the data. Which MySQL utility program would most likely assist the investigator in determining the changes that occurred during the attack?

Answer options

• A. Mysqlbinlog, because it reads the binary log files directly and displays them in text format
• B. Myisamchk, because it views the status of the MylSAM table or checks, repairs, and optimizes them
• C. Mysqldump, because it allows dumping a database for backup purposes
• D. Mysqlaccess, because it checks the access privileges defined for a hostname or username

Correct answer: A

Explanation

Mysqlbinlog is the correct choice because it can read the binary log files, which record all changes made to the database, providing insights into what alterations occurred during the attack. Myisamchk is used for managing MyISAM tables but does not provide information on changes. Mysqldump is primarily for creating backups and does not help in forensic analysis. Mysqlaccess is focused on access privileges and is not relevant to identifying data changes.