Computer Hacking Forensic Investigator (CHFI v10) — Question 409

During a digital forensics investigation, you discovered an SQL injection attack that occurred on a MySQL database using the MyISAM storage engine. You found the '.MYD' and '.MYI' files for the attacked table in the MySQL data directory. You also identified the type of SQL injection attack as a UNION-based attack. Which of the following steps would be the most effective in your investigation?

Answer options

• A. Analyzing the MySQL error log (HOSTNAME.err) for irregularities
• B. Checking the '.MYD' file to find evidence of the attack in the table data
• C. Investigating the '.MYI' file to inspect the index of the attacked table
• D. Inspecting the Binary log (HOSTNAME-bin.nnnnnn) for unusual transactions

Correct answer: D

Explanation

Inspecting the Binary log (HOSTNAME-bin.nnnnnn) is crucial as it records all changes made to the database, making it the most effective way to identify unauthorized alterations resulting from the SQL injection attack. Analyzing the MySQL error log may provide some insights, but it won't directly reveal the actions taken by the attacker. Checking the '.MYD' and '.MYI' files can provide additional context, but they are less likely to show the full scope of the attack compared to the Binary log.