When investigating a breach, one of the most important questions is “What data walked out the door?” As forensic analysts, we need to be able to examine every artifact available to us, including the databases themselves. As a continuation of last year’s brief intro to SQL database artifacts, this session takes a deeper dive into MS SQL artifacts. In this lab, we will investigate a compromised SQL server, learning how to analyze volatile and non-volatile data, including database records, transaction logs, memory dumps, and other system-level artifacts. It’s time to roll up our sleeves and go right to the data.