Old data stored in database file
22-08-2019
Question
How can I ensure that all data that I've erased from the db tables is no longer stored in the mdb files (and others) on the hard disk?
Here's my situation:
My client used to store non-encrypted credit card data, in their database (SQL Server). Thanks to PCI requirements, they now encrypt all that data... However, the mdb file still has some of the old, unencrypted CC written to it.
We've verified that there are no more CC's in the database; we've compressed the database; we've backed it up to a file and restored it anew, to a new database; we've even run sp_cleandb.
Yet, still, when we analyze the persisted file on disk, we still find a handful of non-encrypted CCs - that are not stored in the DB, they're not part of SPs, views, or UDFs, and they do not appear in any table metadata.
So, my question - how can I ensure all the "bad" CC data is gone? Or, more generally, how do I force MSSQL to store only current data, and clean the file from any "garbage"?
Solution
Based on what you've done, I'd suggest creating a new database, and moving all your data into that.
That way you know you're only working with your new data, and no legacy data will somehow be stored in files.
OTHER TIPS
Have you tried freeing up unused space in the database files (and log files)?
To be absolutely sure:
- dump your data in some textual format, such as CSV
- search the CSV for any unencrypted data & remove it
- create a new empty database
- load the CSV into the new database
- script out the database
- bulk copy the data out to flat files
- look in the flat files for unencrypted data
- drop the database
- delete the database files with a secure delete: http://www.snapfiles.com/Freeware/security/fwerase.html
- create a new database on the server with your scripts
- load the data from the flat files
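Added example, not part of the answers above: a Python scanner for the "look in the flat files for unencrypted data" step, which can also be pointed at a backup or an offline copy of the database file to confirm that nothing is left. It reports Luhn-valid digit runs in single-byte and UTF-16LE form with the middle digits masked; the function names, the 13-19 digit range and the sample bytes are assumptions made for this illustration.

```python
import mmap
import os
import re

# Runs of 13-19 digits, as single-byte text and as UTF-16LE (how SQL Server
# stores nchar/nvarchar values), bounded so longer digit runs are not split.
PATTERNS = {
    "ascii": re.compile(rb"(?<![0-9])[0-9]{13,19}(?![0-9])"),
    "utf-16le": re.compile(rb"(?<![0-9]\x00)(?:[0-9]\x00){13,19}(?![0-9]\x00)"),
}

# Constructed sample bytes standing in for file residue (4111... is a test number).
SAMPLE = (b"\x00\x10row:" + b"4111111111111111" + b"\xff\xfe"
          + "4111111111111111".encode("utf-16-le")
          + b"|id=4111111111111112|" + b"0" * 16)

def luhn_ok(digits):
    """Luhn checksum; rejects most digit runs that are IDs or timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_bytes(data):
    """Return sorted (offset, encoding, masked number) for Luhn-valid runs."""
    hits = []
    for enc, pat in PATTERNS.items():
        for m in pat.finditer(data):
            digits = bytes(m.group()).replace(b"\x00", b"").decode("ascii")
            # Skip padding such as 0000...0, which passes Luhn trivially.
            if len(set(digits)) > 1 and luhn_ok(digits):
                # Mask the middle so the report never holds a full number.
                masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
                hits.append((m.start(), enc, masked))
    return sorted(hits)

def scan_file(path):
    """Scan an exported flat file, a backup, or an offline copy of a data file."""
    if os.path.getsize(path) == 0:  # mmap cannot map an empty file
        return []
    with open(path, "rb") as fh:
        with mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            return scan_bytes(mm)

if __name__ == "__main__":
    for offset, enc, masked in scan_bytes(SAMPLE):
        print(f"{offset:#010x}  {enc:<8}  {masked}")
```

A hit gives the byte offset of the residue, so the same scan can be repeated after each cleanup attempt to check whether that region of the file was actually rewritten.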
If you are interested in this topic, I recommend:
Threats to privacy in the forensic analysis of database systems, Proceedings of the 2007 ACM SIGMOD International Conference on Management of Data: http://www.cs.umass.edu/~miklau/pubs/sigmod2007LMS/stahlberg07forensicDB.pdf