Hypnosis v1.1 - Readme

Developed by: Kevvie Fowler | kevvie.fowler@ringzero.ca
	        ringzero.ca | applicationforensics.com


Overview
==========

SQL Server maintains several database caches that record previously executed statements.  These caches can contain evidence of successfully executed database attacks including those launched from SQL injection attack tools, worms or even by interactively logged on users.
 
Hypnosis is the first cache-based incident response utility that interrogates the always-on caching feature of SQL Server to help confirm or discount a successful database attack.


Zip file contents
==================

Hypnosis.exe		Executable file
CacheRules.txt		Rules file containing regular expressions for use during database cache interrogation


** Note: During execution both Hypnosis.exe and CacheRules.txt must exist within the same directory **
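
The overview and the CacheRules.txt entry above describe matching regular expressions against statements left in the SQL Server caches. The Python sketch below is an added example, not part of Hypnosis: the rules are hypothetical (not the contents or format of CacheRules.txt) and the rows are constructed, assumed to have been exported from the plan cache (for example sys.dm_exec_query_stats joined to sys.dm_exec_sql_text; this readme does not say which views Hypnosis queries).

```python
import re
from typing import NamedTuple

# Hypothetical rules; NOT the contents or file format of CacheRules.txt.
RULES = {
    "xp_cmdshell call": r"\bxp_cmdshell\b",
    "time-delay probe": r"\bwaitfor\s+delay\s+'\d+:\d+:\d+'",
    "union read of system catalog":
        r"\bunion\s+(?:all\s+)?select\b.*\b(?:sys|information_schema)\.\w+",
}

# Constructed sample rows: (last_execution_time, statement text).
CACHED = [
    ("2009-03-02 10:14:07", "SELECT name, price FROM products WHERE id = 17"),
    ("2009-03-02 10:15:31", "SELECT name, price FROM products WHERE id = 17 "
     "UNION/**/ALL/**/SELECT name, NULL FROM sys.databases--"),
    ("2009-03-02 10:16:02", "SELECT name FROM products WHERE id = 17; "
     "WAITFOR DELAY '0:0:5'"),
    ("2009-03-02 10:20:45", "UPDATE orders SET status = 'shipped' WHERE union_rep = 4"),
]

class Hit(NamedTuple):
    when: str
    rule: str
    statement: str

def normalize(sql: str) -> str:
    """Strip SQL comments and collapse whitespace so padding such as
    UNION/**/SELECT cannot split a keyword sequence a rule looks for."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)   # block comments
    sql = re.sub(r"--[^\r\n]*", " ", sql)              # line comments
    return re.sub(r"\s+", " ", sql).strip()

def scan(rows, rules=RULES):
    """Return one Hit per (statement, rule) match, in input order."""
    compiled = {n: re.compile(p, re.I | re.S) for n, p in rules.items()}
    hits = []
    for when, text in rows:
        flat = normalize(text)  # match on the normalized form, report the original
        for name, rx in compiled.items():
            if rx.search(flat):
                hits.append(Hit(when, name, text))
    return hits

if __name__ == "__main__":
    for h in scan(CACHED):
        print(f"{h.when}  [{h.rule}]  {h.statement}")
```

The last constructed row contains the substring "union" in a column name and is not flagged, because the rule requires the keyword sequence rather than the bare word.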

Usage
======

hypnosis -i:instance_name -o:out_file (-t: | -u:dbuser -p:dbpassword)

  instance_name The name of the SQL Server instance you would like to investigate 
  out_file      The name and path of the file that will store the interrogation results
  dbuser        The name of the database user for use during connection (must have sysadmin privileges)
  dbpassword    The password of the dbuser account (dbuser account explained above)
  -t:           Replaces dbuser and dbpassword arguments and indicates a trusted database connection should be used



  
Examples
=========

  Trusted connection example:                   hypnosis -i:DB01\SQL2K8 -o:z:\result.txt -t:

  SQL Server authentication connection example: hypnosis -i:DB01\SQL2K8 -o:z:\result.txt -u:sa -p:P@$$w0rd
                    