![\"\"](\"https:\/\/e3mag.com\/wp-content\/uploads\/2026\/03\/banner_26-04_29_1200x150-1.jpg\")
<\/a><\/div>\nBy selecting and linking the correct tables, a business process can be completely mapped in terms of data analysis and analyzed according to a wide range of aspects (e.g. violation of functional separation, fraudulent actions).<\/p>\n
For example, the complete document and payment run information of financial accounting is stored in five tables (BKPF, BSEG, BSEC, REGUH and REGUP), the essential process steps in purchasing in eight tables (EBAN, EKKO, EKPO, MKPF, MSEG, RBKP, RSEG and EKBE).<\/p>\n
The biggest hurdle in table-oriented testing is determining the tables with the desired information and how they are linked to each other. However, SAP provides numerous aids here, for example the logical databases (transaction SLDB), in which process-related tables are grouped together with their links.<\/p>\n
In the logical database BRF, for example, all important information about the document activity of financial accounting is summarized. SAP provides several tools for linking the tables. The transactions SE16H (extended table display), SQVI (QuickViewer) or SQ01-SQ03 (queries) can be used to link tables within SAP.<\/p>\n
Export data manually<\/h3>\n
For more extensive analyses, it is necessary to export the required data from the SAP system using external tools. This export should be performed manually to ensure that the export was performed without errors or manipulation.<\/p>\n
Analyze changes over time<\/h3>\n
In forensic data analysis, the analysis of changes in data over time plays a major role. If only key date-related analysis is performed, statements can only be made on the key date.<\/p>\n
Especially in the case of fraudulent actions, the perpetrator will try to remove the traces of his fraudulent actions after they have been executed. However, these cover-up actions leave traces in the logs of the SAP system.<\/p>\n
If changes are made in the Customizing of the SAP system, these are recorded in the table change logs. Changes to master and transaction data are logged in the change documents.<\/p>\n
The table changes are stored in table DBTABLOG and can be evaluated with transaction SCU3. The change documents are stored in the two tables CDHDR (who made a change when with which transaction) and CDPOS (on which table field was the change made and what was the field content before and after the change).<\/p>\n
To display only certain types of changes, you can filter by the change document object. For example, if you only want to display changes to vendor master data, filter by change document object KRED.<\/p>\n
However, to ensure the reliability of logging, it is necessary to make sure that it has been configured correctly and that no user has permissions to manipulate logging settings and entries.<\/p>","protected":false},"excerpt":{"rendered":"
SAP is a table-driven application. The contents of these tables are the starting point for forensic data analysis in the SAP system. In the following, some principles and tools of forensic data analysis will be presented.<\/p>","protected":false},"author":1274,"featured_media":15608,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"pmpro_default_level":"","footnotes":""},"categories":[21,7,18533],"tags":[750],"coauthors":[22303],"class_list":["post-30045","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-it-security","category-meinung","category-mag-1711","tag-spot","pmpro-has-access"],"acf":[],"featured_image_urls_v2":{"full":["https:\/\/e3mag.com\/wp-content\/uploads\/2017\/03\/It-Security.jpg",1000,431,false],"thumbnail":["https:\/\/e3mag.com\/wp-content\/uploads\/2017\/03\/It-Security-150x150.jpg",150,150,true],"medium":["https:\/\/e3mag.com\/wp-content\/uploads\/2017\/03\/It-Security.jpg",400,172,false],"medium_large":["https:\/\/e3mag.com\/wp-content\/uploads\/2017\/03\/It-Security-768x331.jpg",768,331,true],"large":["https:\/\/e3mag.com\/wp-content\/uploads\/2017\/03\/It-Security.jpg",1000,431,false],"image-100":["https:\/\/e3mag.com\/wp-content\/uploads\/2017\/03\/It-Security-100x43.jpg",100,43,true],"image-480":["https:\/\/e3mag.com\/wp-content\/uploads\/2017\/03\/It-Security-480x207.jpg",480,207,true],"image-640":["https:\/\/e3mag.com\/wp-content\/uploads\/2017\/03\/It-Security-640x276.jpg",640,276,true],"image-720":["https:\/\/e3mag.com\/wp-content\/uploads\/2017\/03\/It-Security-720x310.jpg",720,310,true],"image-960":["https:\/\/e3mag.com\/wp-content\/uploads\/2017\/03\/It-Security-960x414.jpg",960,414,true],"image-1168":["https:\/\/e3mag.com\/wp-content\/uploads\/2017\/03\/It-Security.jpg",1000,431,false],"image-1440":["https:\/\/e3mag.com\/wp-content\/uploads\/2017\/03\/It-Security.jpg",1000,431,false],"image-1920":["https:\/\/e3mag.com\/wp-content\/uploads\/2017\/03\/It-Security.jpg",1000,431,false],"1536x1536":["https:\/\/e3mag.com\/wp-content\/uploads\/2017\/03\/It-Security.jpg",1000,431,false],"2048x2048":["https:\/\/e3mag.com\/wp-content\/uploads\/2017\/03\/It-Security.jpg",1000,431,false],"trp-custom-language-flag":["https:\/\/e3mag.com\/wp-content\/uploads\/2017\/03\/It-Security.jpg",18,8,false],"bricks_large_16x9":["https:\/\/e3mag.com\/wp-content\/uploads\/2017\/03\/It-Security.jpg",1000,431,false],"bricks_large":["https:\/\/e3mag.com\/wp-content\/uploads\/2017\/03\/It-Security.jpg",1000,431,false],"bricks_large_square":["https:\/\/e3mag.com\/wp-content\/uploads\/2017\/03\/It-Security.jpg",1000,431,false],"bricks_medium":["https:\/\/e3mag.com\/wp-content\/uploads\/2017\/03\/It-Security.jpg",600,259,false],"bricks_medium_square":["https:\/\/e3mag.com\/wp-content\/uploads\/2017\/03\/It-Security.jpg",600,259,false],"profile_24":["https:\/\/e3mag.com\/wp-content\/uploads\/2017\/03\/It-Security-24x24.jpg",24,24,true],"profile_48":["https:\/\/e3mag.com\/wp-content\/uploads\/2017\/03\/It-Security-48x48.jpg",48,48,true],"profile_96":["https:\/\/e3mag.com\/wp-content\/uploads\/2017\/03\/It-Security-96x96.jpg",96,96,true],"profile_150":["https:\/\/e3mag.com\/wp-content\/uploads\/2017\/03\/It-Security-150x150.jpg",150,150,true],"profile_300":["https:\/\/e3mag.com\/wp-content\/uploads\/2017\/03\/It-Security-300x300.jpg",300,300,true]},"post_excerpt_stackable_v2":"
SAP ist eine tabellengesteuerte Applikation. Die Inhalte dieser Tabellen sind der Ausgangspunkt f\u00fcr forensische Datenanalysen im SAP-System. Im Folgenden sollen einige Grunds\u00e4tze und Tools der forensischen Datenanalyse vorgestellt werden.<\/p>\n","category_list_v2":"IT-Security Kolumne<\/a>, Die Meinung der SAP-Community<\/a>, MAG 17-11<\/a>","author_info_v2":{"name":"Marcus Herold, IBS Schreiber","url":"https:\/\/e3mag.com\/en\/author\/marcus-herold\/"},"comments_num_v2":"0 comments","_links":{"self":[{"href":"https:\/\/e3mag.com\/en\/wp-json\/wp\/v2\/posts\/30045","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/e3mag.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/e3mag.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/e3mag.com\/en\/wp-json\/wp\/v2\/users\/1274"}],"replies":[{"embeddable":true,"href":"https:\/\/e3mag.com\/en\/wp-json\/wp\/v2\/comments?post=30045"}],"version-history":[{"count":0,"href":"https:\/\/e3mag.com\/en\/wp-json\/wp\/v2\/posts\/30045\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/e3mag.com\/en\/wp-json\/wp\/v2\/media\/15608"}],"wp:attachment":[{"href":"https:\/\/e3mag.com\/en\/wp-json\/wp\/v2\/media?parent=30045"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/e3mag.com\/en\/wp-json\/wp\/v2\/categories?post=30045"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/e3mag.com\/en\/wp-json\/wp\/v2\/tags?post=30045"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/e3mag.com\/en\/wp-json\/wp\/v2\/coauthors?post=30045"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}