Forensic ABAP Analysis: Uncovering Hidden Changes in SAP

A structured approach to forensic ABAP analysis—tracking changes, identifying anomalies, and ensuring compliance in SAP systems.

In SAP environments, understanding how and why code changes occur is critical for compliance, security, and system integrity. Forensic ABAP analysis is the process of tracing changes, detecting anomalies, and ensuring that modifications align with business and regulatory requirements.

This post explores the importance of forensic analysis, the key methodologies, and the tools available to uncover hidden changes in SAP systems.


Why Forensic ABAP Analysis Matters

  • Compliance & Auditing – Ensuring changes adhere to internal policies and external regulations.
  • Security Investigations – Identifying unauthorized modifications that could introduce vulnerabilities.
  • Change Tracking – Understanding when, why, and by whom critical objects were modified.
  • Performance & Stability – Detecting unintended changes that may impact system behavior.

Key Steps in Forensic ABAP Analysis

1. Identifying Target Objects

Before diving into analysis, define the scope by identifying key objects that require review, such as:

  • Programs (Reports, Function Modules, Classes)
  • Dictionary Objects (Tables, Structures, Data Elements)
  • Enhancements (User Exits, BAdIs, Implicit Enhancements)
  • Custom Development (Z-namespace or customer-specific objects)

2. Reviewing Change History

Analyze version history and transport requests to track modifications:

  • Object Versions – Compare previous versions of an object to detect functional differences.
  • Transport Analysis – Investigate how and when objects were transported between systems.
  • User Activity Logs – Determine who made changes and whether they were authorized.

3. Detecting Anomalies & Unauthorized Changes

Look for irregularities such as:

  • Missing or bypassed transport requests
  • Changes made directly in production without documentation
  • Duplicate or shadow developments with unclear ownership

4. Code & Structural Analysis

Use automated tools to scan for issues:

  • Static Code Analysis – Identify hardcoded values, inefficient logic, or security risks.
  • Custom Code Review – Check for redundant or duplicated logic across objects.
  • Cross-System Comparison – Ensure consistency between development, test, and production environments.

5. Command-Line Forensic Analysis in Linux

For SAP or other systems with code stored in local repositories or accessed via mounted file shares, command-line tools can be leveraged for deeper forensic analysis. While some situations will require much more complex queries, here are some simple examples:

  • Searching for Key Terms in ABAP Code
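    Use grep to quickly locate specific keywords, such as function calls or table references. The -F flag makes grep treat the pattern as a literal string, so the * is not read as a regex quantifier, and -i covers ABAP's case-insensitive keywords:

    grep -rFi "SELECT * FROM" /path/to/abap/source/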
    

    Or, to find where a specific transport request number appears:

    grep -r "DEVK900123" /path/to/transports/
    
  • Comparing Code Versions
    To analyze differences between two versions of an ABAP source file:

    diff -u old_version.abap new_version.abap
    

    For directory-wide comparisons (e.g., between development and production versions):

    diff -rq /path/to/dev/ /path/to/prod/
    
  • Detecting Duplicate or Similar Code
    Use awk to extract function definitions or select statements for comparison:

    awk '/^FORM /,/^ENDFORM\./' *.abap | sort | uniq -c | sort -nr
    

    Or detect copied blocks of code with simian:

    java -jar simian-2.3.33.jar -includes=*.abap
    
  • Tracking File Changes Over Time
    If ABAP files are stored in a Git or file-based repository, use:

    git log -p -- abap_program.abap
    

    For non-Git environments, track file modifications with:

    find /path/to/abap/source/ -type f -printf "%TY-%Tm-%Td %p\n" | sort
    

These tools enable quick pattern detection, history tracking, and comparative analysis to uncover unauthorized changes, inconsistencies, or potential security risks.
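
As an added example (not code from the original post), the script below goes one step beyond diff -rq: it classifies every file in two exported source trees as IDENTICAL, COSMETIC (only comments or indentation differ), CHANGED, PROD_ONLY or DEV_ONLY. The dev/prod directory layout, the function names and the sample objects are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: triage drift between two exported ABAP source trees.

# Hash the source with full-line (*) comments, trailing " comments,
# indentation and blank lines removed. Heuristic: a " is treated as a
# comment start only when no ' follows it on the line, so string
# literals are never truncated (unmatched cases stay visible as CHANGED).
norm_hash() {
    sed -e '/^\*/d' -e "s/\"[^']*\$//" \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1" |
        sha256sum | cut -d' ' -f1
}

raw_hash() { sha256sum < "$1" | cut -d' ' -f1; }

# classify_drift DEV_DIR PROD_DIR -> one "STATUS<TAB>relative/path" per file
classify_drift() {
    dev=$1; prod=$2
    { (cd "$dev" && find . -type f -name '*.abap')
      (cd "$prod" && find . -type f -name '*.abap'); } | sort -u |
    while IFS= read -r rel; do
        rel=${rel#./}
        if   [ ! -f "$dev/$rel" ];  then status=PROD_ONLY
        elif [ ! -f "$prod/$rel" ]; then status=DEV_ONLY
        elif [ "$(raw_hash "$dev/$rel")" = "$(raw_hash "$prod/$rel")" ]; then
            status=IDENTICAL
        elif [ "$(norm_hash "$dev/$rel")" = "$(norm_hash "$prod/$rel")" ]; then
            status=COSMETIC
        else
            status=CHANGED
        fi
        printf '%s\t%s\n' "$status" "$rel"
    done
}

# Constructed sample trees (hypothetical objects, not real SAP exports).
make_sample() {
    mkdir -p "$1/dev" "$1/prod"
    printf 'REPORT zreport_a.\nWRITE 1.\n' |
        tee "$1/dev/zreport_a.abap" > "$1/prod/zreport_a.abap"
    printf 'REPORT zreport_b.\n  WRITE 2.\n' > "$1/dev/zreport_b.abap"
    printf '* reviewed\nREPORT zreport_b.\nWRITE 2. "ok\n' > "$1/prod/zreport_b.abap"
    printf 'IF lv_amount > 1000.\n' > "$1/dev/zreport_c.abap"
    printf 'IF lv_amount > 100000.\n' > "$1/prod/zreport_c.abap"
    printf 'REPORT zshadow_d.\n' > "$1/prod/zshadow_d.abap"
}

sample=$(mktemp -d) && make_sample "$sample"
classify_drift "$sample/dev" "$sample/prod"
rm -rf "$sample"
```

CHANGED and PROD_ONLY entries are the ones to reconcile against transport requests and version history; COSMETIC entries can usually be reviewed last.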

6. Reporting & Documentation

Compile findings into structured reports to support business decisions and compliance efforts:

  • Summary of key findings and potential risks
  • Recommended actions for cleanup, rollback, or improvement
  • Documentation of impacted business processes

Tools & Technologies for Forensic ABAP Analysis

A variety of tools can assist in forensic investigations, including:

Tool          | Purpose
SE80 / SE38   | Reviewing object versions and comparisons
SCI / ATC     | Static code inspection and performance checks
STMS          | Transport tracking and system-wide change history
SE03          | Transport Organizer Tools for detailed analysis
STAD / SM20   | User activity and system logs
abapGit       | Version control for ABAP developments
grep / diff   | Command-line code search and comparison
find          | Tracking modified ABAP source files

A locally-installed large language model (LLM) can also enhance forensic ABAP analysis. By analyzing code at scale, the LLM can identify patterns and potential vulnerabilities, including inefficient database queries, poorly optimized logic, and unauthorized changes. It can detect anomalies, flag risky code, and provide insight into undocumented changes. This AI-driven approach can be generalized for other languages, offering a scalable solution for uncovering hidden changes, ensuring compliance, and identifying security risks.

Final Thoughts

Forensic ABAP analysis is an essential process for maintaining transparency, compliance, and security in SAP systems. By leveraging the right tools and methodologies, organizations can uncover hidden changes, ensure accountability, and maintain system integrity.

At Metrics.Consulting, we specialize in helping businesses analyze and secure their SAP landscapes. If you’re looking for expert guidance, contact us today to find out how we can help you with your forensic ABAP or other technology consulting needs.