A forensic engineer determines that the root cause of a compromise is a SQL injection attack. Which of the following should the engineer review to identify the command used by the threat actor?

Metadata typically provides information about data such as its creation date, file size, and author, but it does not contain the actual content or commands executed within an application. In the context of a SQL injection attack, metadata would not reveal the specific SQL commands that were used by the threat actor.

System logs generally track system-level events, such as system errors, hardware failures, or service status changes. While these logs can provide some context about the overall system behavior during the attack, they do not specifically document the database commands executed by the application, which are key to understanding a SQL injection incident.

Netflow logs focus on network traffic analysis, capturing data about the flow of packets in and out of network devices. While they can provide insights into the volume and types of traffic associated with the attack, they do not record the actual SQL commands or queries that were executed by the threat actor within the application.