  • Thesis

Forensic Analysis of SQL Injection Attacks

Web Forensic: Evidence of SQL Injection Attack Analysis

Advisor: Dr. 曾俊元

Abstract (translated from Chinese)


In the Web 2.0 era, attacks in which an intruder reads database contents without authorization are widespread. According to an OWASP survey, SQL injection attacks (SQLIA) rank first among web attacks. An SQLIA inserts SQL metacharacters and commands that change the content of the original SQL query so that a malicious query is executed against the database. Because an SQLIA carries no obvious malicious signature, it is hard to detect. Forensic analysis of web attacks therefore plays an important role in finding evidence of an attacker's actions against the database. Previously proposed web attack analysis methods are limited to general statistical analysis, relying only on syntax parsing or simple signature matching, and their results are not significant. We therefore propose a method for analysing and classifying SQLIAs. First, the collected URL requests are decoded; next, they are matched against the rule set provided by PHPIDS; finally, each SQLIA is classified by computing its distance to the centre of each attack cluster. To find the characteristic patterns of SQLIAs, the SQL keywords in each URL request are used as feature values and analysed and clustered with the K-means method.

Abstract (English)


In the Web 2.0 era, web attacks have become a common way for intruders to exploit a system and access it without authorization. According to the OWASP (Open Web Application Security Project) survey, SQL injection attack (SQLIA) is placed first in the OWASP 2013 Top 10 list of threats faced by web applications. An SQLIA is a technique of inserting SQL metacharacters and commands into web-based input fields so as to change the meaning of the original SQL query and cause a malicious query to be executed, giving unauthorized access to the database. An SQLIA is hard to detect with a conventional firewall or antivirus product because it consists only of one or more metacharacters and keywords that are legitimate in other contexts, so it carries no malicious payload of its own. Forensic analysis is therefore performed to find the evidence of the attack, and it plays an important role in reaching a conclusion on an incident, whether to prove or disprove an intruder's guilt. Previous research has performed such analysis in three ways: simple statistical analysis, parsing-based matching, and simple signature matching. In this thesis a method is proposed that decodes each URL attack request, analyses it against the rule set provided by PHPIDS, and then clusters the attacks by computing the distance from each request to every cluster centroid and assigning the request to the cluster with the nearest centroid. To find the pattern of an SQL injection for clustering, the SQL keywords in the URL request are extracted as a token set, and the token sets are analysed with the K-means method to find the centroids used to cluster the attacks.
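The pipeline both abstracts describe (decode the URL request, gate on a rule set, extract SQL keyword counts as features, K-means the suspicious requests, classify a new request by its nearest centroid), as an added Python example that is not part of the thesis and not PHPIDS code. The request lines are constructed, the five regexes are hand-written stand-ins for the PHPIDS filter set, and the keyword list, the deterministic farthest-point seeding of K-means, and the habit of labelling each cluster with the rule its members hit most often are all choices made here, not the thesis's.

```python
"""Decode -> rule gate -> SQL keyword features -> K-means -> nearest-centroid classification."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed request URIs standing in for access-log entries (not real traffic).
# The last two are benign and should be dropped by the rule gate.
SAMPLE_REQUESTS = [
    "/product.php?id=1%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20users%20WHERE%201%3D1--",
    "/product.php?id=2%27%20UNION%20ALL%20SELECT%201%2C2%2C3%20FROM%20information_schema.tables--",
    "/login.php?user=admin%27%20OR%20%271%27%3D%271&pass=x",
    "/login.php?user=x%27%20OR%20%27x%27%3D%27x%27%20LIMIT%201--&pass=x",
    "/item.php?id=5%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27--",
    "/item.php?id=5%27%20AND%20SLEEP%285%29--",
    "/item.php?id=5%2527%2520AND%2520BENCHMARK%25281000000%252CMD5%25281%2529%2529--",  # double-encoded
    "/product.php?id=7",
    "/search.php?q=union+jack+flag",
]

# Hand-written stand-ins for PHPIDS filters; the real PHPIDS rule set is not reproduced here.
RULES = {
    "union_select": re.compile(r"union\s+(all\s+)?select", re.I),
    "tautology": re.compile(r"\b(or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\(|waitfor\s+delay", re.I),
    "stacked_query": re.compile(r";\s*(waitfor|select|insert|update|delete|drop)\b", re.I),
    "schema_probe": re.compile(r"\binformation_schema\b", re.I),
}

# Feature vector = count of each SQL keyword, then count of each metacharacter (our choice of list).
KEYWORDS = ["select", "union", "from", "where", "or", "and", "sleep", "benchmark",
            "waitfor", "insert", "update", "delete", "drop", "information_schema"]
METACHARS = ["'", "--", ";"]


def decode_request(raw, max_rounds=3):
    """Percent-decode repeatedly until the text stops changing, so a double-encoded
    payload (%2527 -> %27 -> ') is seen the way the database saw it."""
    current = raw
    for _ in range(max_rounds):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current


def match_rules(decoded):
    """Names of every rule that fires on the decoded request (the PHPIDS-style gate)."""
    return [name for name, rx in RULES.items() if rx.search(decoded)]


def feature_vector(decoded):
    """Whole-word keyword counts followed by raw metacharacter counts."""
    text = decoded.lower()
    counts = [len(re.findall(r"\b%s\b" % re.escape(k), text)) for k in KEYWORDS]
    return counts + [text.count(m) for m in METACHARS]


def sq_dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def mean_vector(vectors):
    return [sum(col) / len(vectors) for col in zip(*vectors)]


def kmeans(vectors, k, max_iter=100):
    """Lloyd's algorithm. Seeds are chosen by farthest-point traversal from the first
    vector so the result is deterministic (K-means itself is seed-dependent)."""
    k = min(k, len(vectors))
    centroids = [list(vectors[0])]
    while len(centroids) < k:
        far = max(vectors, key=lambda v: min(sq_dist(v, c) for c in centroids))
        centroids.append(list(far))
    assignment = None
    for _ in range(max_iter):
        new_assignment = [min(range(k), key=lambda j: sq_dist(v, centroids[j])) for v in vectors]
        if new_assignment == assignment:
            break
        assignment = new_assignment
        for j in range(k):
            members = [v for v, a in zip(vectors, assignment) if a == j]
            if members:
                centroids[j] = mean_vector(members)
    return centroids, assignment


def build_model(raw_requests, k=3):
    """Decode every request, keep only those that hit a rule, vectorise and cluster them.
    Each cluster is labelled with the rule its members hit most often (a reading aid,
    not part of the thesis's method)."""
    suspicious = []
    for raw in raw_requests:
        decoded = decode_request(raw)
        hits = match_rules(decoded)
        if hits:
            suspicious.append((raw, hits, feature_vector(decoded)))
    centroids, assignment = kmeans([s[2] for s in suspicious], k)
    labels = []
    for j in range(len(centroids)):
        tally = Counter(h for s, a in zip(suspicious, assignment) if a == j for h in s[1])
        labels.append(tally.most_common(1)[0][0] if tally else "cluster%d" % j)
    return {"centroids": centroids, "labels": labels,
            "members": [(s[0], labels[a]) for s, a in zip(suspicious, assignment)]}


def classify(model, raw):
    """Nearest-centroid classification of one new request; None if no rule fires."""
    decoded = decode_request(raw)
    if not match_rules(decoded):
        return None
    v = feature_vector(decoded)
    best = min(range(len(model["centroids"])), key=lambda j: sq_dist(v, model["centroids"][j]))
    return model["labels"][best]


if __name__ == "__main__":
    m = build_model(SAMPLE_REQUESTS)
    for raw, label in m["members"]:
        print(label.ljust(13), decode_request(raw))
    print(classify(m, "/item.php?id=9%27%20AND%20SLEEP%2810%29--"))
```

Two things a practitioner should keep in mind when reading the thesis's results through this lens: the rule gate is where the false negatives come from, since a request PHPIDS does not flag never reaches the clusterer at all; and repeated decoding is a deliberate forensic choice that would mis-read a literal `%2B` in benign traffic as a space, so the decoded form is evidence of what the database may have seen, not of what the client literally sent.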

