Three Tier Oracle Security in London ~ Paul M. Wright

ORACLE SECURITY AND COMPUTER FORENSICS


Archive for March, 2007

Using Oracle 10g database as a forensics tool

As well as carrying out forensic analysis of an Oracle database I am also interested in using an RDBMS as a tool in a forensics investigation. These two links are relevant to that subject.
http://computer.forensikblog.de/en/2006/05/ftk_2_0_will_be_based_on_oracle_database.html
http://www.accessdata.com/media/en_US/press/Press.Oracle_Partnership.en_us.pdf
The pdf above describes using Oracle 10g to handle and sort the data/evidence of many investigations conducted by many analysts with the [...]

Oracle Forensics In A Nutshell

I have written a short paper giving an overview of the essential basics of Oracle Forensics, which should be useful as an introductory crib sheet where time is in short supply. Feel free to let me know how best to update the paper. OracleForensicsInANutshell.pdf
This is a taster for the full version available from Rampant Techpress [...]

Oracle SAP legal battle

http://www.securityfocus.com/news/11453
The Metalink site is available to all licensed Oracle users and one cannot help but make a copy of a web page when one downloads it, BUT offering this on again as third-party support is questionable imo ... allegedly.
This case may be interesting from a forensics perspective because of the question of which geographic legal [...]

Action to SCN and SCN to time mapping

These two queries should be helpful, especially in the absence of a timestamp column. Two caveats when reading the output: ORA_ROWSCN is recorded per block unless the table was created with ROWDEPENDENCIES, which is why every row of SYS.USER$ below carries the same SCN; and SMON_SCN_TIME records one SCN roughly every five minutes, so the second query bounds a change to a time window rather than an instant.
SQL> select ora_rowscn, name from sys.user$;
ORA_ROWSCN NAME
---------- ------------------------------
5072905 SYS
5072905 PUBLIC
5072905 CONNECT
5072905 RESOURCE
5072905 DBA
5072905 SYSTEM
5072905 SELECT_CATALOG_ROLE
5072905 EXECUTE_CATALOG_ROLE
5072905 DELETE_CATALOG_ROLE
5072905 EXP_FULL_DATABASE
5072905 IMP_FULL_DATABASE
SQL> SELECT To_Char(TIME_DP,'dd/mm/yyyy hh24:mi:ss'), SCN_BAS FROM SYS.SMON_SCN_TIME;
30/04/2006 10:07:00 9637921
30/04/2006 10:01:53 9637140
30/04/2006 09:56:46 9636359
30/04/2006 09:51:39 9635645
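The following is an added example, not part of the original post, showing both directions of the mapping: first with the built-in SCN_TO_TIMESTAMP and TIMESTAMP_TO_SCN functions (Oracle 10g and later), then by hand against SYS.SMON_SCN_TIME, where SCN_BAS is only the low 32 bits of the SCN and must be combined with SCN_WRP. The table FORENSIC_DEMO is a hypothetical name chosen for the example; reading SYS.SMON_SCN_TIME normally needs a SYS/SYSDBA session.

```sql
-- Added example (not from the original post). FORENSIC_DEMO is hypothetical.
-- ROWDEPENDENCIES stores an SCN per row instead of per block, so ORA_ROWSCN
-- identifies the change to *this* row rather than the last change to its block.
CREATE TABLE forensic_demo (id NUMBER, val VARCHAR2(20)) ROWDEPENDENCIES;

INSERT INTO forensic_demo VALUES (1, 'first');
COMMIT;
INSERT INTO forensic_demo VALUES (2, 'second');
COMMIT;
UPDATE forensic_demo SET val = 'changed' WHERE id = 1;
COMMIT;

-- 1. Built-in mapping. Precision is about 3 seconds, and it only works for
--    SCNs still covered by SMON_SCN_TIME (about five days on a default 10g
--    install); older SCNs raise ORA-08181.
SELECT id, val, ora_rowscn,
       SCN_TO_TIMESTAMP(ora_rowscn) AS changed_at
FROM   forensic_demo
ORDER  BY ora_rowscn;

-- 2. The same mapping done by hand. Each SMON_SCN_TIME row marks the start
--    of a roughly five-minute window, so this returns the window in which
--    the row's SCN falls. SCN_WRP * 2^32 + SCN_BAS is the full SCN.
SELECT d.id, d.ora_rowscn,
       TO_CHAR(t.time_dp, 'dd/mm/yyyy hh24:mi:ss') AS window_start
FROM   forensic_demo d,
       (SELECT time_dp,
               scn_wrp * POWER(2, 32) + scn_bas AS scn_start,
               LEAD(scn_wrp * POWER(2, 32) + scn_bas)
                 OVER (ORDER BY scn_wrp, scn_bas) AS scn_next
        FROM   sys.smon_scn_time) t
WHERE  d.ora_rowscn >= t.scn_start
AND    d.ora_rowscn <  NVL(t.scn_next, d.ora_rowscn + 1);

-- 3. The reverse direction: the SCN current ten minutes ago, useful as an
--    upper or lower bound when searching redo, undo or the audit trail.
SELECT TIMESTAMP_TO_SCN(SYSTIMESTAMP - INTERVAL '10' MINUTE) AS scn_then
FROM   dual;
```

Query 2 is the one to reach for when SCN_TO_TIMESTAMP is unavailable or when the analyst wants to see the raw window boundaries rather than an interpolated timestamp.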

dbf records previous state of each row

This is QI IMO.

SQL> CONN SCOTT/TIGER
Connected.
SQL> CREATE TABLE TEST(INPUT VARCHAR2(20));
Table created.
SQL> INSERT INTO TEST VALUES('FIRSTROW');
1 row created.
SQL> SELECT * FROM TEST;
INPUT
--------------------
FIRSTROW

SQL> UPDATE TEST SET INPUT='FIRSTROWUPATED' WHERE INPUT='FIRSTROW';
1 row updated.
SQL> SELECT * FROM TEST;
INPUT
--------------------
FIRSTROWUPATED
Wait about 5 minutes for the block to be written to disk and the row is updated in the datafile with the new value AND the old value is still kept.

The DBF file [...]
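As an added example, not from the original post, the block below locates the datafile and block number that hold the SCOTT.TEST row, forces a checkpoint so the dirty block is written to disk instead of waiting for the next periodic checkpoint, and dumps that block to a trace file so the bytes physically on disk can be inspected. It assumes a SYSDBA session (for ALTER SYSTEM) and the SCOTT.TEST names from the session above; the 10g trace file lands in user_dump_dest.

```sql
-- Added example (not from the original post); assumes SYSDBA and SCOTT.TEST.

-- Where does the updated row physically live? DBMS_ROWID decodes the ROWID
-- into an absolute file number and a block number within that file.
SELECT input,
       DBMS_ROWID.ROWID_TO_ABSOLUTE_FNO(rowid, 'SCOTT', 'TEST') AS file_no,
       DBMS_ROWID.ROWID_BLOCK_NUMBER(rowid)                     AS block_no
FROM   scott.test;

-- Map the file number to the datafile path on disk (the .dbf to examine).
SELECT d.file#, d.name
FROM   v$datafile d
WHERE  d.file# IN (SELECT DBMS_ROWID.ROWID_TO_ABSOLUTE_FNO(rowid, 'SCOTT', 'TEST')
                   FROM   scott.test);

-- Checkpoint so DBWR writes the block now, then dump that one block.
-- The trace file written to user_dump_dest contains a formatted view of the
-- row data plus a hex dump of the whole block, which is where leftover
-- bytes from earlier row versions can be looked for.
DECLARE
  v_fno   NUMBER;
  v_block NUMBER;
BEGIN
  SELECT DBMS_ROWID.ROWID_TO_ABSOLUTE_FNO(rowid, 'SCOTT', 'TEST'),
         DBMS_ROWID.ROWID_BLOCK_NUMBER(rowid)
  INTO   v_fno, v_block
  FROM   scott.test
  WHERE  input = 'FIRSTROWUPATED';

  EXECUTE IMMEDIATE 'ALTER SYSTEM CHECKPOINT';
  EXECUTE IMMEDIATE 'ALTER SYSTEM DUMP DATAFILE ' || v_fno ||
                    ' BLOCK ' || v_block;
END;
/

-- Directory holding the trace file just produced.
SELECT value FROM v$parameter WHERE name = 'user_dump_dest';

-- For contrast: the supported way to see the prior row state reads undo,
-- not the datafile, and disappears once undo is overwritten.
SELECT * FROM scott.test AS OF TIMESTAMP (SYSTIMESTAMP - INTERVAL '10' MINUTE);
```

Take the dump before any further DML against the table, and work from a copy of the datafile where possible; every later write to that block may overwrite the remnants the post describes.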

Searching extended audit using case insensitive search

An IDS-evading attack (mixed case defeats a case-sensitive signature on the column name, and the CHR() concatenation hides the literal 'SYS'):
SQL> SELECT paSsWOrd, username from DBA_USERS where username = (chr(83)|| chr(89)||chr(83));
PASSWORD                       USERNAME
------------------------------ ------------------------------
0C15939594CE60D2               SYS
DB,EXTENDED audit will record the text of the attack in the extra column called SQLTEXT, which is a CLOB.
This is a query that can be used to search it in a case-insensitive manner.
select auditid, sqltext from sys.aud$ [...]
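The following added example (my own, not the post's truncated query) searches the DB,EXTENDED trail for the obfuscated statement above in a way that does not depend on case or on the literal 'SYS'. UPPER() and REGEXP_LIKE accept CLOB arguments in 10g, so SQLTEXT can be searched directly without DBMS_LOB. It assumes SELECT on SYS.AUD$ (or DBA_AUDIT_TRAIL, used in the last query for its TIMESTAMP column) and that auditing was configured as shown in the commented prerequisites.

```sql
-- Added example (not from the original post).
-- Prerequisites, run as SYS and followed by a restart for the first one:
--   ALTER SYSTEM SET audit_trail=DB,EXTENDED SCOPE=SPFILE;
--   AUDIT SELECT TABLE BY ACCESS;

-- 1. Case-insensitive search for reads of the password hash column. This
--    catches paSsWOrd, PASSWORD, password and any other casing.
SELECT auditid, userid, sqltext
FROM   sys.aud$
WHERE  UPPER(sqltext) LIKE '%PASSWORD%'
AND    UPPER(sqltext) LIKE '%DBA_USERS%';

-- 2. Catch the CHR() encoding trick itself, regardless of case or spacing:
--    a CHR( call in a statement that touches DBA_USERS or SYS.USER$. A plain
--    string match on 'SYS' would miss this, which is the point of the attack.
SELECT auditid, userid, sqltext
FROM   sys.aud$
WHERE  REGEXP_LIKE(sqltext, 'chr[[:space:]]*\(', 'i')
AND    REGEXP_LIKE(sqltext, 'dba_users|user\$', 'i');

-- 3. Same search through the documented view, which adds who and when, and
--    also covers the case where the value arrived as a bind variable.
SELECT username, timestamp, sql_text, sql_bind
FROM   dba_audit_trail
WHERE  REGEXP_LIKE(sql_text, 'chr[[:space:]]*\(', 'i')
   OR  REGEXP_LIKE(sql_bind, 'chr[[:space:]]*\(', 'i')
ORDER  BY timestamp;
```

The regular expression form is the one to keep in a scheduled check: it is case-insensitive by flag rather than by UPPER() on every row, and a single pattern covers whitespace and casing variants that a list of literal strings would not.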

MD5 and SHA1 for high security checksums

The checksum process can be done using the MD5 algorithm. For high-security purposes it is preferable to check integrity using both MD5 and SHA1, because collisions in MD5 allow two files with differing content to have the same checksum; an attacker who engineers an MD5 collision still has to match the SHA1, and no known technique produces a file that collides under both at once. SHA1 has published theoretical weaknesses of its own, so the pairing is a hedge rather than a guarantee. http://www.doxpara.com/md5_someday.pdf
Also by using a tool called stripwire http://www.doxpara.com/stripwire-1.1.tar.gz it is [...]
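The block below is an added example, not from the original post, applying the dual-digest idea inside the database: it hashes the stored PL/SQL source of SYS package bodies with both MD5 and SHA1 via DBMS_CRYPTO (10g and later; EXECUTE on DBMS_CRYPTO must be granted by SYS) and keeps the results so a later run can flag any object whose code changed. CODE_BASELINE is a hypothetical table name chosen for the example.

```sql
-- Added example (not from the original post). CODE_BASELINE is hypothetical.
CREATE TABLE code_baseline (
  owner     VARCHAR2(30),
  name      VARCHAR2(30),
  type      VARCHAR2(12),
  md5_hex   VARCHAR2(32),
  sha1_hex  VARCHAR2(40),
  taken_at  TIMESTAMP DEFAULT SYSTIMESTAMP
);

DECLARE
  v_src  CLOB;
  v_md5  RAW(16);   -- MD5 digest is 16 bytes
  v_sha1 RAW(20);   -- SHA1 digest is 20 bytes
BEGIN
  FOR o IN (SELECT DISTINCT owner, name, type
            FROM   dba_source
            WHERE  owner = 'SYS' AND type = 'PACKAGE BODY')
  LOOP
    -- Rebuild the object's source, in line order, as one CLOB so that both
    -- digests are computed over exactly the same bytes.
    DBMS_LOB.CREATETEMPORARY(v_src, TRUE);
    FOR l IN (SELECT text
              FROM   dba_source
              WHERE  owner = o.owner AND name = o.name AND type = o.type
              ORDER  BY line)
    LOOP
      IF l.text IS NOT NULL THEN
        DBMS_LOB.WRITEAPPEND(v_src, LENGTH(l.text), l.text);
      END IF;
    END LOOP;

    v_md5  := DBMS_CRYPTO.HASH(v_src, DBMS_CRYPTO.HASH_MD5);
    v_sha1 := DBMS_CRYPTO.HASH(v_src, DBMS_CRYPTO.HASH_SH1);

    INSERT INTO code_baseline (owner, name, type, md5_hex, sha1_hex)
    VALUES (o.owner, o.name, o.type, RAWTOHEX(v_md5), RAWTOHEX(v_sha1));

    DBMS_LOB.FREETEMPORARY(v_src);
  END LOOP;
  COMMIT;
END;
/

-- Run the block again later, then report every object where either digest
-- differs between an earlier and a later snapshot. One mismatch is enough:
-- an MD5 collision would leave the MD5 equal but not the SHA1.
SELECT a.owner, a.name, a.type, a.taken_at AS earlier, b.taken_at AS later
FROM   code_baseline a, code_baseline b
WHERE  a.owner = b.owner AND a.name = b.name AND a.type = b.type
AND    a.taken_at < b.taken_at
AND   (a.md5_hex <> b.md5_hex OR a.sha1_hex <> b.sha1_hex);
```

Keep the baseline table (or an export of it) off the database host as well; a baseline that lives only inside the database it is meant to check can be rewritten by the same attacker who altered the code.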

Auditing using DB EXTENDED

DB,EXTENDED populates two extra columns in the SYS.AUD$ table, SQLTEXT and SQLBIND, which plain DB auditing leaves empty:
SQLBIND [...]

Central SYSLOG host for Oracle

10gR2 can write its audit trail to SYSLOG, which means central loghost tools can now be used to collect Oracle audit records. The forensic value is that each record leaves the database host as it is written, so once it has been forwarded a DBA, even one connecting as SYS, cannot delete it the way rows in SYS.AUD$ can be deleted. The trade-off is that the OS/syslog trail does not carry the SQLTEXT and SQLBIND values of DB,EXTENDED; if both are needed, keep DB,EXTENDED locally and forward the syslog copy as the tamper-resistant record. Setting AUDIT_SYS_OPERATIONS=TRUE sends SYSDBA actions down the same channel. AUDIT_SYSLOG_LEVEL takes a facility.priority pair, so the matching facility and priority (here user.alert) must be forwarded to the loghost in the database host's own syslog configuration.
SQL> ALTER SYSTEM SET audit_trail=OS SCOPE=SPFILE;
System altered.

SQL> ALTER SYSTEM SET audit_syslog_level='USER.ALERT' SCOPE=SPFILE;
System altered.

SQL> SHUTDOWN IMMEDIATE
SQL> STARTUP
A good syslogd for the loghost is minirsyslogd at the URL below:
http://bent.latency.net/bent/darcs/minirsyslogd-1.02/src/minirsyslogd-1.02.tar.gz

Recovery at OS level to recover DB files

This is an interesting paper on using OS-level file recovery to recover datafiles in Postgres, which could theoretically work on Oracle as well.
http://www-edlab.cs.umass.edu/cs691i/files/DBforensics.pdf
I will post here when I have tried this process out on Oracle.