Three Tier Oracle Security in London ~ Paul M. Wright

(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)


Archive for March, 2007

Using Oracle 10g database as a forensics tool

As well as carrying out a forensics analysis of an Oracle database I am also interested in using an RDBMS as a tool in a forensics investigation. These two links are relevant to that subject:
http://computer.forensikblog.de/en/2006/05/ftk_2_0_will_be_based_on_oracle_database.html
http://www.accessdata.com/media/en_US/press/Press.Oracle_Partnership.en_us.pdf
The pdf above describes using Oracle 10g to handle and sort the data/evidence of many investigations conducted by many [...]

Oracle Forensics In A Nutshell

I have written a short paper to give an overview of the essential basics of Oracle Forensics, which will be useful as an introductory crib sheet where time is in short supply. Feel free to let me know how best to update the paper.
OracleForensicsInANutshell.pdf
This is a taster for the full version available from Rampant [...]

Oracle SAP legal battle

http://www.securityfocus.com/news/11453
The metalink site is available to all licensed Oracle users, and one cannot help but make a copy of a web page when one downloads it, BUT offering this on again as third-party support is questionable imo ..allegedly. This case may be interesting from a forensics perspective because of the question of which geographic [...]

Action to SCN and SCN to time mapping

These two queries should be helpful, especially in the absence of a timestamp column:

SQL> select ora_rowscn, name from sys.user$;

ORA_ROWSCN NAME
---------- ------------------------------
   5072905 SYS
   5072905 PUBLIC
   5072905 CONNECT
   5072905 RESOURCE
   5072905 DBA
   5072905 SYSTEM
   5072905 SELECT_CATALOG_ROLE
   5072905 EXECUTE_CATALOG_ROLE
   5072905 DELETE_CATALOG_ROLE
   5072905 EXP_FULL_DATABASE
   5072905 IMP_FULL_DATABASE

SELECT To_Char(TIME_DP,'dd/mm/yyyy hh24:mi:ss'), SCN_BAS FROM SYS.SMON_SCN_TIME;

30/04/2006 10:07:00 9637921 [...]

dbf records previous state of each row

This is QI IMO.

SQL> CONN SCOTT/TIGER
Connected.
SQL> CREATE TABLE TEST(INPUT VARCHAR2(20));
Table created.
SQL> INSERT INTO TEST VALUES('FIRSTROW');
1 row created.
SQL> SELECT * FROM TEST;

INPUT
--------------------
FIRSTROW

SQL> UPDATE TEST SET INPUT='FIRSTROWUPATED' WHERE INPUT='FIRSTROW';
1 row updated.
SQL> SELECT * FROM TEST;

INPUT
--------------------
FIRSTROWUPATED

Wait 5 minutes and the row [...]

Searching extended audit using case insensitive search

An IDS evading attack:

SQL> SELECT paSsWOrd, username from DBA_USERS where username = (chr(83)||chr(89)||chr(83));

PASSWORD                       USERNAME
------------------------------ ------------------------------
0C15939594CE60D2               SYS

DB Extended audit will record the text of the attack in the extra column called SQLTEXT, which is a CLOB. This is a query that can be used to search it in a case [...]
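One way to run such a search, as an added example that is not from the original post: it uses REGEXP_LIKE with the 'i' (case-insensitive) flag directly against the SQLTEXT CLOB in SYS.AUD$ and assumes AUDIT_TRAIL=DB_EXTENDED is in effect; the USERID, USERHOST and NTIMESTAMP# column names and the two search patterns are assumptions chosen for illustration.

```sql
-- Added example, not from the original post.  Search DB EXTENDED audit
-- records for the kind of obfuscation shown above: CHR() concatenation
-- and mixed-case references to DBA_USERS password data.  Assumes
-- AUDIT_TRAIL=DB_EXTENDED; the USERID/USERHOST/NTIMESTAMP# column names
-- and the patterns are assumptions chosen for illustration.
SELECT a.userid,
       a.userhost,
       a.ntimestamp#,
       -- first 200 characters of the statement are enough for triage
       DBMS_LOB.SUBSTR(a.sqltext, 200, 1) AS stmt_head
  FROM sys.aud$ a
 WHERE a.sqltext IS NOT NULL
       -- 'i' makes the match case-insensitive, so SeLeCt / paSsWOrd
       -- variants are caught; 'n' lets '.' span line breaks
   AND ( REGEXP_LIKE(a.sqltext, 'chr[[:space:]]*\(', 'in')
      OR REGEXP_LIKE(a.sqltext, 'dba_users.*password|password.*dba_users', 'in') )
 ORDER BY a.ntimestamp#;
```

Legitimate administrative tooling may also use CHR() or read DBA_USERS, so compare hits against the normal baseline for that USERID and USERHOST before treating them as incidents.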

MD5 and SHA1 for high security checksums

The checksum process can be done using the MD5 algorithm. For high security purposes it is preferable to check integrity using both MD5 and SHA1, because collisions in MD5 allow two files with differing content to have the same checksum.
http://www.doxpara.com/md5_someday.pdf
Also, by using a tool called stripwire
http://www.doxpara.com/stripwire-1.1.tar.gz
it [...]

Auditing using DB EXTENDED

DB EXTENDED adds two extra columns to the SYS.AUD$ table, SQLBIND and SQLTEXT:

SQLBIND CLOB
SQLTEXT CLOB

SQLTEXT is the actual text that the user typed in. This could be very useful to trace back unauthorised access. One problem is that because the audit trail is stored in the database, an attacker could easily [...]

Central SYSLOG host for Oracle

10gR2 logging to SYSLOG means that central loghost tools can now be used to collect Oracle audit records:

SQL> ALTER SYSTEM SET audit_trail=OS SCOPE=SPFILE;
SQL> ALTER SYSTEM SET audit_syslog_level='USER.ALERT' SCOPE=SPFILE;
System altered.
SQL> SHUTDOWN IMMEDIATE
SQL> startup

A good syslogd is minirsyslogd, at the URL below:
http://bent.latency.net/bent/darcs/minirsyslogd-1.02/src/minirsyslogd-1.02.tar.gz

Recovery at OS level to recover DB files

This is an interesting paper on using OS level file recovery to recover datafiles in Postgres, and it could theoretically work on Oracle as well.
http://www-edlab.cs.umass.edu/cs691i/files/DBforensics.pdf
I will post here when I have tried this process out on Oracle.