Three Tier Oracle Security in London ~ Paul M. Wright

As well as carrying out a forensics analysis of an Oracle database I am also interested in using an RDBMS as a tool in a forensics investigation. This link is relevant to that subject. http://computer.forensikblog.de/en/2006/05/ftk_2_0_will_be_based_on_oracle_database.html http://www.accessdata.com/media/en_US/press/Press.Oracle_Partnership.en_us.pdf The pdf above describes using Oracle 10g to handle and sort the data/evidence of many investigations conducted by many [...]

March 29th, 2007 | Category: Uncategorized | Leave a comment

I have written a short paper to give an overview of the essential basics of Oracle Forensics which will be useful as an introductory crib sheet where time in short supply. Feel free to let me know how best to update the paper. OracleForensicsInANutshell.pdf This is a taster for the full version available from Rampant [...]

March 25th, 2007 | Category: Uncategorized | Leave a comment

http://www.securityfocus.com/news/11453 The metalink site is available to all licensed Oracle users and one cannot help but make a copy of a web page when one downloads it BUT offering this on again as third party support is questionable imo ..allegedly. This case maybe interesting from a forensics perspective because of the question of which geographic [...]

March 23rd, 2007 | Category: Uncategorized | Leave a comment

These two queries should be helpful especially in the absence of a timestamp column: SQL> select ora_rowscn, name from sys.user$; ORA_ROWSCN NAME ———- —————————— 5072905 SYS 5072905 PUBLIC 5072905 CONNECT 5072905 RESOURCE 5072905 DBA 5072905 SYSTEM 5072905 SELECT_CATALOG_ROLE 5072905 EXECUTE_CATALOG_ROLE 5072905 DELETE_CATALOG_ROLE 5072905 EXP_FULL_DATABASE 5072905 IMP_FULL_DATABASE SELECT To_Char(TIME_DP,’dd/mm/yyyy hh24:mi:ss’), SCN_BAS FROM SYS.SMON_SCN_TIME; 30/04/2006 10:07:00 9637921 [...]

March 22nd, 2007 | Category: Uncategorized | Comments (2)

This is QI IMO. SQL> CONN SCOTT/TIGER Connected. SQL> CREATE TABLE TEST(INPUT VARCHAR2(20)); Table created. SQL> INSERT INTO TEST VALUES(‘FIRSTROW’); 1 row created. SQL> SELECT * FROM TEST; INPUT ——————– FIRSTROW SQL> UPDATE TEST SET INPUT=’FIRSTROWUPATED’ WHERE INPUT=’FIRSTROW’; 1 row updated. SQL> SELECT * FROM TEST; INPUT ——————– FIRSTROWUPATED Wait 5 minute and the row [...]

March 21st, 2007 | Category: Uncategorized | Comments (2)

An IDS evading attack: SQL> SELECT paSsWOrd, username from DBA_USERS where username = (chr(83)|| chr(89)||chr(83)); PASSWORD                       USERNAME —————————— —————————— 0C15939594CE60D2               SYS DB Extended audit will record the text of the attack in the extra column called SQLTEXT which is a CLOB. This is a query that can be used to search it in a case [...]

March 20th, 2007 | Category: Uncategorized | Leave a comment

The checksum process can be done using the MD5 algorithm. For high security purposes it is preferable to check integrity using both MD5 and SHA1 due to the fact that collisions in MD5 allow for two files with differing content to have the same checksum. http://www.doxpara.com/md5_someday.pdf Also by using a tool called stripwire http://www.doxpara.com/stripwire-1.1.tar.gz it [...]

March 19th, 2007 | Category: Uncategorized | Leave a comment

DB EXTENDED adds two extra columns to the SYS.AUD$ table which includes sqltext and sqlbind: SQLBIND CLOB SQLTEXT CLOB SQLTEXT is the actual text that the user typed in. This could be very useful to trace back unauthorised access. One problem is that because the audit is from the database then an attacker could easily [...]

March 19th, 2007 | Category: Uncategorized | Leave a comment

10gR2 logging to SYSLOG means that central loghost tools can now be used to collect Oracle Audit SQL> ALTER SYSTEM SET audit_trail=OS SCOPE=SPFILE; SQL> ALTER SYSTEM SET audit_syslog_level=’USER.ALERT’ SCOPE=SPFILE; System altered. SQL> SHUTDOWN IMMEDIATE SQL> startup A good syslogd is minirsyslogd at the URL below: http://bent.latency.net/bent/darcs/minirsyslogd-1.02/src/minirsyslogd-1.02.tar.gz

March 15th, 2007 | Category: Uncategorized | Leave a comment