Three Tier Oracle Security in London ~ Paul M. Wright

(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)


Cadfile

David Litchfield has written a new paper on Oracle forensics that describes a new tool he has authored called Cadfile, a pun on Cadfael.

The aim of both tools (orablock.exe and oratime.exe) is to analyse the datafile without having to load it into the Oracle Server software. The idea is to first make a copy of the datafile in question and then use Cadfile to analyse the copy. Analysis takes the form of reading the datafile using orablock.exe and converting SCNs in the datafile to time values using oratime.exe. Please note that the source code has been included so that these forensic tools can be extended and their workings understood, which is excellent.

This is the functionality of orablock.exe:

C:\Documents and Settings\PaulWright\Desktop\cadfile>orablock.exe
Orablock v1.00 [beta]
(c) David Litchfield
(david@davidlitchfield.com)
-h (show help)
-f data_file (required)
-c column_template
-z block_size (default 8192)
-o object_id
-b block_number
-s seperator (default newline)
-a action
Actions are:
A DUMPALL
D SHOWDELETED
O DUMPNOTVIAOFFSETS
S SHOWDELETEDNOTVIAOFFSETS
C DUMPSCNS
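
The copy-then-analyse step described above, as an added example that is not part of the original post or of Cadfile: it hashes the datafile, copies it, confirms the copy is bit-identical and that the original did not change mid-copy, locks the copy read-only, and builds the orablock command line for the copy. The function names, the `.copy` suffix and the sample file are assumptions, as is passing the action by its listed name (the help output shows both a letter and a name for each action).

```python
import hashlib
import os
import shutil
import stat
import tempfile


def sha256_of(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so a large datafile need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_working_copy(original, evidence_dir):
    """Copy a datafile, prove the copy matches, and make it read-only."""
    before = sha256_of(original)
    copy_path = os.path.join(evidence_dir, os.path.basename(original) + ".copy")
    shutil.copyfile(original, copy_path)
    # A datafile belonging to a running instance can be written during the copy.
    if sha256_of(original) != before:
        raise RuntimeError("original changed during acquisition; re-acquire")
    copy_hash = sha256_of(copy_path)
    if copy_hash != before:
        raise RuntimeError("copy does not match original; do not analyse it")
    os.chmod(copy_path, stat.S_IREAD)  # analysis must not alter the copy
    return {"copy": copy_path, "sha256": copy_hash}


def orablock_command(copy_path, action="SHOWDELETED", block_size=8192):
    """Build an orablock invocation from the -f, -z and -a flags in the help.

    Assumption: the action is given by name; the help also lists a letter.
    """
    return ["orablock.exe", "-f", copy_path, "-z", str(block_size), "-a", action]


if __name__ == "__main__":
    # Constructed stand-in for a datafile: four 8192-byte blocks of random data.
    workdir = tempfile.mkdtemp()
    sample = os.path.join(workdir, "sample01.dbf")
    with open(sample, "wb") as fh:
        fh.write(os.urandom(8192 * 4))
    record = make_working_copy(sample, workdir)
    print(record["sha256"])
    print(" ".join(orablock_command(record["copy"])))
```

Record the hash alongside the case notes so that the analysed copy can later be shown to match the original.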

oratime.exe simply takes the SCN as an argument and returns the timestamp, as follows.

C:\Documents and Settings\PaulWright\Desktop\cadfile>oratime 672306678
01/12/2008 07:51:18

This is how you would have to do it via the Server software, which would not be as forensically sound.

SQL> select DBMS_FLASHBACK.GET_SYSTEM_CHANGE_NUMBER from dual;
SQL> select scn_to_timestamp(xxx) as timestamp from dual;
SQL> select timestamp_to_scn(to_timestamp('01/12/2008 14:24:54','DD/MM/YYYY HH24:MI:SS')) as scn from dual;

These tools will come in useful in the future.

Cheers,
Paul
