Overview
Why Oracle Forensics
California Security Breach Information Act
Oracle Logical Structure
Oracle System Change Number
Oracle Data Block Structure
Oracle Memory Structure
Redo Logs
Automatic Undo Management
Flashback Queries
Recycle Bin
Finding Evidence of Data Theft in the Absence of Auditing
Conclusion
Why Oracle Forensics
Database servers hold critical and sensitive information.
Database security breaches:
In January 2007 TJX announced that it had suffered a database security breach in which 4.5 million credit card records were stolen.
CardSystems Solutions announced that 200,000 credit/debit card records had been stolen.
California Security Breach Information Act
Effective July 1, 2003: government agencies and companies must notify customers if personal information maintained in computerized data files has been compromised by unauthorized access.
34 more states have passed similar legislation. The details of this law can be found at
http://www.leginfo.ca.gov
Logical Structure
The logical structure specifies how the physical space of a database is used. It consists of tablespaces, segments, extents, and blocks.
System Change Number (SCN)
The System Change Number (SCN) is used by Oracle to keep track of changes made to the database server. With each change the SCN is incremented. The database's SMON background process keeps track of these SCNs and their timestamps in the SMON_SCN_TIME table.
Together, an SCN and its timestamp tell whether (and roughly when) a block of data has been changed, which is useful in those cases where there is an absence of other evidence.
Database Block
Data is stored in tables and, at the file level, these tables are split across data blocks. Each data block contains:
A header. Located at bytes 9 to 12 of the data block header is a 4-byte SCN. The SCN is updated each time the data block is written; its value is the SCN at the time of the last committed update, insert or delete to occur on data in that block.
A row directory. The row directory contains a list of offsets pointing to each row of data, plus a flag indicating whether the row is deleted or not.
The data itself, which is stored in rows.
Block Structure
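As an added illustration (not part of the original slides, and not Orablock's code), the routine below reads the 4-byte header SCN of each data block in a cold data file image and places it on a timeline using SMON_SCN_TIME rows, the technique the SCN and block slides describe. The data file bytes and the SMON_SCN_TIME rows are constructed inline; the little-endian layout of the SCN field and the TIME_DP column name are assumptions.

```python
import struct

BLOCK_SIZE = 8192  # Oracle's default block size; the constructed sample uses it too
SCN_OFFSET = 8     # bytes 9-12 of the header (1-based, as the slides count) -> offset 8

def block_scns(datafile, block_size=BLOCK_SIZE):
    """Return (block_number, scn) for each data block in a cold data file image.
    Block 0 is the file header, not a data block, so it is skipped.
    Assumption: the 4-byte SCN base is stored little-endian (x86 Oracle)."""
    result = []
    for n in range(1, len(datafile) // block_size):
        scn, = struct.unpack_from("<I", datafile, n * block_size + SCN_OFFSET)
        result.append((n, scn))
    return result

def scn_to_time(scn, smon_scn_time):
    """Approximate when an SCN was current: the latest SMON_SCN_TIME row at or
    below it. smon_scn_time is a list of (scn, timestamp) rows sorted by scn;
    None means the SCN predates the oldest row kept by SMON."""
    stamp = None
    for row_scn, row_time in smon_scn_time:
        if row_scn > scn:
            break
        stamp = row_time
    return stamp

def changed_since(datafile, scn_floor, smon_scn_time):
    """Blocks whose header SCN is >= scn_floor, i.e. last written at or after
    the moment scn_floor represents, each with an approximate timestamp."""
    return [(n, scn, scn_to_time(scn, smon_scn_time))
            for n, scn in block_scns(datafile) if scn >= scn_floor]

def make_block(scn):
    """Constructed sample block: only the header SCN field is populated."""
    block = bytearray(BLOCK_SIZE)
    struct.pack_into("<I", block, SCN_OFFSET, scn)
    return bytes(block)

# Constructed sample data file: a file header block plus three data blocks.
SAMPLE_DATAFILE = make_block(0) + make_block(1500) + make_block(2600) + make_block(900)
# Constructed rows as SELECT SCN, TIME_DP FROM SMON_SCN_TIME ORDER BY SCN might return.
SAMPLE_SMON_SCN_TIME = [
    (1000, "2007-08-16 08:00:00"),
    (2000, "2007-08-16 09:00:00"),
    (3000, "2007-08-16 10:00:00"),
]

if __name__ == "__main__":
    for n, scn, when in changed_since(SAMPLE_DATAFILE, 2000, SAMPLE_SMON_SCN_TIME):
        print(f"block {n}: SCN {scn}, written at or after {when}")
```

Run against a copied data file (never the live one, which the instance keeps modifying), the same loop gives the block-level "what changed after the suspected intrusion time" view that the slides attribute to SCNs.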
Memory Structure
An Oracle instance is the means of accessing an Oracle database. It consists of memory structures and background processes.
Database Buffer Cache
Stores copies of data blocks that have been retrieved from the data files.
Redo Log Buffer
Records all changes made to the database data blocks. Changes recorded within the redo log buffer are called redo entries. Redo entries contain the information needed to reconstruct, or redo, those changes.
LGWR Process
LGWR writes the redo log buffer to the online redo logs: at commit, when the buffer is one-third full, when there is 1 MB of redo, and every three seconds.
Archiver Process (ARCn)
Automatically archives the online redo logs when ARCHIVELOG mode is set, preserving the record of all changes made to the database.
Redo Log Insert Entry
Automatic Undo Management
An undo tablespace is maintained which contains 10 undo segments. Whenever a transaction takes place, an image of the data before the changes is recorded in an undo segment:
UPDATE: a copy of the data before the change is stored.
DELETE: a copy of the data that was deleted is stored.
INSERT: the file number, row and slot are stored.
Undo Segment Management
To get a hex dump of the undo segment, first find the undo tablespace's data file and its size in blocks, then dump that range of blocks:
SQL> SELECT FILE_ID, BLOCKS FROM DBA_DATA_FILES WHERE TABLESPACE_NAME = 'UNDOTBS1';
FILE_ID BLOCKS
------- ------
2 4480
SQL> ALTER SYSTEM DUMP DATAFILE 2 BLOCK MIN 0 BLOCK MAX 4480;
Flashback Queries
Flashback queries query data from an older version or snapshot of a given table.
The data behind flashback queries (the undo data and the redo logs) may not be available for long. On a "quiet" system the data may linger for a day or two, but considerably less on a "busy" system.
If an incident responder or DBA gets there in time, they will be able to quickly ascertain what an attacker may or may not have done.
Flashback Query
To find new objects that aren't in the older version of the database, execute:
SQL> SELECT NAME FROM SYS.OBJ$ MINUS SELECT NAME FROM SYS.OBJ$ AS OF TIMESTAMP(SYSDATE - INTERVAL '156' MINUTE);
NAME
------------------------------
TESTTEST
Flashback Queries
To find recently dropped objects, execute:
SQL> SELECT NAME FROM SYS.OBJ$ AS OF TIMESTAMP(SYSDATE - INTERVAL '156' MINUTE) MINUS SELECT NAME FROM SYS.OBJ$;
NAME
------------------------------
GET_DBA_FUNCTION
The Oracle Recycle Bin
Any dropped objects are moved to the Recycle Bin. The Recycle Bin is implemented as the table RECYCLEBIN$ in the SYSTEM tablespace.
When a table is dropped, the name of the table is changed in SYS.OBJ$ and a row is inserted into RECYCLEBIN$ recording the original table name, the object ID, the owner and the time of the drop.
Recycle Bin
The SQL below shows the relationship between a dropped object's row data in SYS.OBJ$ and SYS.RECYCLEBIN$:
SQL> SELECT DROPTIME, OBJ#, OWNER#, ORIGINAL_NAME FROM SYS.RECYCLEBIN$;
DROPTIME OBJ# OWNER# ORIGINAL_NAME
--------------------- -------- ------- --------------------
2007-08-16 09:27:45 53137 104 FOOBAR
SQL> SELECT MTIME, OBJ#, OWNER#, NAME FROM SYS.OBJ$ WHERE OBJ#=53137;
MTIME OBJ# OWNER# NAME
--------------------- -------- ------- -------------------
2007-08-16 09:27:46 53137 104 BIN$tjjNZzJ2RSWgPAOcVwnmQg==$0
Finding Evidence of Data Theft in the Absence of Auditing
When data is stolen, only a copy is taken and the original remains. If an attacker breaks in and simply, silently SELECTs some data, evidence can still be found in the tables used by the Cost-Based Optimizer and in the fixed V$ views in the Shared Pool.
Cost-Based Optimizer (CBO)
Whenever a user executes a SQL query, the server compiles the query into an execution plan. Statistics for the CBO are recorded in the COL_USAGE$ table, which holds information on:
which tables were used in the FROM clause;
which columns were used in a WHERE clause;
which predicates, such as equals, LIKE or range, were applied to them.
Cost-Based Optimizer (cont.)
SQL> SELECT C.TIMESTAMP, O.NAME, C.INTCOL#, C.LIKE_PREDS FROM COL_USAGE$ C, OBJ$ O WHERE C.OBJ#=O.OBJ# AND C.LIKE_PREDS > 0;
TIMESTAMP NAME INTCOL# LIKE_PREDS
------------------- -------------- ------- ----------
2007-08-08 06:10:27 COL$ 6 1
2007-08-09 18:06:55 OBJ$ 4 2
V$ Views in the Shared Pool
These views are maintained for performance purposes, are accessible to DBAs, and often contain evidence of attacks. Two of these views are V$SQL and V$DB_OBJECT_CACHE.
V$SQL View
The V$SQL view contains a list of recently executed queries. It is a circular buffer, so as it fills up new information pushes out old information. The buffer can hold a large number of queries (7000). It can be cleared by executing 'ALTER SYSTEM FLUSH SHARED_POOL'.
V$DB_OBJECT_CACHE
Contains details about objects in the library cache. If an object exists in the cache then it has probably been accessed recently, and the view can contain snippets of recently executed queries.
To get a list of recently accessed tables and procedures:
SQL> SELECT OWNER, NAME FROM V$DB_OBJECT_CACHE WHERE NAMESPACE = 'TABLE/PROCEDURE' ORDER BY 1;
The V$DB_OBJECT_CACHE view cannot be cleared by an attacker.
Oracle Forensic Tool
Orablock is used to dump data from a "cold" Oracle data file, to locate "stale" (deleted) data, and to dump the SCNs of data blocks. There is no need to load the data file into the database, which would cause the data file to be modified; using Orablock preserves the evidence. http://www.databasesecurity.com/
Forensic Tool
Oracle LogMiner, part of Oracle Database, queries the online redo logs and the archived redo logs.
Oracle Forensics Book
Oracle Forensics: Oracle Security Best Practices
Paul M. Wright
Summary
Evidence of an attack can be found in:
SCNs
Redo log files
Archived redo log files
The Recycle Bin
Undo segments
Flashback queries
Cost-Based Optimizer tables
V$ views in the Shared Pool
References
http://www.databasesecurity.com/dbsec/oracle-forensics-scns.pdf
http://www.databasesecurity.com/dbsec/oracle-forensics-6.pdf
http://www.datagovernance.com/adl_data_laws_california_security_breach_notifi.html
http://www.databasesecurity.com/dbsec/OracleForensicsPt5.pdf
http://www.databasesecurity.com/dbsec/dissecting-the-redo-logs.pdf
http://www.databasesecurity.com/dbsec/Locating-Dropped-Objects.pdf