Oracle Forensics - A new series of papers by David Litchfield
August 20th, 2007

NGSSoftware’s David Litchfield has written a brand new series of white papers on performing a forensic analysis of a compromised Oracle Database server.
Part 1 is entitled: Dissecting the Redo Logs
“The Oracle RDBMS has been designed with resiliency in mind and part of that is enabled by the redo logs. Whenever a change to the database state occurs, for example a table is created or dropped, or some row updated, a record of exactly what was done is written to a log file so, if necessary, in the event of a failure, any changes can be redone.”
Part 2 is entitled: Locating Dropped Objects
“After a successful compromise of a database server an attacker will usually attempt to hide their activities and this may include the dropping and purging of objects that they have created along the way, for example tables, functions and procedures. As this second paper in the Oracle Forensics series will show, even when an object has been dropped and purged from the system there will be, in the vast majority of cases, fragments left “lying around” which can be sewn together to build an accurate picture of what actions the attacker took.”
Part 3 is entitled: Isolating Evidence of Attacks Against the Authentication Mechanism
“In this section we’ll look at attacks against the authentication mechanism and evidence from the TNS Listener log file and audit trail, assuming CREATE SESSION is audited of course, and to check whether a logon attempt was successful or not. We’ll also look at other attacks levelled at the authentication process including SID guessing, user enumeration and brute forcing of passwords over the network.”
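The audit-trail side of that analysis can be illustrated with a pair of queries against the standard database audit trail. This is an added example written for this post, not code from Litchfield's paper. It assumes what the abstract itself assumes: session auditing is on (AUDIT SESSION) and records are written to the database so that DBA_AUDIT_SESSION is populated. In that view RETURNCODE is 0 for a successful logon and otherwise carries the ORA- error number returned to the client; the 1017 and 28000 mappings are standard Oracle error numbers, and the 10-failure threshold is an arbitrary value chosen for the example.

```sql
-- Added example: classify logon attempts recorded in the standard audit trail.
-- Assumes AUDIT SESSION is enabled and AUDIT_TRAIL writes to the database.
-- RETURNCODE 0 = successful logon; any other value is the ORA- error the
-- client received (1017 = invalid username/password, 28000 = account locked).
SELECT os_username,
       username,
       userhost,
       terminal,
       TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS') AS logon_time,
       returncode,
       CASE returncode
         WHEN 0     THEN 'SUCCESS'
         WHEN 1017  THEN 'FAILED: ORA-01017 invalid username/password'
         WHEN 28000 THEN 'FAILED: ORA-28000 account locked'
         ELSE            'FAILED: ORA-' || LPAD(returncode, 5, '0')
       END AS outcome
FROM   dba_audit_session
WHERE  timestamp >= SYSDATE - 1          -- last 24 hours; widen as the case requires
ORDER  BY timestamp;

-- Password-guessing indicator: clusters of failed logons per account and source
-- host. The threshold of 10 is an arbitrary example value, not an Oracle default.
SELECT username,
       userhost,
       COUNT(*)                                  AS failures,
       MIN(timestamp)                            AS first_failure,
       MAX(timestamp)                            AS last_failure,
       COUNT(DISTINCT returncode)                AS distinct_errors
FROM   dba_audit_session
WHERE  returncode <> 0
AND    timestamp >= SYSDATE - 1
GROUP  BY username, userhost
HAVING COUNT(*) >= 10
ORDER  BY failures DESC;
```

A run of ORA-01017 failures for one account followed by a RETURNCODE of 0 from the same host is the pattern worth pulling into the timeline; a mix of distinct error codes across many non-existent usernames points more toward enumeration than at a single guessed password. Either way the audit trail only shows attempts that reached the authentication stage, which is why the abstract pairs it with the TNS Listener log.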
Part 4 is entitled: Live Response
“An organization should have a clear understanding of what actions should be taken in the event of an incident occurring. For those that don’t have a plan often the knee-jerk response is to pull the plug or disconnect the system from the network. This prevents further incursions and theft of data so it is an understandable reaction to have. In taking this action however, useful evidence such as volatile, in-memory data may be lost.”
Part 5 is entitled: Finding Evidence of Data Theft in the Absence of Auditing
“The forensic analysis of a compromised database server presents its own unique challenges. In other areas of computer forensics it’s often obvious that a crime has been committed: pornographic images are discovered on a hard drive; a rootkit has been installed; a system has been trashed. In the case of a database intrusion however it may appear at first glance that nothing untoward has happened - prima facie evidence appears absent.”
Part 6 is entitled: Examining Undo Segments, Flashback and the Oracle Recycle Bin
“This paper examines the ways in which a forensic examiner or incident responder may look for evidence in those places and technologies designed by Oracle for disaster recovery purposes – namely Undo segments, Flashback and the Recycle Bin – of a compromise and the actions an attacker may have taken. Please note that the research conducted for this paper was performed on Oracle 10g Release 2 and the information therefore should only be considered as pertaining to that version. This paper, however, can act as a suitable guideline for researching other versions of Oracle.”
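The recovery features the abstract names can be queried directly from SQL*Plus, which is how an examiner would first take stock of what they still hold. The following is an added example for this post, not material from the paper. It assumes Oracle 10g Release 2 (the version the abstract covers) with the Recycle Bin enabled and enough undo retained to satisfy the flashback queries; the schema name APP and the table name STAGING are placeholders invented for the example, as is the two-hour window.

```sql
-- Added example: take stock of what the Recycle Bin, Flashback Query and
-- Flashback Version Query still hold. Oracle 10g Release 2 assumed.

-- 1. Every dropped-but-not-purged object in the database, oldest first.
--    DROPSCN/DROPTIME place the drop on the timeline; ORIGINAL_NAME is the
--    name the attacker used before it became a BIN$... system name.
SELECT owner,
       original_name,
       object_name,
       type,
       operation,
       droptime,
       dropscn,
       can_undrop,
       can_purge
FROM   dba_recyclebin
ORDER  BY dropscn;

-- 2. Bring a dropped table back under a NEW name so nothing currently in the
--    schema is overwritten. Note this modifies the database (the entry leaves
--    the Recycle Bin), so it belongs on a restored copy, not the live evidence.
FLASHBACK TABLE app.staging TO BEFORE DROP RENAME TO staging_evidence;

-- 3. Flashback Query: the table's rows as they stood two hours ago, served
--    from undo. Fails with ORA-01555 if the undo has already been overwritten.
SELECT *
FROM   app.staging_evidence AS OF TIMESTAMP (SYSTIMESTAMP - INTERVAL '2' HOUR);

-- 4. Flashback Version Query: each version of each row in the window, with the
--    SCN, time and DML operation (I/U/D) that produced it and the transaction id.
SELECT versions_startscn,
       versions_starttime,
       versions_operation,
       versions_xid,
       t.*
FROM   app.staging_evidence
       VERSIONS BETWEEN TIMESTAMP (SYSTIMESTAMP - INTERVAL '2' HOUR) AND SYSTIMESTAMP t
ORDER  BY versions_startscn;

-- 5. Flashback Transaction Query: the statements behind one transaction id
--    taken from step 4. UNDO_SQL is only complete if supplemental logging was
--    on before the transaction; the XID below is a placeholder.
SELECT start_scn, commit_scn, logon_user, operation, table_name, undo_sql
FROM   flashback_transaction_query
WHERE  xid = HEXTORAW('<XID_FROM_STEP_4>');
```

Steps 1, 3, 4 and 5 are read-only; step 2 is not, and every one of them depends on the Recycle Bin not having been purged and on UNDO_RETENTION not having expired, which is exactly the gap the paper's coverage of undo segments on disk is meant to close.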