
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Oracle Forensics presentation and a new paper



David has released part 5 of his Oracle forensics paper series. This part is titled "Finding evidence of data theft in the absence of auditing" (http://databasesecurity.com/dbsec/OracleForensicsPt5.pdf - broken link). The paper concentrates on finding evidence of SQL being executed by examining the CBO usage and statistics from the COL_USAGE$ table. The V$ fixed views are looked at, including the object cache, SQL text and more. Finally David looks at the AWR views briefly for a snapshot of SQL executed.
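As an added illustration of the COL_USAGE$ approach (this query is not taken from David's paper or from this weblog), the following lists which columns of a schema's tables the optimizer has seen in predicates, and when each row was last updated. The schema name `HR` and the cut-off date are constructed placeholders, and the query assumes SELECT access to the SYS dictionary tables, ideally on a forensic copy of the database.

```sql
-- Added example: predicate usage recorded by the CBO in SYS.COL_USAGE$.
-- 'HR' and the date below are placeholders; substitute the schema and the
-- start of the window under investigation.
SELECT u.name               AS owner,
       o.name               AS table_name,
       c.name               AS column_name,
       cu.equality_preds,   -- col = value
       cu.equijoin_preds,   -- t1.col = t2.col
       cu.nonequijoin_preds,
       cu.range_preds,      -- <, >, BETWEEN
       cu.like_preds,       -- LIKE
       cu.null_preds,       -- IS [NOT] NULL
       cu.timestamp         AS last_recorded
FROM   sys.col_usage$ cu
       JOIN sys.obj$  o ON o.obj#  = cu.obj#
       JOIN sys.col$  c ON c.obj#  = cu.obj#
                       AND c.intcol# = cu.intcol#
       JOIN sys.user$ u ON u.user# = o.owner#
WHERE  u.name = 'HR'
AND    cu.timestamp >= TO_DATE('2007-08-01 00:00:00',
                               'YYYY-MM-DD HH24:MI:SS')
ORDER  BY cu.timestamp DESC, o.name, c.name;
```

The result shows that a column was used in a WHERE clause and roughly when, but not who ran the statement or its text, so it is corroborating evidence to be set beside other sources rather than a record of the query itself.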

The contents of this paper and the previous 4 are also summarised in a presentation given by David at Blackhat. The presentation is titled "Oracle Forensics" (http://databasesecurity.com/dbsec/forensics.ppt - broken link). This is an interesting area and one that I am also interested in.

A couple of comments though. In the part 5 paper and also in the presentation there are descriptions of how to use the AWR views to examine the database for evidence of attack. The subject of this feature and views has been discussed by a number of bloggers recently. The Pythian blog summed this up with an open letter to Larry Ellison to request a lifting of the licensing for AWR and ASH views. This is summed up in the post "Open Letter to Larry Ellison on AWR and ASH Licensing" (http://www.pythian.com/blogs/526/an-open-letter-to-larry-ellison-on-awr-and-ash-licensing#comment-84626 - broken link). The issue is that these views exist, are populated and are available, but to look at the contents requires the purchase of an additional license on top of the enterprise edition license. So to suggest using these views as part of a forensics analysis and tools is not strictly correct, as most sites probably do not have licensing for the use of these views.

The second comment I have is in regards to one of the early slides in the Blackhat presentation; it states "There are 0 (zero) database-specific forensic analysis and incident response tools on the market – free or commercial." Whilst this is true in a literal sense, the tool David previews on the last slide, FEDS (Forensic Examiners Database Scalpel), is a tool for reading Oracle blocks on first analysis of the slide presented. There are many tools, commercial and internal to Oracle, that can be used to examine blocks. I have listed a few here in the past; these include BBED, DUL, Ora*Dude and more. Reading data blocks is not new; Oracle even provide dump commands to allow you to do this either as raw binary or formatted blocks. I hope that David is planning to include much more in FEDS than just block dumps.