Using BBED to Find Deleted Data
Oracle Forensics tips by Paul Wright
For BBED usage basics, see my Oracle BBED Tips. Note: Using BBED will make your database unsupported, unless it is used as part of a Service Request (SR).
Oracle Forensics Scenario 3 - Using BBED to Find Deleted Data
BBED, or Block Browser and Editor, allows direct editing of the datafiles, therefore bypassing Oracle's access control. Of course you would have to have OS access to the datafiles, which should limit the use of this tool to the OS level Oracle account and the rest of
This tool means that there is effectively no privilege control between the users in the OSDBA group that can access BBED. For instance, the tool could be used to change the SYS password and status to a known value.
This would act as a safety measure if Oracle decided to start lockout on SYS AS SYSDBA in the case of a brute force attack. BBED could also be used by an attacker, so it would be a good recommendation to remove the tool from the server.
However, it is worth keeping a copy of BBED to hand when it comes to the field of Oracle Forensics, in order to recover data from the database that has been deleted by an attacker. BBED is on Windows 8i as bbed.exe, or on *nix the object files are included but need to be linked, as will be shown. Using Oracle 8 on Windows and opening BBED.exe from oracle/bin/ in UltraEdit, we can see the password for BBED is "xxx".
This is not a very well secured password, as strings is a common command. Perhaps this is good, as we want to use BBED for the right reasons, but remember that it is not supported by Oracle and should not be done on production servers. (This is last
Figure 6.2 Finding the password for BBED using binary editor on BBED.exe
The beginning of this process is partly inspired by Graham Thornton's paper disassembling the Oracle data block at
On UNIX the object files are included but need to be linked.
As the Oracle OS user:
make -f ins_rdbms.mk $ORACLE_HOME/rdbms/lib/bbed
[oracle@localhost lib]$ file bbed
bbed: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), not stripped
Create a listfile for BBED to work from
SQL> SELECT FILE#||' '||name||' '||bytes from v$datafile;
2 /u01/app/oracle/oradata/orcl/undotbs01.dbf 52428800
3 /u01/app/oracle/oradata/orcl/sysaux01.dbf 293601280
4 /u01/app/oracle/oradata/orcl/users01.dbf 5242880
5 /u01/app/oracle/oradata/orcl/example01.dbf 104857600
Put the result into a text file called listfile.txt.
listfile.txt is then referenced in the BBED parameter file as below.
[oracle@localhost lib]$ vi
The password is "xxx" as we have seen using UltraEdit.
[oracle@localhost lib]$ ./bbed
BBED: Release 18.104.22.168.0 - Limited Production on Sun Feb 4 05:52:28
Copyright (c) 1982, 2005, Oracle. All rights reserved.
************* !!! For Oracle Internal Use only !!! ***************
This shows the commands available:
BBED> HELP ALL
This shows the current configuration of bbed:
BBED> SHOW ALL
DBMS_ROWID is the package to use to get the necessary information to
feed into bbed.
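The query below is an added example, not taken from the book, showing how DBMS_ROWID can map a table's surviving rows to the file number and block number that BBED works with. SCOTT.EMP is an assumed stand-in for the table under investigation, and the column aliases are illustrative.

```sql
-- Added example (not from the book). SCOTT.EMP is a placeholder for the
-- table under investigation; substitute the real owner and table name in
-- the FROM clause and in the ROWID_TO_ABSOLUTE_FNO call.
-- Needs SELECT on the table and on DBA_DATA_FILES.
SELECT f.file_id                                  AS file_no,   -- matches FILE# in listfile.txt
       f.file_name,
       DBMS_ROWID.ROWID_BLOCK_NUMBER(e.rowid)     AS block_no,
       COUNT(*)                                   AS live_rows,
       MIN(DBMS_ROWID.ROWID_ROW_NUMBER(e.rowid))  AS lowest_slot,
       MAX(DBMS_ROWID.ROWID_ROW_NUMBER(e.rowid))  AS highest_slot,
       -- Row slots are numbered from 0, so this counts slots at or below
       -- highest_slot that no live row currently occupies.
       MAX(DBMS_ROWID.ROWID_ROW_NUMBER(e.rowid)) + 1 - COUNT(*) AS slots_without_live_row
FROM   scott.emp e
JOIN   dba_data_files f
       ON f.file_id = DBMS_ROWID.ROWID_TO_ABSOLUTE_FNO(e.rowid, 'SCOTT', 'EMP')
GROUP  BY f.file_id,
          f.file_name,
          DBMS_ROWID.ROWID_BLOCK_NUMBER(e.rowid)
ORDER  BY f.file_id, block_no;
```

Blocks with a non-zero slots_without_live_row are the first candidates to browse. Whether a slot still holds deleted row data can only be confirmed by inspecting the block itself.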
This is an excerpt from the book "Oracle
Forensics: Oracle Security Best Practices", by Paul M. Wright,
the father of Oracle Forensics.