Using BBED to Find Deleted Data

Oracle Forensics tips by Paul Wright

 

For BBED usage basics, see my Oracle BBED Tips.

Note: Using BBED will make your database unsupported, unless it is used as part of a Service Request (SR).
 


Oracle Forensics Scenario 3 - Using BBED to Find Deleted Data

BBED, or Block Browser and Editor, allows direct editing of the datafiles, thereby bypassing Oracle's access control. Of course, you would need OS access to the datafiles, which should limit the use of this tool to the OS-level Oracle account and the rest of the OSDBA group.

This tool means that there is effectively no privilege control between the users in the OSDBA group that can access BBED. For instance the tool could be used to change the SYS password and status to a known value.

This would act as a safety measure if Oracle decided to start locking out SYS AS SYSDBA in the case of a brute force attack. BBED could also be used by an attacker, so it would be a good recommendation to remove the tool from the server.

However, it is worth keeping a copy of BBED to hand when it comes to the field of Oracle Forensics, in order to recover data that an attacker has deleted from the database. BBED is on Windows 8i as bbed.exe; on *nix the object files are included but need to be linked, as will be shown. Using Oracle 8 on Windows and opening BBED.exe from oracle/bin/ in UltraEdit, we can see that the password for BBED is 'xxx'.

This is not a very well secured password, as strings is a common command. Perhaps this is good, as we want to use BBED for the right reasons, but remember that it is not supported by Oracle and should not be used on production servers. (This is last-resort territory.)

Figure 6.2 Finding the password for BBED using binary editor on BBED.exe

The beginning of this process is partly inspired by Graham Thornton's paper on disassembling the Oracle data block at http://orafaq.com/papers/dissassembling_the_data_block.pdf

On UNIX the object files are included but need to be linked.

As the Oracle os user:

cd $ORACLE_HOME/rdbms/lib
make -f ins_rdbms.mk $ORACLE_HOME/rdbms/lib/bbed

[oracle@localhost lib]$ file bbed
bbed: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), not stripped

Create a listfile for BBED to work from:

SQL> SELECT FILE#|| ' '||name||' '||bytes from v$datafile;
FILE#||''||NAME||''||BYTES 

1 /u01/app/oracle/oradata/orcl/system01.dbf 513802240
2 /u01/app/oracle/oradata/orcl/undotbs01.dbf 52428800
3 /u01/app/oracle/oradata/orcl/sysaux01.dbf 293601280
4 /u01/app/oracle/oradata/orcl/users01.dbf 5242880
5 /u01/app/oracle/oradata/orcl/example01.dbf 104857600

Then put the result into a text file called listfile.txt.

listfile.txt is then referenced in the BBED parameter file as below.

[oracle@localhost lib]$ vi bbed.par
blocksize=8192
listfile=/u01/app/oracle/oracle/product/10.2.0/db_4/rdbms/lib/listfile.txt
mode=edit
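
The listfile and parameter-file steps above, as an added example that is not from the book: a shell function that extracts the datafile rows from spooled SQL*Plus output, checks each size against the block size, and writes both files. The function names, the sample spool and the choice of mode=browse (read-only, in place of mode=edit) are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the book): build listfile.txt and bbed.par from
# spooled SQL*Plus output. Function names and the sample spool are constructed.

BLOCKSIZE=8192   # must equal the database block size, as in the page's bbed.par

# Constructed sample: the v$datafile query output as SQL*Plus would spool it.
sample_spool() {
cat <<'EOF'
SQL> SELECT FILE#|| ' '||name||' '||bytes from v$datafile;
FILE#||''||NAME||''||BYTES
--------------------------------------------------------------
1 /u01/app/oracle/oradata/orcl/system01.dbf 513802240
2 /u01/app/oracle/oradata/orcl/undotbs01.dbf 52428800
3 /u01/app/oracle/oradata/orcl/sysaux01.dbf 293601280
4 /u01/app/oracle/oradata/orcl/users01.dbf 5242880
5 /u01/app/oracle/oradata/orcl/example01.dbf 104857600

5 rows selected.
EOF
}

# make_bbed_inputs SPOOL OUTDIR: writes OUTDIR/listfile.txt and OUTDIR/bbed.par.
# Fails if no datafile row is found or a size is not a whole number of blocks
# (a sign that BLOCKSIZE is wrong for this database or the row is damaged).
make_bbed_inputs() {
    spool=$1; outdir=$2; list="$outdir/listfile.txt"
    # Keep only "<file#> <absolute path> <bytes>" rows; the echoed query, the
    # heading, the rule and "5 rows selected." all fail one of these tests.
    # Assumes datafile paths contain no spaces.
    awk -v bs="$BLOCKSIZE" '
        NF == 3 && $1 ~ /^[0-9]+$/ && $2 ~ /^\// && $3 ~ /^[0-9]+$/ {
            if ($3 % bs != 0) bad = 1
            print $1, $2, $3
            n++
        }
        END { if (bad || n == 0) exit 1 }
    ' "$spool" > "$list" || return 1
    # mode=browse (read-only) instead of the page's mode=edit, so that looking
    # at blocks cannot modify the datafiles being examined.
    printf 'blocksize=%s\nlistfile=%s\nmode=browse\n' "$BLOCKSIZE" "$list" \
        > "$outdir/bbed.par"
}

# Demo run in a scratch directory.
demo=$(mktemp -d)
sample_spool > "$demo/spool.txt"
make_bbed_inputs "$demo/spool.txt" "$demo" && cat "$demo/listfile.txt" "$demo/bbed.par"
```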

The password is 'xxx' as we have seen using UltraEdit.

[oracle@localhost lib]$ ./bbed parfile=bbed.par
Password:
BBED: Release 2.0.0.0.0 - Limited Production on Sun Feb 4 05:52:28 2007
Copyright (c) 1982, 2005, Oracle.  All rights reserved.
************* !!! For Oracle Internal Use only !!! *************** 

BBED>

This shows the commands available

       BBED> HELP ALL

This shows the current configuration of bbed  

       BBED> SHOW ALL

DBMS_ROWID is the package to use to get the necessary information to feed into bbed.


This is an excerpt from the book "Oracle Forensics: Oracle Security Best Practices", by Paul M. Wright, the father of Oracle Forensics.

 


 

 
 
 