Recovering Deleted Data
Oracle Forensics tips by Paul Wright
Traditional OS Forensics - Coroners Toolkit, Sleuthkit, Autopsy and Encase. For example, to extract unallocated/deleted data:

# dls -f linux-ext2 /driveimage.img > /driveimage.img.dls

Then use Lazarus to read the .dls file or, easier still, mount the drive in Autopsy and let it do the work for you. (Lazarus is part of the Coroners Toolkit: http://www.porcupine.org/forensics/tct.html) Autopsy will automatically display deleted files.
I have taken a screen shot of the display Autopsy uses to show the deleted data that it recovers on the next page. The file names are all files that Autopsy was able to recover automatically.
For low security deletion of data on hard drives a product like DBAN is recommended (http://dban.sourceforge.net/). However, it should be noted that even with DoD-compliant multiple wipes it is still possible to recover data off the drive. Companies such as Vogons offer physical recovery of data from drives that have been physically damaged maliciously (e.g. hammer blows).
The only sure way to completely avoid the chance of data being recovered is to physically shred/burn the drive, which is the process used by many government departments.
This is an interesting paper on using OS level file recovery to recover datafiles in Postgres and may have some relevance to Oracle as well, but this is in the "future work" category.
Figure 6.0: Example Listing from Autopsy automatic undeletion of files
Oracle Forensics equivalent - RMAN, Cold restore, Hot recovery, Import logical data using imp OS level command, JDUL, BBED, Flashback using Oracle Recyclebin, Logminer and Archived redo logs.
RMAN is automated but loses flexibility and control and introduces more chance of mistakes as it is a more complex piece of software. Recommend using the low level manual methods.
Cold restore requires shutting down the database and then copying the OS level database files back to the correct directory, e.g. on Windows it would be something like:

E:\oracle\product\10.2.0\oradata\XP10r2ja\
Hot recovery is different. Recovery means that instead of just restoring the files they will actually be recovered to a current state by applying changes from the redo files to the datafiles.

alter tablespace data offline

Copy over the datafiles and control files. Redo logs will be there as they are keeping the current data. Then run:

recover datafile 'path'
alter tablespace data online
A logical import of the database would use the imp utility available in the ORACLE_HOME/bin:

imp scott/tiger file=emp.dmp full=yes
JDUL or DUDE (http://www.ora600.nl/DUDE_PRIMER.pdf) is a direct datafile tool that bypasses the Oracle RDBMS and can recover corrupted data at the block level. It is a commercial tool.
BBED is a tool that Oracle support have used for a number of years to allow direct access to datafiles at the block level. This tool can be used to read, modify and recover data from a datafile, effectively bypassing the Oracle RDBMS software. See section 6.6 for a demonstration of how it can be used to change the SYS password or by a forensic analyst to locate deleted malicious data after an attack. (This activity would render your database unsupported by Oracle so it is "last resort" and should only be practiced on development servers when testing).
Flashback

Flashback is a feature that allows users to recover data they have deleted. It works because when users delete data, instead of being deleted it is actually just renamed and placed in their Recyclebin. When flashing back, one decision to make is whether to refer to historical points in the past by using timestamp or SCN. SCN is Oracle's sequential machine number and this is linked to the system clock.
You can gain the system time by using this query:

SQL> select systimestamp from dual;

SYSTIMESTAMP
----------------------------------------
06-FEB-07 04.54.38.413000 PM +00:00
There will be a variation between the SCN and sidereal time due to some inaccuracy, but this should only be in the order of minutes; however, it would be more accurate to refer to data states by their transaction ID, which is the SCN (System Change Number).
A mapping of SCN to time is a very important factor in securing an Oracle database forensically because, during correlation with other logs and human experiences of an incident, Oracle will probably have to be referenced using time as the central reference. We can gain the SCN and the corresponding current timestamp using the query below.

SELECT To_Char(TIME_DP, 'dd/mm/yyyy hh24:mi:ss'), SCN_BAS FROM SYS.SMON_SCN_TIME;

30/04/2006 10:07:00 9637921
30/04/2006 10:01:53 9637140
30/04/2006 09:56:46 9636359
30/04/2006 09:51:39 9635645
Standard recycle bin, new in 10g:

SQL> select owner, original_name, object_name, droptime from dba_recyclebin order by droptime;

OWNER          ORIGINAL_NAME   OBJECT_NAME                      DROPTIME
-------------- --------------- -------------------------------- -------------------
SQUIRRELTEST   SQUIRRELPATCH   BIN$D4bCAe0zOJ3gRAgAILI2/w==$0   2006-03-21:18:51:06
SQUIRRELTEST   TMP_G4FS3C_CPU  BIN$D4bCAe00OJ3gRAgAILI2/w==$0   2006-03-21:18:51:07
SQUIRRELTEST2  SQUIRRELPATCH   BIN$D4bsd7TqOLngRAgAILI2/w==$0   2006-03-21:19:02:59

The SQUIRRELPATCH table can still be directly accessed using its new name BIN$D4bCAe0zOJ3gRAgAILI2/w==$0. It has just been renamed.
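The SCN-to-time mapping and the recycle bin walk-through above, tied together in one SQL*Plus session as an added example (this is not the book's own code; the schema FORENSIC_DEMO and table AUDIT_TRAIL are assumed names, and it is meant to be run as a DBA on a disposable 10g development database):

```sql
-- Added example, not from the book. FORENSIC_DEMO / AUDIT_TRAIL are assumed names.

-- Constructed sample data standing in for a table that is later tampered with.
CREATE TABLE forensic_demo.audit_trail (id NUMBER, actor VARCHAR2(30), action VARCHAR2(60));
INSERT INTO forensic_demo.audit_trail VALUES (1, 'SCOTT', 'login');
INSERT INTO forensic_demo.audit_trail VALUES (2, 'SCOTT', 'grant dba to scott');
COMMIT;

-- Capture the SCN now (allow a few seconds after creating the table, or a
-- later AS OF query can fail with ORA-01466) and show how it maps onto
-- wall-clock time for correlation with OS and application logs.
VARIABLE before_scn NUMBER
BEGIN
  SELECT current_scn INTO :before_scn FROM v$database;
END;
/
SELECT :before_scn AS scn, SCN_TO_TIMESTAMP(:before_scn) AS approx_time FROM dual;

-- Simulated tampering: the incriminating row is deleted and committed.
DELETE FROM forensic_demo.audit_trail WHERE id = 2;
COMMIT;

-- Flashback query by SCN reads the pre-deletion image from undo, for as long
-- as the undo is still retained. Both rows are returned here.
SELECT * FROM forensic_demo.audit_trail AS OF SCN :before_scn;

-- Now the whole table is dropped. Without PURGE it is only renamed into the
-- recycle bin, exactly as the SQUIRRELPATCH listing above shows.
DROP TABLE forensic_demo.audit_trail;

SELECT owner, original_name, object_name, droptime, can_undrop
  FROM dba_recyclebin
 WHERE original_name = 'AUDIT_TRAIL';

-- The renamed object is still readable under its BIN$ name; substitute the
-- OBJECT_NAME returned above for the placeholder, keeping the double quotes.
SELECT * FROM forensic_demo."BIN$PLACEHOLDER$0";

-- Restore it under its original name and confirm the surviving row is back.
FLASHBACK TABLE forensic_demo.audit_trail TO BEFORE DROP;
SELECT * FROM forensic_demo.audit_trail;

-- Analyst caveats: DROP TABLE ... PURGE, objects in the SYSTEM tablespace and
-- RECYCLEBIN=OFF all bypass the bin, so an empty DBA_RECYCLEBIN is not proof
-- that nothing was dropped (block-level tools such as BBED are the fallback);
-- and SCN_TO_TIMESTAMP is an approximate mapping built from SMON_SCN_TIME samples.
```

Without DBA rights, USER_RECYCLEBIN shows the same columns for the current schema only.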
This is an excerpt from the book "Oracle Forensics: Oracle Security Best Practices", by Paul M. Wright, the father of Oracle Forensics.