Recovering Deleted Data
Oracle Forensics tips by Paul Wright
OS Forensics - Coroners
Toolkit, Sleuthkit, Autopsy and Encase. For example To extract
unallocated/ deleted data ..
# dls -f linux-ext2
/driveimage.img > /driveimage.img.dls
Lazarus to read the .dls file or easier still mount the drive in
Autopsy and let it do the work for you. (Lazarus is part of the
Coroners Toolkit (http://www.porcupine.org/forensics/tct.html
automatically display deleted files.
I have taken a
screen shot of the display Autopsy uses to show the deleted data
that it recovers on the next page. The file names are all files that
Autopsy was able to recover automatically.
security deletion of data on hard drives a product like DBAN is
http://dban.sourceforge.net/ However, it should be noted
even with DoD compliant multiple wipes it is still possible to
recover data off the drive. Companies such as Vogons offer physical
recovery of data from drives that have been physically damaged
maliciously (e.g. hammer blows).
The only sure
way to completely avoid the chance of data being recovered is to
physically shred/burn the drive, which is the process used by many
This is an
interesting paper on using OS level file recovery to recover
datafiles in Postgres and may have some relevance to Oracle as well
but this is in the ?future work? category.
Example Listing from Autopsy automatic undeletion of files
Forensics equivalent ?
RMAN, Cold restore, Hot recovery, Import logical data using imp OS
level command, JDUL, BBED,
Oracle Recyclebin, Logminer and Archived redo logs.
is automated but loses flexibility and control and introduces more
chance of mistakes as it a more complex piece of software. Recommend
using the low level manual methods.
requires shutting down of the database and then copying over the OS
level database files back to the correct directory e.g on Windows it
would be something like:
is different. Recovery means that instead of just restoring the
files they will actually be recovered to a current state by applying
changes from the redo files to the datafiles.
alter tablespace data offline
Copy over the datafiles and control
files. Redo logs will be there as they are keeping the current data.
recover datafile 'path'
alter tablespace data online
import of the database
would use the imp utility available in the ORACLE_HOME/bin
imp scott/tiger file=emp.dmp full=yes
JDUL or DUDE.
Is a direct
datafile tool that bypasses the Oracle RDBMS and can recover
corrupted data at the block level. It is a commercial tool.
is a tool that Oracle support
have used for a number of years to allow direct access to datafiles
at the block level. This tool can be used to read, modify and
recover data from a datafile effectively bypassing the Oracle RDBMS
software. See section 6.6 for a demonstration of how it can be used
to change the SYS password or by a forensic analyst to locate
deleted malicious data after an attack. (This activity would render
your database unsupported by Oracle so it is ?last resort? and
should only be practiced on development servers when testing).
Flashback is a
feature that allows users to recover data they have deleted. It
works because when users delete data instead of being deleted it is
actually just renamed and placed in their Recyclebin. When flashing
back, one decision to make is whether to refer to historical points
in the past by using timestamp or SCN. SCN is Oracle?s sequential
machine number and this is linked to the system clock.
You can gain
the system time by using this query:
SQL> select systimestamp from
06-FEB-07 04.54.38.413000 PM +00:00
There will be a
variation between the SCN and sidereal time due to some inaccuracy
but this should only be in the order of minutes, however it would be
more accurate to refer to data states by their transaction ID which
is the SCN (System Change Number).
A mapping of
SCN to time is a very important factor in securing an Oracle
database forensically because during correlation with other logs and
human experiences of an incident Oracle will probably have to be
referenced using time as the central reference. We can gain the SCN
and the corresponding current timestamp using this query below.
'dd/mm/yyyy hh24:mi:ss'), SCN_BAS FROM SYS.SMON_SCN_TIME;
30/04/2006 10:07:00 9637921
30/04/2006 10:01:53 9637140
30/04/2006 09:56:46 9636359
30/04/2006 09:51:39 9635645
recycle bin new in 10g
select owner, original_name, object_name, droptime from
dba_recyclebin order by droptime;
SQUIRRELTEST TMP_G4FS3C_CPU BIN$D4bCAe00OJ3gRAgAILI2/w==$0
SQUIRRELTEST2 SQUIRRELPATCH BIN$D4bsd7TqOLngRAgAILI2/w==$0
table can still be directly accessed using its new name
. It has just been renamed.
This is an excerpt from the book "Oracle
Forensics: Oracle Security Best Practices", by Paul M. Wright,
the father of Oracle Forensics.