Recovering Deleted Data

Oracle Forensics tips by Paul Wright

Traditional OS forensics uses tools such as the Coroner's Toolkit, Sleuthkit, Autopsy and EnCase. For example, to extract the unallocated (deleted) data from a disk image:

# dls -f linux-ext2 /driveimage.img > /driveimage.img.dls

Then use Lazarus to read the .dls file or, easier still, mount the drive image in Autopsy and let it do the work for you. (Lazarus is part of the Coroner's Toolkit: http://www.porcupine.org/forensics/tct.html)

Autopsy will automatically display deleted files.

I have taken a screenshot of the display Autopsy uses to show the deleted data that it recovers; see the figure below. The file names listed are all files that Autopsy was able to recover automatically.

For low-security deletion of data from hard drives a product like DBAN is recommended: http://dban.sourceforge.net/ However, it should be noted that even after DoD-compliant multiple wipes it is still possible to recover data from the drive. Companies such as Vogons offer physical recovery of data from drives that have been physically damaged maliciously (e.g. hammer blows).

The only sure way to completely avoid the chance of data being recovered is to physically shred/burn the drive, which is the process used by many government departments.

There is an interesting paper on using OS-level file recovery to recover datafiles in Postgres; it may have some relevance to Oracle as well, but this is in the "future work" category.


Figure 6.0 Example Listing from Autopsy automatic undeletion of files

The Oracle Forensics equivalents are RMAN, cold restore, hot recovery, logical import using the imp OS-level command, JDUL, BBED, and Flashback using the Oracle Recyclebin, LogMiner and archived redo logs.

RMAN is automated but loses flexibility and control, and introduces more chance of mistakes as it is a more complex piece of software. I recommend using the low-level manual methods.

A cold restore requires shutting down the database and then copying the OS-level database files back to the correct directory, e.g. on Windows it would be something like:

E:\oracle\product\10.2.0\oradata\XP10r2ja\

Hot recovery is different. Recovery means that instead of just restoring the files, they are actually recovered to a current state by applying the changes from the redo logs to the datafiles. First take the affected tablespace offline:

alter tablespace data offline;

Copy over the datafiles and control files. The redo logs will still be there, as they hold the current changes. Then run:

recover datafile 'path';
alter tablespace data online;

A logical import of the database would use the imp utility available in ORACLE_HOME/bin:

    imp scott/tiger file=emp.dmp full=yes

JDUL, or DUDE (http://www.ora600.nl/DUDE_PRIMER.pdf), is a direct datafile tool that bypasses the Oracle RDBMS and can recover corrupted data at the block level. It is a commercial tool.

BBED is a tool that Oracle Support have used for a number of years to allow direct access to datafiles at the block level. This tool can be used to read, modify and recover data from a datafile, effectively bypassing the Oracle RDBMS software. See section 6.6 for a demonstration of how it can be used to change the SYS password, or by a forensic analyst to locate deleted malicious data after an attack. (This activity would render your database unsupported by Oracle, so it is a "last resort" and should only be practised on development servers when testing.)

Flashback

Flashback is a feature that allows users to recover data they have deleted. It works because when users drop an object, instead of being deleted it is actually just renamed and placed in their Recyclebin. When flashing back, one decision to make is whether to refer to historical points in the past by timestamp or by SCN. The SCN is Oracle's sequential change number, and it is linked to the system clock.

You can gain the system time by using this query:

SQL> select systimestamp from dual;
SYSTIMESTAMP
----------------------------------------
06-FEB-07 04.54.38.413000 PM +00:00

There will be a variation between the SCN and sidereal time due to some inaccuracy, but this should only be in the order of minutes. However, it is more accurate to refer to data states by their transaction ID, which is the SCN (System Change Number).

A mapping of SCN to time is a very important factor in securing an Oracle database forensically because during correlation with other logs and human experiences of an incident Oracle will probably have to be referenced using time as the central reference. We can gain the SCN and the corresponding current timestamp using this query below.

SELECT To_Char(TIME_DP, 'dd/mm/yyyy hh24:mi:ss'), SCN_BAS FROM SYS.SMON_SCN_TIME;
30/04/2006 10:07:00  9637921
30/04/2006 10:01:53  9637140
30/04/2006 09:56:46  9636359
30/04/2006 09:51:39  9635645

Standard recycle bin (new in 10g)

SQL> select owner, original_name, object_name, droptime from dba_recyclebin order by droptime;

OWNER          ORIGINAL_NAME   OBJECT_NAME                      DROPTIME
-------------- --------------- -------------------------------- -------------------
SQUIRRELTEST   SQUIRRELPATCH   BIN$D4bCAe0zOJ3gRAgAILI2/w==$0   2006-03-21:18:51:06
SQUIRRELTEST   TMP_G4FS3C_CPU  BIN$D4bCAe00OJ3gRAgAILI2/w==$0   2006-03-21:18:51:07
SQUIRRELTEST2  SQUIRRELPATCH   BIN$D4bsd7TqOLngRAgAILI2/w==$0   2006-03-21:19:02:59
The SQUIRRELPATCH table can still be accessed directly using its new name, BIN$D4bCAe0zOJ3gRAgAILI2/w==$0. It has just been renamed.
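The following SQL*Plus script is an added example, not from the book, showing how an analyst would tie the recycle bin entries above to SCNs and wall-clock time and then preserve the dropped table without disturbing the original name. It assumes the SQUIRRELTEST.SQUIRRELPATCH drop from the listing and a DBA session on a 10g or later database.

```sql
-- Added example (not from the book): forensic triage of a dropped table
-- via the 10g recycle bin. Assumes the SQUIRRELTEST.SQUIRRELPATCH drop
-- shown in the listing above and a session with DBA privileges.

-- 1. Record the current SCN and time first, so every later observation
--    can be placed relative to a known reference point.
SELECT current_scn, systimestamp FROM v$database;

-- 2. List the dropped objects with the SCN at which each drop happened;
--    DROPSCN is what gets lined up against LogMiner output and OS logs.
SELECT owner, original_name, object_name, droptime, dropscn,
       can_undrop, purge_object
FROM   dba_recyclebin
WHERE  owner = 'SQUIRRELTEST'
ORDER  BY dropscn;

-- 3. Convert the drop SCN to a timestamp and back. SCN_TO_TIMESTAMP reads
--    the same SMON_SCN_TIME mapping queried earlier; it raises ORA-08181
--    once the SCN is older than the mapping's retention window.
SELECT dropscn,
       SCN_TO_TIMESTAMP(dropscn)                   AS drop_ts,
       TIMESTAMP_TO_SCN(SCN_TO_TIMESTAMP(dropscn)) AS roundtrip_scn
FROM   dba_recyclebin
WHERE  owner = 'SQUIRRELTEST' AND original_name = 'SQUIRRELPATCH';

-- 4. Read the dropped table in place under its BIN$ name. The name must
--    be double-quoted because it contains $, = and / characters.
SELECT COUNT(*) FROM SQUIRRELTEST."BIN$D4bCAe0zOJ3gRAgAILI2/w==$0";

-- 5. Preserve the evidence under a new name, leaving the original table
--    name (and anything later re-created under it) untouched.
FLASHBACK TABLE SQUIRRELTEST.SQUIRRELPATCH TO BEFORE DROP
  RENAME TO SQUIRRELPATCH_RECOVERED;

-- 6. Confirm the entry has left the recycle bin and the copy is usable.
SELECT COUNT(*) FROM dba_recyclebin
WHERE  owner = 'SQUIRRELTEST' AND original_name = 'SQUIRRELPATCH';
SELECT COUNT(*) FROM SQUIRRELTEST.SQUIRRELPATCH_RECOVERED;
```

If several entries share the same original name, FLASHBACK TABLE restores the most recently dropped one first, so check DROPSCN in step 2 before relying on which copy came back.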

 

This is an excerpt from the book "Oracle Forensics: Oracle Security Best Practices", by Paul M. Wright, the father of Oracle Forensics.


Copyright © 1996 -  2017

All rights reserved by Burleson

Oracle ® is the registered trademark of Oracle Corporation.