
Better Database Forensic Tool on the Horizon

David Litchfield, a well-known database security researcher and author of The Database Hacker's Handbook: Defending Database Servers, announced that he plans to release a database forensic tool for tracing database breaches, known as Forensic Examiners Database Scalpel. The tool should solve two problems with the forensic techniques used up to now: (1) tools make changes to the system under investigation and (2) manual methods are too time-consuming. He is running into legal issues with Oracle, though.

Litchfield described where forensic evidence can be found within a compromised database:

"An attacker may go around creating objects and then go and attempt to clean up and hide evidence," Litchfield said.

But often, hidden deep within an Oracle data block, hackers leave traces of their past presence. The header and row directory in a data block correspond to areas within a database that can yield revealing clues, Litchfield said.

He also warned against other tools that can change system data:


"There are tools that allow you to fudge your way through, but by running them you can change a system in a drastic way."

The sticking point for Litchfield is that the tool uses Oracle proprietary algorithms. Litchfield hasn't focused on making friends at Oracle over the years, and his past efforts to expose security vulnerabilities in the top-selling RDBMS probably haven't left Oracle inclined to work with him on this. That would be a loss for all of us.

We need tools like this, and the best of them are going to use detailed knowledge of database algorithms and data structures, just like the best attackers. Oracle shouldn't block this one, for its customers' sake.


Comments

Does David Litchfield provide a training course on Oracle forensic? I would like to attend one. TQ.

I'm not sure if David Litchfield offers training courses. Peter Finnigan is another well-known Oracle security expert; his web site is http://www.petefinnigan.com/. He has offered training in the past and might be a good source for forensic training.


Dan Sullivan's Bio:

Dan Sullivan is a systems architect with 20 years of IT experience that includes engagements in enterprise security, application design, and systems architecture. His experience includes a broad range of industries, including financial services, manufacturing, government, retail, gas and oil production, power generation, and education. Dan’s security-related project work has ranged from requirements analysis for enterprise information security to designing and implementing security for database applications and enterprise portals. Dan has written about information security and other enterprise information management topics for Business Security Advisor, DM Review, Intelligent Enterprise, and E-Business Advisor. You can contact Dan at: dan_sullivan@realtimepublishers.net