recover the data from database

Challenge! A member of staff's record has been deleted erroneously, possibly maliciously, and we wish to find the user who did it and what time they did it, and also to recover the data to before they did it so that we can compare before and after versions of the same data.

This is what the deleter did. They connected as another user.
CONN SCOTT/TIGER;
SELECT * FROM emp;
EMPNO ENAME JOB MGR HIREDATE SAL COMM DEPTNO
7499 ALLEN SALESMAN 7698 20-FEB-81 1600 300 30
7521 WARD SALESMAN 7698 22-FEB-81 1250 500 30
7566 JONES MANAGER 7839 02-APR-81 2975 20
7654 MARTIN SALESMAN 7698 28-SEP-81 1250 1400 30
7698 BLAKE MANAGER 7839 01-MAY-81 2850 30
7782 CLARK MANAGER 7839 09-JUN-81 2450 10
7788 SCOTT ANALYST 7566 19-APR-87 3000 20
7839 KING PRESIDENT 17-NOV-81 5000 10
7844 TURNER SALESMAN 7698 08-SEP-81 1500 0 30
7876 ADAMS CLERK 7788 23-MAY-87 1100 20
7900 JAMES CLERK 7698 03-DEC-81 950 30
7902 FORD ANALYST 7566 03-DEC-81 3000 20
7934 MILLER CLERK 7782 23-JAN-82 1300 10
DELETE FROM EMP WHERE EMPNO = 7499;
The DBA Security person notices something wrong when they issue this query.
SELECT * FROM emp; --an employee has disappeared from the emp table.
EMPNO ENAME JOB MGR HIREDATE SAL COMM DEPTNO
7521 WARD SALESMAN 7698 22-FEB-81 1250 500 30
7566 JONES MANAGER 7839 02-APR-81 2975 20
7654 MARTIN SALESMAN 7698 28-SEP-81 1250 1400 30
7698 BLAKE MANAGER 7839 01-MAY-81 2850 30
7782 CLARK MANAGER 7839 09-JUN-81 2450 10
7788 SCOTT ANALYST 7566 19-APR-87 3000 20
7839 KING PRESIDENT 17-NOV-81 5000 10
7844 TURNER SALESMAN 7698 08-SEP-81 1500 0 30
7876 ADAMS CLERK 7788 23-MAY-87 1100 20
7900 JAMES CLERK 7698 03-DEC-81 950 30
7902 FORD ANALYST 7566 03-DEC-81 3000 20
7934 MILLER CLERK 7782 23-JAN-82 1300 10
Given that the database has not been rebooted for a long time, there is a good chance that the DBA is going to be able to collect evidence that will allow them to find what has happened and whether there has been malicious activity.
The DBA Security person needs to know what audit is recorded.

SQL> SELECT NAME, value FROM v$parameter WHERE NAME LIKE 'audit%';
NAME
----------------------------------------------------------------------
VALUE
----------------------------------------------------------------------
audit_sys_operations
FALSE
audit_file_dest
E:\ORACLE\PRODUCT\10.2.0\ADMIN\XP10R2JAN\ADUMP
audit_trail
DB

The audit is being written to the database (audit_trail is DB).
SQL> desc dba_audit_trail ;
Name Null? Type
----------------------------------------- -------- ---------------------------
OS_USERNAME VARCHAR2(255)
USERNAME VARCHAR2(30)
USERHOST VARCHAR2(128)
TERMINAL VARCHAR2(255)
TIMESTAMP NOT NULL DATE
OWNER VARCHAR2(30)
OBJ_NAME VARCHAR2(128)
ACTION NOT NULL NUMBER
ACTION_NAME VARCHAR2(27)
NEW_OWNER VARCHAR2(30)
NEW_NAME VARCHAR2(128)
OBJ_PRIVILEGE VARCHAR2(16)
SYS_PRIVILEGE VARCHAR2(40)
ADMIN_OPTION VARCHAR2(1)
GRANTEE VARCHAR2(30)
AUDIT_OPTION VARCHAR2(40)
SES_ACTIONS VARCHAR2(19)
LOGOFF_TIME DATE
LOGOFF_LREAD NUMBER
LOGOFF_PREAD NUMBER
LOGOFF_LWRITE NUMBER
LOGOFF_DLOCK VARCHAR2(40)
COMMENT_TEXT VARCHAR2(4000)
SESSIONID NOT NULL NUMBER
ENTRYID NOT NULL NUMBER
STATEMENTID NOT NULL NUMBER
RETURNCODE NOT NULL NUMBER
PRIV_USED VARCHAR2(40)
CLIENT_ID VARCHAR2(64)
SESSION_CPU NUMBER
The analyst has been reading this book, so they know that a view could be rootkitted; it is therefore more forensically sound to get the data from the underlying base table SYS.AUD$.
SELECT userid, action#, STATEMENT, OBJ$NAME, To_Char (timestamp#, 'mm/dd/yyyy hh24:mi:ss') FROM sys.aud$ ORDER BY timestamp# asc;
Timeline from the database audit:
USERID  ACTION#  STATEMENT  OBJ$NAME                TIMESTAMP
SCOTT   101      1                                  04/30/2006 09:11:36
SCOTT   3        2          X$NLS_PARAMETERS        04/30/2006 09:29:07
SCOTT   3        2          GV$NLS_PARAMETERS       04/30/2006 09:29:07
SCOTT   3        2          V$NLS_PARAMETERS        04/30/2006 09:29:07
SCOTT   3        2          NLS_SESSION_PARAMETERS  04/30/2006 09:29:07
SCOTT   3        5          DUAL                    04/30/2006 09:29:07
SCOTT   100      1                                  04/30/2006 09:29:41
SCOTT   3        22         OBJ$                    04/30/2006 09:31:07
SCOTT   3        22         USER_OBJECTS            04/30/2006 09:31:07
SCOTT   3        28         EMP                     04/30/2006 09:32:01
SCOTT   3        31         EMP                     04/30/2006 09:32:20
SCOTT   7        37         EMP                     04/30/2006 09:33:28
SCOTT   3        46         EMP                     04/30/2006 09:35:24
SCOTT   7        52         EMP                     04/30/2006 09:37:04
SCOTT   7        55         EMP                     04/30/2006 09:37:13
SCOTT   3        61         EMP                     04/30/2006 09:37:28
The actions and statements need to be read manually; the action numbers are listed in AUDIT_ACTIONS.
SELECT * FROM AUDIT_ACTIONS;
Action 7 is a delete, so we can see that SCOTT has deleted from emp at 9.37. We want to flash back to before then, so we have to get the recorded timestamp. Oracle does not actually record a full timeline; it only takes the time every 5 minutes with the relevant SCN. Every 5 minutes a new SCN is added and the oldest one is taken away, giving a maximum 5-day rolling figure with an accuracy of 5 minutes using the timestamp.
SELECT To_Char(TIME_DP, 'dd/mm/yyyy hh24:mi:ss'), SCN_BAS FROM SYS.SMON_SCN_TIME;
30/04/2006 10:07:00 9637921
30/04/2006 10:01:53 9637140
30/04/2006 09:56:46 9636359
30/04/2006 09:51:39 9635645
30/04/2006 09:46:31 9634864
30/04/2006 09:41:24 9634083
30/04/2006 09:36:17 9633367
30/04/2006 09:31:10 9632579
30/04/2006 09:26:03 9631772
30/04/2006 09:20:55 9631059
30/04/2006 09:15:48 9630277
30/04/2006 09:10:41 9629478
30/04/2006 09:05:34 9628692
CREATE TABLE EMPRECOVER AS SELECT * FROM SCOTT.EMP AS OF TIMESTAMP (TO_TIMESTAMP('30/04/2006 09:31:10','DD/MM/YYYY HH24:MI:SS'));
SELECT * FROM EMPRECOVER;
EMPNO ENAME JOB MGR HIREDATE SAL COMM DEPTNO
7499 ALLEN SALESMAN 7698 20-FEB-81 1600 300 30
7521 WARD SALESMAN 7698 22-FEB-81 1250 500 30
7566 JONES MANAGER 7839 02-APR-81 2975 20
7654 MARTIN SALESMAN 7698 28-SEP-81 1250 1400 30
7698 BLAKE MANAGER 7839 01-MAY-81 2850 30
7782 CLARK MANAGER 7839 09-JUN-81 2450 10
7788 SCOTT ANALYST 7566 19-APR-87 3000 20
7839 KING PRESIDENT 17-NOV-81 5000 10
7844 TURNER SALESMAN 7698 08-SEP-81 1500 0 30
7876 ADAMS CLERK 7788 23-MAY-87 1100 20
7900 JAMES CLERK 7698 03-DEC-81 950 30
7902 FORD ANALYST 7566 03-DEC-81 3000 20
7934 MILLER CLERK 7782 23-JAN-82 1300 10
So the DBA security person has found the deletion, time and user, and recovered the data. Good job! But we are not finished yet, as simply assuming that SCOTT is the culprit is simplistic, since SCOTT would have to be incredibly stupid to simply delete their adversary's row in the emp table. Perhaps a different user committed this malicious act pretending to be SCOTT in order to get them into trouble? Therefore the OS username and machine terminal columns of the audit trail are also queried below from SYS.AUD$.
SELECT userid, USERHOST, TERMINAL, SPARE1, action#, STATEMENT, OBJ$NAME, To_Char (timestamp#, 'mm/dd/yyyy hh24:mi:ss') FROM sys.aud$ ORDER BY timestamp# asc;
This additional data shows that SCOTT was coming from a different workstation from normal. Additionally, the SPARE1 column shows that the Windows username was in fact GEORGE and not SCOTT.
The investigation passes to the Windows and network administrators in order to verify whether that account was also being used fraudulently. This highlights the requirement for cross-platform knowledge for security officers.
Jan 25 '12 #1
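Added example, not part of the original post: the three manual steps of the walkthrough (decoding ACTION#, choosing the flashback point, comparing before and after) written as queries. It assumes the AUD$ columns OBJ$CREATOR and RETURNCODE alongside those used in the post, that TIMESTAMP# and TIME_DP are recorded in the same time zone, and that undo for 30/04/2006 09:31:10 is still available.

```sql
-- Added example: run as a user who can read SYS.AUD$ and SYS.SMON_SCN_TIME
-- and who holds FLASHBACK on SCOTT.EMP.

-- 1. Decode ACTION# through AUDIT_ACTIONS instead of reading it by eye, and
--    keep only successful DELETEs on SCOTT.EMP together with the workstation
--    and OS user (SPARE1) that issued each one.
SELECT a.userid,
       a.userhost,
       a.terminal,
       a.spare1                                       AS os_user,
       a.statement,
       n.name                                         AS action_name,
       TO_CHAR(a.timestamp#, 'dd/mm/yyyy hh24:mi:ss') AS action_time
FROM   sys.aud$ a
       JOIN audit_actions n ON n.action = a.action#
WHERE  a.obj$creator = 'SCOTT'
AND    a.obj$name    = 'EMP'
AND    n.name        = 'DELETE'
AND    a.returncode  = 0
ORDER  BY a.timestamp#;

-- 2. Newest SMON_SCN_TIME checkpoint taken before the first audited DELETE.
--    With the timeline in the post (first DELETE at 09:33:28) this returns
--    30/04/2006 09:31:10, the flashback point the post uses.
SELECT TO_CHAR(MAX(s.time_dp), 'dd/mm/yyyy hh24:mi:ss') AS flashback_point
FROM   sys.smon_scn_time s
WHERE  s.time_dp < (SELECT MIN(a.timestamp#)
                    FROM   sys.aud$ a
                    WHERE  a.obj$creator = 'SCOTT'
                    AND    a.obj$name    = 'EMP'
                    AND    a.action#     = 7      -- DELETE
                    AND    a.returncode  = 0);

-- 3. Before/after comparison: rows that existed at the flashback point and
--    are missing from the table now.
SELECT * FROM scott.emp
         AS OF TIMESTAMP TO_TIMESTAMP('30/04/2006 09:31:10',
                                      'DD/MM/YYYY HH24:MI:SS')
MINUS
SELECT * FROM scott.emp;
```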