A new database forensics tool being developed by database security guru David Litchfield could help data breach investigators build evidence against attackers.
Litchfield, managing director at NGS (Next Generation Security) Software, plans to release the Forensic Examiners Database Scalpel. The new tool is designed for Oracle database management systems and automates the process of sifting through mountains of system metadata to discover the cause and extent of a data security breach.
In his presentation at the Black Hat USA 2007 Briefings in Las Vegas, Litchfield called for further research in the area of database forensics. Litchfield, who has focused his research on Oracle database security, said he has been conducting forensics research on the Oracle 10g database management system for about six months.
"We've seen database breaches occurring all the time and we need to see how they are occurring," he said.
Litchfield said he has a legal hurdle to overcome with Oracle since the tool uses some of Oracle's proprietary algorithms. The new tool would be the first of its kind once it is released, he said. There are no database-specific forensic analysis tools on the market.
"There are tools that allow you to ascertain a compromise or not, but by running those tools, you could compromise evidence," Litchfield said. "There are tools that allow you to fudge your way through, but by running them you can change a system in a drastic way."
Litchfield said that investigators examine redo logs, data files and Apache logs to follow the path of a hacker.
The process of examining metadata and statistics could yield evidence of the creation of foreign database objects and database row deletions. Investigators can find hidden clues that reveal the path a hacker took and build a case using the information.
"An attacker may go around creating objects and then go and attempt to clean up and hide evidence," Litchfield said.
But often, hidden deep within an Oracle data block, hackers leave traces of their presence. The header and row directory in a data block correspond to areas within a database that can yield revealing clues, Litchfield said.
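The investigative process described above, examining web server logs alongside database activity to reconstruct what an intruder did and when, can be illustrated with a small timeline-correlation script. This is an added example and is not Litchfield's tool or any NGS Software code; the Apache log lines and the database event records are constructed sample data, and the database events are a deliberately simplified stand-in (timestamp, user, action, object) rather than Oracle's redo log or data block format. It pairs each object creation, deletion or drop with the web requests that arrived in the seconds before it, which is the kind of cross-source clue an investigator uses to attribute database changes to a request source.

```python
"""Correlate a web server access log with a simplified list of database events
to build an incident timeline. Added illustration, not the forensic tool from the
article; DB_EVENTS is a constructed, simplified stand-in for redo log content."""
import re
from datetime import datetime, timedelta

# Constructed Apache combined-format lines (sample data, not from a real system).
APACHE_LOG = """\
10.0.0.5 - - [02/Aug/2007:14:03:10 +0000] "GET /app/report?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [02/Aug/2007:14:03:11 +0000] "GET /app/report?id=43 HTTP/1.1" 500 88 "-" "Mozilla/5.0"
192.168.1.20 - - [02/Aug/2007:14:10:00 +0000] "GET /app/home HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.5 - - [02/Aug/2007:14:10:30 +0000] "GET /app/report?id=44 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Constructed, simplified database events: (timestamp, db user, action, object).
DB_EVENTS = [
    ("2007-08-02T14:03:12+00:00", "WEBAPP", "CREATE", "TABLE TMP_X1"),
    ("2007-08-02T14:03:13+00:00", "WEBAPP", "DELETE", "AUDIT_TRAIL"),
    ("2007-08-02T14:10:31+00:00", "WEBAPP", "DROP", "TABLE TMP_X1"),
    ("2007-08-02T14:20:00+00:00", "BATCH", "INSERT", "SALES"),
]

# Leading fields of the Apache combined log format; trailing referer/agent are ignored.
APACHE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Schema-changing or destructive actions worth tying back to a request source.
SUSPECT_ACTIONS = {"CREATE", "DROP", "DELETE", "ALTER"}


def parse_apache(text):
    """Parse access log lines into dicts with timezone-aware timestamps."""
    requests = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole analysis
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        requests.append({"ts": ts, "ip": m.group("ip"),
                         "req": m.group("req"), "status": int(m.group("status"))})
    return requests


def parse_db_events(rows):
    """Turn the constructed event tuples into dicts with aware timestamps."""
    return [{"ts": datetime.fromisoformat(t), "user": u, "action": a, "object": o}
            for t, u, a, o in rows]


def correlate(requests, events, window_seconds=5):
    """For each suspect DB event, collect web requests seen in the preceding window."""
    window = timedelta(seconds=window_seconds)
    findings = []
    for ev in events:
        if ev["action"] not in SUSPECT_ACTIONS:
            continue
        nearby = [r for r in requests if ev["ts"] - window <= r["ts"] <= ev["ts"]]
        findings.append({"event": ev, "requests": nearby})
    return findings


def suspect_ips(findings):
    """Rank request sources by how often they precede a suspect DB event."""
    counts = {}
    for f in findings:
        for r in f["requests"]:
            counts[r["ip"]] = counts.get(r["ip"], 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


def build_timeline(text=APACHE_LOG, rows=DB_EVENTS):
    """Run the full correlation and return (findings, ranked source IPs)."""
    findings = correlate(parse_apache(text), parse_db_events(rows))
    return findings, suspect_ips(findings)


if __name__ == "__main__":
    findings, ips = build_timeline()
    for f in findings:
        ev = f["event"]
        print(f"{ev['ts'].isoformat()} {ev['user']} {ev['action']} {ev['object']}")
        for r in f["requests"]:
            print(f"    <- {r['ip']} {r['req']} ({r['status']})")
    print("request sources most often preceding suspect DB events:", ips)
```

The correlation window is a tunable assumption; on a real system clock skew between the web tier and the database must be measured and corrected before timestamps from the two sources are compared, and the script reads both inputs as text copies so that, unlike tools run against the live database, it does not alter the evidence it examines.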
Litchfield said that forensic analysis conducted by investigators should always be done in the presence of the database administrator, who should be able to recognize problems.
A database administrator who attended Litchfield's presentation and wished to remain anonymous said the new tool is vital to conducting forensics research on specific data blocks. Without the tool, the work is too time-consuming, he said.
"A tool like this could make a difference," he said. "There are ways to conduct an analysis with other tools, but they can alter tables and possibly damage evidence."
In recent years, database-related news at Black Hat has been dominated by Litchfield. He has focused on flaws in Oracle databases, though last year he focused instead on flaws in IBM's Informix family of database products.