Investigation Forensics - How to Find Evidence from Oracle Data Base - Research Paper Example

? Full Paper Expanded Literature Review Log miner is a recommendation for correcting errors efficiently and robustly in projects related to military medical industry. It was implemented to provide two functions i.e. mining and analyzing the redo log files that are created by the database powered by Oracle. The military medical program demonstrated the core concept of ‘Logminer’ in terms of configuration and utilizing its features within the register program (Application of LogMiner in no.1 military medical project-- Chinese medical equipment Journal 2008). The register program was the sub program of the project. Likewise, the errors occurred were efficiently detected by SQL statements via UNDO_VALUE field. After reviewing its pinpoint accuracy, Log miner was recommended for maintenance personnel programs associated with hospital information systems (Application of LogMiner in no.1 military medical project-- Chinese medical equipment Journal 2008). Moreover, one more research was conducted by (Pucciani, Domenici, Donno, & Stockinger, 2010) that was related to a performance study on the synchronization of heterogeneous Grid databases using ‘CONStanza’. The study was implementing on grid computing that links with high performance computing. The grid environment is composed of many heterogeneous database management systems. Likewise, these database management systems serve their purpose for many administrative tasks. The study illustrated the evaluation of system components for further future developments (Case_LogMiner.pdf (application/pdf object)). Moreover, one more study was conducted related to the utilization of ‘LogMiner’ to locate Archive Logs Flow. The researchers analyzed rapid disk possession without creating new jobs. Consequently, the new log archive is developed every 60 seconds along with the rapid increment in disk possession (Case_LogMiner.pdf (application/pdf object)). The conclusion of the study demonstrated that the internal processes related to the ‘STATPACK’, were the foundation of unnecessary log archives. Furthermore, the time intervals were not configured correctly for STATPACK (Case_LogMiner.pdf (application/pdf object)). Methodology In order to conduct data forensics on the database, some of the particular methods are mentioned below: Data dictionary extraction is achievable in flat files and ‘redo’ log files. However, in Oracle 9i, if an investigator is analyzing a ‘redo’ log file that is created within the same database, the online dictionary data can be utilized as a replacement for a ‘redo’ log file or a flat file. The extraction of information encapsulated in the data dictionary is possible via DBMS_LOGMNR_D package. The package provides certain features such as: Incarcerating extraction of data dictionary of flat files Incarcerating extraction of data dictionary of the redo log files Modifying the location and storage, where the tables are stored, and are utilized to incarcerate data dictionary extraction in the redo log files. However, by default, the table storage is located in ‘SYSTEM tablespace’ (TOO CLEVER FOR WORDS: ORACLE9I LOG MINER - ORACLE). Apart from the features, the package also supports procedural outcomes that are associated with ‘DBMS_LOGMNR_D’ package. The procedural outcomes are named as ‘PROCEDURE BUILD’ ‘PROCEDURE SET_TABLESPACE’ and ‘IDENTIFYING REDO LOG FILES’. In order to start a session of the Log minor, there is a requirement of redo log files, as the log miner reads the information that is present in the ‘redo’ log files. The information in the ‘redo’ log files comes from the data dictionary extraction (TOO CLEVER FOR WORDS: ORACLE9I LOG MINER - ORACLE). Moreover, the value ‘DBMS_LOGMNR.DICT_FROM_REDO_LOGS’ I configured in the options parameter. The value ‘DBMS_LOGMNR.COMMITTED_DATA_ONLY’ is configured for the automated filtration of transactions that are uncommitted in the database. The filtration separates the uncommitted transactions so that only committed transactions can be displayed (TOO CLEVER FOR WORDS: ORACLE9I LOG MINER - ORACLE). The value ‘DBMS_LOGMNR.DICT_FROM_ONLINE_CATALOG’ is configured if the redo log files are developed within the same database. In this case, the implementation of online data dictionary takes place, in order to start the translation map of data dictionary. Moreover, many additional features can only be implemented while log miner sessions are in progress. Some of the names of these processes include (TOO CLEVER FOR WORDS: ORACLE9I LOG MINER - ORACLE): V$LOGMNR_DICTIONARY V$LOGMNR_LOGS $LOGMNR_LOGFILE V$LOGMNR_PARAMETERS V$LOGMNR_SESSION V$LOGMNR_PROCESS V$LOGMNR_TRANSACTION V$LOGMNR_REGION V$LOGMNR_CALLBACK V$LOGMNR_STATS In the end, the log miner session can be ended by the DBMS_LOGMNR.END_LOGMNR procedure (TOO CLEVER FOR WORDS: ORACLE9I LOG MINER - ORACLE). Milestone One and Milestone Two Summary In milestone one the evaluation of database forensic tool named as log miner was discussed. The researchers evaluated the capability and performance of this tool, in order to analyze timelines and audit trails of databases. The testing or evaluation of this tool concluded that it could analyze Oracle generated redo files. The redo files contain information that contributes in file recovery or tracking audit trails. Therefore, following tests were conducted in order to check the integrity an accuracy of Log miner: General forensic capability: Accuracy level Find out source of inaccuracy After conducting the above-mentioned tests, all the results were successful and hence the tool was considered as an efficient product for recovering lost data from a database. Moreover, the expanded literature review and methodology concluded its usage in different industries including military and hospitals. A study was conducted on synchronizing heterogeneous grid databases by utilizing ‘CONStanza’. Furthermore, another study was demonstrated associated with ‘LogMiner’ to locate archive log flow. In this study, hard drive and storage devices were examined closely. Results In the results section, Logminer will retrieve data of interest from a database. Several steps and procedures needs to be followed in order to retrieve data. The steps are as follows (Using LogMiner to analyze redo log files): First step: The first step is to locate a logminer dictionary. However, there are many types of dictionaries, and depends on the data needs to be retrieved as demonstrated in Fig 1.1. Logminer will initialize DBMS_LOGMNR_D.BUILD. Figure 1.1 image retrieved from (DBAsupport.com : Oracle 9i central : Striking gold with LogMiner - part 1: Getting started ) Second step: The second step will identify redo log files that needs to be examined by initializing DBMS_LOGMNR.ADD_LOGFILE procedure as shown in Fig 1.2. Figure 1.2 image retrieved from (B.Oracle9i DBA JumpStart San Francisco, Calif.; SYBEX, c2003) Third Step: In the third step, log miner will start its operations by initializing DBMS_LOGMNR.START_LOGMNR procedure. Fourth Step: In this step log miner will request the redo data, which is specifically required by querying V$LOGMNR_CONTENTS view. Fifth Step: Logminer session is over by executing DBMS_LOGMNR.END_LOGMNR. Results will be shown in the results tab as shown in Fig 1.3 Figure 1.3 image retrieved from (Zorac - my oracle home: EXTRACTING INFORMATION FROM REDO LOGS WITH LOGMINER Retrieved 6/17/2011, 2011, from http://jzorac.blogspot.com/2010/04/extracting-information-from-redo-logs.html) Moreover, a forensic tool kit is also a powerful tools used for retrieving data from a database. However, this tool also requires some steps to follow. The steps are as follows (LIVE FORENSICS: FORENSIC TOOL: ENCASE OR FTK): First Step: The first step involves the collection of data from the database or any other possible location. Second Step: The second step includes preservation i.e. replication of data that was gathered in step 1. Likewise, the verification of data is conducted by ‘MD5’ and ‘SHA -1’ algorithm techniques. Third Step: This step analyzes and extracts the recovered data on the screen nu filtering and searching. Fourth Step: At the end the FTK provide options to produce a customized report of data recovery. Conclusion By analyzing all the functions of a powerful forensic tool named as ‘Logminer’, data can be retrieved to an extent. However, data files that are overwritten cannot be retrieved. ‘Logminer’ has several dictionaries that can be used along with certain commands, according to the nature of data to be retrieved. Moreover, forensic tool kit also provides efficient data recovery by encompassing several steps. Future Work In future, online labs providing testing environment will facilitate students. Moreover, these tools must also integrate these functions: Decryption tools Volatile data analysis Gaining information from operating system’s log files Retrieving passwords / cracking passwords Tracking hidden data References Application of LogMiner in no.1 military medical project-- Chinese medical equipment Journal 2008 Retrieved 6/6/2011, 2011, from http://en.cnki.com.cn/Article_en/CJFDTOTAL-YNWS200810016.htm Pucciani, G., Domenici, A., Donno, F., & Stockinger, H. (2010). A performance study on the synchronisation of heterogeneous grid databases using CONStanza Future Generation Computer Systems, 26(6), 820 834. doi:10.1016/j.future.2010.03.001 Case_LogMiner.pdf (application/pdf object) Retrieved 6/6/2011, 2011, from http://oraclepoint.com/oralife/mnt/w0807/d24/s36/b02ab542/www/oraclepoint.com/oralife/wp-content/uploads/2007/07/Case_LogMiner.pdf TOO CLEVER FOR WORDS: ORACLE9I LOG MINER - ORACLE. (n.d.). Retrieved from http://blogold.chinaunix.net/u/3787/showart_26417.htm Using LogMiner to analyze redo log files Retrieved 6/16/2011, 2011, from http://download.oracle.com/docs/cd/B19306_01/server.102/b14215/logminer.htm LIVE FORENSICS: FORENSIC TOOL: ENCASE OR FTK Retrieved 6/16/2011, 2011, from http://liveforensic.blogspot.com/2009/09/forensic-tool-encase-or-ftk.html DBAsupport.com : Oracle 9i central : Striking gold with LogMiner - part 1: Getting started Retrieved 6/17/2011, 2011, from http://www.dbasupport.com/oracle/ora9i/logminer01.shtml Read More