Database forensics is a field that has received little research attention, partly because of the complexity of database software and partly because of a flood of assurances from vendors' marketing departments about the security of mainstream databases, which has deferred serious research into database forensics. Wright's book squarely aims to change this image by demonstrating that database forensics is feasible and, in many situations, mandatory.
The book is organized into 17 chapters and three appendices. A short introduction sets the scene by defining the intended audience: Oracle database administrators (DBAs), security officers, and forensic incident handlers.
In chapter 2, the author steps through the ten stages of a network attack, pointing to a number of Web sites for further information. Chapter 3 is an Oracle database primer, with the addition of a few useful SQL commands, a script, and a few Web links. In chapter 4, the author goes into the details of Oracle security, gives a good explanation of the Oracle patching process, and introduces the main avenues of attack; privilege escalation, SQL injection, buffer overflows, and Java security make up the bulk of this important chapter. In chapter 5, current Oracle server attack scenarios demonstrate how easy it is to break into most versions of the Oracle database: by using default login information to gain access to passwords, by exploiting an operating system (OS)-level vulnerability to gain an administrator account, by escalating the privileges of a low-privilege user, or by gaining access through mere brute force, connecting as SYS AS SYSDBA using utility software. The chapter ends by providing the stressed DBA who is running scared with traditional ways to defend against these attacks.
Chapter 6 goes into computer forensic incident handling, offering an overview of the ten generic forensics phases. Wright then maps core forensics tasks from OS to Oracle database. This chapter occupies about one-third of the book’s length, paying special attention to details that parallel OS and database techniques. Logs are covered at length, demonstrating their use to detect hackers and monitor the database.
Chapter 7 goes into new vulnerability research, with the quest for buffer overflow defects in old and new packages. Finding vulnerabilities includes revisiting previous defects after scheduled or unscheduled maintenance. Wright points to complementary research embodied in third-party scanning tools commonly used to discover vulnerabilities, such as AppDetective or NGSSQuirreL.
In the short chapter 8, the author explains how to use the DB version number to identify vulnerability status. Chapter 9 warns the reader about Oracle patch problems that stem from the patches' inherent complexity and from the potential for introducing new vulnerabilities through modified packages. The short chapter 10 introduces the use of the OS to ascertain patch activity, and is followed by a chapter on establishing DB vulnerability status, in which checksums are used to find out which packages have been changed.
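The checksum technique summarized above can be illustrated with a small baseline-and-compare script. The following is an added example for this review and is not code from Wright's book; it assumes that the source text of each package has already been exported to plain strings (for instance from a data dictionary view such as DBA_SOURCE; the export step itself is not shown), and the package names and bodies are constructed sample data.

```python
"""Checksum-based detection of modified PL/SQL packages (added example).

Assumes package source has been exported to plain strings, keyed by
owner.package name. All names and bodies below are constructed.
"""
import hashlib
from typing import Dict, List

# Constructed baseline: source captured right after a known-good patch run.
BASELINE_SOURCE: Dict[str, str] = {
    "APP.PKG_BILLING": "PACKAGE BODY pkg_billing IS PROCEDURE post IS BEGIN NULL; END; END;",
    "APP.PKG_AUDIT":   "PACKAGE BODY pkg_audit IS PROCEDURE log_it IS BEGIN NULL; END; END;",
    "APP.PKG_REPORTS": "PACKAGE BODY pkg_reports IS FUNCTION f RETURN NUMBER IS BEGIN RETURN 1; END; END;",
}

# Constructed current snapshot: PKG_AUDIT has been altered, PKG_REPORTS is
# missing, and PKG_NEW did not exist at baseline time.
CURRENT_SOURCE: Dict[str, str] = {
    "APP.PKG_BILLING": "PACKAGE BODY pkg_billing IS PROCEDURE post IS BEGIN NULL; END; END;\r\n",
    "APP.PKG_AUDIT":   "PACKAGE BODY pkg_audit IS PROCEDURE log_it IS BEGIN RETURN; END; END;",
    "APP.PKG_NEW":     "PACKAGE BODY pkg_new IS PROCEDURE p IS BEGIN NULL; END; END;",
}


def checksum(source: str) -> str:
    """SHA-256 over canonicalised source.

    Line endings and trailing whitespace are normalised so that a
    re-export with different formatting is not reported as a change,
    while any change to the statements themselves still is.
    """
    lines = source.replace("\r\n", "\n").splitlines()
    canonical = "\n".join(line.rstrip() for line in lines)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_baseline(sources: Dict[str, str]) -> Dict[str, str]:
    """Map each package name to the checksum of its source."""
    return {name: checksum(src) for name, src in sources.items()}


def compare(baseline: Dict[str, str], current_sources: Dict[str, str]) -> Dict[str, List[str]]:
    """Report packages whose checksum differs, that vanished, or that appeared.

    Each category is significant to an investigator: a changed checksum on
    a package the patch did not touch, a removed package, or an unexpected
    new package all warrant a closer look.
    """
    current = build_baseline(current_sources)
    changed = sorted(n for n in baseline if n in current and baseline[n] != current[n])
    removed = sorted(n for n in baseline if n not in current)
    added = sorted(n for n in current if n not in baseline)
    return {"changed": changed, "removed": removed, "added": added}


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_SOURCE)
    for category, names in compare(baseline, CURRENT_SOURCE).items():
        print(f"{category:8s}: {', '.join(names) or '-'}")
```

The baseline must be stored somewhere the database server cannot rewrite (a separate host or write-once media), since a checksum list kept alongside the packages it protects can be updated by whoever altered them.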
In chapter 12, the author defines zero-day risks and shows how flashback can reintroduce previously patched vulnerabilities. In chapter 13, Wright identifies Oracle malware, such as rootkits. This is followed by a chapter on defeating Oracle anti-forensics and another on depository review. The book ends by covering forensic investigation data and recapping the lessons learned.
Given the rarity of resources that cover database forensics, this book certainly fills a niche in the market. The book’s material and its references can help the DBA to both protect the Oracle database and take the necessary steps to track the hacker if the database has been breached. Wright is a well-known expert in Oracle forensics, and studying his book goes a long way toward a better understanding of the topics. I wish the publisher had provided the code listed in the book; this would facilitate learning by enabling the reader to apply the lessons learned while going through the chapters. Although the depth of coverage is uneven among chapters, overall, the author should be commended for his attempt to clarify Oracle database forensics.