Here are some notes for Oracle related forensics concerning Toad from Quest Software.
CONNECTIONS.INI File
The CONNECTIONS.INI file stores connection information related to previously used connections. It contains the passwords, usernames, and servers the user connected to using Toad. During a forensics review, you will find bits and pieces of this file all over unallocated space and slack space depending on how much the user used Toad.
In my experience with Oracle developers, I have found this file being traded among them as it offers an easy way to pass connection information. Based on that you should be able to see how easy it is for one user to obtain credentials of another user and log in with them. All the user has to do is put the file in the proper spot, bring up Toad, and then click on the connection to log in. No password checks are made by Toad provided that previous connection listed in the file was successful.
Below is a sample of a CONNECTIONS.INI file.
Sample Connection entry:
[LOGIN{#}]
SERVER={server name}
USER={user id}
PASSWORD=**{encrypted or plain text password}**
PROTOCOL=TNS
LASTCONNECT=39443.961710544
CONNECTAS=NORMAL
AUTOCONNECT=0
SAVEPASSWORD=0
FAVORITE=0
ALIAS
Note: I replaced sensitive information with the bracketed entries — { } above.
The breakdown of the File
Next I am going to breakdown some of the fields from the file and give some the insights I have found during my review.
[LOGIN{#}]
Each successful login gets an entry into the CONNECTIONS.INI file. Each entry gets a number associated with it. For example the first entry would look like [LOGIN1] and the next would be [LOGIN2]. In the Toad interface, a user can delete connection entries. When an entry is deleted, Toad does not go back and adjust the numbers for the LOGIN lines. Hence, in a file with deleted entries you might find [LOGIN1] and [LOGIN3] with no entry for [LOGIN2].
PASSWORD=**{encrypted or plain text password}**
Per Mr. Scalzo's paper on securing Toad, the password entry for older versions (8.6-) of Toad may use the Caesar-Chiffre encryption algorithm. Newer versions, my guess versions 9.0+, switched to AES for the password encryption. Somewhere after 9.0 they switched to two seperate files, with CONNECTIONSPWDS.INI for the encrypted passwords and CONNECTIONS.INI for the rest of the connection information.
The Caesar-Chiffre encryption algorithm is trivial to break. My colleague, Mr. D. Blaine, determined that it used a 16 character shift algorithm. The other thing we noticed is that it used the entire printable ASCII chart. As part of the analysis I had to recover the passwords used. I used a C++ program that I found on the Internet and modified it to meet my needs. The program is listed in the section entitled Simple Caesar Decryption C++ Program below.
Something to consider during your analysis is to search for the encrypted password hash and the decrypted password during your string searches. You never know what might turn up.
LASTCONNECT=39443.961710544
This field is a date and time stamp for the last connection. I ended up using Toad to find out the contents of this field. You can download Toad Freeware at http://www.toadsoft.com/lic_agree.html and then install the program under Wine. Then pick out the entries you want to review and place in the following file:
~/.wine/drive_c/Program Files/Quest Software/Toad for Oracle FREEWARE/User Files/CONNECTIONS.INI. Finally, start Toad. If you did it right, you should get a screen similar to this:
Notice that the field has now been converted to the date and time for the last connection. Combine that information with the Oracle connections logs and OS connection logs to your time line and you have yourself a beginnings of a road map to who did what.
Check out my post on using Perl for keyword searches as there is a Perl program there that can be used recover the CONNECTION.INI entries in unallocated space. The post can be found at: Perl and Forensics: Keyword searches and Toad (Quest Software)
SQLS.DAT
SQLS.DAT is a log file of the 100 most recent SQL statements that were run from Toad. By default Toad will only track the last 100 SQL statements, however, the user can change this to whatever they wish. Also, like the CONNECTIONS.INI file, you will find bits and pieces of this all over the file system.
An Example Entry in the SQLS.DAT File
#TOAD#11/15/2008 1:32:14 PM/\not_real@testserver#TOAD# /// SELECT receipt_number FROM rcv_shipment WHERE id = 18 AND receipt_number= 453267564
The beginning of each entry starts with #TOAD# followed by the date and time of when the SQL statement was executed against the database. After that is the userid @ database server with a final #TOAD# at the end of the line. Finally, the rest after that to the next #TOAD# is pure SQL code. As it stands this is a very good file to have even if you don't have the whole thing.
Putting It All Together
For your time line you should be able to combine:
- OS logs
- Oracle logs
- Add in any relevant entries from the CONNECTION.INI file and including those entries you recovered
- Add in any relevant entries from the SQLS.DAT file and including those entries you recovered
Based upon that, you should have a good picture of what happened and the start of a good time line.
Simple Caesar Decryption C++ Program
// Simple Caesar Decryption
//
// Description: Decodes the Caesar encryted text.
// Note: It will use the whole ASCII table and is not just alpha based.
// Simple Caesar Decryption
/
// To compile: g++ caesar_decode.c++ -o caesar_decode
#include <iostream>
#include <string.h>
using namespace std;
int main() {
char password[150];
int i = 0;
int offset;
cout << "Enter password to be decrypted: \n";
cin >> password;
cout << "Enter the offset used: \n";
cin >> offset;
cout << "Password is: ";
while(i<strlen(password)){
password[i] = int(passwd[i]) + offset;
i++;
}
cout << password<<endl;
cout << "\n\n";
return 0;
}
References:
Scalzo, Bert. Toad_in_Secure_Database_Environment, http://www.toadsoft.com/Toad_in_Secure_Database_Environment.pdf
Keven Murphy, GCFA Gold #24, is a IT security manager contracted to a fortune 100 defense contractor.
.png "Finding_Evil_WMI_Event_Consumers_with_Disk_Forensics_-Blog_(1).png")
.png "Blog_teaser_images_(19).png")
