Oninit® Forensic Tools — Overview

The Oninit® forensic line targets the recovery and inspection of data that lives behind storage-layer encryption in IBM® Informix® instances. The current deliverable is ondebug — a pure-C library that reads a single page out of a raw chunk file from an encrypted dbspace, given the necessary unwrapped key material plus the chunk and page identifiers. A thin CLI front-end of the same name exposes the library against a live chunk file for one-page-at-a-time inspection.

Informix's Encryption-At-Rest (EAR) sits below the engine's page-cache boundary: pages are plaintext in the buffer cache, in oncheck -pP output, in dbexport/onunload, and in unencrypted backups; the on-disk transform applies only as pages cross between the cache and chunk storage. ondebug's role is offline: given the chunk file in hand and the appropriate key material recovered out-of-band, it produces the plaintext page without needing a running engine.

Configuration discovery happens through the standard Informix surfaces (onconfig, onstat -d). The library itself is self-contained: it has no Informix linkage and no third- party crypto library dependency at link time.

What this is not

• Not a keystore extractor. The page-decrypt library accepts unwrapped key material as input; obtaining those bytes is a sibling concern, kept out of this deliverable.
• Not an offline replacement for oncheck. oncheck -pP already produces plaintext pages via the running engine; ondebug is for the forensic case where the engine is unavailable, the chunk file is in hand, and the key material has been recovered through other means.
• Not a key-rotation or remote-keystore (KMIP / AWS KMS / Azure KeyVault) integration. The library handles unwrapped keys only.