May 17th, 2007
by Pete
David sent me an email today to let me know that he has released part 4 in his Oracle forensics series. The paper is titled http://www.databasesecurity.com/dbsec/LiveResponse.pdf - (broken link) Oracle Forensics Part 4: Live Response. This is a good paper taking you through the steps of live response in an Oracle database. This is really about how to read the structure/state/config of the database and also to gather evidence of what the database was doing when the incident occured without affecting the state of the database all with the purpose of being able to assure the state of the data for potential use in court.
There are useful lists of what to gather, system related, files, and then database queries including previously executed SQL queries. Also how to get logons, users, privileges, objects including checksumming of objects.
The most interesting sentence is that David announces that a commercial unwrapper is available for sale.