This paper is the first in a series of papers by David Litchfield exploring the topic of Oracle Forensics. In this first paper David explains how the redo logs can be a rich source of evidence for a forensic examiner investigating a compromised Oracle database server.
Whenever a change is made to the database state, a record of exactly what has happened is written to a log file so that, in the event of a failure, the changes can be redone. This also means that any action an attacker takes that changes the state of the database can be traced in the redo logs.
This paper will show a forensic examiner how information can be drawn from these logs, and will also show the ways an attacker can attempt to cover their tracks and how to spot this.