This paper is the 3rd in a series of papers by David Litchfield exploring the topic of Oracle Forensics. In this installment David will be looking at ways to understand if a breach has been successful.
The paper will start by exploring attacks against the authentication mechanism and evidence from the TNS Listener log file and audit trail, assuming CREATE SESSION is audited of course, and to check whether a logon attempt was successful or not. Then moving on to look at other attacks levelled at the authentication process and looking look at the differences between a logon attempt via the FTP and Web services provided with the XML Database and directly with the RDBMS itself.