This paper is the 4th in a series of papers covering Oracle forensics. In this paper, David Litchfield will cover reactions to a security incident.
For many organisations without a plan of action in the event of a security incident, the instinctive response is to disconnect the system from the network to prevent further theft of data. While this is an understandable reaction, it can cause data to be lost and wipe the audit trail, making a forensic investigator's job more difficult.
This paper will explore the alternative solution for Oracle databases, Live Response, which recovers and safely stores volatile data for later analysis. The paper will start with an overview of general Live Response steps before moving on to focus on those aspects that are Oracle specific.