This paper is the 5th in a series by David Litchfield on Oracle Forensics. In this installment, David discusses forensic analysis of a compromised database server.
In other areas of computer forensics it is often obvious that a crime has been committed; with database intrusion, however, this may be harder to detect. When information is taken from a database, only a copy is taken and the original remains, so it is not immediately clear that a theft has taken place.
This paper will show how an incident responder can determine whether a breach of an Oracle database server has occurred when one is suspected but there is no audit trail.