The contents of this paper and the previous 4 are also summarised in a presentation given by David at Blackhat. The presentation is titled "Oracle Forensics". This is an interesting area and one that I am also interested in.
A couple of comments though. In the part 5 paper and also in the presentation there is descriptions of how to use the AWR views to examine the database for evidence of attack. The subject of this feature and views has been discussed by a number of bloggers recently. The pythian blog summed this up with an open letter to Larry Ellison to request a lifting of the licensing for AWR and ASH views. This is summed up in the post "Open Letter to Larry Ellison on AWR and ASH Licensing" The issue is that these views exist and are populated and are available but to look at the contents requires the purchase of an additional license on top of the enterprise edition license. So to suggest using these views as part of a forensics analysis and tools is not strictly correct as most sites probably do not have licensing for the use of these views.
The second comment I have is in regards to one of the early slides in the Blackhat presentation; it states "There are 0 (zero) database-specific forensic analysis and incident response tools on the market – free or commercial." - Whilst this is true in a literal sense, the tool David previews on the last slide FEDS (Forensic Examiners Database Scalpel) is a tool for reading Oracle blocks on first analsys of the slide presented. There are many tools commercial and internal to Oracle that can be used to examine blocks. I have listed a few here in the past, these include BBED, DUL, Ora*Dude and more. Reading data blocks is not new, Oracle even provide dump commands to allow you to do this either as raw binary or formatted blocks. I hope that David is planning to include much more in FEDS than just block dumps.