I posted the other day links to my upcoming presentations, one of which at the main UKOUG is about Oracle Forensics. Alex Gorbachev was good enough to email me a link to an article on his blog titled "Forensic DBA: Oracle LogMiner Helps Detect Sabotage
". This is a great article that shows how Alex investigate using Log Miner how a departing DBA made some changes to various procedures in the database. Alex also points to a second article that he wrote last year titled "Security Issues
". This is a great story that shows where a database had a 1017 error on a materialised view and the management started to worry that someone had changed the password without authorisation. This is a really good example of how to investigate an issue where audit was not enabled. Alex checks timestamps, SYS connection audit files, log Miner to find the changes to USER$ and then he dumps the archive logs to see the actual changes. Alex found that the session was local, the terminal and the process ID. He was able to correllate with with /var/log/message and also found the person who made the change and why. This is a great pair of articles and good background for my UKOUG paper!