Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Database Vault without Database Vault"] [Next entry: "ERP Oracle Database Security"]

Oracle Forensics Response

I have spoken a few times on this blog about forensics and Oracle and in 2021 I did a talk at the UKOUG about Oracle forensics. I have just posted the slides from that talk just now to our site. This is OracleIncident Response and Forensics and I have also updated our Oracle security papers page and added a link to these new PowerPoint slides.

The talk is about what to do if there is a breach of an Oracle database. This covers the response process which is in essence a checklist of actions to take when there is a breach and also some suggestion of who should be involved and why. The first step is to assess what if any incident has occurred and if we can prove the incident is real then we must hand over control to the incident co-ordinator. This person manages the process and who is involved and what access is granted and allowed. I discuss this process in details so please have a look at the slides.

The next step is to do Live Response. This is the process of gathering the evidence in the correct order so that the evidence gathering itself does not affect the evidence! So in simple terms you may want to gather SQL statements that have been executed to see if any of them are dodgy BUT gathering the SQL statements means running SQL so this affects the historic statements. We discuss this and other issues in the area of gathering evidence in the slides.

The final part of a breach response and analysis is the process of actual forensic analysis of a breach that has occurred in the Oracle database. This means placing the evidence in time line and assessing if its relevant to the investigation and what part does it play and what other evidence must be gathered or sought. We aim to ask certain questions:

  • Was there a breach?

  • How did they get in?

  • Who did they get in as?

  • What did they do?

  • Did they change anything?

  • What could they have done with the reach they had if they had more skill?

The slides cover a lot more material and they are new to my site, so please have a look

#oracleace #oracle #database #forensics #security #gdpr #liveresponse #databreach