Presentation Title: Practical Oracle Forensics
Oracle forensics is a new discipline without special tools/scripts. Most presentations about Oracle forensics are still very basic. The typical approach in these presentations is to show which tools and (log) files are available for forensics. In the real world, with huge databases (many GB, sometimes TB), this is normally not helpful.
This presentation uses a different approach. Depending on the type of attacker (leaving employee, nosy DBA/employee, external hacker etc.), we have different traces in Oracle, and we show in different scenarios how to find evidence. We provide a free toolset to do a (basic) forensic analysis without having deep Oracle knowledge.
* Classification of database hackers (leaving employee, nosy DBA/employee, external hacker, …)
* Typical incidents (copying account data, stealing credit card information, looking up personal data of celebrities/VIPs, covering up own faults)
* Different types of investigation (suspected employee, what happened in this period of time)
* Collect evidence from the various Oracle files/tables (with working scripts)
* How to do such an analysis on a real database (RAC, Multiple-Instance, Single-Instance, …)
Alexander Kornbrust is the founder and CEO of Red-Database-Security GmbH, a company specializing in Oracle security. Red-Database-Security is one of the leading companies in Oracle security. He is responsible for Oracle security audits and Oracle Anti-hacker trainings and has given various presentations at security conferences like Black Hat, Defcon, Bluehat, IT Underground and Syscan. Alexander has worked with Oracle products as an Oracle DBA and Oracle developer since 1992. During the last six years, Alexander reported over 320 security bugs in different Oracle products.