Incident Investigation

Incident Investigation is the after-the-fact analysis of security events and breaches to determine what happened and how it occurred.

Evidence

Incident investigations initially focus on preventing further damage and preserving evidence. Evidence is the central problem in these investigations, because it is the key to building a timeline of what happened and how.
Evidence can be collected from logs on many systems, including firewalls, Unix and Windows hosts, web servers and application servers. It can also be recovered by scraping file systems (e.g. NTFS) for deleted evidence or for traces of deliberate anti-forensics techniques.

The Evidence Gap

Most systems maintain logs of all logins, and your Oracle database can keep similar evidence. Some systems keep detailed activity logs; web servers, for example, log every page request. Unfortunately, Oracle does not log every SQL statement executed in the database, because such logging would bring the database to a halt.
Modifications made in the database (insert/update/delete) can be recovered from the redo logs (online or archived), but that evidence is only useful when the breach modified information.
Most breaches involve data theft, and for such a breach there is no evidence to collect from the time the attackers entered the Oracle database until the time they left.

Ramifications

Since there is no way to know what an attacker did in the database, forensic analysts have to assume everything in the database has been compromised.
That is why database breaches tend to report compromised records rather than stolen records. It is also why breaches are expensive – one must assume everything was stolen.

Declarative Auditing

Declarative auditing is the auditing of specific, pre-defined activities. It can sometimes bridge the gap in knowledge of what happened during the otherwise blacked-out period between login and logout.
The contribution of declarative auditing to the investigation depends on which “mines” the attacker stepped on. For example, if an attacker exploited a stolen DBA password and all DBA activity is automatically logged, then there will be plenty of evidence.
On the other hand, if the attacker compromised the application account password, or used SQL injection through the application, then there will probably be no evidence of what occurred.
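As an added illustration of the logon-to-logoff gap described above (this is not code from the original page or from Core Audit), the script below builds a per-session timeline from constructed records of the kinds named in the text (audit-trail logon/logoff, redo-derived DML, declarative audit hits) and reports the intervals for which no evidence exists at all. The session names, timestamps and the one-minute coverage tolerance are assumptions made for the example.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

# Constructed sample data (not real logs). Logon/logoff times come from the
# login audit trail; the DML row is what redo logs can give back; the
# declarative hits are audited privileged actions by a DBA session. The
# reporting session ran SELECTs only, which leave no record anywhere.
SESSIONS: Dict[str, Tuple[str, str]] = {
    "app_user_sid_71":  ("2024-03-01 10:00:00", "2024-03-01 10:40:00"),
    "dba_sid_88":       ("2024-03-01 11:00:00", "2024-03-01 11:10:00"),
    "reporting_sid_5":  ("2024-03-01 12:00:00", "2024-03-01 12:15:00"),
}
EVIDENCE: List[Tuple[str, str, str]] = [
    # (session, timestamp, source and summary of the recovered record)
    ("app_user_sid_71", "2024-03-01 10:05:00", "redo: UPDATE orders"),
    ("dba_sid_88",      "2024-03-01 11:02:00", "declarative: CREATE USER"),
    ("dba_sid_88",      "2024-03-01 11:06:00", "declarative: GRANT"),
]

def evidence_gaps(session: str,
                  tolerance: timedelta = timedelta(minutes=1)
                  ) -> List[Tuple[datetime, datetime]]:
    """Intervals within the session for which no record of any kind exists.
    A single recovered statement only vouches for +/- tolerance around its
    own timestamp; it says nothing about what else the session did."""
    logon, logoff = (parse(t) for t in SESSIONS[session])
    marks = sorted(parse(ts) for s, ts, _ in EVIDENCE if s == session)
    gaps: List[Tuple[datetime, datetime]] = []
    cursor = logon
    for m in marks:
        if m - tolerance > cursor:
            gaps.append((cursor, m - tolerance))
        cursor = max(cursor, m + tolerance)
    if cursor < logoff:
        gaps.append((cursor, logoff))
    return gaps

def blackout_minutes(session: str) -> float:
    """Total session time that the investigator cannot account for."""
    return sum((e - s).total_seconds() for s, e in evidence_gaps(session)) / 60

def must_assume_compromised(session: str) -> bool:
    """Any unaccounted interval forces the 'everything was read' assumption,
    which is why breach reports count compromised rather than stolen rows."""
    return bool(evidence_gaps(session))

if __name__ == "__main__":
    for sid in SESSIONS:
        print(f"{sid}: {blackout_minutes(sid):.0f} min unaccounted, "
              f"assume compromised={must_assume_compromised(sid)}")
```

The DBA session is the best case in the text: its audited actions shrink the unaccounted time, while the SELECT-only reporting session is a single gap spanning the whole session.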

Complete Picture

Complete Picture is an automatic feature in Core Audit that covers all the activity in the database. It can fill in the gaps that were not covered by declarative auditing or other means.
While Complete Picture only keeps 5-minute aggregates rather than detailed transcripts (as declarative auditing does), it can provide excellent forensic evidence about what transpired anywhere in the database, by anyone, at any time.
Complete Picture gives you the comfort of knowing that, whether or not you thought of monitoring for it, there will always be a record of everything that happened.
Complete Picture is equipped with interactive graphical investigation tools for postmortem analysis that can help pinpoint the offending activity in a few minutes. For automatic mining of the Complete Picture repository, see Intelligent Auditing.
