Menu
Events
Products
Research
News
About
Download DDLDUMP (version 0.1 beta)
You don't have to register to download ddldump but if you'd be interested in either a full tool
for dumping and exploring Oracle redo logs, i.e. dumping DDL, INSERTs, DELETEs,
UPDATEs, index operations etc, or a version that can be used in forensic investigations,
then please let us know.
About DDLDUMP
DDLDUMP parses an Oracle redo log (transaction file) and dumps all DDL statements, such as
GRANT, CREATE, ALTER, DROP, REVOKE, etc, in XML.
C:\app\david\oradata\orcl11g>ddldump REDO01.log ddl
<?xml version="1.0"?>
<LOG>
<FILENAME>REDO01.log</FILENAME>
<database_sid>ORCL11G</database_sid>
<version>11.1</version>
<ltimestamp>01/02/2010 15:26:02</ltimestamp>
<blocksize>512</blocksize>
<nab>234</nab>
<lowscn>3977649</lowscn>
<nextscn>3977776</nextscn>
<ENTRIES>
<ENTRY>
<TIMESTAMP>04/03/2010 01:16:34</TIMESTAMP>
<RDRCOFST>0x0001CB2C</RDRCOFST>
<CHVCOFST>0x0001CB5C</CHVCOFST>
<SESSION_USER>SYS</SESSION_USER>
<CURRENT_USER>SYS</CURRENT_USER>
<SQL_STATETMENT>create user hax0r identified by VALUES '9A3502887F7210C4' </SQL_STATETMENT>
<SCHEMA>hax0r</SCHEMA>
<OBJECT></OBJECT>
</ENTRY>
</ENTRIES>
</LOG>
C:\>
RDRCOFST is the hexadecimal offset into the redolog file where the redo entry containing the DDL statement can be found © V3rity Limited, 2010.
CHVCOFST is the hexadecimal offset into the redolog file where the change vector containing the DDL statement can be found
TIMESTAMP is the time and date when the redo entry was written to the log file.
SESSION_USER is the user that is logged on and initiated the DDL statement
CURRENT_USER is the user under whose authority the DDL actually executes. If session_user and current_user are different it could be indicitive of a SQL injection attack.
SQL_STATEMENT is the DDL that was executed.
SCHEMA, if present, is the schema upon which the DDL acts.
OBJECT, if present, is the object upon which the DDL acts.
|
SANS DFIR Summit EU 2001 |