David Litchfield has posted a new whitepaper, "Using the Oracle System Change Number in Forensic Investigations". He also published two tools, oratime and orablock. Oratime converts an SCN to a timestamp.
C:\oratools>oratime 671406483
21/11/2008 21:48:03
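The sample value above decodes to exactly the printed date under the packed 32-bit time encoding Oracle uses internally (base year 1988, every month given 31 slots). The following is an added example, not code from the whitepaper or from oratime; that oratime works this way is an assumption checked only against the single run shown here, and the function names are hypothetical.

```python
from datetime import datetime

BASE_YEAR = 1988  # base year of the packed encoding (assumed to be what oratime uses)


def decode_packed_time(value: int) -> datetime:
    """Decode a packed 32-bit time value into a datetime."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("value must fit in an unsigned 32-bit integer")
    # Peel the fields off from least to most significant.
    value, second = divmod(value, 60)
    value, minute = divmod(value, 60)
    value, hour = divmod(value, 24)
    value, day0 = divmod(value, 31)        # 31 slots per month, 0-based
    year_off, month0 = divmod(value, 12)   # 0-based month
    # Slots such as "31 February" are representable but are not real dates;
    # datetime() raises ValueError for them, which flags a corrupt or
    # tampered value instead of silently normalising it.
    return datetime(BASE_YEAR + year_off, month0 + 1, day0 + 1,
                    hour, minute, second)


def encode_packed_time(ts: datetime) -> int:
    """Inverse of decode_packed_time, e.g. to search a raw file for a known time."""
    months = (ts.year - BASE_YEAR) * 12 + (ts.month - 1)
    days = months * 31 + (ts.day - 1)
    value = ((days * 24 + ts.hour) * 60 + ts.minute) * 60 + ts.second
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("timestamp outside the range of the 32-bit encoding")
    return value


def format_like_oratime(value: int) -> str:
    """Render in the DD/MM/YYYY HH:MM:SS layout shown in the sample run."""
    return decode_packed_time(value).strftime("%d/%m/%Y %H:%M:%S")


if __name__ == "__main__":
    print(format_like_oratime(671406483))  # value taken from the run above
```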
The second tool from the whitepaper, "orablock", can extract data from a data block.
C:\cadfile>orablock
Orablock v1.0
(c) David Litchfield
(david@davidlitchfield.com)
-h (show help)
-f data_file (required)
-c column_template
-z block_size (default 8192)
-o object_id
-b block_number
-s seperator (default newline)
-a action
Actions are:
A DUMPALL
D SHOWDELETED
O DUMPNOTVIAOFFSETS
S SHOWDELETEDNOTVIAOFFSETS
C DUMPSCNS