I'm in urgent need of help to do a live acquisition on a Sun Solaris SPARC server running an Oracle Enterprise database.
My goal is to acquire the Oracle database server, but all the tricks have failed, i.e.
My biggest problem was mounting a USB 2.0 external HDD. It failed to read because the server does not have the patches for USB 2.0.
I'm hoping to do a network acquisition using the dd command and pipe the data to a networked machine.
Any ideas on how to achieve this, and any other ideas, would be appreciated.
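The dd-over-the-network acquisition the poster is asking about, written out as an added example; this is not code from the thread or from any participant. It assumes (none of this is stated above) a POSIX sh on the sender with dd, tee, mkfifo, mktemp and sha256sum (on Solaris, `digest -a sha256` is the usual stand-in for sha256sum), and a transport that reads stdin, such as `nc receiver 9999` or `ssh user@receiver 'cat > /evidence/oradata.img'`, with the receiver running the matching listener (`nc -l` flags vary between netcat implementations, so check the man page on the receiving box). The point of the FIFO is that the stream is hashed in flight, so the sender never has to read a live, changing source a second time; the hash proves the receiver got exactly what dd read, not that the image is consistent, which for an open database it will not be (as the reply below notes).

```sh
#!/bin/sh
# Added example, not code from the thread: stream a dd image through a
# pipe while hashing the bytes in flight, so the receiver can verify the
# copy without the sender reading the live source a second time.
#
# Assumed (not stated in the thread): POSIX sh with dd, tee, mkfifo,
# mktemp and sha256sum on the sender; the transport is any command that
# consumes stdin, e.g. "nc receiver 9999" or
# "ssh user@receiver 'cat > /evidence/oradata.img'".

# acquire_stream SRC TRANSPORT_CMD HASHFILE
#   Reads SRC with dd, feeds the bytes to TRANSPORT_CMD's stdin, and writes
#   the SHA-256 of exactly those bytes to HASHFILE. dd's own summary
#   (records in/out, read errors) is kept in HASHFILE.ddlog for the notes.
#   Returns the transport command's exit status.
acquire_stream() {
    src=$1; transport=$2; hashfile=$3
    tmpd=$(mktemp -d) || return 1
    fifo=$tmpd/stream
    mkfifo "$fifo" || { rm -rf "$tmpd"; return 1; }

    # Background hasher reads the duplicate copy of the stream from the FIFO.
    sha256sum < "$fifo" | cut -d' ' -f1 > "$hashfile" &
    hasher=$!

    # A large block size keeps throughput up on a clean source. For a
    # device with bad sectors use bs=512 conv=noerror,sync instead, so a
    # failed sector is zero-filled without padding the end of the image.
    dd if="$src" bs=65536 2>"$hashfile.ddlog" | tee "$fifo" | eval "$transport"
    status=$?

    wait "$hasher"
    rm -rf "$tmpd"
    return $status
}

# verify_image IMAGE HASHFILE
#   Run on the receiver, after HASHFILE has been carried over separately:
#   succeeds only if IMAGE hashes to the value the sender recorded while
#   streaming.
verify_image() {
    image=$1; hashfile=$2
    expected=$(cat "$hashfile" 2>/dev/null)
    actual=$(sha256sum < "$image" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}
```

Typical use on the sender is `acquire_stream /dev/rdsk/c0t0d0s6 "nc receiver 9999" /var/tmp/oradata.sha256` (the device path is illustrative), with the receiver capturing to a file; copy the `.sha256` and `.ddlog` files across afterwards and run `verify_image oradata.img oradata.sha256` there before anything is loaded into EnCase. The `.ddlog` record counts are worth keeping with the evidence notes, since a short count or read error explains any later mismatch.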
What is the purpose of your acquisition? Is it the server you're after or the contents of the database?
Is the database mounted/open or shut down? If it's not shut down there is no point doing a live acquisition; the database will be unusable.
If it's the database you have a couple of options:
1. Shut down the database and take a cold backup copy of all of the database files, spfiles, etc., but unless you're an experienced Oracle DBA, rebuilding this to a usable state will be difficult and will require the same disk layouts, Oracle version, Solaris version and hardware.
2. Use RMAN to take a backup of the database and then copy the backup set pieces onto your external drive over the network. Depending on the Oracle version you will have more options for the destination of your database.
I'm after the database.
I'm supposed to analyze the content of the DB using forensic tools, i.e. EnCase, whereby the contents are not modified.
The Unix server and the Oracle database are all running and are critical systems, so shutting down will be the last option.
Using RMAN for acquisition sounds great to get the contents, but I will need to restore using Oracle, and unfortunately I don't have Oracle running in my company. Or are there other methods of restoring the backup that don't require the Oracle platform?
In these cases advice from a DBA will be the most help to you. If you can find a forensics examiner with DBA skills, even better.
I've been working (amongst other things) as an Oracle DBA for the past 14 years, so I may be able to help. A few questions for starters:
- What version is the database?
- What size is the database?
- What type of activity are you interested in (is it backend or application-side data manipulation)?
- What is the attitude of the DBAs on-site (helpful or defensive)?
- Is the database running in archivelog mode?
- Is there a specific point in time you're interested in?
- What type of data do you need to analyze?
- What is the backup frequency?
- What type of auditing (if any) is enabled?
Answers to the above may point to potential investigation strategies.