David Litchfield has published a new tool and paper on forensics on Oracle Databases. From his email to the Websecurity mailing list.

"I've just posted a new tool and paper for Oracle forensics. The tool,
orablock, allows a forensic investigator to dump data from a "cold" Oracle
data file - i.e. there's no need to load up the data file in the database
which would cause the data file to be modified, so using orablock preserves
the evidence. Orablock can also be used to locate "stale" data - i.e. data
that has been deleted or updated. It can also be used to dump SCNs for data
blocks which can be useful during the examination of a compromised Oracle
box. Indeed, this is the subject of the paper "Oracle Forensics Part 7:
Using the Oracle System Change Number in Forensic Examinations". Both the
tool (which compiles on Linux, Mac OS X and Windows) and the paper are
available from http://www.databasesecurity.com/."

Paper Link: http://www.databasesecurity.com/dbsec/oracle-forensics-scns.pdf
Tool download: http://www.databasesecurity.com/cadfile.zip