Kbase P60528: How to determine who deleted specific records from a database using After Image files?
| Autor |
Progress Software Corporation - Progress |
| Acesso |
Público |
| Publicação |
12/30/2004 |
|
Status: Unverified
GOAL:
how to determine who deleted records using after image files?
GOAL:
How to scan an after image file to determine if a user deleted data
GOAL:
How to use the scan verbose option to rfutil to scan the after image files to determine who deleted data
FIX:
1. From a backup that contains the records determine the recids of the deleted data.
2. Convert the recid's to dbkeys.
3. Issue a aimage scan with the verbose option against the after image file.
Command: rfutil dbname -C aimage scan verbose -a afterimage.a1
4. Search the output of the verbose scan for the dbkey, and a code of RL_RMDEL.
code = RL_RMDEL (1637) /* delete a record (fragment) */
5. From the output between the RL_TBGN (transaction begin) and the RL_TEND (transaction end). The username and date will be listed.
Sample Delete Output:
code = RL_TBGN (1637)
transaction index = 1486 (1638)
dbkey = 0 update counter = 0 (1639)
Trid: 1486 Tue Dec 23 09:40:09 2003. (2598)
User Id: user1. (2599)
code = RL_CXREM (1637)
transaction index = 1486 (1638)
area = 10 dbkey = 320 update counter = 187 (9016)
code = RL_CXREM (1637)
transaction index = 1486 (1638)
area = 10 dbkey = 2144 update counter = 26 (9016)
code = RL_CXREM (1637)
transaction index = 1486 (1638)
area = 10 dbkey = 288 update counter = 116 (9016)
code = RL_CXREM (1637)
transaction index = 1486 (1638)
area = 10 dbkey = 1280 update counter = 315 (9016)
code = RL_RMDEL (1637)
transaction index = 1486 (1638)
area = 9 dbkey = 5888 update counter = 10 (9016)
code = RL_RMCR (1637)
transaction index = 1486 (1638)
area = 9 dbkey = 5888 update counter = 11 (9016)
code = RL_TEND (1637)