You are investigating a suspected data exfiltration incident at a financial institution. The database is MySQL 8.0 running on Linux. The security team suspects that a user with administrative privileges exported sensitive customer records via SELECT INTO OUTFILE and then deleted the output file. The MySQL general log is enabled and located at /var/log/mysql/mysql.log. However, the log file appears to be truncated and only contains entries from the last hour. The binary log is also enabled, and the binary log files are stored in /var/lib/mysql/binlog.000001 through binlog.000005. The database is actively being used. Which of the following is the BEST course of action to recover evidence of the SELECT INTO OUTFILE command that may have occurred 3 hours ago?
Binary logs contain historical SQL statements, including SELECT INTO OUTFILE.
Why this answer
The binary log records all data-changing statements (including DDL and DML) and is not truncated like the general log. Since the incident occurred 3 hours ago and the general log only covers the last hour, the binary log files (binlog.000001–000005) are the only persistent record. Using mysqlbinlog to parse these files can recover the SELECT INTO OUTFILE statement from the relevant time period, even if the output file was deleted.
Exam trap
EC-Council often tests the misconception that the general log is the primary source for all SQL statements. Here the trap is that candidates overlook the binary log's persistence and its time-range filtering capability, and assume that only the general log can capture SELECT INTO OUTFILE.
How to eliminate wrong answers
Option B is wrong because the general log is truncated to the last hour, so it cannot contain entries from 3 hours ago; grep and tail would find nothing. Option C is wrong because InnoDB redo logs record physical changes to data pages (e.g., row modifications) and do not log SQL statements like SELECT INTO OUTFILE, which is a logical operation that writes to the filesystem, not to InnoDB tables. Option D is wrong because enabling audit logging now would only capture future activity, not the historical command that occurred 3 hours ago; it provides no retrospective evidence.