Published in the Chinese journal 《信息网络安全》

Research on Online Forensics of MS SQL Databases

Abstract

Databases are an indispensable part of information systems. With the arrival of the big-data era, databases have become a target for criminals, and large numbers of databases are dumped wholesale ("dragged") for use in online theft, online fraud and similar activities. Databases keep comprehensive logs, so a database at the scene of a case holds a large amount of evidence, which can be used to retrace the course of the crime, preserve evidence and identify the intruder. Traditional database forensics is generally static forensics performed after shutdown; because a database is running at all times, shutting it down for analysis destroys a large amount of evidence and is of no practical value. Operating on a live database is complex and its data is constantly updated, which has long made database forensics a difficult area of forensics. In addition, each database product operates in its own way, and examiners who lack knowledge of the database in question will find it hard to collect evidence completely and effectively. Taking the most widely used database, Microsoft SQL, as an example, this paper studies database forensics in depth and sets out the principles and techniques of online database forensics, in an attempt to find a standard method for online database forensics.
