WO2014194471A1 - Database evidence collection method and apparatus - Google Patents


Info

Publication number
WO2014194471A1
Authority
WO
WIPO (PCT)
Prior art keywords
database
target database
record
save
verification value
Application number
PCT/CN2013/076719
Other languages
French (fr)
Chinese (zh)
Inventor
韩晟
王盈
Original Assignee
安世盾信息技术(北京)有限公司


Classifications

    • G Physics
    • G06 Computing; calculating or counting
    • G06F Electric digital data processing
    • G06F16/00 Information retrieval; database structures therefor; file system structures therefor
    • G06F16/20 Information retrieval; database structures therefor; file system structures therefor of structured data, e.g. relational data
    • G06F16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; distributed database system architectures therefor

Definitions

  • The present invention relates to database technology, and in particular to a database forensic method and apparatus.
  • Background art: the existing database forensic method usually consists of backing up and exporting the entire target database, installing the same platform and the same version of the database software on the operator's computer, and then importing the exported backup file to obtain a results database substantially consistent with the target database; the operator then analyzes and performs forensics on that results database.
  • The embodiment of the present invention provides a database forensic method and device, which are used to solve the problem that the existing database forensic method has a complicated process for obtaining the target database and low operational efficiency.
  • A database forensic method includes: establishing and saving, according to the database structure of a target database and the table structure of each table in the target database, a blank result database whose structure is consistent with the target database but which contains no data records; checking each record of each table in the target database to obtain a check value, and saving the check value of each record in the target database; and obtaining the records in the target database that meet a set condition, and saving the acquired records.
  • A database forensic device comprises: a first saving module, configured to establish and save, according to the database structure of the target database and the table structure of each table in the target database, a blank result database whose structure is consistent with the target database;
  • a second saving module, configured to check each record of each table in the target database to obtain a check value, and to save the check value of each record in the target database;
  • and a third saving module, configured to obtain the records in the target database that meet the set condition and to save the acquired records.
  • By establishing and saving a blank result database whose structure is consistent with the target database, according to the database structure of the target database and the table structure of each of its tables, the embodiment of the present invention copies the structure of the target database; by checking each record of each table in the target database and saving the check value of each record, it archives the records of the target database; and by obtaining and saving the records meeting the set condition, it copies only the required record content.
  • The technical solution therefore duplicates the structure of the target database, archives the data records, and copies only the required content, so that the content necessary for database forensics can be acquired from the target database without acquiring its entire content; the operation process is streamlined and the operation efficiency improved, which solves the problem that obtaining the target database in the existing database forensic method is complicated and inefficient.
  • FIG. 1 is a flowchart of a method for database forensics provided by an embodiment of the present invention.
  • FIG. 2 is another working flowchart of a database forensics method according to an embodiment of the present invention.
  • FIG. 3 is another working flowchart of a database forensics method according to an embodiment of the present invention.
  • FIG. 4 is a structural block diagram of a database forensics device according to an embodiment of the present invention.
  • FIG. 5 is another structural block diagram of a database forensics device according to an embodiment of the present invention.
  • FIG. 6a is another structural block diagram of a database forensics device according to an embodiment of the present invention.
  • FIG. 6b is another structural block diagram of a database forensics device according to an embodiment of the present invention.
  • FIG. 7a is another structural block diagram of a database forensics device according to an embodiment of the present invention.
  • FIG. 7b is another structural block diagram of a database forensics device according to an embodiment of the present invention.
  • FIG. 7c is another structural block diagram of a database forensics device according to an embodiment of the present invention.
  • FIG. 7d is another structural block diagram of a database forensics device according to an embodiment of the present invention.
  • FIG. 8a is another structural block diagram of a database forensics device according to an embodiment of the present invention.
  • FIG. 8b is another structural block diagram of a database forensics device according to an embodiment of the present invention.
  • FIG. 9a is another structural block diagram of a database forensics device according to an embodiment of the present invention.
  • FIG. 9b is another structural block diagram of a database forensics device according to an embodiment of the present invention.
  • FIG. 10a is another structural block diagram of a database forensics device according to an embodiment of the present invention.
  • FIG. 10b is another structural block diagram of a database forensics device according to an embodiment of the present invention.
  • FIG. 10c is another structural block diagram of a database forensics device according to an embodiment of the present invention.
  • FIG. 10d is another structural block diagram of a database forensics device according to an embodiment of the present invention.
  • Detailed description: the embodiment of the present invention provides a database forensic scheme for solving the above problem.
  • In this scheme only the required record content of the target database is copied, the structure of the target database is copied, and the content of each record in the target database is sealed by a check value, so that the content necessary for database forensics can be obtained from the target database without acquiring its entire content; this streamlines the operation process and improves operation efficiency, and thus solves the complicated process and low efficiency of acquiring the target database in the existing database forensics method.
  • Moreover, because only the required content of the target database is copied while all of its data records are checked and their check values stored, the security of the data records in the target database is ensured and the risk of unnecessary data records being leaked is avoided.
  • Embodiment 1. FIG. 1 is a flowchart of a method for database forensics provided by an embodiment of the present invention; the method includes the following steps.
  • Step 101: Establish and save, according to the database structure of the target database and the table structure of each table in the target database, a blank result database whose structure is consistent with the target database.
  • For an offline target database, the database export file and/or database backup file and/or database file of the target database may be loaded through a preset interface to obtain the database structure of the target database and the table structure of each table it contains.
  • For an online target database on a network, a connection to the target database may be made through a preset interface according to the address information of the target database, and the database structure of the target database and the table structure of each table it contains are obtained using known authentication information or permission information (such as a user name and user password).
  • The acquired structure of the target database includes: the identifier of the target database, the number of tables it contains, the identifier of each table, the field names contained in each table, and the definition of each field.
  • The result database is an empty library that has the same structure as the target database, that is, the same database identifier, the same number of tables, the same table identifiers, and the same field names and field definitions in each table.
  • Step 102: Check each record of each table in the target database to obtain a check value, and save the check value of each record in the target database.
  • Specifically, the primary key and the record content of each record in the target database are checked separately, so that a primary key check value and a record content check value are obtained for each record.
  • The check operation may be a HASH check, that is, a HASH calculation is performed on the object to be checked and the resulting HASH value is the check value of that object; the check operations referred to below may likewise be HASH checks, with the corresponding check values being HASH values.
  • Step 103: Obtain the records in the target database that meet the set condition, and save the acquired records.
  • The records matching the set condition may be obtained from the target database by keyword search, SQL query or conditional filtering.
  • The set condition may be set according to the needs of the specific application scenario; for example, it may designate a table of the target database.
  • When copying the target database in this way, the target database is not exported and the export imported again; instead only the structure of the target database is acquired and a blank result database with the same structure is established, which acquires and saves the structural features of the target database. Each data record in the target database is checked and its check value stored, and only the required content, that is, the records meeting the set condition, is copied and saved.
  • Only the content that is actually needed is therefore obtained, and the acquired content is significantly reduced compared with the prior art. The above process is performed automatically, does not require the intervention of a technician, and improves operation efficiency; where there are multiple target databases in particular, it significantly streamlines the operation process and improves operational efficiency.
  • Embodiment 2. FIG. 2 is a flowchart of another working process of the database forensic method according to the embodiment of the present invention; the method includes the following steps.
  • Step 201: Establish and save, according to the database structure of the target database and the table structure of each table in the target database, a blank result database whose structure is consistent with the target database.
  • A target database on an offline device may be accessed by loading the target database, or an online target database may be accessed through a preset interface, in order to obtain the structure of the target database; the result database is then established according to the acquired structure.
  • Step 202: Check the target database to obtain a check value of the target database, and check each table in the target database to obtain a check value of each table; save the check value of the target database and the check value of each table of the target database.
  • Checking the entire target database, for example by a HASH check that yields the HASH value of the target database, seals the storage state of the whole target database, that is, its overall storage feature, and makes it possible, if necessary, to check later whether the target database has changed by comparing against the saved check value.
  • The specific check is as follows: at some time after the database forensics, a HASH check is again performed on the target database to obtain a check value, which is compared with the check value of the target database saved during the forensic process; if the two are consistent, the target database has not changed since the forensic operation, otherwise it has changed. The saved check value thus serves as evidence for the presentation, credibility and protection of the electronic data evidence.
  • Step 203: Check the blank result database to obtain a check value of the result database, and check each table in the result database to obtain a check value of each table; save the check value of the result database and the check value of each table of the result database.
  • Checking the result database and each of its tables, for example by HASH check, seals the database structure of the blank result database obtained during the forensic process, that is, the structural features of the result database and of each table in it. It also makes it possible, if necessary, to check later whether the result database has changed by comparing against the saved check values, and to check the consistency of the result database with the target database by comparison. The principle of the check is as described in step 202 above and is not repeated here; the saved values likewise serve as evidence for the presentation, credibility and protection of the electronic data evidence.
  • Step 204: Check the primary key and the record content of each record in the target database separately to obtain a primary key check value and a record content check value for each record; save the primary key check value and the record content check value of each record in the target database, together with the correspondence between the two values of each record.
  • Checking and sealing each data record in the target database in this way seals the stored content of the data records without copying the content of irrelevant data records in the target database.
  • Step 205: Obtain the records in the target database that meet the set condition, and save the acquired records.
  • The operation of acquiring and saving the records that meet the set condition is as described in step 103 above and is not repeated here.
  • Acquiring and saving only the records meeting the set condition yields the records of the target database that are actually needed, which reduces the amount of content to be obtained from the target database, reduces access to content, improves access efficiency, avoids the risk of unwanted data leakage and ensures data security.
  • Step 206: Check the acquired records to obtain a check value of the records that meet the set condition, and save that check value.
  • Checking the acquired records, for example by HASH check, seals their characteristics and contents, so that if necessary the records in the target database meeting the set condition and the saved records meeting the set condition can each be checked for changes, and the two can be compared with each other for consistency. The principle of the check is as described in step 202 above and is not repeated here; the saved value likewise serves as electronic data evidence.
  • Step 207: Analyze and process the acquired content.
  • The acquired and saved content, that is, the established result database, the check value of the target database, the check value of each table of the target database, the check value of the result database, the check value of each table of the result database, the check value of each data record of the target database, and the acquired records meeting the set condition together with their check value, is analyzed, and the analysis result is included in the database forensics report.
  • In this embodiment the target database, the result database and the acquired records meeting the set condition are each checked and their check values saved, so that in an electronic data forensics scenario the original attributes and original content of the target database and of the result database are archived; these can serve as a basis for checking the target database and the acquired content, and as evidence for the credibility, presentation and protection of the electronic data evidence.
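The sealing and verification steps above (blank structure copy in steps 101/201, per-record primary key and content check values in steps 102/204, table and whole-database check values in steps 202 and 203, conditional acquisition in steps 103/205, and the later consistency check described under step 202) as a worked example added here; it is not code from the patent or the applicant, it runs on an in-memory SQLite database with constructed rows, and SHA-256 stands in for the unspecified HASH check.

```python
import hashlib
import sqlite3
from typing import Dict, List, Tuple

# Constructed sample target database (in-memory SQLite); the rows are made up for this example.
TARGET_SQL = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, balance INTEGER);
CREATE TABLE transfers (tid INTEGER PRIMARY KEY, src INTEGER, dst INTEGER, amount INTEGER);
INSERT INTO accounts VALUES (1, 'alice', 500), (2, 'bob', 1200), (3, 'carol', 20);
INSERT INTO transfers VALUES (10, 1, 2, 100), (11, 2, 3, 5000), (12, 3, 1, 7);
"""

def sha256_hex(data: bytes) -> str:
    # The patent only says "HASH check"; SHA-256 is this example's choice of hash function.
    return hashlib.sha256(data).hexdigest()

def open_target() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(TARGET_SQL)
    return conn

def table_ddl(conn: sqlite3.Connection) -> Dict[str, str]:
    """Step 101: table identifiers and their definitions (fields, types, keys) from the catalog."""
    rows = conn.execute("SELECT name, sql FROM sqlite_master WHERE type = 'table'").fetchall()
    return {name: sql for name, sql in rows}

def build_blank_result_db(ddl: Dict[str, str]) -> sqlite3.Connection:
    """Step 101: an empty result database with the target's structure and no records."""
    result = sqlite3.connect(":memory:")
    for sql in ddl.values():
        result.execute(sql)
    return result

def encode_row(values) -> bytes:
    # Canonical field encoding so identical content always hashes identically.
    return "\x1f".join(repr(v) for v in values).encode("utf-8")

def hash_records(conn: sqlite3.Connection, table: str) -> Dict[str, str]:
    """Step 102/204: primary-key check value -> content check value, keeping their correspondence."""
    # Table names come from sqlite_master, so quoting them as identifiers is safe here.
    info = conn.execute(f'PRAGMA table_info("{table}")').fetchall()  # (cid, name, type, notnull, dflt, pk)
    pk_idx = [r[0] for r in info if r[5] > 0]
    out: Dict[str, str] = {}
    for row in conn.execute(f'SELECT * FROM "{table}"').fetchall():
        out[sha256_hex(encode_row([row[i] for i in pk_idx]))] = sha256_hex(encode_row(row))
    return out

def hash_table(record_hashes: Dict[str, str]) -> str:
    """Step 202/203: one check value per table, independent of row order."""
    lines = [f"{pk}:{content}" for pk, content in sorted(record_hashes.items())]
    return sha256_hex("\n".join(lines).encode("utf-8"))

def hash_database(ddl: Dict[str, str], table_hashes: Dict[str, str]) -> str:
    """Step 202/203: whole-database check value covering the structure and every table."""
    parts = [f"{name}|{ddl[name]}|{table_hashes[name]}" for name in sorted(ddl)]
    return sha256_hex("\n".join(parts).encode("utf-8"))

def seal(conn: sqlite3.Connection) -> dict:
    """Save the check values of a database: per record, per table, and for the whole database."""
    ddl = table_ddl(conn)
    records = {t: hash_records(conn, t) for t in ddl}
    tables = {t: hash_table(records[t]) for t in ddl}
    return {"ddl": ddl, "records": records, "tables": tables, "database": hash_database(ddl, tables)}

def acquire_records(target, result, table: str, condition: str, params: tuple) -> int:
    """Step 103/205: copy only the records meeting the set condition into the result database.
    The condition is an operator-written SQL filter; its values are bound as parameters."""
    rows = target.execute(f'SELECT * FROM "{table}" WHERE {condition}', params).fetchall()
    if rows:
        marks = ", ".join("?" * len(rows[0]))
        result.executemany(f'INSERT INTO "{table}" VALUES ({marks})', rows)
        result.commit()
    return len(rows)

def verify_unchanged(conn, sealed: dict) -> Tuple[bool, List[str]]:
    """The later check under step 202: recompute the values and compare with the saved ones.
    Returns (whole-database value unchanged?, records whose content changed or disappeared)."""
    now = seal(conn)
    changed: List[str] = []
    for table, saved in sealed["records"].items():
        current = now["records"].get(table, {})
        changed += [f"{table}:{pk[:12]}" for pk, content in saved.items() if current.get(pk) != content]
    return now["database"] == sealed["database"], changed

def run_demo() -> dict:
    target = open_target()
    result = build_blank_result_db(table_ddl(target))                      # step 101
    target_seal = seal(target)                                              # steps 202 and 204
    result_seal = seal(result)                                              # step 203, blank library
    acquired = acquire_records(target, result, "transfers", "amount >= ?", (1000,))  # step 205
    acquired_seal = seal(result)                                            # step 206
    result_rows = result.execute("SELECT COUNT(*) FROM transfers").fetchone()[0]
    ok_before, _ = verify_unchanged(target, target_seal)
    target.execute("UPDATE accounts SET balance = 0 WHERE id = 2")         # simulated later tampering
    ok_after, changed = verify_unchanged(target, target_seal)
    return {"target_seal": target_seal, "result_seal": result_seal, "acquired_seal": acquired_seal,
            "acquired": acquired, "result_rows": result_rows, "ok_before": ok_before,
            "ok_after": ok_after, "changed": changed}
```

Because each record is keyed by its primary key check value, the later check reports which records changed, not just that the whole-database value differs.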
  • Embodiment 3. The embodiment of the present invention further provides a database forensic method which, on the basis of the first embodiment or the second embodiment, further includes the following processing, as shown in FIG. 3:
  • Step 301: Obtain and save the user information and log information of the target database.
  • The log information includes one or a combination of the following: a login log, an operation log, an SQL log, an import and export log, a backup log, an error log and an alarm log; it may further include other types of log information.
  • Obtaining and saving the log information copies the operation history of the target database and provides a reference for subsequent analysis and processing in application scenarios such as electronic data forensics.
  • Step 302: Check the obtained user information and log information to obtain a check value of the user information and a check value of the log information, and save both check values.
  • Checking the obtained user information and log information, for example by HASH check, seals the user information and log information of the target database in application scenarios such as electronic data forensics without changing their original attributes and original content, which ensures the uniqueness and integrity of the copied target database. It also makes it possible, if necessary, to check the user information and log information for changes against the saved check values; the principle of the check is as described in step 202 above and is not repeated here, and the saved values likewise serve as evidence for the presentation, credibility and protection of the electronic data evidence.
  • The processing of FIG. 3 has no fixed order relative to the processing shown in FIG. 1.
  • The execution sequence of the processing of FIG. 1 and the processing of FIG. 3 may be set according to the needs of the specific application scenario, or, as shown in FIG., the processing of FIG. 3 may be placed before step 207, in which case the forensic analysis in step 207 may also be performed on the acquired log information and the analysis result included in the database forensics report.
  • Saving and checking the user information and log information of the target database in this way allows them to be analyzed or checked subsequently and provides evidence for the credibility, presentation and protection of the electronic data evidence.
  • Embodiment 4. The invention also provides a database forensic method which, on the basis of the first, second or third embodiment, further includes the following process:
  • the content to be saved for each target database is stored in a centralized manner using a predetermined database type, where the content to be saved is as described above.
  • The predetermined database type may be a database type set according to the requirements of the specific application scenario, for example an Oracle database. Saving the copied content of multiple target databases with the set database type keeps the copied content in a unified database type, which facilitates evidence calculation and correlation analysis of the copied database content in the application scenario.
  • In the prior art, after multiple target databases are copied, the result database of each target database is stored in the same database type as that target database, so that subsequent analysis must be performed independently across multiple systems, platforms and databases and requires a series of data conversion operations; this is complex, inefficient and error-prone. The method of the fourth embodiment reduces the cumbersome operations caused by differing database types and improves operation efficiency.
  • Compared with the prior art, in which the result databases are stored in multiple physical entities, centrally storing the forensic content of multiple target databases and performing the related operations on the saved result databases facilitates the analysis work of electronic data forensics, improves the efficiency of the copying operation, and reduces cumbersome operations and improves efficiency in subsequent analysis.
  • The processing of the fourth embodiment is not tied to a fixed order relative to the processing shown in FIG. 1, FIG. 2 or FIG. 3; the execution sequence of the processing of FIG. 1, FIG. 2 or FIG. 3 together with the processing of the fourth embodiment may be set according to the needs of the specific application scenario.
  • Embodiment 5. The embodiment of the present invention further provides a database forensic device, which includes:
  • a first saving module 401, connected to the target database and configured to establish and save, according to the database structure of the target database and the table structure of each table in the target database, a blank result database whose structure is consistent with the target database;
  • a second saving module 402, connected to the target database and configured to check each record of each table in the target database to obtain a check value, and to save the check value of each record in the target database;
  • the second saving module 402 checks the primary key and the record content of each record in the target database separately to obtain a primary key check value and a record content check value for each record, and saves the primary key check value and the record content check value of each record together with the correspondence between them;
  • a third saving module 403, connected to the target database, which obtains the records in the target database that meet the set condition and saves the acquired records.
  • The database forensics apparatus provided by the embodiment of the present invention further includes an interface module 404, connected to the target database, the first saving module 401, the second saving module 402 and the third saving module 403, through which the target database is accessed via a preset database interface.
  • Embodiment 6. The embodiment of the present invention further provides a database forensic device; as shown in FIG. 6a and FIG. 6b, on the basis of the device shown in FIG. 4 or FIG. 5, the device further includes:
  • a fourth saving module 405, connected to the first saving module 401 and configured to check the target database to obtain a check value of the target database and to check each table in the target database to obtain a check value of each table, and to save the check value of the target database and the check value of each table of the target database;
  • a fifth saving module 406, connected to the first saving module 401, which checks the blank result database saved by the first saving module 401 to obtain a check value of the result database and checks each table in the result database to obtain a check value of each table, and saves the check value of the target database, the check value of the result database and the check value of each table of the result database;
  • a sixth saving module 407, connected to the third saving module 403 and configured to check the records acquired by the third saving module 403 to obtain a check value of the records meeting the set condition, and to save that check value;
  • an analysis processing module 408, connected to the first saving module 401, the second saving module 402, the third saving module 403, the fourth saving module 405, the fifth saving module 406 and the sixth saving module 407, and configured to search, compare and analyze the content acquired and/or saved by those modules.
  • The acquired and/or saved content and the analysis results are included in the database forensics report.
  • With the apparatus of FIG. 6a or FIG. 6b, on the basis of FIG. 4 or FIG. 5, the target database, the blank result database and the acquired records meeting the set condition can also be separately checked and their check values saved; in an electronic data forensics scenario these check values seal the original attributes and original content of the target database and of the result database, serve as a basis for checking the target database and the acquired content, and serve as evidence in electronic data forensics.
  • Embodiment 7. The embodiment of the invention further provides a database forensic device; as shown in FIG. 7a, FIG. 7b, FIG. 7c or FIG. 7d, on the basis of the device shown in FIG. 4, FIG. 5, FIG. 6a or FIG. 6b, the device further includes:
  • a seventh saving module 409, connected to the target database and the analysis processing module 407, or connected to the interface module 404 and the analysis processing module 407, configured to acquire and save the user information and log information of the target database, to check the acquired user information and log information separately to obtain a check value of the user information and a check value of the log information, and to save both check values; the log information is at least one or a combination of the following: a login log, an operation log, an SQL log, an import and export log, a backup log, an error log and an alarm log.
  • The analysis processing module 407 also analyzes the content saved by the seventh saving module 408.
  • With the device of FIG. 7a, FIG. 7b, FIG. 7c or FIG. 7d, the user information and log information of the target database can also be saved and checked, which provides a basis for checking the user information and log information so that they can be analyzed or verified subsequently and serve as evidence for the credibility, presentation and protection of the electronic data evidence.
  • Embodiment 8. The embodiment of the present invention further provides a database forensic device; as shown in FIG. 8a or FIG. 8b, on the basis of the device shown in FIG. 4 or FIG. 5, the device further includes:
  • a storage control module 410, connected to the first saving module 401, the second saving module 402 and the third saving module 403, and configured, when there are multiple target databases, to control the first saving module 401, the second saving module 402 and the third saving module 403 so that the content to be saved for each target database is stored centrally in a predetermined database type.
  • Embodiment 9. The embodiment of the present invention further provides a database forensic device, as shown in FIG. 9a or FIG. 9b.
  • On the basis of the device shown in FIG. 6a or FIG. 6b, the device further includes:
  • a storage control module 410, connected to the first saving module 401, the second saving module 402, the third saving module 403, the fourth saving module 405 and the fifth saving module 406, and configured, when there are multiple target databases, to control the first saving module 401, the second saving module 402, the third saving module 403, the fourth saving module 405, the fifth saving module 406 and the sixth saving module 407 so that the content to be saved for each target database is stored centrally in a predetermined database type.
  • The working principle of the device shown in FIG. 9a or FIG. 9b is the same as that of the fourth embodiment and is not repeated here.
  • The apparatus shown in FIG. 9a or FIG. 9b likewise reduces the cumbersome operations involved in copying multiple target databases and improves operation efficiency.
  • Embodiment 10. The embodiment of the present invention further provides a database forensic device, as shown in FIG. 10a, FIG. 10b, FIG. 10c or FIG. 10d.
  • On the basis of the device shown in FIG. 7a, FIG. 7b, FIG. 7c or FIG. 7d, the device further includes:
  • a storage control module 410, connected to the first saving module 401, the second saving module 402, the third saving module 403, the fourth saving module 405, the fifth saving module 406, the sixth saving module 407 and the seventh saving module 408, and configured, when there are multiple target databases, to control the first saving module 401, the second saving module 402, the third saving module 403, the fourth saving module 405, the fifth saving module 406, the sixth saving module 407 and the seventh saving module 408 so that the content to be saved for each target database is stored centrally in a predetermined database type.
  • each functional unit in each embodiment of the present invention may be integrated into one processing module, or each unit may exist physically separately, or two or more units may be integrated into one module.
  • the above integrated modules can be implemented in the form of hardware or in the form of software functional modules.
  • the integrated modules, if implemented in the form of software functional modules and sold or used as stand-alone products, may also be stored in a computer readable storage medium.
  • embodiments of the present invention can be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage and optical storage) in which computer-usable program code is embodied.
  • the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture including instruction means, and the instruction means implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • these computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

Abstract

Disclosed are a database evidence collection method and apparatus. According to the structure of a target database and the structures of various tables contained in the target database, an empty result database having a structure consistent with that of the target database is established and saved, thus the structure of the target database can be obtained by copying; check values are obtained by checking each record of the various tables in the target database and the check value of each record in the target database is saved, thus the records in the target database can be stored; the records in the target database, meeting set conditions, are obtained, and the obtained records are saved, thus only the required record contents can be copied; therefore, the embodiment of the present invention avoids obtaining the whole contents of the target database, can simplify the operation process and improve the operation efficiency, and consequently can address the problems in the existing database evidence collection methods that the process of obtaining the target database is complex and the operation efficiency is low.

Description

Database forensic method and device
Technical field
The present invention relates to database technology, and in particular to a database forensic method and device.
Background
At present, a database forensic method usually comprises: performing a backup and export operation on the entire target database, installing the same platform and the same version of the database software on the operator's computer, and then importing the exported database backup file, thereby obtaining a result database substantially consistent with the target database; the operator then performs analysis and forensics on the basis of the result database.
However, since database forensics may have to be performed on databases of different platforms, obtaining evidence from multiple databases on different platforms by the above method requires the operator to be familiar with the operating methods of each platform, which makes the above database forensic method complex in procedure, demanding in technical skill and inconvenient to operate.
Moreover, because of the complexity of the above database forensic method, especially when the database is very large, the above method is inefficient and error-prone in practice.
It can be seen that existing database forensic methods suffer from a complicated procedure for acquiring the target database and low operating efficiency.
Summary of the invention
In view of this, embodiments of the present invention provide a database forensic method and device to solve the problem that, in existing database forensic methods, the procedure for acquiring the target database is complicated and the operating efficiency is low.
The technical solutions of the embodiments of the present invention are as follows:
A database forensic method, comprising: according to the database structure of a target database and the table structure of each table included in the target database, establishing and saving a blank result database that has a structure consistent with the target database but contains no specific data entries; checking each record of each table in the target database to obtain a check value, and saving the check value of each record in the target database; and acquiring the records in the target database that meet a set condition, and saving the acquired records.
A database forensic device, comprising: a first saving module, configured to establish and save a blank result database having a structure consistent with the target database according to the database structure of the target database and the table structure of each table included in the target database; a second saving module, configured to check each record of each table in the target database to obtain a check value, and to save the check value of each record in the target database; and a third saving module, configured to acquire the records in the target database that meet a set condition, and to save the acquired records.
By establishing and saving a blank result database with a structure consistent with the target database according to the database structure of the target database and the table structure of each table included in the target database, the embodiments of the present invention are able to copy the structure of the target database; by checking each record of each table in the target database to obtain a check value and saving the check value of each record in the target database, they are able to seal the records in the target database; and by acquiring the records in the target database that meet a set condition and saving the acquired records, they are able to copy only the required record content. Thus the technical solution provided by the embodiments of the present invention copies the structure of the target database, seals the data records and copies only the required content, so that the content of the target database necessary for database forensics is acquired without acquiring the entire content of the target database; this simplifies the operating procedure and improves operating efficiency, and so solves the problem in existing database forensic methods that the procedure for acquiring the target database is complicated and the operating efficiency is low.
Other features and advantages of the present invention will be set forth in the description that follows, and in part will become apparent from the description or may be learned by practice of the invention. The objectives and other advantages of the invention may be realized and attained by the structure particularly pointed out in the written description, the claims and the accompanying drawings.
Brief description of the drawings
FIG. 1 is a flowchart of a database forensic method according to an embodiment of the present invention;
FIG. 2 is another flowchart of a database forensic method according to an embodiment of the present invention;
FIG. 3 is another flowchart of a database forensic method according to an embodiment of the present invention;
FIG. 4 is a structural block diagram of a database forensic device according to an embodiment of the present invention;
FIG. 5 is another structural block diagram of a database forensic device according to an embodiment of the present invention;
FIG. 6a is another structural block diagram of a database forensic device according to an embodiment of the present invention;
FIG. 6b is another structural block diagram of a database forensic device according to an embodiment of the present invention;
FIG. 7a is another structural block diagram of a database forensic device according to an embodiment of the present invention;
FIG. 7b is another structural block diagram of a database forensic device according to an embodiment of the present invention;
FIG. 7c is another structural block diagram of a database forensic device according to an embodiment of the present invention;
FIG. 7d is another structural block diagram of a database forensic device according to an embodiment of the present invention;
FIG. 8a is another structural block diagram of a database forensic device according to an embodiment of the present invention;
FIG. 8b is another structural block diagram of a database forensic device according to an embodiment of the present invention;
FIG. 9a is another structural block diagram of a database forensic device according to an embodiment of the present invention;
FIG. 9b is another structural block diagram of a database forensic device according to an embodiment of the present invention;
FIG. 10a is another structural block diagram of a database forensic device according to an embodiment of the present invention;
FIG. 10b is another structural block diagram of a database forensic device according to an embodiment of the present invention;
FIG. 10c is another structural block diagram of a database forensic device according to an embodiment of the present invention;
FIG. 10d is another structural block diagram of a database forensic device according to an embodiment of the present invention.
Detailed description
Embodiments of the present invention are described below with reference to the accompanying drawings. It should be understood that the embodiments described here are only intended to illustrate and explain the present invention, and are not intended to limit it.
To address the problem in existing database forensic methods that the procedure for acquiring the target database is complicated and the operating efficiency is low, embodiments of the present invention provide a database forensic scheme for solving this problem. In the technical solution provided by the embodiments of the present invention, only the required record content in the target database is copied, the structure of the target database is copied, and the content of each record in the target database is sealed, so that the content of the target database necessary for database forensics is acquired without acquiring the entire content of the target database; this simplifies the operating procedure and improves operating efficiency, and so solves the problem in existing database forensic methods that the procedure for acquiring the target database is complicated and the operating efficiency is low. Moreover, copying only the content that is needed from the target database, while checking and sealing all data records of the target database, guarantees the security of the data records in the target database and avoids the risk of unneeded data records being leaked.
Embodiment 1
FIG. 1 shows a flowchart of the database forensic method provided by an embodiment of the present invention. The method comprises:
Step 101: according to the database structure of the target database and the table structure of each table included in the target database, establish and save a blank result database having a structure consistent with the target database;
Specifically, for a target database on an offline device, the database export file and/or database backup file and/or database file of the target database may be loaded through a preset interface to obtain the database structure of the target database and the table structure of each table it includes; for a target database that is online on a network, the online target database may be connected to through a preset interface according to the address information of the target database, and the database structure of the target database and the table structure of each table it includes obtained according to known authentication information or permission information (for example a user name and user password);
Specifically, the acquired structure of the target database includes: the identifier of the target database, the number of tables included in the target database, the identifier of each table, and the field names and field definitions included in each table;
The established result database is an empty database; the result database has a structure consistent with the target database, that is, the same database identifier, the same number of tables, the same identifier for each table, and the same field names and field definitions in each table;
Step 102: check each record of each table in the target database to obtain a check value, and save the check value of each record in the target database;
Specifically, the primary key of each record in the target database and the record content of each record are checked separately, giving a primary key check value and a record content check value for each record;
Furthermore, the primary key check value and record content check value of each record in the target database are saved, together with the correspondence between the primary key check value and the record content check value of each record. Specifically, the check operation may be a HASH check, that is, a HASH calculation is performed on the object to be checked, and the check value of the object is its HASH value; each check operation below may likewise be a HASH check, with the corresponding check value being the HASH value;
Step 103: acquire the records in the target database that meet a set condition, and save the acquired records.
The records meeting the set condition may be obtained from the target database by methods such as keyword search, SQL query or conditional filtering; the set condition may be set according to the needs of the specific application scenario, and may be, for example, the data records of one table of the target database, part of the data records in one table, or all data records of the target database.
Through the above process, in an application scenario such as electronic data forensics, copying the target database does not directly export the target database and import the exported database; instead only the structure of the target database is acquired and a blank result database with the same structure as the target database is established, so the structural features of the target database are acquired and saved; each data record in the target database is checked and sealed; and only the required content, that is, the records meeting the set condition, is copied and saved. Only the content that is actually needed is thus acquired, which significantly reduces the acquired content compared with the prior art; moreover the above automated process is simple and effective to operate, requires no intervention by technical staff, and improves operating efficiency. In particular, when there are multiple target databases, the above process significantly simplifies the operation and improves operating efficiency.
Embodiment 2
FIG. 2 shows another flowchart of the database forensic method provided by an embodiment of the present invention. The method comprises:
Step 201: according to the database structure of the target database and the table structure of each table included in the target database, establish and save a blank result database having a structure consistent with the target database;
Similarly to step 101 above, the structure of the target database may be obtained by loading the target database to access a target database on an offline device, or by accessing an online target database through a preset interface, and the result database is established according to the acquired structure of the target database;
Establishing and saving a result database with a structure consistent with the target database acquires and saves the structural features of the target database;
Step 202: check the target database to obtain a check value of the target database, and check each table included in the target database to obtain a check value of each table; save the check value of the target database and the check values of the tables of the target database;
In an application scenario of electronic data forensics, checking the whole target database, for example a HASH check giving the HASH value of the target database, seals the storage state of the whole target database, that is, seals the overall storage features of the target database; it also makes it possible, where necessary, to check the target database for changes against the saved check value. The specific check operation comprises: performing a HASH check on the target database at some time after the database forensics to obtain a check value, and comparing this check value with the check value of the target database saved during the database forensic process; if they are consistent, the target database has not changed since the forensic operation, otherwise it has changed. This serves as evidence for presentation, acceptance and examination in electronic data forensics;
Step 203: check the blank result database to obtain a check value of the result database, check each table included in the result database to obtain a check value of each table, and save the check value of the result database and the check values of the tables of the result database;
In an application scenario of electronic data forensics, checking the result database and each table in the result database separately, for example by a HASH check, seals the database structure of the blank result database, that is, the structural features of the result database and of each table in it as obtained during the database forensic process; it also makes it possible, where necessary, to check the result database for changes against the saved check values, and to check whether the result database and the target database are consistent. The principle of the check operation is as described in step 202 above and is not repeated here. This serves as evidence for presentation, acceptance and examination in electronic data forensics;
Step 204: check the primary key of each record in the target database and the record content of each record separately to obtain a primary key check value and a record content check value for each record; save the primary key check value and record content check value of each record in the target database, together with the correspondence between the primary key check value and the record content check value of each record;
In an application scenario of electronic data forensics, checking and sealing each data record in the target database seals the storage state of the record content in the target database, and avoids acquiring the content of irrelevant data records in the target database; this reduces the content that has to be acquired when obtaining the target database, improves acquisition efficiency, avoids the risk of data records being leaked, and improves data security;
Furthermore, the data records in the target database can be checked for changes against the saved check values; the principle of the check operation is as described in step 202 above and is not repeated here. This serves as evidence for presentation, acceptance and examination in electronic data forensics;
Step 205: acquire the records in the target database that meet the set condition, and save the acquired records;
The operation of acquiring and saving the records that meet the set condition is as shown in step 103 above and is not repeated here. In an application scenario of electronic data forensics, acquiring and saving the records that meet the set condition obtains the records of the target database that are actually needed; this reduces the content that has to be acquired when obtaining the target database, improves acquisition efficiency, avoids the risk of unneeded data being leaked, and guarantees data security;
Step 206: check the acquired records to obtain a check value of the records meeting the set condition, and save the check value of the acquired records meeting the set condition;
In an application scenario of electronic data forensics, checking the acquired records meeting the set condition, for example by a HASH check, seals the features and content of the acquired records, so that where necessary the records meeting the set condition in the target database can be checked for changes, the saved records meeting the set condition can be checked for changes, and the consistency of the records meeting the set condition in the target database with the saved records can be checked. The principle of the check operation is as described in step 202 above and is not repeated here. This serves as a basis for analysis in electronic data forensics and as evidence for presentation, acceptance and examination;
Step 207: analyse and process the acquired and saved content;
For example, searching, comparison and correlation analysis are performed on the basis of the acquired content, and the acquired and saved content (that is, the established result database, the check value of the target database, the check values of the tables of the target database, the check value of the result database, the check values of the tables of the result database, the check values of the data records of the target database, and the acquired data records meeting the set condition together with their check values) and the analysis results are included in a database forensic report.
Through the above process, on the basis of Embodiment 1, the target database, the result database and the acquired records meeting the set condition can each be checked and their check values saved, so that in an application scenario of electronic data forensics the original attributes and original content of the target database and the result database are sealed; this serves as a basis for checking the target database and the acquired and saved content, and as evidence for acceptance, presentation and examination in electronic data forensics.
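The acquisition flow of Embodiment 1 and Embodiment 2 (steps 101-103 and 201-206), together with the later change check described under step 202, as an added worked example; this is not code from the patent or from the applicant. It assumes SQLite as both target and result database, SHA-256 as the HASH check, a constructed sample target database (tables `users` and `transfers`), and a particular byte layout for what is fed to the hash (primary key and content serialised as `column=repr(value)` fields, table hashes chained over ordered record hashes, the database hash chained over table names and table hashes); the patent fixes none of these details.

```python
"""Added example (not the patent's code): Embodiment 1/2 acquisition on SQLite with SHA-256.
Table names, column names and the serialisation fed to the hash are assumptions."""
import hashlib
import sqlite3


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_target_db() -> sqlite3.Connection:
    """Constructed sample target database (not from the patent)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, role TEXT);
        CREATE TABLE transfers(id INTEGER PRIMARY KEY, user_id INTEGER, amount INTEGER);
        INSERT INTO users VALUES (1, 'alice', 'admin'), (2, 'bob', 'clerk');
        INSERT INTO transfers VALUES (10, 1, 500), (11, 2, 25000), (12, 2, 90000);
    """)
    return con


TABLE_DDL = ("SELECT name, sql FROM sqlite_master WHERE type = 'table' "
             "AND name NOT LIKE 'sqlite_%' ORDER BY name")


def table_names(con):
    return [name for name, _ in con.execute(TABLE_DDL)]


def create_empty_result_db(target):
    """Step 101/201: a result database with the target's structure and no rows."""
    result = sqlite3.connect(":memory:")
    for _, ddl in target.execute(TABLE_DDL):
        result.execute(ddl)
    return result


def column_info(con, table):
    """Return (all columns, primary-key columns in key order) for a table."""
    info = con.execute(f'PRAGMA table_info("{table}")').fetchall()
    cols = [r[1] for r in info]
    pk = [r[1] for r in sorted(info, key=lambda r: r[5]) if r[5] > 0]
    return cols, pk or cols  # assumption: with no declared key, every column is the key


def hash_records(con, table):
    """Step 102/204: hash each record's primary key and its full content separately,
    keeping the correspondence as (table, pk_hash, content_hash)."""
    cols, pk_cols = column_info(con, table)
    order = ", ".join(f'"{c}"' for c in pk_cols)
    out = []
    for row in con.execute(f'SELECT * FROM "{table}" ORDER BY {order}'):
        rec = dict(zip(cols, row))
        # fixed, unambiguous serialisation: "col=repr(value)" joined by a unit separator
        key = "\x1f".join(f"{c}={rec[c]!r}" for c in pk_cols).encode()
        content = "\x1f".join(f"{c}={rec[c]!r}" for c in cols).encode()
        out.append((table, sha256_hex(key), sha256_hex(content)))
    return out


def table_hash(record_hashes):
    """Step 202: a table's check value, chained over its ordered record hashes."""
    h = hashlib.sha256()
    for _, pk_h, content_h in record_hashes:
        h.update(bytes.fromhex(pk_h) + bytes.fromhex(content_h))
    return h.hexdigest()


def database_hash(table_hashes):
    """Step 202: the whole database's check value over its table hashes (assumed layout)."""
    h = hashlib.sha256()
    for name in sorted(table_hashes):
        h.update(name.encode() + bytes.fromhex(table_hashes[name]))
    return h.hexdigest()


def collect_evidence(target):
    """Everything saved for one target: per-record, per-table and database check values."""
    ev = {"records": {}, "tables": {}}
    for t in table_names(target):
        ev["records"][t] = hash_records(target, t)
        ev["tables"][t] = table_hash(ev["records"][t])
    ev["database"] = database_hash(ev["tables"])
    return ev


def extract_matching(target, table, condition, params=()):
    """Step 103/205 plus 206: copy only the records meeting the set condition and hash the copy.
    The condition is SQL supplied by the operator; its values go through bound parameters."""
    rows = target.execute(f'SELECT * FROM "{table}" WHERE {condition}', params).fetchall()
    return rows, sha256_hex(repr(rows).encode())


def verify(target, saved):
    """The check described under step 202: re-hash the target later and compare.
    Returns (unchanged?, sorted list of tables whose check value no longer matches)."""
    now = collect_evidence(target)
    changed = sorted(t for t in saved["tables"] if now["tables"].get(t) != saved["tables"][t])
    return now["database"] == saved["database"], changed


if __name__ == "__main__":
    target = build_target_db()
    result_db = create_empty_result_db(target)
    evidence = collect_evidence(target)
    rows, digest = extract_matching(target, "transfers", "amount >= ?", (20000,))
    print("result tables:", table_names(result_db), "matching rows:", rows)
    target.execute("UPDATE transfers SET amount = 1 WHERE id = 12")  # simulate a later change
    print("unchanged:", verify(target, evidence))
```

Keeping the primary key hash and the content hash separate is what lets the later check say not only that a table changed but which record changed: after the simulated update the `transfers` key hashes are identical to the saved ones while exactly one content hash differs, so the record can be identified from the saved correspondence without having copied its content.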
Embodiment 3
An embodiment of the present invention further provides a database forensic method which, on the basis of Embodiment 1 or Embodiment 2, as shown in FIG. 3, further comprises the following process:
Step 301: acquire and save the user information and log information of the target database;
The log information includes one or a combination of the following: login logs, operation logs, SQL logs, import and export logs, backup logs, error logs and alarm logs; the log information may also include other kinds of log information;
Acquiring and saving the log information copies the history of operations on the target database, which in an application scenario such as electronic data forensics provides a reference for subsequent analysis;
Step 302: check the acquired user information and log information separately to obtain a check value of the user information and a check value of the log information, and save the check value of the user information and the check value of the log information;
The acquired user information and log information are checked, for example by a HASH check, so that in an application scenario such as electronic data forensics the user information and log information of the target database are sealed without altering their original attributes and original content, guaranteeing the uniqueness and integrity of the copied target database; the user information and log information can also be checked for changes against the saved check values where necessary. The principle of the check operation is as described in step 202 above and is not repeated here. This serves as evidence for presentation, acceptance and examination in electronic data forensics.
The process of FIG. 3 and the process of FIG. 1 have no fixed order; the order of execution of the process shown in FIG. 1 and the process shown in FIG. 3 may be set according to the needs of the specific application scenario, or the process shown in FIG. 3 may be placed before step 207 of the process shown in FIG. 2, in which case the database forensic analysis in step 207 may also be performed on the basis of the acquired log information, with the analysis results included in the database forensic report.
Through the above process, on the basis of Embodiment 1 or Embodiment 2, the user information and log information of the target database can also be saved and checked, for subsequent analysis or checking of the user information and log information, and as evidence for acceptance, presentation and examination in electronic data forensics.
Embodiment 4
The present invention further provides a database forensic method which, on the basis of Embodiment 1, Embodiment 2 or Embodiment 3, further comprises the following process:
Where there are multiple target databases, that is, where multiple target databases are to be copied, the content to be saved for each target database is stored centrally in a predetermined database type; the content to be saved is the saved content listed in Embodiment 1, Embodiment 2 or Embodiment 3 above.
Specifically, the predetermined database type may be a database type chosen according to the needs of the specific application scenario, for example an Oracle database. Saving the content copied from multiple target databases in the chosen database type means that the copied content is stored in a unified database type, so that in a computer forensic application scenario the copied database content can be correlated and compared. In the prior art, by contrast, after multiple target databases are copied the result databases are stored in the same database type as each respective target database, so that in subsequent analysis the analysis operations must be performed independently on multiple systems, multiple platforms and multiple databases, and a series of data conversions and similar operations is required during analysis; such operation is complex, inefficient and error-prone. The method of Embodiment 4 of the present invention reduces the cumbersome operation caused by different database types and improves operating efficiency;
Storing the forensic content of multiple target databases centrally, compared with the prior art in which the result databases are scattered over multiple physical entities and the saved result databases are then correlated, facilitates the analysis operations of electronic data forensics and improves the efficiency of the copying operation; in subsequent analysis operations it reduces cumbersome operation and improves operating efficiency.
实施例四所示的处理过程与图 1、 图 2或图 3所示的处理过程没有先后之分, 可以根 据具体应用场景的需要设置图 1所示处理过程和实施例四所示处理过程的执行顺序, 或者 设置图 2所示处理过程和实施例四所示处理过程的执行顺序, 或者设置图 3所示处理过程 和实施例四所示处理过程的执行顺序。  The processing procedure shown in the fourth embodiment is different from the processing procedure shown in FIG. 1, FIG. 2 or FIG. 3, and the processing procedure shown in FIG. 1 and the processing procedure shown in the fourth embodiment may be set according to the needs of the specific application scenario. The execution sequence, or the execution sequence of the processing procedure shown in FIG. 2 and the processing procedure shown in the fourth embodiment, or the processing sequence shown in FIG. 3 and the execution sequence of the processing procedure shown in the fourth embodiment are set.
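The centralised store that embodiment four describes, as an added example in Python that is not part of the patent: two constructed target databases (sqlite3 in-memory connections standing in for databases on different platforms) are copied into one central sqlite3 database, which plays the role of the predetermined database type, with every table namespaced by its source label and a provenance manifest, and a single SQL query then performs the kind of cross-source association the embodiment motivates. The source labels, table names, columns and rows are all constructed for the example, and the `_manifest` table is this example's own convention rather than anything the patent specifies.

```python
"""Added example (not the patent's code): consolidating several target
databases into one evidence store of a predetermined type (sqlite3 here).
Sources, tables, columns and rows in build_sources() are constructed."""
import sqlite3


def q(ident: str) -> str:
    # Quote an identifier read from a source catalogue so odd names cannot alter the SQL.
    return '"' + ident.replace('"', '""') + '"'


def build_sources() -> dict:
    """Constructed stand-ins for two target databases; label -> connection."""
    hr = sqlite3.connect(":memory:")
    hr.executescript("""
        CREATE TABLE employees(emp_id INTEGER PRIMARY KEY, email TEXT, dept TEXT);
        INSERT INTO employees VALUES (1,'a@corp.example','finance'),
                                     (2,'b@corp.example','it'),
                                     (3,'c@corp.example','finance');""")
    crm = sqlite3.connect(":memory:")
    crm.executescript("""
        CREATE TABLE logins(id INTEGER PRIMARY KEY, email TEXT, ts TEXT, ip TEXT);
        INSERT INTO logins VALUES (1,'a@corp.example','2013-06-01T09:00','10.0.0.5'),
                                  (2,'c@corp.example','2013-06-01T23:50','198.51.100.7'),
                                  (3,'zz@corp.example','2013-06-02T01:00','198.51.100.7');""")
    return {"hr": hr, "crm": crm}


def consolidate(sources: dict, central: sqlite3.Connection) -> list:
    """Copy every user table of every source into `central` as <label>__<table>,
    keeping the declared column types, and record provenance in _manifest."""
    central.execute("CREATE TABLE IF NOT EXISTS _manifest(source TEXT, orig_table TEXT, "
                    "stored_as TEXT, rows INTEGER, PRIMARY KEY(source, orig_table))")
    manifest = []
    for label, src in sources.items():
        names = [n for (n,) in src.execute("SELECT name FROM sqlite_master WHERE type='table' "
                                           "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
        for name in names:
            info = src.execute("SELECT name, type FROM pragma_table_info(?)", (name,)).fetchall()
            stored = f"{label}__{name}"
            central.execute(f"CREATE TABLE {q(stored)}("
                            + ", ".join(f"{q(c)} {t}" for c, t in info) + ")")
            rows = src.execute(f"SELECT {', '.join(q(c) for c, _ in info)} FROM {q(name)}").fetchall()
            central.executemany(f"INSERT INTO {q(stored)} VALUES ({','.join('?' * len(info))})", rows)
            central.execute("INSERT INTO _manifest VALUES (?,?,?,?)", (label, name, stored, len(rows)))
            manifest.append((label, name, stored, len(rows)))
    central.commit()
    return manifest


def orphan_logins(central: sqlite3.Connection) -> list:
    """Association analysis across sources: CRM logins whose e-mail matches no HR employee."""
    return central.execute("""
        SELECT l.email, l.ts, l.ip
        FROM crm__logins AS l LEFT JOIN hr__employees AS e ON e.email = l.email
        WHERE e.emp_id IS NULL ORDER BY l.ts""").fetchall()


def demo() -> tuple:
    central = sqlite3.connect(":memory:")
    return consolidate(build_sources(), central), orphan_logins(central)
```

The manifest is what ties each stored table back to the target it came from, which a centralised store needs if the copy is to be defended as evidence. A real cross-vendor ingest would additionally have to map each vendor's column types onto the predetermined database's types; this sqlite-to-sqlite example can skip that step because the declared types are copied through unchanged.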
Embodiment 5

Based on the same inventive concept, an embodiment of the present invention further provides a database forensic apparatus which, as shown in FIG. 4, includes:

a first save module 401, connected to the target database, for building and saving, according to the database structure of the target database and the table structure of each table the target database includes, a blank result database whose structure matches that of the target database;

a second save module 402, connected to the target database, for checking every record of every table in the target database to obtain a check value, and saving the check value of each record in the target database;

specifically, the second save module 402 separately checks the primary key and the record content of each record in the target database to obtain a primary-key check value and a record-content check value for each record, and saves the primary-key check value and record-content check value of each record together with the correspondence between the two;

a third save module 403, connected to the target database, for acquiring the records in the target database that meet set conditions and saving the acquired records.

Preferably, as shown in FIG. 5, the database forensic apparatus provided by the embodiment of the present invention further includes an interface module 404, connected to the target database, the first save module 401, the second save module 402 and the third save module 403, for accessing the target database through a preset database interface.

The working principle of the apparatus shown in FIG. 4 or FIG. 5 is as shown in FIG. 1 and is not repeated here.

The apparatus shown in FIG. 4 or FIG. 5 likewise simplifies the operating procedure significantly and improves operating efficiency.
Embodiment 6

An embodiment of the present invention further provides a database forensic apparatus which, as shown in FIG. 6a and FIG. 6b, adds the following to the apparatus of FIG. 4 or FIG. 5:

a fourth save module 405, connected to the first save module 401, for checking the target database to obtain a check value of the target database and checking each table the target database includes to obtain a check value of each table, and saving the check value of the target database and the check values of its tables;

a fifth save module 406, alternatively connected to the first save module 401, for checking the blank result database saved by the first save module 401 to obtain a check value of the result database and checking each table the result database includes to obtain a check value of each table, and saving the check value of the target database, the check value of the result database and the check values of the tables of the result database;

a sixth save module 407, connected to the third save module 403, for checking the records acquired by the third save module 403 to obtain check values of the records meeting the set conditions, and saving those check values;

an analysis processing module 408, connected to the first save module 401, the second save module 402, the third save module 403, the fourth save module 405, the fifth save module 406 and the sixth save module 407, for searching, comparing and correlating the content those modules have acquired and/or saved, and for including the acquired and/or saved content and the analysis results in the database forensic report.

The working principle of the apparatus shown in FIG. 6a or FIG. 6b is as shown in FIG. 2 and is not repeated here.

On the basis of FIG. 4 or FIG. 5, the apparatus of FIG. 6a or FIG. 6b can additionally check the target database, the blank result database and the acquired records meeting the set conditions, and save their check values, so that in an electronic data forensics scenario the original attributes and original content of the target database and the result database are sealed; the saved check values serve both as the basis for later verifying the target database and the acquired content, and as evidence for admission, presentation and cross-examination.
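The per-record primary-key/content hashing of the second save module (embodiment five) and the target-, result- and record-level checks of the fourth to sixth save modules (embodiment six), as an added example in Python that is not the patent's own code. It uses sqlite3 for both the target and the result database and SHA-256 as the check function; the patent names neither. The table names, columns and rows in `build_target()` and the `_record_hash`/`_object_hash` sealing tables are this example's own constructions. The verification pass at the end re-derives the record map after the live target has been tampered with and reports what changed, which is the kind of check the description refers back to.

```python
"""Added example (not the patent's code): record, table and database hash
sealing of a target database with later verification, using sqlite3 and
SHA-256. Tables, columns and rows in build_target() are constructed."""
import hashlib
import json
import sqlite3

def q(ident: str) -> str:
    # Quote an identifier read from the catalogue so odd names cannot alter the SQL.
    return '"' + ident.replace('"', '""') + '"'

def digest(value) -> str:
    # SHA-256 over canonical JSON, so equal logical values always hash equally.
    blob = json.dumps(value, sort_keys=True, separators=(",", ":"), default=str)
    return hashlib.sha256(blob.encode()).hexdigest()

def build_target() -> sqlite3.Connection:
    """Constructed stand-in for the target database under investigation."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts(id INTEGER PRIMARY KEY, name TEXT, balance INTEGER);
        CREATE TABLE transfers(id INTEGER PRIMARY KEY, src INTEGER, dst INTEGER, amount INTEGER);
        INSERT INTO accounts VALUES (1,'alice',100),(2,'bob',250),(3,'carol',0);
        INSERT INTO transfers VALUES (10,1,2,40),(11,2,3,5),(12,1,3,60);""")
    return conn

def tables(conn) -> list:
    return [n for (n,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table' "
                                       "AND name NOT LIKE 'sqlite_%' ORDER BY name")]

def columns(conn, table) -> tuple:
    """(all column names, key column names); a table with no declared key is keyed by its whole row."""
    info = conn.execute("SELECT name, pk FROM pragma_table_info(?)", (table,)).fetchall()
    pks = [n for n, _ in sorted((r for r in info if r[1] > 0), key=lambda r: r[1])]
    return [n for n, _ in info], pks or [n for n, _ in info]

def create_blank_result(target, result) -> None:
    """First save module: the target's schema with no rows, plus the sealing tables."""
    for (sql,) in target.execute("SELECT sql FROM sqlite_master WHERE type='table' "
                                 "AND name NOT LIKE 'sqlite_%'"):
        result.execute(sql)
    result.execute("CREATE TABLE _record_hash(tbl TEXT, pk_hash TEXT, content_hash TEXT, "
                   "PRIMARY KEY(tbl, pk_hash))")
    result.execute("CREATE TABLE _object_hash(name TEXT PRIMARY KEY, digest TEXT)")

def record_hashes(conn, table) -> dict:
    """Second save module: pk_hash -> content_hash for every record of one table."""
    cols, pks = columns(conn, table)
    out = {}
    for row in conn.execute(f"SELECT {', '.join(map(q, cols))} FROM {q(table)}"):
        rec = dict(zip(cols, row))
        out[digest({k: rec[k] for k in pks})] = digest(rec)
    return out

def seal(target, result) -> dict:
    """Fourth to sixth save modules: persist record, table and whole-database digests."""
    table_digests = {}
    for t in tables(target):
        recs = record_hashes(target, t)
        result.executemany("INSERT INTO _record_hash VALUES (?,?,?)",
                           [(t, p, c) for p, c in recs.items()])
        table_digests[t] = digest(sorted(recs.items()))   # order-independent table digest
    db_digest = digest(sorted(table_digests.items()))
    result.executemany("INSERT INTO _object_hash VALUES (?,?)",
                       [("table:" + t, d) for t, d in table_digests.items()] + [("database", db_digest)])
    result.commit()
    return {"tables": table_digests, "database": db_digest}

def extract(target, result, table, where, params=()) -> int:
    """Third save module: copy records meeting the condition into the result db and digest them."""
    cols, _ = columns(target, table)
    rows = target.execute(f"SELECT {', '.join(map(q, cols))} FROM {q(table)} WHERE {where}",
                          params).fetchall()
    result.executemany(f"INSERT INTO {q(table)} VALUES ({','.join('?' * len(cols))})", rows)
    result.execute("INSERT INTO _object_hash VALUES (?,?)",
                   ("extract:" + table, digest([list(r) for r in rows])))
    result.commit()
    return len(rows)

def verify(target, result, table) -> dict:
    """Re-derive the record map of the live target and diff it against the sealed one."""
    saved = dict(result.execute("SELECT pk_hash, content_hash FROM _record_hash WHERE tbl=?",
                                (table,)))
    now = record_hashes(target, table)
    return {"added": sorted(now.keys() - saved.keys()),
            "deleted": sorted(saved.keys() - now.keys()),
            "modified": sorted(k for k in saved.keys() & now.keys() if saved[k] != now[k])}

def demo() -> dict:
    target, result = build_target(), sqlite3.connect(":memory:")
    create_blank_result(target, result)
    sealed = seal(target, result)
    copied = extract(target, result, "transfers", "amount >= ?", (40,))
    # Tamper with the live target after sealing to show what verification reports.
    target.execute("UPDATE accounts SET balance = 999 WHERE id = 2")
    target.execute("DELETE FROM transfers WHERE id = 11")
    return {"sealed": sealed, "copied": copied, "result": result,
            "accounts": verify(target, result, "accounts"),
            "transfers": verify(target, result, "transfers")}
```

Keeping the primary-key hash separate from the content hash, with the correspondence between them, is what lets a record be identified even after its content changes: a changed content hash under an existing primary-key hash is a modification, a primary-key hash that disappears is a deletion. A record whose primary key itself is rewritten shows up as one deletion plus one addition, so an analyst should inspect such pairs rather than counting them as two independent events. Using the analyst's `where` clause verbatim is deliberate here, since the condition is the operator's own input; values still go through bound parameters.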
Embodiment 7

An embodiment of the present invention further provides a database forensic apparatus which, as shown in FIG. 7a, FIG. 7b, FIG. 7c or FIG. 7d, adds the following to the apparatus of FIG. 4, FIG. 5, FIG. 6a or FIG. 6b:

a seventh save module 409, connected to the target database and the analysis processing module 408, or to the interface module 404 and the analysis processing module 408, for acquiring and saving the user information and log information of the target database, separately checking the acquired user information and log information to obtain a check value of the user information and a check value of the log information, and saving those two check values; the log information is at least one of, or a combination of: login log, operation log, SQL log, import/export log, backup log, error log and alarm log. The analysis processing module 408 then also analyses the content saved by the seventh save module 409.

The working principle of the apparatus shown in FIG. 7a, FIG. 7b, FIG. 7c or FIG. 7d is as shown in FIG. 3 and is not repeated here.

The apparatus of FIG. 7a, FIG. 7b, FIG. 7c or FIG. 7d likewise saves, checks and seals the user information and log information of the target database, which provides a basis for later verifying that information, allows it to be analysed or checked subsequently, and serves as evidence for admission, presentation and cross-examination in electronic data forensics.
Embodiment 8

An embodiment of the present invention further provides a database forensic apparatus which, as shown in FIG. 8a or FIG. 8b, adds the following to the apparatus of FIG. 4 or FIG. 5:

a storage control module 410, connected to the first save module 401, the second save module 402 and the third save module 403, for controlling, where there are multiple target databases, the first save module 401, the second save module 402 and/or the third save module 403 so that the content to be saved for each target database is saved centrally in a predetermined database type.

The working principle of the apparatus shown in FIG. 8a or FIG. 8b is the same as the process of embodiment four and is not repeated here.

The apparatus of FIG. 8a or FIG. 8b likewise reduces the operational burden of copying multiple target databases and improves operating efficiency.
Embodiment 9

An embodiment of the present invention further provides a database forensic apparatus which, as shown in FIG. 9a or FIG. 9b, adds the following to the apparatus of FIG. 6a or FIG. 6b:

a storage control module 410, connected to the first save module 401, the second save module 402, the third save module 403, the fourth save module 405 and the fifth save module 406, for controlling, where there are multiple target databases, the first save module 401, the second save module 402, the third save module 403, the fourth save module 405, the fifth save module 406 and the sixth save module 407 so that the content to be saved for each target database is saved centrally in a predetermined database type.

The working principle of the apparatus shown in FIG. 9a or FIG. 9b is the same as the process of embodiment four and is not repeated here.

The apparatus of FIG. 9a or FIG. 9b likewise reduces the operational burden of copying multiple target databases and improves operating efficiency.

Embodiment 10

An embodiment of the present invention further provides a database forensic apparatus which, as shown in FIG. 10a, FIG. 10b, FIG. 10c or FIG. 10d, adds the following to the apparatus of FIG. 7a, FIG. 7b, FIG. 7c or FIG. 7d:

a storage control module 410, connected to the first save module 401, the second save module 402, the third save module 403, the fourth save module 405, the fifth save module 406, the sixth save module 407 and the seventh save module 409, for controlling, where there are multiple target databases, the first save module 401, the second save module 402, the third save module 403, the fourth save module 405, the fifth save module 406, the sixth save module 407 and the seventh save module 409 so that the content to be saved for each target database is saved centrally in a predetermined database type.

The working principle of the apparatus shown in FIG. 10a, FIG. 10b, FIG. 10c or FIG. 10d is the same as the process of embodiment four and is not repeated here.

The apparatus of FIG. 10a, FIG. 10b, FIG. 10c or FIG. 10d likewise reduces the operational burden of copying multiple target databases and improves operating efficiency.
Those of ordinary skill in the art will understand that all or some of the steps of the methods of the above embodiments can be carried out by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, performs one of the steps of the method embodiments or a combination of them.

In addition, the functional units in the embodiments of the present invention may be integrated in one processing module, may each exist physically on their own, or two or more units may be integrated in one module. The integrated module may be implemented in hardware or as a software functional module. If the integrated module is implemented as a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium.

Those skilled in the art will appreciate that embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage and optical storage) containing computer-usable program code.

The present invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is intended to include them as well.

Claims

1. A database forensic method, characterized by comprising:

building and saving, according to the database structure of a target database and the table structure of each table the target database includes, a blank result database that has the same structure as the target database but contains no data entries;

checking every record of every table in the target database to obtain a check value, and saving the check value of each record in the target database;

acquiring the records in the target database that meet set conditions, and saving the acquired records.

2. The method according to claim 1, characterized in that the method further comprises:

checking the target database to obtain a check value of the target database, and checking each table the target database includes to obtain a check value of each table; saving the check value of the target database and the check values of the tables of the target database;

checking the blank result database to obtain a check value of the result database, and checking each table the result database includes to obtain a check value of each table; saving the check value of the result database and the check values of the tables of the result database.

3. The method according to claim 1, characterized in that checking every record of every table in the target database to obtain a check value and saving the check value of each record in the target database specifically comprises:

separately checking the primary key and the record content of each record in the target database to obtain a primary-key check value and a record-content check value for each record;

saving the primary-key check value and the record-content check value of each record in the target database, and saving the correspondence between the primary-key check value and the record-content check value of each record.

4. The method according to claim 1, characterized in that, after acquiring the records in the target database that meet the set conditions, the method further comprises:

checking the acquired records to obtain check values of the records meeting the set conditions, and saving the check values of the acquired records meeting the set conditions.

5. The method according to claim 1, characterized in that the method further comprises:

acquiring and saving user information and log information of the target database, the log information being at least one of, or a combination of: login log, operation log, SQL log, import/export log, backup log, error log, alarm log;

separately checking the acquired user information and log information to obtain a check value of the user information and a check value of the log information, and saving the check value of the user information and the check value of the log information.

6. The method according to any one of claims 1 to 5, characterized in that the method further comprises:

where there are multiple target databases, saving the content to be saved for each target database centrally in a predetermined database type.
7. A database forensic apparatus, characterized by comprising:

a first save module, for building and saving, according to the database structure of a target database and the table structure of each table the target database includes, a blank result database having the same structure as the target database;

a second save module, for checking every record of every table in the target database to obtain a check value, and saving the check value of each record in the target database;

a third save module, for acquiring the records in the target database that meet set conditions and saving the acquired records.

8. The apparatus according to claim 7, characterized in that the apparatus further comprises:

a fourth save module, for checking the target database to obtain a check value of the target database and checking each table the target database includes to obtain a check value of each table, and saving the check value of the target database and the check values of the tables of the target database;

a fifth save module, for checking the result database to obtain a check value of the result database and checking each table the blank result database includes to obtain a check value of each table, and saving the check value of the result database and the check values of the tables of the result database.

9. The apparatus according to claim 7, characterized in that the second save module is specifically configured to: separately check the primary key and the record content of each record in the target database to obtain a primary-key check value and a record-content check value for each record;

save the primary-key check value and the record-content check value of each record in the target database, and save the correspondence between the primary-key check value and the record-content check value of each record.

10. The apparatus according to claim 7, characterized in that the apparatus further comprises:

a sixth save module, for checking the records acquired by the third save module to obtain check values of the records meeting the set conditions, and saving the check values of the acquired records meeting the set conditions;

a seventh save module, for acquiring and saving user information and log information of the target database, the log information being at least one of, or a combination of: login log, operation log, SQL log, import/export log, backup log, error log, alarm log; and for separately checking the acquired user information and log information to obtain a check value of the user information and a check value of the log information, and saving the check value of the user information and the check value of the log information;

a storage control module, for controlling, where there are multiple target databases, the first save module, the second save module and the third save module so that the content to be saved for each target database is saved centrally in a predetermined database type.
PCT/CN2013/076719 2013-06-04 2013-06-04 Database evidence collection method and apparatus WO2014194471A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2013/076719 WO2014194471A1 (en) 2013-06-04 2013-06-04 Database evidence collection method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2013/076719 WO2014194471A1 (en) 2013-06-04 2013-06-04 Database evidence collection method and apparatus

Publications (1)

Publication Number Publication Date
WO2014194471A1 true WO2014194471A1 (en) 2014-12-11

Family

ID=52007400

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2013/076719 WO2014194471A1 (en) 2013-06-04 2013-06-04 Database evidence collection method and apparatus

Country Status (1)

Country Link
WO (1) WO2014194471A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5396623A (en) * 1992-10-30 1995-03-07 Bmc Software Inc. Method for editing the contents of a DB2 table using an editproc manager
JP2009075768A (en) * 2007-09-19 2009-04-09 Hitachi Information Systems Ltd Audit trail information acquisition system and audit trail information acquisition method
CN102195781A (en) * 2011-05-30 2011-09-21 武汉理工大学 Electronic evidence obtaining system based on electronic record correlated signature
CN102624698A (en) * 2012-01-17 2012-08-01 武汉理工大学 Evidence management and service system for electronic records


Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 13886364; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established (Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205N DATED 10/02/2016))
122 Ep: pct application non-entry in european phase (Ref document number: 13886364; Country of ref document: EP; Kind code of ref document: A1)