How to collect forensic evidence from a MySQL database without the access password

2025-01-21 Update From: SLTechnology News&Howtos shulou

Shulou (Shulou.com) 05/31

This article shows how to collect evidence from a MySQL database when its access password is unknown. The editor finds the method very practical and shares it here in the hope that readers will get something out of it.

MySQL database

MySQL is an open source relational database management system. Judging by current database market share, the three major database products are Oracle, MySQL and SQL Server, in a three-way standoff. With the rapid development of the Internet industry, MySQL has become the database of choice for Internet companies because it is open source, free and easy to use. In many criminal cases, we often come across a MySQL database.

Today, the editor shares a method for extracting data from a MySQL database.

Case background

In one case, evidence had to be collected from the MySQL database stored on a seized local server. The investigators urgently needed the data records of the MySQL database in the image, but they were unable to find the login password of the MySQL database.

◆ Requirement: get the records of the MySQL database in the image

◆ Conundrum: how to obtain evidence from a MySQL database that is protected by an access password?

◆ Sample: a copy of the server image file

Case analysis

The database data cannot be obtained because there is no database login password. To keep the database data intact, and to let users query the data they need quickly and easily through SQL statements, we need to reproduce the same database environment as the suspect's. For the above case, we can obtain the database data by attaching the MySQL database and changing the password. The approach and steps are as follows:

◆ Extract the database files from the case server

◆ Attach the extracted database files on a new computer

◆ Reset the MySQL password after the attachment is completed

◆ Log in to MySQL to view the exported database records.

In this case the server image has already been obtained, so we only need to attach the MySQL database and reset the login password to extract the database data. These two steps are described in detail below.

Specific operation steps

1. Attach the MySQL database

1) Install the same version of the database used by the suspect on the target computer. The MySQL installation process is not described in detail in this document. There are many MySQL installation tutorials on the Internet.

2) After MySQL is installed, stop the MySQL service. The 'C:\ProgramData\MySQL\MySQL Server 5.7\Data' folder is the data directory of the MySQL database. Copy the database data files that need to be attached into this folder.

3) Restart MySQL. If it starts normally, the database has been attached successfully.

PS: considerations for attaching databases

1) How to quickly determine the storage path of MySQL in the image?

Every MySQL installation has the key file ibdata1; searching for this file quickly locates the storage path of the MySQL data files.

2) How to determine the specific version number of the MySQL database used by the suspect?

The MySQL version installed on the target computer needs to be the same as the MySQL database version in the image. To determine the MySQL database version, use winhex to open any .frm file extracted from the MySQL database, as shown in the figure.

3) What to do if MySQL reports an error on restart?

If the database reports an error on restart after the data files have been copied, end the mysqld.exe process in Task Manager, then delete the copied log file or move it to another location, and start the MySQL service again. The MySQL service can now start normally and the database is attached successfully, as shown in the figure.
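Considerations 1 and 2 can also be scripted over an exported copy of the image's file tree. The following is an added example, not part of the original article: it finds every directory containing ibdata1 and reads the 4-byte version number that a binary table .frm stores at offset 0x33, which is the value the hex editor step looks at. The sample tree, file names and version numbers in demo() are constructed.

```python
import struct
import tempfile
from pathlib import Path

FRM_MAGIC = b"\xfe\x01"   # first two bytes of a binary table .frm
VERSION_OFFSET = 0x33     # 4-byte little-endian MYSQL_VERSION_ID, e.g. 50723


def frm_version_id(path):
    """Return the numeric server version stored in a table .frm, or None."""
    with open(path, "rb") as fh:
        head = fh.read(VERSION_OFFSET + 4)
    # View definitions are plain text and truncated files are too short: skip both.
    if len(head) < VERSION_OFFSET + 4 or not head.startswith(FRM_MAGIC):
        return None
    (vid,) = struct.unpack_from("<I", head, VERSION_OFFSET)
    return vid or None    # treat 0 as "not recorded"


def fmt(vid):
    """50723 -> '5.7.23'"""
    return f"{vid // 10000}.{vid // 100 % 100}.{vid % 100}"


def survey(root):
    """Map each directory under root that holds ibdata1 to the versions in its .frm files."""
    found = {}
    for ibdata in Path(root).rglob("ibdata1"):
        datadir = ibdata.parent
        ids = {frm_version_id(p) for p in datadir.rglob("*")
               if p.is_file() and p.suffix.lower() == ".frm"}
        found[str(datadir)] = [fmt(v) for v in sorted(ids - {None})]
    return found


def demo():
    """Survey a constructed miniature export (all names and contents are made up)."""
    root = Path(tempfile.mkdtemp())
    db = root / "export" / "Data" / "shop"
    db.mkdir(parents=True)
    (db.parent / "ibdata1").touch()
    hdr = lambda v: FRM_MAGIC + b"\x00" * (VERSION_OFFSET - 2) + struct.pack("<I", v)
    (db / "orders.frm").write_bytes(hdr(50723))
    (db / "legacy.frm").write_bytes(hdr(50640))        # table written before an upgrade
    (db / "v_orders.frm").write_bytes(b"TYPE=VIEW\n")  # view: text, no version field
    return {str(Path(k).relative_to(root)): v for k, v in survey(root).items()}


if __name__ == "__main__":
    print(demo())
```

A .frm file records the version of the server that wrote that file, so a data directory that went through an upgrade can show more than one value; check several tables rather than a single file.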

2. Reset the MySQL database login password

After attaching the MySQL database, you need a login password to access the database data. Since there is no login password, you need to reset the login password of the MySQL database to access and extract the database records. The specific steps are as follows:

1) Modify the my.ini configuration file in C:\ProgramData\MySQL\MySQL Server 5.7 of the MySQL database, and then copy the modified my.ini to C:\Program Files\MySQL\MySQL Server 5.7. As shown in the figure, set basedir in the configuration file to the path where the MySQL database application is located, and datadir to the path where the MySQL database data files are stored.

2) In a cmd command line, switch to the C:\Program Files\MySQL\MySQL Server 5.7\bin path, stop the MySQL service, and execute the command mysqld --skip-grant-tables, which skips user authentication. Note that after this command is executed, that cmd command line cannot accept further input. You need to open a new cmd command line and switch to the bin path again.

3) In the newly opened cmd command line, type mysql directly, and you can log in to the database without any login parameters.

4) Enter show databases; if all databases are listed, the login succeeded.

5) The mysql database is where the user names are stored. Enter use mysql; to select the mysql database.

6) Change the root password. For MySQL versions above 5.7.1, enter update user set authentication_string=password("123456") where user="root";

7) Refresh the privileges with mysql> flush privileges; and then exit MySQL with mysql> quit;. The MySQL password has now been reset successfully.

PS: considerations for resetting MySQL passwords

1) For step 6 of the password reset (changing the root password), if the MySQL version is lower than 5.7, enter update user set password=password("123456") where user="root";

2) Restart the MySQL service after resetting the password. If the MySQL service cannot be started, the error is caused by a problem with the log file. Use the same solution as before: end the mysqld.exe process in Task Manager, then delete the log file or move it to another path.

3. Start the MySQL service

1) After resetting the MySQL login password, start the MySQL service. You can now use Navicat for MySQL to connect to the MySQL database with the account name and the new password, access the data and extract the relevant records.

2) Open the data tables and view the data.

Matters needing attention

When using the above method to collect evidence from a MySQL database, also pay attention to the following points:

1. Ensure the integrity of the database obtained from the server, otherwise the attachment will fail.

2. Make sure that the computer on which the environment is set up to attach the database has enough space, otherwise the attachment will fail due to insufficient space.

3. Make sure that the MySQL database version in the build environment is exactly the same as the MySQL database version on the server.

4. The above operations involve a lot of professional skills. If necessary, you can ask a professional company to help complete them.
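One way to check point 1 before starting the service is to compare a SHA-256 manifest of the files extracted from the image with the copy placed in the data directory. This is an added example, not part of the original article; the directory layout and file names in demo(), including ib_logfile0 as the log file that was moved aside, are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root):
    """Return {relative path: SHA-256 hex digest} for every file under root."""
    root = Path(root)
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            h = hashlib.sha256()
            with open(p, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            out[p.relative_to(root).as_posix()] = h.hexdigest()
    return out


def compare(extracted, working):
    """Report files that are missing from, altered in, or extra in the working copy."""
    src, dst = manifest(extracted), manifest(working)
    return {
        "missing": sorted(set(src) - set(dst)),
        "altered": sorted(k for k in src.keys() & dst.keys() if src[k] != dst[k]),
        "extra": sorted(set(dst) - set(src)),
    }


def demo():
    """Constructed sample: one log file moved aside and one incompletely copied file."""
    base = Path(tempfile.mkdtemp())
    for side in ("extracted", "working"):
        (base / side / "shop").mkdir(parents=True)
        (base / side / "ibdata1").write_bytes(b"\x00" * 4096)
        (base / side / "shop" / "orders.frm").write_bytes(b"\xfe\x01table")
    (base / "extracted" / "ib_logfile0").write_bytes(b"redo")   # assumed log file name
    (base / "working" / "ibdata1").write_bytes(b"\x00" * 1024)  # truncated copy
    return compare(base / "extracted", base / "working")


if __name__ == "__main__":
    print(demo())
```

Run the comparison before the MySQL service is started on the working copy, because the server writes to its data files once it is running. A log file removed as described in the restart workaround shows up under "missing"; any other difference points to an incomplete copy.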

The above is how to collect forensic evidence from a MySQL database without the access password. The editor believes it covers knowledge points that we may see or use in our daily work, and hopes you can learn more from this article.
