1. Field of the Invention
The present invention pertains to a method, an apparatus and a program for managing access history, a storage unit, and an information processing apparatus, for obtaining the read access history of a target storage unit.
2. Description of the Related Art
Demand for forensic technologies has increased with the development of information processing apparatuses in recent years. Forensics denotes a series of scientific investigation methods and technologies that preserve evidence, investigate and analyze electromagnetic records, and analyze and gather data on matters such as the falsification and damage of electromagnetic records, for incident response and for legal disputes and lawsuits. Here, incident response denotes the response to unauthorized use of resources and environments on computers and networks, service sabotage, destruction of data, unintended disclosure of information, and the like, and to the actions (incidents) that lead to them. With such forensic technologies, computer security can be actively maintained by securing digital evidence.
As one such forensic technology, apparatuses have been proposed for networks that can prevent leakage of information or accurately determine the contents of leaked data. However, introducing a similar method to storage units such as disk drives raises various problems and has been difficult to achieve.
Moreover, an apparatus has been proposed that stores all data written to a storage unit and can retrieve arbitrary historical data. However, it is difficult to retrieve the access history of read processes, because read processes occur far more frequently than write processes.
For example, FIG. 1 shows an access history management apparatus 900 which can collect and retrieve the read/write access history. Using an access section 911 and an access surveillance section 912, the access history management apparatus 900 can collect or retrieve the history of read accesses and write accesses to a target storage unit 951 that a user can read from and write to. The history of write accesses is stored in a write access history storage unit 901 by a write access history management section 913. The history of read accesses is stored in a read access history storage unit 902 by a read access history management section 914. Here, the access history includes the requested operation instruction or the operation response, a command including the request or response time and the like, and a payload containing the write data or read data. In the prior art shown in FIG. 1, each read access or write access to the storage unit is monitored and is stored, without modification, as the read access history or the write access history.
On the other hand, continuous data protection is a technology that collects the history of changes to a storage unit and applies it to backup. As an example of this technology, a storage system which provides a data storage service for a user in order to execute an application is disclosed in Japanese Patent Laid-Open Publication (Kokai) No. 2005-18738. The system disclosed in that publication executes snapshot operations and journaling, and executes additional data processing to recover lost data. The snapshots and the journal entries are stored separately from the user's production data volume. Older journal entries are retrieved in order to make new journal entries. This retrieval is achieved by applying one or more older journal entries to the corresponding snapshot and updating that snapshot. Subsequently lost data is recovered by accessing the appropriate snapshot, applying the journal entries to that snapshot, and regenerating the desired state of the data.
However, no practicable technology has been proposed that serves forensics by storing information on past read accesses and write accesses, the mapping of the storage unit at a past point in time, and the like.
For example, in the technology shown in FIG. 1, it is necessary to store every command and every payload as the read access history and the write access history. However, in typical uses of a general storage unit, read accesses overwhelmingly outnumber write accesses, so the read access history grows excessively. Consequently, an enormous storage capacity is needed to collect the read access history, and collecting it is difficult or unrealistic in terms of cost performance and the like.
Thus, the prior art requires an enormous storage capacity to collect the read access history. As a result, storing the read access history has been judged unrealistic in terms of cost performance and has not been readily adopted.
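The following toy model of the FIG. 1 arrangement is an added illustration, not code from the patent: it logs every command and payload unmodified, supports a forensic query over the read history, and shows how a read-heavy workload inflates that history. The class and function names, the 512-byte block size and the workload are assumptions made for the example.

```python
# Added illustration: toy model of the FIG. 1 prior art (names are assumptions).
from dataclasses import dataclass

BLOCK = 512  # assumed block size in bytes

@dataclass
class Record:
    time: int       # request time (logical tick)
    op: str         # "read" or "write"
    lba: int        # first block addressed
    payload: bytes  # write data or read data, stored without modification

class AccessHistoryRecorder:
    """Monitors every access to the target storage and logs it verbatim."""
    def __init__(self, blocks):
        self.target = bytearray(blocks * BLOCK)  # target storage unit 951
        self.write_history = []                  # write access history 901
        self.read_history = []                   # read access history 902
        self.clock = 0

    def write(self, lba, data):
        self.clock += 1
        self.target[lba * BLOCK:lba * BLOCK + len(data)] = data
        self.write_history.append(Record(self.clock, "write", lba, bytes(data)))

    def read(self, lba, count=1):
        self.clock += 1
        data = bytes(self.target[lba * BLOCK:(lba + count) * BLOCK])
        self.read_history.append(Record(self.clock, "read", lba, data))
        return data

    def reads_touching(self, lba, since=0):
        """Forensic query: reads that covered block `lba` at or after `since`."""
        return [r for r in self.read_history
                if r.time >= since
                and r.lba <= lba < r.lba + len(r.payload) // BLOCK]

def history_bytes(history):
    """Payload bytes a history store must hold."""
    return sum(len(r.payload) for r in history)

def run_constructed_workload():
    """Constructed workload: 8 one-block writes, then 400 two-block reads."""
    rec = AccessHistoryRecorder(blocks=64)
    for lba in range(8):
        rec.write(lba, bytes([lba]) * BLOCK)
    for i in range(400):
        rec.read(i % 7, count=2)
    return rec

if __name__ == "__main__":
    rec = run_constructed_workload()
    print(history_bytes(rec.write_history), history_bytes(rec.read_history))
```

In this constructed run the read history holds one hundred times the payload bytes of the write history, although the target storage itself changed only during the eight writes.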