Theoretical Reflection and Institutional Adaptation to Cloud Forensics


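Author: Zhang Zhengchang

Affiliation: [1] Institute of Evidence Law and Forensic Science, China University of Political Science and Law

Source: Law and Economy (《财经法学》), 2025, No. 2, pp. 174-189 (16 pages)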

Abstract: The cloud computing environment is characterized by virtualization, real-time operation, multi-tenancy, elastic scaling, and decentralized distribution. Compared with conventional electronic data, the cloud data residing in it exhibits new features such as fragmentation and dispersion, dynamic change, and third-party control, which require cloud forensics to meet stricter real-time requirements, more complex automation requirements, and more effective coordination requirements. Existing norms on forensic measures are still built on experience from forensics in traditional environments. They uphold the principle of seizing original storage media as primary, extracting electronic data as supplementary, and printing and photographing as the exception, which reflects a regulatory approach centered on physical evidence rather than data, and they attempt to solve the problems of cloud forensics single-handedly by adding a preliminary freezing measure. Together with the inconsistency in normative logic between the existing remote inspection and online data extraction measures, and the insufficient regulation of new phenomena such as DFIR and honeypot forensics, this leaves the practical difficulties hard to resolve. Existing norms on forensic jurisdiction lean toward a pure data-storage-location model, whose cumbersome procedures are ill-suited to the high timeliness demanded by real-time data changes during cloud forensics. Accordingly, in line with the practical requirements of cloud forensics and taking data as the basis, a forensic principle should be established that gives equal weight to seizing original storage media and extracting electronic data, with printing and photographing as the exception; a systematic scheme of technical regulation and procedural constraints should be built; and the forensic jurisdiction mechanism should be improved with the protection of national interests as its starting point, so as to enhance the flexibility of cloud forensics.

Keywords: cloud computing; cloud forensics; automated forensics; electronic data forensics; law enforcement jurisdiction

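Classification: TP393.09 [Automation and Computer Technology: Computer Application Technology]; D925.2 [Automation and Computer Technology: Computer Science and Technology]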

 
