<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-7558246</id><updated>2011-04-22T01:56:59.681+08:00</updated><title type='text'>Computer Forensics</title><subtitle type='html'>A personal introduction to, and commentary on, computer forensics techniques, procedures and the related law. I hope it will draw out better contributions from others.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://quzheng.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://quzheng.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>wetu</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>18</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-7558246.post-10902504039080132</id><published>2004-07-19T22:55:00.000+08:00</published><updated>2004-07-19T23:20:03.906+08:00</updated><title type='text'>[Technical Article] Making Good Use of the Google Search Engine</title><content type='html'>Many people use the Google search engine, but not everyone has mastered it. Someone wrote a thick book, GOOGLE HACK, introducing some advanced usage; it is tedious to read and not as concise as the article below (I do not know whether it is by the same author).&lt;br /&gt;&lt;br /&gt;"Demystifying Google Hack", see &lt;a href="http://www.hackingspirits.com/eth-hac/papers/Demystifying%20Google%20Hacks.pdf"&gt;http://www.hackingspirits.com/eth-hac/papers/Demystifying%20Google%20Hacks.pdf&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Those interested in finding information with search engines may also want to look at a website set up by a master-level hacker: &lt;a
href="http://www.searchlore.org/"&gt;Web Searchlores&lt;/a&gt;.</content><link rel='replies' type='application/atom+xml' href='http://quzheng.blogspot.com/feeds/10902504039080132/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7558246&amp;postID=10902504039080132' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/10902504039080132'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/10902504039080132'/><link rel='alternate' type='text/html' href='http://quzheng.blogspot.com/2004/07/google.html' title='[Technical Article] Making Good Use of the Google Search Engine'/><author><name>wetu</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7558246.post-109024842834340664</id><published>2004-07-19T22:32:00.000+08:00</published><updated>2004-07-19T22:48:48.030+08:00</updated><title type='text'>[Technical Article] Common Methods of Hunting for Web User Information</title><content type='html'>&lt;a href="http://wwwlaw.murdoch.edu.au/dtlj/2004/vol5_1/averill_abstract.html"&gt;The Spider’s Stratagem on the Web: Hunting and Collecting Web Users&lt;/a&gt;, recently published in the &lt;a href="http://wwwlaw.murdoch.edu.au/dtlj/"&gt;Digital Technology Law Journal&lt;/a&gt;, describes ten common methods of hunting for Web user information, together with the legal countermeasures available to users and governments.&lt;br /&gt;&lt;br /&gt;The ten methods of hunting for Web user information are:&lt;br /&gt;1. Spawning and mouse trapping&lt;br /&gt;2. Page jacking, redirecting, and spoof pages&lt;br /&gt;3. Misleading links&lt;br /&gt;4. Home-jacking&lt;br /&gt;5. Spyware&lt;br /&gt;6. Pop-up ads or adware&lt;br /&gt;7. Cookies and Web bugs&lt;br /&gt;8.
Identity theft and phishing&lt;br /&gt;9. Internet dumping&lt;br /&gt;10. Spamming&lt;br /&gt;</content><link rel='replies' type='application/atom+xml' href='http://quzheng.blogspot.com/feeds/109024842834340664/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7558246&amp;postID=109024842834340664' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/109024842834340664'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/109024842834340664'/><link rel='alternate' type='text/html' href='http://quzheng.blogspot.com/2004/07/web.html' title='[Technical Article] Common Methods of Hunting for Web User Information'/><author><name>wetu</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7558246.post-109023807548547344</id><published>2004-07-19T19:46:00.000+08:00</published><updated>2004-07-19T19:54:35.486+08:00</updated><title type='text'>[Tool Introduction] TestDisk, a Hard Disk Partition Check and Repair Tool</title><content type='html'>TestDisk can check and repair the following partition types:&lt;br /&gt;- FAT12 FAT16 FAT32&lt;br /&gt;- Linux EXT2/EXT3&lt;br /&gt;- Linux SWAP (version 1 and 2)&lt;br /&gt;- NTFS (Windows NT/W2K/XP)&lt;br /&gt;- BeFS (BeOS)&lt;br /&gt;- UFS (BSD)&lt;br /&gt;- Netware&lt;br /&gt;- ReiserFS&lt;br /&gt;&lt;br /&gt;It runs on the following operating systems:&lt;br /&gt;DOS/Win9x&lt;br /&gt;Windows NT 4/2000/XP/2003 (slower)&lt;br /&gt;Linux&lt;br /&gt;FreeBSD&lt;br /&gt;&lt;br /&gt;The tool can be downloaded from &lt;a href="http://www.cgsecurity.org/"&gt;http://www.cgsecurity.org/&lt;/a&gt;. Use it with care, or each "repair" may leave your disk in a worse state than before.&lt;br /&gt;</content><link rel='replies' type='application/atom+xml' href='http://quzheng.blogspot.com/feeds/109023807548547344/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7558246&amp;postID=109023807548547344' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/109023807548547344'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/109023807548547344'/><link rel='alternate' type='text/html' href='http://quzheng.blogspot.com/2004/07/testdisk.html' title='[Tool Introduction] TestDisk, a Hard Disk Partition Check and Repair Tool'/><author><name>wetu</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7558246.post-109015342391472990</id><published>2004-07-18T19:54:00.000+08:00</published><updated>2004-07-18T20:23:43.913+08:00</updated><title type='text'>Stories from a British Forensic Expert</title><content type='html'>Domestic research is still at the armchair stage and lacks real forensic cases to study.&lt;br /&gt;&lt;br /&gt;By chance I found the following cases on this &lt;a href="http://www.computer-investigations.com/chist.html"&gt;website&lt;/a&gt;, offered here for reference:&lt;br /&gt;--The "Black Baron" case&lt;br /&gt;--Nightclub murder&lt;br /&gt;--Defamatory e-mails&lt;br /&gt;--The copied spreadsheets case&lt;br /&gt;--Lost evidence&lt;br /&gt;--A racial discrimination case&lt;br /&gt;&lt;br /&gt;These cases read somewhat like novels and are very readable.&lt;br /&gt;</content><link rel='replies' type='application/atom+xml'
href='http://quzheng.blogspot.com/feeds/109015342391472990/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7558246&amp;postID=109015342391472990' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/109015342391472990'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/109015342391472990'/><link rel='alternate' type='text/html' href='http://quzheng.blogspot.com/2004/07/blog-post_18.html' title='Stories from a British Forensic Expert'/><author><name>wetu</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7558246.post-109006972497612591</id><published>2004-07-17T21:07:00.000+08:00</published><updated>2004-07-17T21:08:44.976+08:00</updated><title type='text'>The IE Index.Dat Format and a Viewer Tool</title><content type='html'>Internet Explorer generates three Index.Dat files, which hold the Temporary Internet Files, Cookies and History records respectively. All three files share the same format.&lt;br /&gt;&lt;br /&gt;The Index.Dat format is described in detail in the article "Forensic Analysis of Internet Explorer Activity Files", which can be found online.&lt;br /&gt;&lt;br /&gt;A ready-made viewer is &lt;a href="http://www.exits.ro/dwl/IndexView.exe"&gt;INDEX.DAT VIEWER&lt;/a&gt;.&lt;br /&gt;</content><link rel='replies' type='application/atom+xml' href='http://quzheng.blogspot.com/feeds/109006972497612591/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7558246&amp;postID=109006972497612591' title='0 Comments'/><link rel='edit' type='application/atom+xml'
href='http://www.blogger.com/feeds/7558246/posts/default/109006972497612591'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/109006972497612591'/><link rel='alternate' type='text/html' href='http://quzheng.blogspot.com/2004/07/ie-indexdat_17.html' title='The IE Index.Dat Format and a Viewer Tool'/><author><name>wetu</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7558246.post-109006954795738510</id><published>2004-07-17T21:04:00.000+08:00</published><updated>2004-07-17T21:20:37.170+08:00</updated><title type='text'>Forensic Tools for the Windows Registry on Linux</title><content type='html'>1. Tool one: CHNTPW&lt;br /&gt;It can be used to modify the contents of the SAM and to clear the Administrator account password.&lt;br /&gt;&lt;br /&gt;2. Tool two: Kregedit&lt;br /&gt;This tool has a graphical interface and can be downloaded from http://samba.org/~jelmer/kregedit/.&lt;br /&gt;&lt;br /&gt;--The above is excerpted and translated from "&lt;a href="http://www.agilerm.net/pdfs/Agilerm-LF-Week2-Registry.pdf"&gt;Accessing and Analyzing the Windows Registry&lt;/a&gt;".&lt;br /&gt;</content><link rel='replies' type='application/atom+xml' href='http://quzheng.blogspot.com/feeds/109006954795738510/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7558246&amp;postID=109006954795738510' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/109006954795738510'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/109006954795738510'/><link rel='alternate' type='text/html'
href='http://quzheng.blogspot.com/2004/07/linuxwindows-registry_17.html' title='Forensic Tools for the Windows Registry on Linux'/><author><name>wetu</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7558246.post-109006942898840169</id><published>2004-07-17T21:02:00.000+08:00</published><updated>2004-07-17T21:03:48.986+08:00</updated><title type='text'>CDR Forensics on Linux</title><content type='html'>Recordable optical media (CDR, CDRW) may hold useful evidence. Three useful tools are introduced below:&lt;br /&gt;&lt;br /&gt;1. readcd&lt;br /&gt;The readcd program is part of the cdrecord or cdrtools package and is normally present on Linux.&lt;br /&gt;[mshannon@silentpower mshannon]$ readcd dev=0,0,0 -fulltoc&lt;br /&gt;Read speed: 9152 kB/s (CD 52x, DVD 6x).&lt;br /&gt;Write speed: 9152 kB/s (CD 52x, DVD 6x).&lt;br /&gt;TOC len: 169. First Session: 1 Last Session: 3.&lt;br /&gt;01 14 00 A0 00 00 00 00 01 00 00&lt;br /&gt;01 14 00 A1 00 00 00 00 01 00 00&lt;br /&gt;01 14 00 A2 00 00 00 00 00 0A 00&lt;br /&gt;01 14 00 01 00 00 00 00 00 02 00&lt;br /&gt;01 54 00 B0 02 28 00 02 4F 3B 47&lt;br /&gt;01 54 00 C0 A0 00 30 00 61 1A 42&lt;br /&gt;02 14 00 A0 00 00 00 00 02 00 00&lt;br /&gt;02 14 00 A1 00 00 00 00 02 00 00&lt;br /&gt;02 14 00 A2 00 00 00 00 08 1D 37&lt;br /&gt;02 14 00 02 00 00 00 00 02 2A 00&lt;br /&gt;02 54 00 B0 09 3B 37 01 4F 3B 47&lt;br /&gt;03 14 00 A0 00 00 00 00 03 00 00&lt;br /&gt;03 14 00 A1 00 00 00 00 03 00 00&lt;br /&gt;03 14 00 A2 00 00 00 00 0A 09 37&lt;br /&gt;03 14 00 03 00 00 00 00 0A 01 37&lt;br /&gt;Lead out 1: 600&lt;br /&gt;Lead out 2: 38080&lt;br /&gt;Lead out 3: 45580&lt;br /&gt;[mshannon@silentpower mshannon]$&lt;br /&gt;&lt;br /&gt;2. isoinfo&lt;br /&gt;The isoinfo program is also part of the cdrecord or cdrtools package and is normally present on Linux.&lt;br /&gt;[mshannon@silentpower mshannon]$ isoinfo -d -i=/dev/cdrom&lt;br /&gt;CD-ROM is in ISO 9660 format&lt;br /&gt;System id:&lt;br
/&gt;Volume id: DISK1&lt;br /&gt;Volume set id:&lt;br /&gt;Publisher id:&lt;br /&gt;Data preparer id:&lt;br /&gt;Application id: NERO___BURNING_ROM&lt;br /&gt;Copyright File id:&lt;br /&gt;Abstract File id:&lt;br /&gt;Bibliographic File id:&lt;br /&gt;Volume set size is: 1&lt;br /&gt;Volume set sequence number is: 1&lt;br /&gt;Logical block size is: 2048&lt;br /&gt;Volume size is: 600&lt;br /&gt;Joliet with UCS level 3 found&lt;br /&gt;NO Rock Ridge present&lt;br /&gt;[mshannon@silentpower mshannon]$&lt;br /&gt;&lt;br /&gt;3. CDFS&lt;br /&gt;CDFS is a Linux filesystem that allows each session of a CDR to be accessed separately. CDFS can be downloaded from&lt;br /&gt;http://www.elis.rug.ac.be/~ronsse/cdfs/.&lt;br /&gt;[root@silentpower mnt]# mount /dev/cdrom /mnt/cdrom/&lt;br /&gt;mount: block device /dev/cdrom is write-protected, mounting read-only&lt;br /&gt;[root@silentpower mnt]# cd cdrom&lt;br /&gt;[root@silentpower cdrom]# ls&lt;br /&gt;TechnicalConsultingResume_JGP.doc&lt;br /&gt;[root@silentpower cdrom]# cd ..&lt;br /&gt;[root@silentpower mnt]# umount /mnt/cdrom&lt;br /&gt;[root@silentpower mnt]# mount -t cdfs /dev/cdrom /mnt/cdfs&lt;br /&gt;mount: block device /dev/cdrom is write-protected, mounting read-only&lt;br /&gt;[root@silentpower mnt]# cd cdfs&lt;br /&gt;[root@silentpower cdfs]# ls&lt;br /&gt;3.1.Apple_partition_map sessions_1-1.iso sessions_1-3.iso&lt;br /&gt;3.2.Apple_HFS sessions_1-2.iso sessions_1-4.iso&lt;br /&gt;[root@silentpower cdfs]# mkdir /mnt/loop1&lt;br /&gt;[root@silentpower cdfs]# mount -o loop sessions_1-1.iso /mnt/loop1&lt;br /&gt;[root@silentpower cdfs]# cd /mnt/loop1/&lt;br /&gt;[root@silentpower loop1]# ls&lt;br /&gt;DP-Mig-1.xls EGL.xls misc9-11-00.xls&lt;br /&gt;EGL_New.xls july-results.xls WG-audit.xls&lt;br /&gt;[root@silentpower loop1]#&lt;br /&gt;&lt;br /&gt;--This article is excerpted and translated from "&lt;a href="http://www.agilerm.net/pdfs/Agilerm-LF-Week1-CDR.pdf"&gt;Linux Forensics of CDR&lt;/a&gt;".</content><link rel='replies' type='application/atom+xml' href='http://quzheng.blogspot.com/feeds/109006942898840169/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7558246&amp;postID=109006942898840169' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/109006942898840169'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/109006942898840169'/><link rel='alternate' type='text/html' href='http://quzheng.blogspot.com/2004/07/linuxcdr_17.html' title='CDR Forensics on Linux'/><author><name>wetu</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7558246.post-108995535499907432</id><published>2004-07-16T13:22:00.000+08:00</published><updated>2004-07-17T21:01:24.776+08:00</updated><title type='text'>Examining a Suspect System with VMware</title><content type='html'>VMware's ability to boot from a raw disk image makes it convenient to examine a suspect system. The procedure is as follows:&lt;br /&gt;&lt;br /&gt;Step 1: Create images of the MBR and of the partition to be examined&lt;br /&gt;[root@forensic0 VMware-test]# dd if=/dev/sda of=mbr.img bs=512 count=63&lt;br /&gt;63+0 records in&lt;br /&gt;63+0 records out&lt;br /&gt;[root@forensic0 VMware-test]# dd if=/dev/sda1 of=partition.img bs=512&lt;br /&gt;2491712+0 records in&lt;br /&gt;2491712+0 records out&lt;br /&gt;&lt;br /&gt;Step 2: Edit the vmdk file&lt;br /&gt;Below is the modified VMware-test.vmdk&lt;br /&gt;# Disk DescriptorFile&lt;br /&gt;version=1&lt;br /&gt;CID=dc92f58c&lt;br /&gt;parentCID=ffffffff&lt;br /&gt;createType="monolithicFlat"&lt;br /&gt;# Extent description&lt;br /&gt;RW 63 FLAT "mbr.img" 0&lt;br /&gt;RW 2491712 FLAT
"partition.img" 0&lt;br /&gt;# The Disk Data Base&lt;br /&gt;#DDB&lt;br /&gt;ddb.toolsVersion = "0"&lt;br /&gt;ddb.adapterType = "ide"&lt;br /&gt;ddb.geometry.sectors = "63"&lt;br /&gt;ddb.geometry.heads = "16"&lt;br /&gt;ddb.geometry.cylinders = "1216"&lt;br /&gt;ddb.virtualHWVersion = "3"&lt;br /&gt;scsi0.present = "TRUE"&lt;br /&gt;memsize = "16"&lt;br /&gt;&lt;br /&gt;Step 3: Edit the vmx file&lt;br /&gt;Below is the modified VMware-test.vmx&lt;br /&gt;ide0:0.present = "TRUE"&lt;br /&gt;ide0:0.fileName = "VMware-test.vmdk"&lt;br /&gt;ide1:0.present = "TRUE"&lt;br /&gt;ide1:0.fileName = "/dev/cdrom"&lt;br /&gt;ide1:0.deviceType = "cdrom-raw"&lt;br /&gt;floppy0.fileName = "/dev/fd0"&lt;br /&gt;sound.present = "TRUE"&lt;br /&gt;displayName = "VMware-test"&lt;br /&gt;guestOS = "win31"&lt;br /&gt;priority.grabbed = "normal"&lt;br /&gt;priority.ungrabbed = "normal"&lt;br /&gt;uuid.location = "56 4d 03 d8 4f 7f 73 b8-29 78 1d 14 c7 d2 69 8e"&lt;br /&gt;uuid.bios = "56 4d 03 d8 4f 7f 73 b8-29 78 1d 14 c7 d2 69 8e"&lt;br /&gt;tools.remindInstall = "TRUE"&lt;br /&gt;ide0:0.mode = "independent-nonpersistent"&lt;br /&gt;&lt;br /&gt;Step 4: Start VMware&lt;br /&gt;With ide0:0.mode set to "independent-nonpersistent" as above, anything the guest writes to the disk is discarded when the virtual machine is powered off, so the image files themselves are not altered.&lt;br /&gt;</content><link rel='replies' type='application/atom+xml' href='http://quzheng.blogspot.com/feeds/108995535499907432/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7558246&amp;postID=108995535499907432' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/108995535499907432'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/108995535499907432'/><link rel='alternate' type='text/html'
href='http://quzheng.blogspot.com/2004/07/vmware.html' title='Examining a Suspect System with VMware'/><author><name>wetu</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7558246.post-108995424317159612</id><published>2004-07-16T13:04:00.000+08:00</published><updated>2004-07-17T20:54:22.750+08:00</updated><title type='text'>Anti-Virus Tools on Linux and Their Use in Forensics</title><content type='html'>In forensic work it is often necessary to rule out the influence of malicious programs such as viruses, trojans and worms. Anti-virus software available on Linux includes FProt Antivirus and Vexira Antivirus.&lt;br /&gt;&lt;br /&gt;For a malicious program, the investigator needs to consider the following questions:&lt;br /&gt;How did it arrive? If it arrived by e-mail, the relevant e-mail needs to be examined. If by webmail, the Internet history needs to be examined. If it was downloaded from the Internet, the Internet history likewise needs to be examined.&lt;br /&gt;When did it arrive? Compare the time of the offence with the time the malicious program arrived.&lt;br /&gt;&lt;br /&gt;--Excerpted and translated from "&lt;a href="http://www.agilerm.net/pdfs/Agilerm-LF-Week3-AV.pdf"&gt;Linux Anti-Virus Tools and Techniques for Forensic Investigation&lt;/a&gt;".&lt;br /&gt;</content><link rel='replies' type='application/atom+xml' href='http://quzheng.blogspot.com/feeds/108995424317159612/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7558246&amp;postID=108995424317159612' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/108995424317159612'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/108995424317159612'/><link rel='alternate' type='text/html' href='http://quzheng.blogspot.com/2004/07/linux.html'
title='Anti-Virus Tools on Linux and Their Use in Forensics'/><author><name>wetu</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7558246.post-108988413908240827</id><published>2004-07-15T17:35:00.000+08:00</published><updated>2004-07-17T20:48:58.890+08:00</updated><title type='text'>The Forensic Strategy Data Recovery Newsletter Vol. 1, Issue 2</title><content type='html'>"What evidence can possibly be recovered that can help my client's case?"&lt;br /&gt;&lt;br /&gt;As with other types of investigations, the answer will not be fully determined until after the data has been recovered and the findings have been meticulously researched. The process involved in investigating a computer can be exceptionally time-intensive. An average of seven hours is required before a basic assessment can be created. The assessment will help establish whether the computer contains valuable information that would justify additional resources. Because it is initially uncertain what evidence a computer contains, it is essential to qualify a particular computer before investing additional resources.&lt;br /&gt;&lt;br /&gt;"When is there a good possibility of recovering useful data, so that it is cost-effective to involve a Computer Forensic Investigator?"&lt;br /&gt;&lt;br /&gt;* Qualifying a Computer for Forensic Recovery: In practically every computer there is "deleted" data that can be recovered; however, the data recovered is not always relevant to the case. Typically, it is a judgment call which computers should be investigated when there is more than one computer involved. It helps to establish an order of priority for the computers to be recovered. Using this method, vital data would be revealed first, which would avoid wasting resources on less credible computers.
It is possible to predict and prioritize the best computers for recovery based on a series of questions.&lt;br /&gt;&lt;br /&gt;Q: Did any person involved use the computer? Note that this could include receiving email or files from the party involved.&lt;br /&gt;&lt;br /&gt;When a file or email is deleted it is not immediately removed from the hard drive. It still exists even though it cannot be easily accessed. There is a section of the hard drive that is similar to a "Table of Contents", and when a file is deleted it is just removed from this "Table of Contents". The originally deleted file or email is left as dead space on the hard drive. Since the file still exists on the hard drive, special tools that bypass the "Table of Contents" can search for files and potentially recover them. A file can be divided into several pieces that exist in various locations on a hard drive. Because of this, it is possible that only part of a file might be recovered. A vital component of a case might exist in one of those small pieces.&lt;br /&gt;&lt;br /&gt;If the item that was deleted was an email, a different set of rules applies. An email, by its nature, exists in more than one place. There is always a From: (the sender), a To: (the recipient) and at least one server (the machines that processed the email). If there were CC: (carbon copy) or BCC: (blind carbon copy) addresses then more copies exist. An email has a greater potential to be recovered because email is stored in a file similar to a database. Consequently, when an email is deleted it is removed from the "Table of Contents" of the database and not from the hard drive itself. It is possible for the email to persist in a file or on a server for quite a long time after the email is "deleted" by a user. This includes Outlook Express, Outlook 2002, AOL, Exchange Server and several other types of email programs.&lt;br /&gt;&lt;br /&gt;If email is read via a web browser (i.e.
Hotmail) a copy of the email will usually exist in the Internet cache or temporary files on the hard drive of the computer it was viewed from. There is an even greater probability that this might be recovered.&lt;br /&gt;&lt;br /&gt;Q: How long has it been since the files were deleted?&lt;br /&gt;&lt;br /&gt;Because of the way files are left behind as dead space on the hard drive, the file pieces are gradually overwritten as space is needed by different programs or web pages. The longer the time that has passed since the files were deleted, the lower the probability that something can be recovered, although in some past instances data has been recovered dating back several years.&lt;br /&gt;&lt;br /&gt;Q: How much has the computer been used since the files were deleted?&lt;br /&gt;&lt;br /&gt;Because files are overwritten gradually, the more the computer is used the more likely it is that new files have overwritten older files, erasing your valuable information. A computer writes files every time a program is used (including Internet access). The Windows operating system will overwrite certain files every time the system is powered on. These standard files are not very large, but they account for a significant percentage of the destruction that occurs to recoverable files. This is an excellent reason to stop using a computer as soon as it is learned that it is involved in a case, until a Computer Forensic Specialist can examine it. If the computer is necessary for the operations of the business, the specialist can safely and effectively "clone" the hard drive to preserve the information.&lt;br /&gt;&lt;br /&gt;If there is someone who can answer these questions there is a good chance of determining the usefulness of the computer in a case. This is not intended to be a final list of questions but is a common set to help determine the possibility that something useful might exist.
In some cases the client might not be able to answer any of these questions, and often the answers given are incorrect.&lt;br /&gt;&lt;br /&gt;Even when there is no one to answer those questions, there is still a good possibility of recovering valuable evidence from the right computer, even when the files never existed on the computer.&lt;br /&gt;&lt;br /&gt;Example #1:&lt;br /&gt;To the surprise of the CEO of one company, five members of one of its branch offices left overnight to start their own company. No notice was given, and it wasn't until someone arrived at the office after no one had answered the phone for hours that it was discovered they had departed to start a new company. Initially, there was no major concern except that the employees were gone. The CEO stated that nothing was taken, but they wanted to review the hard drives for company security purposes. During a data recovery several printer spooler files were recovered. Since it is sometimes a pattern of employees to bring floppy disks and print documents that never existed on the server, a spooler file can be very revealing. In this case, the spooler indicated that it had printed to several high-end HP Color Laser Printers. During the recovery it was noted that the office had no HP Color Laser Printers. This was brought to the attention of the CEO and he claimed that it was not possible for the employees to purchase an asset that large, as they have to have approval for purchases over $500. After investigating, it was determined that the employees had used company funds to purchase equipment, each individual pooling their purchase below $500 into one large purchase together.&lt;br /&gt;&lt;br /&gt;Often a case will involve someone who believes they are a "computer guru." They consciously attempt to delete incriminating evidence, believing they know what they are doing.
Their egos make them believe that they know how to delete a file so that it is permanently unrecoverable and that they are safe. Many times they are mistaken.&lt;br /&gt;&lt;br /&gt;Example #2:&lt;br /&gt;In a divorce case, the husband was accused of having an affair. He was also chatting and emailing his girlfriend over the Internet. He also spent several hours a week on illicit adult web sites. The wife described her husband as a very computer-savvy person. She stated several times that he knew everything about computers and that he always deleted everything. Because of this statement there was a great deal of discussion about wasting time on a court order for the computer.&lt;br /&gt;After the computer was investigated, many incriminating items were recovered. There were chat logs, emails found in the Internet cache files, and dozens of revealing photos of the girlfriend. When questioned during depositions he was shocked at the printed material and declared that he had used a special program in his attempt to overwrite all the deleted files.
&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7558246-108988413908240827?l=quzheng.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://quzheng.blogspot.com/feeds/108988413908240827/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7558246&amp;postID=108988413908240827' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/108988413908240827'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/108988413908240827'/><link rel='alternate' type='text/html' href='http://quzheng.blogspot.com/2004/07/forensic-strategy-data-recovery_15.html' title='The Forensic Strategy Data Recovery Newsletter Vol. 1, Issue 2'/><author><name>wetu</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7558246.post-108988396634423191</id><published>2004-07-15T17:32:00.000+08:00</published><updated>2004-07-17T20:44:17.763+08:00</updated><title type='text'>The Forensic Strategy Data Recovery Newsletter Vol. 1, Issue 1</title><content type='html'>Forensics, as it relates to computers and data, is the collection and preservation of data to investigate or establish facts for any type of legal purpose. For each case, computer forensics can contain many different types of material and can be gathered from dozens of sources. Information can be limited to what exists on a hard drive and may even include data from the Internet, tapes, CDs, disks or printouts made by a specific computer. 
&lt;br /&gt;&lt;br /&gt;Computer forensics is an emerging specialty that has no defined criteria. This makes it difficult to find a person with the knowledge, experience and skills needed to be an expert in this area. Colleges are beginning to recognize this as a growing field and are adding degrees and certification programs to their curriculum. &lt;br /&gt;&lt;br /&gt;With the speed at which the computer industry changes, it is often a struggle for the legal profession to keep up with all of the new laws established to convict criminals who use technology as a weapon. It is equally challenging to locate a knowledgeable computer specialist that has the interest, expertise and skills in fields other than computer science. Consequently, a computer forensic specialist who has skills in other disciplines such as accounting and/or law, will deliver better results meaning more useful and credible evidence for you. &lt;br /&gt;&lt;br /&gt;Methodologies are a set of processes that can be applied to any situation. While the tools or items used to lay the groundwork for the discovery phase may vary, the methodology remains the same. Some of these methods are still being developed in the area of computer &lt;br /&gt;forensics. Changes are frequent because of new laws that require the way processes are completed. Other changes are due to an ever-evolving technology and the ability to completely remove two or three processes with new software or hardware. &lt;br /&gt;&lt;br /&gt;Qualified computer forensic specialists will spend considerable time staying in front of the new technology curve. It takes an extreme amount of work to keep up with the changes in the computing industry, as well as, issues involving the law. This is the type of expertise &lt;br /&gt;you should seek for assistance with cases requiring computer forensics. &lt;br /&gt;&lt;br /&gt;Most lawyers have little knowledge about computers and will need guidance as a case develops. 
They will continually need to discuss the case with a computer forensic specialist and review new material even when it seems unnecessary. When dealing with computers and data, the process of understanding what is achievable and what isn't requires an advanced understanding of technology generally not found outside the professional computer security community. Not only must the computer forensic specialist assist the attorney with what can be done but they must also stand as a credible witness under the pressure and scrutiny of cross-examination. &lt;br /&gt;&lt;br /&gt;During the discovery phase of a case, being a forensic computer specialist can be compared to being a Private Investigator, only the subject matter is mainly dealing with computers and electronic data. Discovery often involves several passes at the data. As new facts are revealed about the case, the old data will need to be reviewed to see what has been discovered and how it is applicable to the case. In some cases, knowing what happened is more important than the actual data itself. &lt;br /&gt;&lt;br /&gt;Example #1: &lt;br /&gt;In a divorce case, a court order was given to the husband with instructions not to delete or destroy any data. The computer was to be picked up by a forensic investigator and reviewed for evidence per the court order. The husband promptly went home and deleted everything on the computer he thought would be incriminating. After examining the computer, it was proven that he purposely deleted data after the court order. Since he violated the court order, this case could have easily escalated into more than just a divorce case for the husband. When the opposing attorney confronted the husband with this fact, the husband quickly decided to settle out of court and agreed to his soon-to-be ex-wife's demands. 
&lt;br /&gt;&lt;br /&gt;Example #2: &lt;br /&gt;The majority of work is often discovering how to look at the information and display it so that it makes sense to laymen. This also includes educating the attorney about the technical details so they can decide how to approach the case. It is of no value if the information is so complex that it can not be explained clearly. &lt;br /&gt;&lt;br /&gt;In a recent case, a CD was stolen from a company. During the discovery period of the case, the defendant was ordered to make an EXACT copy of the original CD and deliver it to the plaintiff the same day. &lt;br /&gt;&lt;br /&gt;It was noted that one of the files had been changed on the CD. On the CD there were several files that amounted to 500 megabytes. This brand of CD was only able to hold 650 megabytes. The specific file in question was a 200 megabyte file. &lt;br /&gt;&lt;br /&gt;The defendants claim was that the CD was a CDRW (ReWritable CD) and that the file changed while viewing the CD. In this instance the changed file could not overwrite the existing file, but would be appended to the CD. As there was only 150 megabytes left, there was not enough space to append a 200 megabyte file. The defendant would have needed another 50 megabytes in order to make a change to the file on the same CD. Therefore, this was not an exact copy of the same CD that was taken. &lt;br /&gt;&lt;br /&gt;Only a computer specialist with experience with a ReWritable CD would have realized this was not possible. The opposing attorney initially accepted the explanation; however, the computer specialist on the team revealed that evidence had been tampered with. &lt;br /&gt;&lt;br /&gt;More examples and experiences will be discussed in future issues. 
If you are interested and would like to continue to receive our newsletter, please see our website to sign up for a FREE subscription at: http://www.forensicstrategy.com/contacts.asp &lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7558246-108988396634423191?l=quzheng.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://quzheng.blogspot.com/feeds/108988396634423191/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7558246&amp;postID=108988396634423191' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/108988396634423191'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/108988396634423191'/><link rel='alternate' type='text/html' href='http://quzheng.blogspot.com/2004/07/forensic-strategy-data-recovery.html' title='The Forensic Strategy Data Recovery Newsletter Vol. 
1, Issue 1'/><author><name>wetu</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7558246.post-108987261489444989</id><published>2004-07-15T14:23:00.000+08:00</published><updated>2004-07-17T20:39:12.933+08:00</updated><title type='text'>Countering the "Trojan remote control" defence</title><content type='html'>Most computers contain programs that were placed there without the owner's knowledge, such as viruses, Trojans, adware and spyware, so a computer crime suspect can often claim that his computer was under someone else's control while the criminal activity took place. This "Trojan remote control" defence has succeeded in quite a few cases abroad.&lt;br /&gt;&amp;nbsp;&lt;br /&gt;How to establish convincingly the relationship between the harmful programs and the criminal activity has therefore become a major challenge for forensic practitioners. So far I have seen little research in this area, but IJDE does have one paper, "&lt;a href="http://www.ijde.org/current_home.html"&gt;The Trojan Made Me Do It: A First Step in Statistical Based Computer Forensics Event Reconstruction&lt;/a&gt;", which is worth a look.&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7558246-108987261489444989?l=quzheng.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://quzheng.blogspot.com/feeds/108987261489444989/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7558246&amp;postID=108987261489444989' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/108987261489444989'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/108987261489444989'/><link rel='alternate' type='text/html' href='http://quzheng.blogspot.com/2004/07/blog-post_108987261489444989.html' title='Countering the "Trojan remote control" defence'/><author><name>wetu</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7558246.post-108972633060244311</id><published>2004-07-13T21:45:00.000+08:00</published><updated>2004-07-17T20:34:33.813+08:00</updated><title type='text'>Cybercrime benefits security companies</title><content type='html'>This is an &lt;a href="http://www.sanmateocountytimes.com/Stories/0,1413,87~11271~2252591,00.html"&gt;article&lt;/a&gt; from the San Mateo County Times.&lt;br /&gt;&lt;br /&gt;A lot of perfectly respectable small businesses are raking in money from Internet fraud. From identity theft to bogus stock sales to counterfeit prescription drugs, crime is rife on the Web. But what has become the Wild West for savvy cybercriminals has also developed into a major business opportunity for cybersleuths. &lt;br /&gt;&lt;br /&gt;The number of security companies that patrol the shady corners of the virtual world is small but growing. One of the most well known is Kroll Ontrack, a technology services provider that Kroll Associates, an international security company based in New York, set up in 1985. &lt;br /&gt;&lt;br /&gt;Others include ICG Inc. in Princeton, N.J.; Decision Strategies in Falls Church, Va.; and Cyveillance in Arlington, Va., all started in 1997. &lt;br /&gt;&lt;br /&gt;"As more and more crime is committed on the Internet, there will be growth of these services," said Rich Mogull, research director for information security and risk at Gartner Inc., a technology-market research firm in Stamford, Conn. &lt;br /&gt;&lt;br /&gt;ICG, for example, has grown to 35 employees and revenue of a projected $7 million this year from eight employees and $1.5 million in revenue just four years ago, said Michael Allison, its founder and chief executive. 
&lt;br /&gt;&lt;br /&gt;ICG, which is a licensed private investigator in New Jersey, tracks down online troublemakers for major corporations around the world, targeting spammers and disgruntled former employees as well as scam artists, using both technology and more traditional cat-and-mouse &lt;br /&gt;tactics. &lt;br /&gt;&lt;br /&gt;"It's exciting getting into the hunt," said Allison, a 45-year-old British expatriate. "You never know what you're going to find. And when you identify and finally catch someone, it's a real rush." &lt;br /&gt;&lt;br /&gt;According to Mi2g, a computer security firm, online identity theft cost businesses and consumers more than $5 billion last year worldwide, while spamming drained $3.5 billion dollars from corporate coffers. And those numbers are climbing, experts say. &lt;br /&gt;&lt;br /&gt;"The Internet was never designed to be secure," said Alan E. Brill, senior managing director at Kroll Ontrack. "There are no guarantees." &lt;br /&gt;&lt;br /&gt;Kroll has seven crime laboratories around the world and is opening two more in the United States because of the growing demand for this type of work. &lt;br /&gt;&lt;br /&gt;"It's common to think that we're all former hackers," Allison said about the industry, and his company in particular. "But it's not true. The people who work here wear ties. Shaving is compulsory. We have former Marines, FBI agents and graduate students. We're a real &lt;br /&gt;white-shoe sort of operation." &lt;br /&gt;&lt;br /&gt;ICG's clients, many of whom he will not identify because of privacy agreements, include pharmaceutical companies, lawyers, financial institutions, Internet service providers, digital entertainment groups and telecommunication giants. &lt;br /&gt;&lt;br /&gt;One of the few cases that ICG can talk about is a spamming problem that happened a few years ago at Ericsson, the Swedish telecommunications company. 
&lt;br /&gt;&lt;br /&gt;Hundreds of thousands of e-mail messages promoting a telephone-sex service inundated its servers hourly, crippling the system, according to the company. &lt;br /&gt;&lt;br /&gt;"They kept trying to filter it out," said Jeffrey Bedser, chief operating officer of ICG. "But the spam kept on morphing and getting around the filter." &lt;br /&gt;&lt;br /&gt;While no solution is exactly the same for online detective cases, a general search for a spammer typically involves thousands of Web pages, Usenet groups and message boards. Sometimes, all the searching comes up empty. &lt;br /&gt;&lt;br /&gt;"There is no hard-and-fast guarantee to identify everyone," Allison said. "There were cases that I'd hoped we get a result and just didn't." &lt;br /&gt;&lt;br /&gt;It is especially difficult these days, he says, because of cloaking software, like Anonymizer, that is used to hide the movements of a Web user, as well as the "hijacking" of third-party computers that are then used to carry out illicit activity without the owners of the computers knowing what is happening. &lt;br /&gt;&lt;br /&gt;In the Ericsson case, Bedser and his team plugged the spam message into search engines and located other places on the Web where it appeared. Some e-mail addresses turned up, which led to a defunct e-fax Web site. And that Web site had in its registry the name of the &lt;br /&gt;spammer, who turned out to be a middle-aged man living in the Georgetown section of Washington. &lt;br /&gt;&lt;br /&gt;Several weeks later, the man was sued. He ultimately agreed to a $100,000 civil settlement, though he didn't go away, Bedser said. "The guy sent me an e-mail that said, 'I know who you are and where you are,'" he recalled. "He also signed me up for all kinds of spam and I &lt;br /&gt;ended up getting flooded with e-mail for sex and drugs for the next year." 
&lt;br /&gt;&lt;br /&gt;Over the years, Allison estimates that ICG has tracked down more than 300 spammers, 75 of which its clients brought to civil court and 12 of&amp;nbsp;which resulted in criminal referrals. &lt;br /&gt;&lt;br /&gt;Allison says ICG's detective work is, for the most part, unglamorous, involving mostly sitting in front of computers and "looking for ones and zeros." Still, there are some private-eye moments. Computer forensic work, for instance, takes investigators to corporate offices &lt;br /&gt;all over America, sometimes in the dead of night. Searching through suspect hard drives -- always with a company lawyer or executive present -- they hunt for "vampire data," or old e-mails and documents that the computer users thought they had deleted long ago. &lt;br /&gt;&lt;br /&gt;In some cases, investigators have to be a little bit sneaky themselves. Once, an ICG staffer befriended a suspect in a "pump-and-dump" scheme -- in which swindlers heavily promote a &lt;br /&gt;little-known stock to get the price up, then sell their holdings at artificially high prices -- by chatting with him electronically on a chess Web site. &lt;br /&gt;&lt;br /&gt;Investigators often adopt pseudonyms when they interact on a message board. "We like to masquerade as women," Allison said. "Typically, we'll use names like Pat, Terry or Casey so it's ambiguous." &lt;br /&gt;&lt;br /&gt;It is when investigators start coaxing identities and backgrounds out of people under false pretences that privacy experts start to worry. "There's a lot of work that involves what is kindly called social engineering and what could just as easily be called fraud," said Stewart A. Baker, head of the technology department at the law firm Steptoe &amp;amp; Johnson. "You have to have evidence that holds up to scrutiny in court." 
&lt;br /&gt;&lt;br /&gt;There are areas that ICG and other leading Internet-security companies won't touch, such as celebrities, politics, sex and matrimonial issues. "It's dirt digging," said Allison. &lt;br /&gt;&lt;br /&gt;Before Allison opened ICG he worked as a public information officer for the British government and also spent time running background checks for Wall Street firms like Donaldson, Lufkin &amp;amp; Jenrette and Merrill Lynch. In 1991, he started International Business Research, &lt;br /&gt;which grew into ICG six years later. &lt;br /&gt;&lt;br /&gt;The Internet boom almost guarantees an unending supply of cybercriminals. "They're like mushrooms," Allison said. &lt;br /&gt;&lt;br /&gt;Right now, the most crowded fields of criminal activity are the digital theft of music and movies, illegal prescription-drug sales and "phishers," identity thieves who pose as financial institutions and send out fake e-mails to people asking for their account information. The Anti-Phishing Working Group, an industry association, estimates that between 5 percent and 20 percent of recipients respond to these phony e-mails. &lt;br /&gt;&lt;br /&gt;In 2003, 215,000 cases of identity theft were reported to the Federal Trade Commission, an increase of 33 percent from the year before. &lt;br /&gt;&lt;br /&gt;This bad news for consumers is a growth opportunity for ICG. "The bad guys will always be out there," Allison said. "But we're getting better and better. And we're catching up quickly." 
&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7558246-108972633060244311?l=quzheng.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://quzheng.blogspot.com/feeds/108972633060244311/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7558246&amp;postID=108972633060244311' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/108972633060244311'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/108972633060244311'/><link rel='alternate' type='text/html' href='http://quzheng.blogspot.com/2004/07/blog-post_13.html' title='网络犯罪使安全公司受益'/><author><name>wetu</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7558246.post-108955183713989625</id><published>2004-07-11T21:17:00.000+08:00</published><updated>2004-07-17T20:28:01.356+08:00</updated><title type='text'>黑客攻击数目的统计和各国现行法律的比较</title><content type='html'>看到了世行发表的关于各国黑客攻击数目的统计和各国现行法律(包括隐私保护法律，电子交易和商务法律，交易系统安全法律，网络犯罪法律，反洗黑钱法律)的比较。 &lt;br /&gt;&lt;br /&gt;下面是一些中国方面的资料。 &lt;br /&gt;黑客攻击数目: 2002: 1761, 2003:13,295(+655%), 来源CNCERT/CC &lt;br /&gt;隐私保护法律: 没有专门法律, 但宪法之下很多法律涉及到。 &lt;br /&gt;电子交易和商务法律: 有, 跟随香港的法律。 &lt;br /&gt;交易系统安全法律: 无。 &lt;br /&gt;网络犯罪法律: 刑法285和287条, 政令147号"Regulations of The Peoples Republic of &lt;br /&gt;China on Protecting the Safety of Computer Information"。 &lt;br /&gt;反洗黑钱法律: 刑法191条和312条, 反洗钱规定, 人民币汇报措施, 外汇汇报措施等。 &lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/7558246-108955183713989625?l=quzheng.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://quzheng.blogspot.com/feeds/108955183713989625/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7558246&amp;postID=108955183713989625' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/108955183713989625'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/108955183713989625'/><link rel='alternate' type='text/html' href='http://quzheng.blogspot.com/2004/07/blog-post_11.html' title='Statistics on hacker attacks and a comparison of current laws across countries'/><author><name>wetu</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7558246.post-108945795573890693</id><published>2004-07-10T19:12:00.000+08:00</published><updated>2004-07-17T20:19:41.706+08:00</updated><title type='text'>Forensics of executive fraud</title><content type='html'>I came across an introduction to the book Defend I.T.: Security by Example (ISBN: 0321197674). Three of its chapters are about computer forensics, and the chapter on &lt;a href="http://www.ebcvg.com/articles.php?id=235"&gt;executive fraud&lt;/a&gt; is available free for readers. The forensic procedure it describes is nothing special, but it is still worth a read.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7558246-108945795573890693?l=quzheng.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://quzheng.blogspot.com/feeds/108945795573890693/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7558246&amp;postID=108945795573890693' title='0 Comments'/><link rel='edit' 
type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/108945795573890693'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/108945795573890693'/><link rel='alternate' type='text/html' href='http://quzheng.blogspot.com/2004/07/blog-post_10.html' title='Forensics of executive fraud'/><author><name>wetu</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7558246.post-108927818023830112</id><published>2004-07-08T17:16:00.000+08:00</published><updated>2004-07-17T17:18:33.793+08:00</updated><title type='text'>BS7799 and evidence collection</title><content type='html'>BS7799 sets out the following requirements for the collection of evidence: &lt;br /&gt;&lt;em&gt;12.1.7.1 Rules for evidence &lt;br /&gt;Adequate evidence is required when bringing an action against a person or an organization. Whenever the action is an internal disciplinary matter, the evidence required will be described by internal procedures. &lt;br /&gt;Where the action involves the law, whether civil or criminal, the evidence presented should conform to the rules of evidence laid down in the relevant law or in the rules of the court hearing the case. In general, these rules cover: &lt;br /&gt;a) Admissibility of evidence: whether or not the evidence can be used in court. &lt;br /&gt;b) Weight of evidence: the quality and completeness of the evidence. &lt;br /&gt;c) Adequate evidence that controls were operated correctly and consistently throughout the period in which the evidence to be collected was stored and processed by the system (i.e. process control evidence). &lt;br /&gt;12.1.7.2 Admissibility of evidence &lt;br /&gt;To achieve admissibility of evidence, an organization should ensure that its information systems comply with any published standard or code of practice for the production of admissible evidence. &lt;br /&gt;12.1.7.3 Quality and completeness of evidence &lt;br /&gt;To ensure the quality and completeness of evidence, a strong evidence trail is needed. In general, a strong trail can be established under the following conditions: &lt;br /&gt;a) Paper documents: the original is kept securely, and it is recorded who found it, where it was found, when it was found and who witnessed the discovery. Any investigation should ensure that the original is not tampered with. &lt;br /&gt;b) Information on computer media: any removable media, information on hard disks or information in memory should be copied to ensure its availability. A log of all actions during the copying process should be kept, and the process should be witnessed. One copy of the media and the log should be kept securely. &lt;br /&gt;When an incident is first detected, it may not be clear whether it could lead to legal action. There is therefore a danger that necessary evidence is unintentionally destroyed before the seriousness of the incident is realized. It is advisable to involve a lawyer or the police early in any possible legal action and to take their advice on the evidence required.&lt;/em&gt; &lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7558246-108927818023830112?l=quzheng.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://quzheng.blogspot.com/feeds/108927818023830112/comments/default' title='Post 
Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7558246&amp;postID=108927818023830112' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/108927818023830112'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/108927818023830112'/><link rel='alternate' type='text/html' href='http://quzheng.blogspot.com/2004/07/bs7799.html' title='BS7799 and evidence collection'/><author><name>wetu</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7558246.post-108925644756924289</id><published>2004-07-08T11:14:00.000+08:00</published><updated>2004-07-17T20:15:03.030+08:00</updated><title type='text'>Surveillance and counter-surveillance of wireless network users</title><content type='html'>Many wireless networks take no effective security measures (such as disabling SSID broadcast, using a reliable encryption protocol, restricting MAC addresses, disabling DHCP and so on), which gives unauthorized users and eavesdroppers an opening. &lt;br /&gt;&amp;nbsp; &lt;br /&gt;Unauthorized users can be monitored, and evidence collected, with wireless network sniffers such as Kismet, Netstumbler and AirSnort. &lt;br /&gt;&lt;br /&gt;Detecting someone who uses a sniffer to eavesdrop on network traffic is harder, because a sniffer can be configured to receive only and never transmit, which makes it very difficult to notice. Some researchers have pointed out, however, that an anti-sniffer could be designed using physical principles such as antenna radiation. I do not know whether such tools already exist. &lt;br /&gt;&amp;nbsp;&lt;br /&gt;I also recently saw an introduction to the &lt;a href="http://www.networkchemistry.com"&gt;RFprotect&lt;/a&gt; system. It is said to perform intrusion detection at layers 1 and 2, and so can detect unauthorized wireless users, rogue APs and the like. Interested readers can look at the website themselves.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7558246-108925644756924289?l=quzheng.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://quzheng.blogspot.com/feeds/108925644756924289/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7558246&amp;postID=108925644756924289' 
title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/108925644756924289'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/108925644756924289'/><link rel='alternate' type='text/html' href='http://quzheng.blogspot.com/2004/07/blog-post_08.html' title='Surveillance and counter-surveillance of wireless network users'/><author><name>wetu</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7558246.post-108920336251241889</id><published>2004-07-07T19:51:00.000+08:00</published><updated>2004-07-17T17:15:27.076+08:00</updated><title type='text'>Tracing the source of email</title><content type='html'>On XFOCUS I read refdom's article &lt;a href="http://www.xfocus.net/articles/200406/trackspam.pdf"&gt;Tracing the source of spam&lt;/a&gt;. It describes how to analyse email headers in order to find information about the sender. Although the article targets spam, the methods it proposes also apply to email forensics. &lt;br /&gt;One shortcoming is that its treatment of the headers is not deep enough, for example the Message-ID field. Studying how different mail systems generate this ID can help to determine whether a message is genuine, or yield other valuable information. For example, the Message-ID generated by Outlook Express can reveal the computer's internal IP address and machine name (or domain name). &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7558246-108920336251241889?l=quzheng.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://quzheng.blogspot.com/feeds/108920336251241889/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7558246&amp;postID=108920336251241889' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/108920336251241889'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7558246/posts/default/108920336251241889'/><link rel='alternate' type='text/html' 
href='http://quzheng.blogspot.com/2004/07/blog-post.html' title='Tracing the source of email'/><author><name>wetu</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>
