Forensic Archives

May 15, 2003

FTI's bullet technology wins deal

The Montreal company whose bullet-identification technology was used to hunt the Washington sniper has signed a contract that could be worth as much as $130 million with the U.S. Bureau of Alcohol, Tobacco, Firearms and Explosives.

Forensic Technology Inc. has signed a one-year, $20-million deal to provide a wide range of equipment, training and services for the ATF's National Integrated Ballistic Informational Network. The ATF has an option to extend the contract for another four years.

May 16, 2003

ElectronicDataInvestigator

Kroll Ontrack (formerly Ontrack, acquired by Kroll Inc. in June 2002) has released new computer forensics products this year, one after another: ElectronicDataViewer and ElectronicDataInvestigator.

Kroll Ontrack's library of legal and forensics resources

May 17, 2003

IT forensics standard

Computerworld Australia reports: this week Australia will publish a draft standard for the preservation of electronic data in IT systems. It applies to all enterprise systems and is being driven jointly by the Attorney General's Department and the Australian Federal Police.

The guideline is currently in its feedback-gathering stage and will be formally released in July.

U.S. Arrests 135 in Nationwide Cybercrime Sweep

Reuters reports: the United States has charged 135 people in connection with investment fraud, identity theft and Internet fraud.

May 19, 2003

The boy who hacked Al-Qaeda

The Americans had tried almost everything, but they just couldn't crack an encrypted message they came across while investigating the 9/11 attacks. Finally, they approached a 17-year-old boy in Delhi about whom The New York Times had done a feature.

Over the next 10 days, Ankit Fardia hunkered down in his room in Delhi and came up with the key to crack the message.

The worst fears of American investigators came true — Al-Qaeda was using a sophisticated technology, called steganography, to communicate. It involved sending encrypted messages concealed in a photograph or series of photographs.

Full text

May 22, 2003

Viruses 101: U of C to teach secrets of cybercrime

CALGARY - Developing malicious software -- viruses, worms and Trojan horses -- will soon be part of the program for 16 students at the University of Calgary.

The aim is to delve into the cybercrime mind to understand a problem that causes billions of dollars in damage annually worldwide, says Dan Seneker, with the university's department of computer science.

canada.com

Safeback 3.0 released

From New Technology Limited, a strong player in both products and services. Their tools are basically all command-line, but thanks to their deep familiarity with the systems and their early start, the military and many large companies give them their service contracts.

On the tools side, though, EnCase is the more outstanding product, SMART is also good, and NTL seems to have stagnated somewhat.

Harsher penalties for cybercrime

Adding bite to anti-hacking provisions of the Homeland Security Act, the U.S. Sentencing Commission proposed stiffer penalties for some cybercrimes, with even minor first-time offenders facing up to five years in prison.

The commission has established guidelines for substantially harsher punishment if attacks disrupt national infrastructure. For example, if an attacker disrupts critical infrastructure operation, the severity of punishment increases by six levels. That could mean an additional 10 to 15 years in prison, says commission spokesman Michael Courlander.

The changes adjust sentencing guidelines to reflect the Homeland Security Act's definition of protected computers, which includes those of airports or agencies charged with overseeing infrastructure, such as public power systems.

Courlander says the amendments, part of a package that includes tougher penalties for white-collar crimes, such as violations of the Sarbanes-Oxley Act, have been presented to Congress. Lawmakers may pass legislation to alter the guidelines; otherwise they'll take effect Nov. 1.

While they don't bind judges, guidelines help ensure equal treatment of offenders, Courlander says.

http://www.ussc.gov/2003guid/2003amendments.pdf

A story of luring and catching a cybercriminal

A story from three years ago, dug up and pieced together by the Washington Post and published as a series.

Part 1, Part 2, Part 3

June 2, 2003

GSM mobile phone forensics

The latest issue of the International Journal of Digital Evidence has an article on GSM mobile phone forensics.

GSM is the most widely used system in mobile communications. Criminals frequently use GSM phones, so forensic investigators must understand what evidence can be obtained from a GSM system. The article briefly introduces the basics of GSM and the evidence that can be obtained from the mobile device, the SIM card and the core network. Tools for acquiring this evidence already exist, but better-founded forensic procedures and tools are still needed. The article also briefly introduces UMTS, which is built on the same ideas as GSM.

Computer Crime Investigation Handbook

There is no full text, but it lists the introductions to all chapters and related materials.

June 5, 2003

Taiwan increases penalties for hacking crimes

Taiwan's Legislative Yuan adopted supplementary Articles 358 and 359, under which hacking can be treated as a serious crime.

Article 358 stipulates that anyone who uses another person's password without permission, or accesses a private computer system without authorization, may be sentenced to up to 3 years' imprisonment and a fine of NT$100,000. Article 359 stipulates that anyone who attempts to steal, delete or alter information on another person's disk, causing serious consequences, may be sentenced to up to 5 years' imprisonment and a fine of NT$200,000.

The law also stipulates that if damage is done to a government department's private computer system, for example damage caused by spreading a computer virus, the penalty may be increased by one half.

June 12, 2003

Government monitoring centre begins operation

vnunet reports: the UK government's £25M monitoring centre has formally begun operation. NTAC is located at MI5 headquarters and is responsible for coordinating matters between ISPs and law enforcement. The unit was established in the summer of 2001; originally it was only responsible for decrypting information on seized computers, but it now also monitors and interprets Internet data and e-mail.

June 18, 2003

ODESSA

ODESSA (Open Digital Evidence Search and Seizure Architecture) project is to provide a completely open and extensible suite of tools for performing digital evidence analysis as well as a means of generating a usable report detailing the analysis and any findings. The odessa tool suite currently represents more than 7 man years of labor, and consists of 3 highly modular cross-platform tools for the acquisition, analysis, and documentation of digital evidence.

In addition to the odessa tool suite, the project hosts other applications and information related to digital forensics. At this time, the list of additional tools includes a set of whitepapers and utilities authored by Keith J. Jones including Galleta, a tool for analyzing Internet Explorer cookies, Pasco, a tool for analyzing the Microsoft Windows index.dat file, and Rifiuti, a tool for investigating the Microsoft Windows recycle bin info2 file.

July 1, 2003

Information in Word documents

Judging from this document, there really is a lot of information inside a Word document; it even holds information from 10 revisions. The document was generated with Word 8.0, that is, Word 97; I don't know how recent versions of Word behave. The analysis of the content is also interesting.

July 12, 2003

Computer forensics laboratory

Kansas City established a computer forensics laboratory this Wednesday, the third of five such laboratories to be built nationwide. The two already built are in Dallas and San Diego; the laboratories in San Francisco and Chicago are still being planned.

The laboratory cost US$2 million and is used mainly to track terrorist activity, but also for general computer crime investigations. Its staff come from the relevant departments in Kansas and Missouri, and it is run by the FBI.

July 19, 2003

Cyberpolice vs. Cybercrime

Computer Crime Research Center: European and American officials warn that Internet crime has become a real security threat. Hacker attacks against computer networks and public web services are growing, and newer viruses together with traditional terrorist activity place higher demands on the investigation of virtual crime.

Half an hour of attacking by a hacker often requires 34 hours of analysis and investigation by experts. Every country urgently needs highly skilled computer crime experts, so training police and staff of related departments cannot be delayed.

Honeytokens

Honeytokens: The Other Honeypot

A honeytoken is not a computer but some form of digital entity. A honeytoken can be a credit card number, a spreadsheet file, a presentation file, a database record, or a fabricated username and password. A honeytoken can take any form, but the concept is always the same: a resource used to catch unauthorized access to digital or information system resources. Just as a honeypot computer has no authorized-access value, a honeytoken has none either: once a honeytoken is created, any use of or access to it is illegitimate.

I think this method must already exist in traditional investigations, but how should this word be translated?
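
The detection side of the idea above, as an added example that is not from the article or this blog: two constructed honeytokens (a fake service account and a fake card number planted in a spreadsheet) are looked for in constructed syslog and web-server lines, and every appearance is an alert because no legitimate use of them exists.

```python
"""Honeytoken detection over sample log lines (added example, not from the page).

The honeytoken values and the log lines below are constructed for this
example; in practice the tokens are planted (a fake account, a fake card
number in a spreadsheet) and the detector watches auth, web and DB logs
for any appearance of them, since no legitimate use of a honeytoken exists.
"""
import re

# Constructed honeytokens: an account no real process ever uses and a fake
# card number (the common test number) planted in a finance spreadsheet.
HONEYTOKENS = {
    "fake-account": "svc_payroll_archive",
    "fake-card": "4111111111111111",
}

# Constructed sample log lines in syslog and Apache combined-log style.
SAMPLE_LOGS = [
    "Jul 19 10:02:11 fs01 sshd[412]: Accepted password for jsmith from 10.0.4.17 port 50122 ssh2",
    "Jul 19 10:05:43 fs01 sshd[419]: Failed password for svc_payroll_archive from 198.51.100.23 port 40021 ssh2",
    '10.0.4.17 - - [19/Jul/2003:10:06:01 +0000] "GET /finance/q2.xls HTTP/1.1" 200 51203',
    '203.0.113.9 - - [19/Jul/2003:10:09:30 +0000] "POST /checkout?card=4111-1111-1111-1111 HTTP/1.1" 302 0',
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_logs(lines, tokens=HONEYTOKENS):
    """Return one alert dict per log line that contains a honeytoken.

    Numeric tokens (card numbers) are compared digits-only so that spaces or
    dashes cannot hide them; the first IPv4 address on the line is reported
    as the source.
    """
    alerts = []
    for lineno, line in enumerate(lines, 1):
        digits_only = re.sub(r"\D", "", line)
        for name, value in tokens.items():
            hit = value in digits_only if value.isdigit() else value in line
            if hit:
                m = IPV4.search(line)
                alerts.append({"line": lineno, "token": name,
                               "source": m.group(0) if m else None})
    return alerts


if __name__ == "__main__":
    for a in scan_logs(SAMPLE_LOGS):
        print(f"ALERT line {a['line']}: honeytoken {a['token']} used from {a['source']}")
```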

July 21, 2003

Cybercrime Code of Practice

The Internet Industry Association of Australia (IIA) today published a draft Cybercrime Code of Practice and opened it for public comment.

The draft was prepared jointly by the IIA and law enforcement, and its content ranges from the retention of Internet access records to the types of information ISPs must provide to assist investigations. The code requires ISPs to collect and retain information including dynamic address assignments, login times, caller ID details and the volume of data transferred; this information must be kept for 6 months. ISPs must also retain proxy logs, e-mail sender, recipient and message size, newsgroup records and FTP logs for one week.

IIA press release
Draft Cybercrime Code of Practice

August 4, 2003

Incident Response Investigating Computer Crime

This book by Kevin Mandia and Chris Prosise of Foundstone is now in its second edition; the first edition has a Chinese translation, and I learned a lot from it. I can't get hold of the new edition for now, so I'll look at the links and tools on the book's companion website first, though unfortunately it offers too little. I hope they keep it updated the way Linux Exposed does. The second edition's updates include:

* New real-world scenarios throughout the book
* Latest methods for collecting live data and investigating Windows and UNIX systems
* Updated information on forensic duplication
* New chapter on emergency network security monitoring
* New chapter on corporate evidence handling procedures
* New chapter on data preparation with details on hard drive interfaces and data storage principles
* New chapter on data extraction and analysis
* Latest techniques for analyzing network traffic
* Up-to-date methods for investigating and assessing hacker tools, and more.

August 10, 2003

Foremost

The September issue of Sys Admin magazine has an article on using Foremost in forensics; it is the only article with its full text available. Foremost recovers files from disk or partition images based on file signatures. I should try it out later.
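
The header/footer carving that Foremost performs, shown as an added example rather than Foremost's own code: a constructed in-memory image holds filler, one JPEG, one PNG and a truncated JPEG with no footer, and the carver reports the type, offset and length of each, capping a footerless file at its maximum size or at the end of the image.

```python
"""Header/footer file carving over a raw image, the technique Foremost uses
(added example, not Foremost's own code).

The image below is constructed in memory: filler bytes with one JPEG and one
PNG embedded at known offsets, plus a truncated JPEG with no footer, so the
carver's max-size limit is exercised too.
"""
import random

# Foremost-style rules: (header, footer, trailing bytes after footer, max size).
# PNG ends with the IEND chunk followed by its 4-byte CRC, hence trailing=4.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 0, 200),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND", 4, 200),
}


def carve(image, signatures=SIGNATURES):
    """Return [(type, offset, length)] for every header found in the image.

    Each file runs from its header to the next footer (plus any trailing
    bytes the format needs) or, when no footer lies within max_size, to
    max_size or the end of the image, whichever comes first.
    """
    found = []
    for ftype, (header, footer, trailing, max_size) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            window_end = min(len(image), pos + max_size)
            fpos = image.find(footer, pos + len(header), window_end)
            end = fpos + len(footer) + trailing if fpos != -1 else window_end
            found.append((ftype, pos, min(end, len(image)) - pos))
            pos = image.find(header, pos + len(header))
    return sorted(found, key=lambda f: f[1])


def build_sample_image(seed=7):
    """Construct a test image: filler + JPEG + filler + PNG + filler + cut JPEG."""
    rnd = random.Random(seed)

    def filler(n):  # bytes that can never form one of the signatures above
        return bytes(rnd.choice(b"\x00\x20\x41\x7a") for _ in range(n))

    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND" + b"\xaeB`\x82"
    cut_jpeg = b"\xff\xd8\xff\xe1" + b"T" * 20  # no footer: truncated file
    return filler(64) + jpeg + filler(32) + png + filler(16) + cut_jpeg


if __name__ == "__main__":
    for ftype, offset, length in carve(build_sample_image()):
        print(f"{ftype}: offset {offset}, {length} bytes")
```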

August 14, 2003

File Signature Database

Techworld: led by Tripwire, a group of vendors including HP, IBM, Sun and RSA plans to develop a file signature database against which people can verify the integrity of the files in a software package. The database will also be used in potential computer crime investigations.

Tripwire press release

December 21, 2003

Data Forensic

The October issue of SC Magazine has an article on data forensics. It is mainly a product test, but unfortunately covers too few products and reads a bit like an advertisement.

Microsoft publishes port usage information

Available for download in Excel format; system administrators can use it as a reference.

December 23, 2003

CTOSE

CTOSE (Cyber Tools On-Line Search for Evidence) is a research project funded by the European Commission. The purpose of the project is to gather available knowledge from different expert groups on all processes involved in dealing with electronic evidence and to create a methodology on how to deal with electronic evidence that might occur as a result of disputed electronic transactions or other computer related and high-tech crime. This also includes all questions on how to put yourself or your company in a position to be able to deal with computer related incidents. To learn more click on the looking glass in the logo above or follow the link.

Source: Silicon.com

PHLAK

PHLAK (Professional Hacker's Linux Assault Kit) is a new Linux security distribution that includes a series of security testing and forensics tools.

December 24, 2003

British military uses computer forensics

geek.com: In Iraq, one task the British and American militaries are currently carrying out is collecting evidence for the prosecution of war criminals. The UK's LIAG (Land Information Assurance Group) has provided the military with a dedicated piece of equipment, called a "mobile forensics laboratory", used to recover and analyse data from storage devices abandoned or left behind by Saddam's government.

The data recovery equipment provided by LIAG was developed by Ibas UK. It is a computer housed in a case that can be connected to any known electronic storage medium. It uses a series of shareware, freeware, commercial and specialised software and follows international standards to guarantee the integrity of the recovered data, so that it can be used as evidence in prosecutions.

December 29, 2003

Internet Crime Complaint Center

FBI: In an effort to more accurately reflect the wide-ranging nature of on-line complaints being reported, the FBI and the National White Collar Crime Center (NW3C) today announced that the Internet Fraud Complaint Center will now be called the Internet Crime Complaint Center, or “IC3.”

The IC3, which began in May, 2000, is a partnership between the FBI and the NW3C to serve as a vehicle to receive, develop, and refer criminal complaints regarding the rapidly expanding areas of cyber crimes. The IC3 gives the victims of cyber crime a convenient and easy-to-use reporting mechanism for alerting authorities of suspected criminal or civil violations. Within the FBI, the IC3 is a component of the Cyber Division. The name change will not alter the course of business in that the IC3 will continue to emphasize serving the broader law enforcement community and all the key components of the 50 FBI-led Cyber Crime Task Forces throughout the country.

National White Collar Crime Center

NW3C is a US federally funded non-profit organisation whose main mission is to support the investigation and prosecution of economic and high-tech crime; it works closely with the Department of Homeland Security. A site worth following; start with its past research reports.

December 30, 2003

New European hi-tech crime agency

Net4Nowt:

The European Network and Information Security Agency (ENISA) is being set up to fight cybercrime in Europe.

One of the new agency's roles will be to educate the public about security problems including viruses and hacker attacks.

Another of its roles will be to act as co-ordinator for investigations throughout Europe into viruses and cyber attacks.

ENISA will be based in Brussels and will start next year with an initial budget of 24.3m euros (£17m).

January 26, 2004

Snarl

A bootable forensics CD based on FreeBSD, using @stake's TASK and Autopsy tools. The current version is 0.01a, and the project appears to be stalled.

January 27, 2004

Computer forensics certifications

From About.com: training courses and certifications related to computer forensics outside China.

January 31, 2004

Russia: cybercrime doubled in 2003

From CCRC: the fastest-growing forms are illegal access to information, distribution of pirated software and attacks on financial institutions.

About Forensic

This page contains an archive of all entries posted to Antsight From Land in the Forensic category. They are listed from oldest to newest.
