KeyLogger Detection

sapounas
Just Arrived
Joined: 15 Aug 2009
Location: South Carolina

PostPosted: Sun Aug 16, 2009 12:00 am    Post subject: KeyLogger Detection

I have a situation that is stumping me. I had a computer brought to me that the individual suspects has a keylogger on it. I asked them what makes them believe there is one there, and they told me that a new business associate had sent them a .xls document a few weeks back, and that after that not only did their computer slow down tremendously, but they also noticed that he seemed to know everything that was going on through their personal emails. They sent out a fake email, and to their surprise within several minutes the associate was on the phone asking questions that would pertain to the fake situation.

System: Dell Inspiron running Vista Home edition
Of course I have run antispyware software (which catches a minimal amount) and I have also checked processes (which this one seems to hide on top of the startup programs). I have also been checking the logs for outbound traffic; however, I am sure the logger uses port 80 or 443 so this will be hard to determine. Does anyone have any ideas for finding if this keylogger is actually on the system? Is there also a way to look at what IP address the information is being relayed to? I also have the suspected .xls file. Can I check this file to see if this is the spreader?
rlong
Just Arrived
Joined: 06 Mar 2009
Location: Vancouver, Canada

PostPosted: Tue Aug 18, 2009 12:35 am    Post subject:

sapounas,

If your assumption that a keylogger has been planted and is sending keystrokes across the web or a LAN is correct, I suggest you check out www.wireshark.org. Wireshark is a free, open source network protocol analyzer. It may take a bit of reading to get comfortable with it depending on your TCP/IP knowledge but it's a great tool for this type of scenario.

You would be looking for packets being sent by unauthorized/unknown applications or unusual packets being sent by known applications. Filter options can be used to get rid of irrelevant packets (once you figure out what those are) since the number of total packets can be a bit overwhelming. Searching the packets for strings that have been written into emails would be a good tactic as well since your little sting seems to suggest that email keystrokes, if not all keystrokes, are being logged.

I would capture packets for an extended period before performing a traffic analysis since you don't know which keystrokes are logged or how/when they are sent. Maybe it sends all keystrokes in real time. Maybe it saves them up and sends them at regular intervals or maybe it sends them only when requested.

Finally, there are keyloggers that save data to be retrieved physically, by the suspect popping in a USB stick for a few seconds while you're AFK for example, rather than sending it across a network. You didn't state whether physical acquisition of the logged keystrokes may be possible in your scenario, but this is something to consider as it could potentially broaden the scope of your investigation beyond packet analysis.

Keep us posted!


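An added example (not from the thread) of the string search rlong suggests: a small pure-Python libpcap reader that walks the Ethernet/IPv4/TCP frames of a capture and reports the destination IP and port of every packet whose payload carries the phrase planted in the sting email. The capture, the addresses and the canary phrase are all constructed here; this finds the relay destination only when the logger sends in cleartext, since over TLS on 443 the payload is opaque and the capture can at best show which host received traffic right after the sting.

```python
import struct
# Phrase typed only into the fake "sting" email (constructed for this example)
CANARY = b"meeting moved to Thursday"

def build_frame(src, dst, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test data, checksums left at zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dummy MACs, ethertype IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Wrap frames in a classic libpcap file (little-endian magic, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1250000000 + i, 0, len(f), len(f)) + f
    return out

def iter_tcp(pcap):
    """Yield (src_ip, dst_ip, dst_port, payload) for every IPv4/TCP frame in a libpcap byte string."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    off = 24                                               # skip the global header
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                       # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        dport = struct.unpack("!H", tcp[2:4])[0]
        doff = (tcp[12] >> 4) * 4
        yield src, dst, dport, tcp[doff:]

def find_exfil(pcap, canary):
    """Return (dst_ip, dst_port) of every packet whose payload carries the canary phrase."""
    return [(dst, dport) for _, dst, dport, data in iter_tcp(pcap) if canary in data]

# Constructed capture (victim 192.168.1.20; the other addresses are documentation ranges, not
# real hosts): an ordinary web request, then a POST relaying the planted phrase over port 443.
SAMPLE_PCAP = build_pcap([
    build_frame("192.168.1.20", "198.51.100.7", 49152, 80,
                b"GET / HTTP/1.1\r\nHost: news.example\r\n\r\n"),
    build_frame("192.168.1.20", "203.0.113.9", 49153, 443,
                b"POST /u HTTP/1.1\r\nHost: drop.example\r\n\r\nlog=" + CANARY),
])
```

Point `find_exfil` at the bytes of a real capture saved by Wireshark (classic .pcap, not pcapng) to apply the same search to the machine in question.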
capi
SF Senior Mod
Joined: 21 Sep 2003
Location: Portugal

PostPosted: Tue Aug 18, 2009 2:16 am    Post subject:

rlong wrote:
[...] I suggest you check out www.wirehsark.org. Wireshark is a free, open source network protocol analyzer. [...]

You mean www.wireshark.org :)
rlong
Just Arrived
Joined: 06 Mar 2009
Location: Vancouver, Canada

PostPosted: Tue Aug 18, 2009 9:58 pm    Post subject:

Indeed I do. Thanks Israel!