
Finding a Keystroke Logger

(@tmy880)
Eminent Member
Joined: 17 years ago
Posts: 23
Topic starter  

What's the best place to look for a keystroke logger?

I've tried the SOFTWARE hive file using FTK Registry Viewer.

I also ran a dtSearch index search on the case using FTK with all of the main spyware/keystroke-logging software keywords. There were several hits on those words; however, most if not all of the hits were related to antivirus/antispyware programs used to catch those loggers.

Any other ideas?

Thank you


   
(@xennith)
Estimable Member
Joined: 15 years ago
Posts: 177
 

Virtualise the machine.

Open a command prompt.

Type "wmic startup get command,location".

Check the output for suspicious things.

Under Windows 7 and Vista you should be looking into the user hive's startup keys due to UAC. There are also a few very interesting startup options that slip under the radar, DLL includes for example. Don't forget to look at currently running processes as well.

You should also consider using Wireshark to check the virtualised copy's internet traffic for suspicious things, and using something like Process Explorer to look at the mapped DLLs.

Oh, and this is one of the few occasions where a virus scan with a couple of different products is worthwhile.

Why post this in hardware?


   
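As an added example (not part of xennith's post), here is a Python triage pass over the output of the wmic command above, run with `/format:csv` so it can be saved from the VM and parsed offline. The sample output, the hostname, the SID and the file names are all constructed for this example, and the heuristics are this example's own, not a vendor list: binaries launched from user-writable directories, script/DLL hosts such as rundll32 used as loaders (the "DLL include" pattern), per-user HKU autostarts, Startup-folder shortcuts whose real target is hidden inside the .lnk, and names that are near-misses of Windows system binaries but do not live under the Windows directory. Note that `wmic startup` (the Win32_StartupCommand class) only covers the Run/RunOnce keys and Startup folders; AppInit_DLLs, services and scheduled tasks need a separate look.

```python
import difflib
import re

# Constructed sample of `wmic startup get command,location /format:csv` output.
# Hostname, SID and file names are made up for this example.
SAMPLE_WMIC_CSV = r"""
Node,Command,Location
WS01,C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WS01,%windir%\system32\igfxtray.exe,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WS01,C:\Users\jsmith\AppData\Roaming\svch0st.exe,HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WS01,rundll32.exe C:\Users\jsmith\AppData\Local\Temp\kbhook.dll,Install,HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
WS01,notes.lnk,Startup
"""

# Heuristics below are this example's own assumptions, not a vendor signature set.
SYSTEM_NAMES = ["svchost", "lsass", "csrss", "explorer", "winlogon",
                "services", "smss", "spoolsv", "taskhost", "wininit"]
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)
LOADERS = re.compile(r'^"?(rundll32|regsvr32|mshta|wscript|cscript|powershell)(\.exe)?\b', re.I)
WINDOWS_DIR = re.compile(r"(%windir%|%systemroot%|\\Windows\\)", re.I)


def parse_wmic_csv(text):
    """Parse wmic's CSV output into rows of node/command/location.

    wmic does not quote fields, so a command containing a comma (the
    rundll32 <dll>,<entry> form) breaks csv.reader. Node is always the
    first field and Location always the last, so split on the first and
    the last comma instead and keep everything in between as the command.
    """
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Node,"):
            continue
        node, rest = line.split(",", 1)
        command, location = rest.rsplit(",", 1)
        rows.append({"node": node, "command": command.strip(), "location": location.strip()})
    return rows


def triage_row(row):
    """Return the reasons a startup entry deserves a closer look ([] = nothing notable)."""
    cmd, loc = row["command"], row["location"]
    reasons = []
    if USER_WRITABLE.search(cmd):
        reasons.append("launches from a user-writable directory")
    if LOADERS.match(cmd):
        reasons.append("uses a script/DLL host as a loader; inspect the DLL or script it names")
    if not WINDOWS_DIR.search(cmd):
        # Near-miss names (svch0st, lsas.exe) outside the Windows directory.
        for name in re.findall(r"([\w\-]+)\.exe\b", cmd, re.I):
            close = difflib.get_close_matches(name.lower(), SYSTEM_NAMES, n=1, cutoff=0.8)
            if close:
                reasons.append(f"name resembles system binary '{close[0]}' but does not live under the Windows directory")
    if loc.lower() in ("startup", "common startup") and cmd.lower().endswith(".lnk"):
        reasons.append("Startup-folder shortcut: the real target is inside the .lnk, resolve it")
    if loc.upper().startswith("HKU\\"):
        reasons.append("per-user autostart (HKU hive): needs no admin rights, so review every user hive, not just HKLM")
    return reasons


def triage(rows):
    """Rows with at least one reason, in input order."""
    out = []
    for row in rows:
        reasons = triage_row(row)
        if reasons:
            out.append({**row, "reasons": reasons})
    return out


if __name__ == "__main__":
    for finding in triage(parse_wmic_csv(SAMPLE_WMIC_CSV)):
        print(f"{finding['command']}\n  {finding['location']}")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

On the constructed sample the two HKLM entries pass clean and the three per-user entries are flagged; a real run will produce false positives (plenty of legitimate updaters live in AppData), so treat the output as a worklist to check against the process list and loaded DLLs, not a verdict.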
(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

Registry, prefetch and MFT are good places to start, assuming a Windows environment. Virtualising is good; HijackThis logs might give you some insight. Also Process Explorer.


   
markg43
(@markg43)
Trusted Member
Joined: 18 years ago
Posts: 77
 

This is how I do it:

1) Review dead-box forensics for startup stuff that looks out of place (this is experience based); note the program names/paths.
2) Virtualize the machine.
3) In the running VM, use Sysinternals Process Explorer/Process Monitor to search for running processes that look out of place; also check for the ones you noted earlier.
4) Use the Sysinternals Handle utility to query the process IDs of those hinky apps to see what files they have open.

If the logger is NOT a rootkit (or is a bad one), meaning that you can see the process in Task Manager/Process Explorer, then querying the process with Handle will point you straight to the on-disk storage.

Running the ListDLLs utility (Sysinternals) on a process can also give clues; look for loaded keyboard DLLs.

Running the suspect machine in a VM is the best way to find keylog files; they could be anywhere, with any name.

----------

Another idea would be to run the VM (or just use the bare-metal box if it is not a forensic case).

Type some very unique words into an email or Notepad, whatever.

Then shut down the machine, load the drive in forensic software and search for that string.

Cheers


   
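As an added example (not from markg43's post), here is a Python sketch of that last step: after typing a unique canary into Notepad in the VM, scan the raw image for it in the byte forms a Windows logger would plausibly write (UTF-8 and both UTF-16 byte orders, since Windows wide strings are common), carrying an overlap across read boundaries so a hit that straddles two chunks is neither missed nor reported twice. The image is a constructed stand-in that the script builds itself with random filler and three planted hits; the canary string, the log-line prefix and the offsets are made up. Each hit is reported with its sector number, which is what you take to the MFT to find the owning file.

```python
import os
import random
import tempfile

# What the analyst typed into Notepad in the VM: unique, not a dictionary word.
CANARY = "zq8vplx-keylog-canary"
SECTOR = 512


def canary_patterns(canary):
    """Byte forms a Windows logger is likely to have written the typed text in."""
    return {
        "utf-8": canary.encode("utf-8"),
        "utf-16le": canary.encode("utf-16-le"),   # native Windows wide-string form
        "utf-16be": canary.encode("utf-16-be"),
    }


def search_image(path, canary, chunk_size=4 * 1024 * 1024, sector=SECTOR):
    """Scan a raw image for every encoding of `canary`.

    Reads the image in chunks and carries the last (longest pattern - 1) bytes
    over to the next read, so a hit straddling a chunk boundary is still seen,
    and seen exactly once. Returns sorted (offset, encoding, sector) tuples.
    """
    patterns = canary_patterns(canary)
    overlap = max(len(p) for p in patterns.values()) - 1
    hits = []
    base = 0          # image offset of buf[0]
    buf = b""
    with open(path, "rb") as fh:
        while True:
            data = fh.read(chunk_size)
            eof = not data
            buf += data
            # Only report hits that start before `limit`; anything later is
            # re-examined with full context on the next pass.
            limit = len(buf) if eof else max(len(buf) - overlap, 0)
            for enc, pat in patterns.items():
                i = buf.find(pat)
                while 0 <= i < limit:
                    off = base + i
                    hits.append((off, enc, off // sector))
                    i = buf.find(pat, i + 1)
            if eof:
                break
            base += limit
            buf = buf[limit:]
    return sorted(hits)


def build_sample_image(path, canary, chunk_size):
    """Constructed stand-in for a disk image: random filler with the canary
    planted three ways a logger might store it. Returns {hit_offset: encoding}."""
    rnd = random.Random(7)
    img = bytearray(rnd.getrandbits(8) for _ in range(3 * chunk_size))
    prefix = b"2019-03-04 10:12 [notepad.exe] "   # made-up plain-text log line with a window title
    plants = [
        (300, prefix + canary.encode("utf-8"), 300 + len(prefix), "utf-8"),
        (chunk_size - 6, canary.encode("utf-16-le"), chunk_size - 6, "utf-16le"),      # straddles a chunk boundary
        (2 * chunk_size + 100, canary.encode("utf-16-be"), 2 * chunk_size + 100, "utf-16be"),
    ]
    expected = {}
    for off, blob, hit_off, enc in plants:
        img[off:off + len(blob)] = blob
        expected[hit_off] = enc
    with open(path, "wb") as fh:
        fh.write(img)
    return expected


def demo(chunk_size=4096):
    """Build the sample image in a temp dir, scan it, return (planted, hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.dd")
        planted = build_sample_image(path, CANARY, chunk_size)
        hits = search_image(path, CANARY, chunk_size=chunk_size)
    return planted, hits


if __name__ == "__main__":
    planted, hits = demo()
    for off, enc, sec in hits:
        print(f"offset {off:#x} sector {sec} encoding {enc}")
```

Run it against the full physical image rather than a logical copy, so unallocated space is covered. A hit inside pagefile.sys or hiberfil.sys is memory residue from the typing session, not the logger's output file; a hit in an allocated cluster elsewhere is the one to map back through the MFT.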
(@wompa164)
Active Member
Joined: 16 years ago
Posts: 6
 

A physical memory dump of the machine would be a good place to start, loaded into your favorite memory analysis tool. Relying on process lists alone might not be enough, as processes can be hidden/subverted, and malware can easily take the name of routine Windows processes, which might prevent you from spotting it unless you look carefully.


   
(@rhouse)
Active Member
Joined: 15 years ago
Posts: 7
 

If you are looking for a tool that is good for finding them, use Gargoyle by WetStone Technologies.


   