I found a PS/2 hardware keystroke logger attached to a client's machine. Simple device with a 16Mb NVRAM chip on it (no wireless or network attachment).
Any recommendations on how to image it?
If the image turns out to be unencrypted, then great, I probably have what I need. But if it's an encrypted image, is there software available that could perhaps brute force the password and work out exactly what data has been logged and is 'at risk'?
Does it happen to indicate the manufacturer of the unit?
These units generally record information in a txt file that then needs to be downloaded with an associated program or by initiating a keyboard command or password command when installed.
Because of the hardware interface these use you would not typically mount the device as an assignable drive letter for acquisition.
Depending on the type, some of the ps2 keyloggers are supplied with a special usb adapter to appear as a standard usb drive; if this were present or could be obtained, this could then be connected by your standard forensic usb drive capture method for imaging. Otherwise, it's probably desoldering the flash/eeprom and taking a binary copy using an eeprom reader.
I've not opened and analysed one of these devices; I know several say "128-bit encryption" or the like, but whether they use a fixed key, a randomly selected key stored on the flash drive, a key based on user-entered password etc, I don't know, and the difficulty of obtaining the decrypted data will likely depend on that, which will vary by manufacturer. In that case, unless the manufacturer will provide any suitable application/information you would probably need to write a small app, but if the format and key methods are known this could be done reasonably simply.
I would suggest obtaining one or two identical devices if possible and experimenting, setting them up with different passwords and/or burning the same image into their flash and typing a few extra known keys to see how the data changes to identify the required information. I have used this approach successfully previously to decrypt data held within bespoke rogue devices (not keylogger-related).
Phil.
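The differential approach Phil describes (burn the same image, type a few known keys, compare) can be automated once two binary dumps are in hand from the EEPROM reader. This is an added example, not code from the thread: the dumps are constructed (an erased 0xFF flash with a short log at an assumed offset of 0x20), and the verdict rests on printability only, since a handful of bytes is too few for entropy to separate ciphertext from text.

```python
import math
from typing import Dict, List, Tuple

# Constructed sample dumps: a 256-byte erased (0xFF) flash holding a short
# plaintext log at offset 0x20 (assumed layout, not any real device's format).
_LOG_OFFSET = 0x20
_OLD_LOG = b"hello world\r\n"
_NEW_KEYS = b"typed keys"          # the "few extra known keys" typed afterwards

BEFORE_DUMP = bytearray(b"\xff" * 256)
BEFORE_DUMP[_LOG_OFFSET:_LOG_OFFSET + len(_OLD_LOG)] = _OLD_LOG
AFTER_DUMP = bytearray(BEFORE_DUMP)
_end = _LOG_OFFSET + len(_OLD_LOG)
AFTER_DUMP[_end:_end + len(_NEW_KEYS)] = _NEW_KEYS

def changed_regions(before: bytes, after: bytes, gap: int = 4) -> List[Tuple[int, int]]:
    """(offset, length) spans where the dumps differ; runs closer than `gap` bytes merge."""
    if len(before) != len(after):
        raise ValueError("dumps must be the same size")
    regions, start, last = [], None, None
    for i, (a, b) in enumerate(zip(before, after)):
        if a == b:
            continue
        if start is not None and i - last > gap:
            regions.append((start, last - start + 1))
            start = None
        if start is None:
            start = i
        last = i
    if start is not None:
        regions.append((start, last - start + 1))
    return regions

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(v) for v in set(data))) if n else 0.0

def printable_ratio(data: bytes) -> float:
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data) if data else 0.0

def analyze(before: bytes, after: bytes) -> List[Dict]:
    """Locate where the known keystrokes landed and report whether they read as plaintext."""
    out = []
    for off, ln in changed_regions(before, after):
        chunk = bytes(after[off:off + ln])
        pr = printable_ratio(chunk)
        out.append({"offset": off, "length": ln, "printable_ratio": round(pr, 2),
                    "entropy_bits": round(shannon_entropy(chunk), 2),
                    "verdict": "plaintext" if pr >= 0.9 else "not plaintext (encrypted or custom encoding)"})
    return out

if __name__ == "__main__":
    for region in analyze(BEFORE_DUMP, AFTER_DUMP):
        print(region)
```

A region whose length matches the number of keys typed but whose bytes are not printable points at a per-byte encoding or cipher; a length that differs suggests framing such as timestamps around each key.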
Any recommendations on how to image it?
The way most of the PS/2 adapters work is that they sit inline with the keyboard, and look for an activation sequence - a password to access the device.
To access the contents, you open a notepad and then in the notepad you type the password - then (and this is always a bit freaky the first time you see it) it will type out a menu, such as
1 - view memory
2 - erase memory
3 - change password
etc…
At that point, if you select 1, it will dump all the contents into the notepad.
So you need to find the password - you could always check the websites,
http//
From the hardware side, most of these units are sealed, and you would probably destroy it by trying to open the case.
The good news is that if it is one of the larger memory models, it may have Time & Date Stamping and Time of Use Charts.
Let us know what you find.
bj