Hey guys,
I have a hard drive processed through FTK. I came across a keylogger someone installed on the computer in question. I also came across the log file and screenshots which indicate that it was set up to send data via email. I have the email address. Any way I can see if these emails have been sent, or at least attempted?
Note: the computer is running Windows XP and the keylogger is BlazingTools Perfect Keylogger.
Thank you in advance.
Depends on how the keylogger was sending the emails.
If it was using Outlook then there may be copies of the emails in the PST/OST file; if it was using FTP (the website claims this is possible) then it may be a bit tougher.
Are you able to see the email address the logs were being sent to in the configuration settings of the keylogger?
If so searching based on that email address may yield some results.
It'll mostly depend on how the tool handles email sending. If it has its own built-in SMTP client, then your only option would be investigating the logs (if any) saved by the keylogger. If, however, it uses a default SMTP application (e.g. Outlook, Windows Mail, Live Mail etc.) to send emails, you can try looking through their "Sent Items" folders.
However, considering the nature of the keylogger, I find it far more likely that it uses a built-in client and saves no logs at all, which would mean there are no traces of any sent messages left on a local PC.
Chances are it sends email during downtime (a guess). Therefore you may find something in volatile-related places (page file, hiberfil.sys).
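The search suggested in the replies above, namely hunting for the configured destination address across the image and the page file/hibernation file, as an added example that is not part of the original thread. It carves the address out of raw bytes in both its ASCII form and the UTF-16LE form Windows commonly uses for registry and in-memory strings, which a plain ASCII keyword search would miss. The sample bytes and any file path are constructed for illustration, not real evidence.

```python
# Added example (not from the thread): carve a known e-mail address out of raw evidence
# bytes, such as an FTK raw image, pagefile.sys or hiberfil.sys, matching both the ASCII
# form and the UTF-16LE form Windows typically uses for registry and in-memory strings.
# The sample bytes below are constructed, not real evidence.
import re
import sys

CONTEXT = 32   # bytes of context shown on each side of a hit


def patterns_for(address):
    """The byte patterns the address may be stored as on a Windows XP system."""
    return {"ascii": address.encode("ascii"), "utf-16le": address.encode("utf-16-le")}


def find_address(data, address):
    """Return sorted (offset, encoding) pairs for every occurrence of the address in data.

    Matching is case-insensitive: mail addresses are usually treated that way and the
    operator may have typed the address into the keylogger's config in mixed case.
    """
    hits = []
    for name, pattern in patterns_for(address).items():
        for m in re.finditer(re.escape(pattern), data, re.IGNORECASE):
            hits.append((m.start(), name))
    return sorted(hits)


def context_for(data, offset, address, encoding, width=CONTEXT):
    """Printable text around a hit, decoded in the encoding the hit was found in."""
    hit_len = len(patterns_for(address)[encoding])
    start, end = max(0, offset - width), min(len(data), offset + hit_len + width)
    if encoding == "utf-16le" and (offset - start) % 2:
        start += 1                      # keep 2-byte alignment so the decode lines up
    codec = "utf-16-le" if encoding == "utf-16le" else "latin-1"
    text = data[start:end].decode(codec, errors="replace")
    return "".join(ch if ch.isprintable() else "." for ch in text)


def scan_file(path, address, chunk_size=64 * 1024 * 1024):
    """Scan a large file in chunks, carrying an overlap so boundary-straddling hits survive."""
    overlap = 2 * len(address)          # long enough for the UTF-16LE form of the address
    seen, base, tail = set(), 0, b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                break
            data = tail + block         # data[0] sits at absolute offset base - len(tail)
            for off, enc in find_address(data, address):
                abs_off = base - len(tail) + off
                if abs_off not in seen: # hits inside the overlap were already reported
                    seen.add(abs_off)
                    yield abs_off, enc, context_for(data, off, address, enc)
            base += len(block)
            tail = data[-overlap:]


# Constructed stand-in for a slice of an image: the address once in ASCII (a config line)
# and once in UTF-16LE with different case (as a Windows registry value might hold it).
SAMPLE_IMAGE = (b"\x00" * 16
                + b"smtp_to=dropbox@example.net\r\n"
                + b"\x00" * 8
                + "Dropbox@Example.net".encode("utf-16-le")
                + b"\x00" * 16)

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <image-or-pagefile> <email-address>")
    for abs_off, enc, ctx in scan_file(sys.argv[1], sys.argv[2]):
        print(f"0x{abs_off:08x} {enc:8s} {ctx}")
```

Run it against the raw image, then again against pagefile.sys and hiberfil.sys exported from the image; an address that only shows up in UTF-16LE near registry-looking text points at the keylogger's stored configuration, while a hit inside an SMTP envelope (MAIL FROM / RCPT TO) in the page file is the kind of trace a send attempt would leave.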
I seem to remember from the website that by default it wants to use your own SMTP, as it states you can get those details from your ISP if you don't know them. Then it goes on to say that if this doesn't work you can use FTP.
Nothing is mentioned about it having its own SMTP server.
You could potentially learn a lot about it by creating a virtual machine out of the forensic image in a sandboxed environment with internet access and conducting packet capturing and analysis, looking for suspicious network connections and/or SMTP activity.
If you didn't want to do that with your actual evidence image, you could just install that keylogger into a VM'd box and monitor it. Find out what installs with it, what it does when it fires up, and finally, what it does when it tries to connect out.
Tim Moniot
Las Vegas Metro Police Dept
May I suggest a slightly different idea: determine if the installed key logger is configured to email the key logs.
You can do this by virtualising the image (use LiveView and VMware), then hook it up to INetSim to act as an email server. This will prevent you from connecting to the Internet and allow you to monitor all outbound traffic from the virtual machine. If the key logger is configured to email key logs then at some point you will catch it emailing them out to the 'pretend' Internet (INetSim). I have done this with success in the past.
Hope that helps
Cheers
TJ
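The fake mail server side of the INetSim approach described in the last reply, as an added example that is neither part of the thread nor INetSim's own code. It is a minimal SMTP "sink" in the same spirit: it answers yes to every greeting, login, sender and recipient, records the credentials, envelope and body, and relays nothing, so whatever the virtualised XP box tries to send lands in the capture. The hostname, the listening port and the scripted client transcript are constructed for illustration.

```python
# Added example (not from the thread and not INetSim's code): a tiny SMTP "sink" in the
# spirit of INetSim's smtp service. It accepts any client, login, sender and recipient,
# records the credentials, envelope and body, and never relays. The hostname, the port
# and the sample client transcript are constructed for illustration.
import base64
import socket


class SmtpSink:
    """Minimal SMTP state machine that says yes to everything and keeps what it is sent."""

    def __init__(self, hostname="inetsim.example"):
        self.hostname = hostname
        self.in_data = False
        self.auth_step = 0      # 0 idle, 1 waiting for AUTH LOGIN user, 2 waiting for password
        self.auth = None        # (username, password) once the client authenticates
        self.captured = []      # one dict per completed message
        self._reset()

    def _reset(self):
        self.mail_from, self.rcpt_to, self.body = None, [], []

    def greeting(self):
        return f"220 {self.hostname} ESMTP ready"

    def feed(self, line):
        """Handle one CRLF-stripped client line; return the reply, or None while inside DATA."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.captured.append({"from": self.mail_from, "to": self.rcpt_to,
                                      "body": "\r\n".join(self.body)})
                self._reset()
                return "250 OK: message captured"
            # RFC 5321 dot-stuffing: a body line that began with "." was sent as ".."
            self.body.append(line[1:] if line.startswith("..") else line)
            return None
        if self.auth_step == 1:
            self._user = base64.b64decode(line).decode("latin-1")
            self.auth_step = 2
            return "334 UGFzc3dvcmQ6"        # base64("Password:")
        if self.auth_step == 2:
            self.auth = (self._user, base64.b64decode(line).decode("latin-1"))
            self.auth_step = 0
            return "235 Authentication successful"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):    # advertise AUTH so the client hands over its credentials
            return f"250-{self.hostname}\r\n250 AUTH LOGIN"
        if verb == "AUTH":              # only AUTH LOGIN is modelled here
            self.auth_step = 1
            return "334 VXNlcm5hbWU6"        # base64("Username:")
        if verb == "MAIL":
            self.mail_from = arg.partition(":")[2].strip()
            return "250 OK"
        if verb == "RCPT":
            self.rcpt_to.append(arg.partition(":")[2].strip())
            return "250 OK"
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "STARTTLS":          # refuse TLS so the session stays readable in the pcap
            return "454 TLS not available"
        if verb == "QUIT":
            return "221 Bye"
        if verb == "RSET":
            self._reset()
        return "250 OK"                 # RSET, NOOP and anything else: keep the client going


def replay(client_lines):
    """Feed a scripted client transcript to a fresh sink; returns (server replies, sink)."""
    sink = SmtpSink()
    replies = [sink.greeting()]
    for line in client_lines:
        reply = sink.feed(line)
        if reply is not None:
            replies.append(reply)
    return replies, sink


def serve(host="0.0.0.0", port=2525):
    """Blocking listener for the lab network: one client at a time, prints what was captured."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        while True:
            conn, peer = srv.accept()
            sink = SmtpSink()
            with conn, conn.makefile("rb") as rd:
                conn.sendall((sink.greeting() + "\r\n").encode())
                for raw in rd:
                    reply = sink.feed(raw.decode("latin-1").rstrip("\r\n"))
                    if reply is not None:
                        conn.sendall((reply + "\r\n").encode())
                        if reply.startswith("221"):
                            break
            print(f"{peer[0]}: auth={sink.auth} messages={sink.captured}")


# Constructed transcript of a mail-sending keylogger talking to the sink (illustrative only).
CONSTRUCTED_SESSION = [
    "EHLO victim-xp",
    "AUTH LOGIN",
    base64.b64encode(b"keylog@example.net").decode(),
    base64.b64encode(b"s3cret").decode(),
    "MAIL FROM:<keylog@example.net>",
    "RCPT TO:<dropbox@example.net>",
    "DATA",
    "Subject: keystrokes",
    "..this line started with a dot",
    "typed text here",
    ".",
    "QUIT",
]
```

In the lab, point the VM's DNS and default route at the host running this (or at INetSim itself) and run `serve(port=25)` as a user allowed to bind port 25; the AUTH LOGIN credentials the keylogger presents are often the investigator's best lead, since they identify the mail account the operator controls. `replay(CONSTRUCTED_SESSION)` shows the full exchange offline without any network.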