
Keyloggers

(@jacquesvr1)
Topic starter  

Hi, I have been doing forensics for quite some time and have now for the first time received a case involving keyloggers. The 'suspect' alleges that keyloggers have been installed on the machine. I have been handed .E01 images of the drive. I have used FTK to do the analysis. I find what looks like traces of keylogger activity in the FreeDriveSpace and FileSlack. I can't seem to find any traces of the actual keylogger app. Does anyone have any suggestions? Thanx.

(@keeper)

Why don't you mount the image and use an anti-virus tool? And after detecting the keylogger, locate where the logs are stored.

(@keydet89)

Couple of questions…

First, what do the "traces of keylogger activity" look like? How are you differentiating these traces from traces of other activity?

Which OS is the image?

If this is a keylogger and you did, in fact, find traces on the drive, then it is/was likely a software-based keylogger, which means that an application and driver had to have been installed. You can look for traces of this in the Registry (System hive file, under "Services"), for example. You might also find indications of the installation in user profiles/NTUSER.DAT files. If the Windows version is XP, you might also find very relevant information in Restore Points.

At this point, it would be much easier to provide advice if you could narrow down the focus a bit.

Thanks.

(@spcavana)

A popular keylogger is eBlaster from Spectorsoft (www.spectorsoft.com). I teach a class on the product and it is almost undetectable. It uses random file extensions and sigs, so it is very difficult to find. It also deletes any signs of installation and even any internet searches/activity that has to do with it. The best way to see if it is installed is to press 'ctrl+shift+alt+t' on the actual machine or to install a firewall and make it have the most strict settings possible. The program sends out e-mail reports via https port 443, which is usually left open by firewalls. You can also try egress filtering (showing everything your computer sends out); if you have eBlaster on the target machine, it will only show up as explorer.exe attempting to send the info out. Keyloggers are tricky… good luck!

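Added example (not code from this thread or from Spectorsoft): the egress check described in the post above, reduced to something you can run over captured output. It assumes you have the text of `netstat -ano` and a PID-to-image map from `tasklist`, taken on the live machine or on the image booted in a VM; the netstat lines, the PIDs and the 203.0.113.x upload host below are constructed, and the list of processes that "should not talk out" is an assumption you tune to the box under review.

```python
"""Egress triage over captured netstat/tasklist output (added example)."""
import ipaddress

# Assumption for this example: processes that on an XP-era workstation
# should not open outbound Internet connections on their own.  svchost.exe
# is deliberately absent because it legitimately talks out.
NO_EGRESS_EXPECTED = {"explorer.exe", "winlogon.exe", "csrss.exe",
                      "lsass.exe", "smss.exe"}

# Ports an egress filter usually leaves open, i.e. the ports a logger that
# uploads its reports over HTTPS would pick.
WATCHED_PORTS = {25, 80, 443}

# RFC 1918 spelled out: ipaddress.is_private/is_global also treat the
# RFC 5737 documentation range used in the constructed sample as
# non-public, which would hide the hit we want to see.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(host: str) -> bool:
    """True for an address outside the LAN (not RFC 1918, loopback, etc.)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # '*' or an unresolved hostname
        return False
    if ip.is_unspecified or ip.is_loopback or ip.is_link_local or ip.is_multicast:
        return False
    return not any(ip in net for net in RFC1918)


def parse_netstat(text: str) -> list:
    """Turn `netstat -ano` lines into (proto, remote_host, remote_port, state, pid).

    TCP rows have five columns, UDP rows four (no State column)."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue                      # banner, header, blank line
        if fields[0] == "TCP" and len(fields) == 5:
            _local, remote, state, pid = fields[1:]
        elif fields[0] == "UDP" and len(fields) == 4:
            _local, remote, pid = fields[1:]
            state = ""
        else:
            continue
        host, _, port = remote.rpartition(":")   # also splits [v6]:port
        rows.append((fields[0], host.strip("[]"), port, state, int(pid)))
    return rows


def suspicious_egress(netstat_text: str, pid_to_image: dict) -> list:
    """Return (image, pid, remote, state) where a process that should stay
    local is talking to an external host on a watched port.  A logger
    piggybacking on explorer.exe shows up exactly like this."""
    hits = []
    for proto, host, port, state, pid in parse_netstat(netstat_text):
        image = pid_to_image.get(pid, "?").lower()
        if image not in NO_EGRESS_EXPECTED:
            continue
        if not port.isdigit() or int(port) not in WATCHED_PORTS:
            continue
        if not is_external(host):
            continue
        hits.append((image, pid, f"{host}:{port}", state or proto))
    return hits


# Constructed sample output; 203.0.113.0/24 stands in for a real upload host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       920
  TCP    192.168.1.5:1042       192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.5:1077       203.0.113.25:443       ESTABLISHED     1320
  TCP    192.168.1.5:1078       203.0.113.9:80         ESTABLISHED     2280
  TCP    192.168.1.5:1079       203.0.113.25:443       SYN_SENT        1320
  UDP    0.0.0.0:123            *:*                                    1024
"""
SAMPLE_TASKLIST = {4: "System", 920: "svchost.exe", 1024: "svchost.exe",
                   1320: "explorer.exe", 2280: "iexplore.exe"}


def demo() -> list:
    return suspicious_egress(SAMPLE_NETSTAT, SAMPLE_TASKLIST)


if __name__ == "__main__":
    for image, pid, remote, state in demo():
        print(f"{image} (pid {pid}) -> {remote} [{state}]")
```

On the constructed sample only the two explorer.exe connections to 203.0.113.25:443 are flagged; the browser's port-80 session and the SMB session to the LAN are not. A hit here is a lead, not proof: confirm it by capturing the session on the wire or by tracing which module inside explorer.exe opened the socket.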
(@ddewildt)

Hi,

I'd echo the AV and Registry advice. Also suggest looking in the Run Key of the registry for run-of-the-mill malware keyloggers.

If you can, I'd also try to get the image up and running in a segregated lab environment (a VM is probably easiest) and do some live behavioral analysis too. Suggest things like procexp, HijackThis, TCPView, etc. to see what is happening.

Also, doing things like eliminating legit OS files through hash sets will narrow down your searches a little.

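Added example (not code from this thread): the hash-set elimination suggested above, written so it runs against a mounted image root. It assumes the .E01 has been mounted read-only and that you have an NSRL-style CSV of known-good SHA-1s to compare against; the mini "image" and the one-line hash set built by `demo()` are constructed stand-ins, as are the file names in it. It also keeps any file that starts with an MZ header, whatever its extension, since a logger renamed to .tmp or .dat still has to be a PE to run.

```python
"""Hash-set elimination over a mounted image (added example)."""
import csv
import hashlib
import io
import os
import tempfile
from pathlib import Path

# Extensions worth triaging for a software keylogger: an installed logger
# has to leave an executable and usually a driver behind.
EXECUTABLE_EXT = {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx"}


def sha1_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so large binaries do not land in memory at once."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_pe(path: Path) -> bool:
    """True if the file starts with the MZ DOS stub, regardless of extension."""
    with path.open("rb") as f:
        return f.read(2) == b"MZ"


def load_hashset(csv_text: str) -> set:
    """Parse an NSRL RDS-style CSV (quoted fields, header row, SHA-1 first)."""
    known = set()
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or row[0] == "SHA-1":
            continue
        known.add(row[0].lower())
    return known


def unknown_binaries(root: Path, known: set) -> list:
    """Walk the mounted image and return (relative path, sha1) for every
    executable or MZ-headed file whose hash is not in the known-good set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in EXECUTABLE_EXT and not is_pe(p):
                continue
            digest = sha1_of(p)
            if digest not in known:
                hits.append((p.relative_to(root).as_posix(), digest))
    return sorted(hits)


def demo() -> list:
    """Build a constructed mini-image in a temp dir (stand-in for the mounted
    E01) and return the relative paths the scan leaves over."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sys32 = root / "WINDOWS/system32"
        temp = root / "Documents and Settings/user/Local Settings/Temp"
        (sys32 / "drivers").mkdir(parents=True)
        temp.mkdir(parents=True)
        good = b"MZ\x90\x00constructed stand-in for notepad.exe\n"
        (sys32 / "notepad.exe").write_bytes(good)                      # known
        (sys32 / "drivers/kbdhook.sys").write_bytes(b"MZ\x90\x00unknown driver\n")
        (temp / "~df3a.tmp").write_bytes(b"MZ\x90\x00renamed PE\n")   # odd ext
        (root / "Documents and Settings/user/readme.txt").write_bytes(b"text\n")
        # Constructed one-entry hash set covering only the stand-in notepad.exe.
        csv_text = '"SHA-1","FileName"\n"%s","notepad.exe"\n' % hashlib.sha1(good).hexdigest()
        known = load_hashset(csv_text)
        return [path for path, _ in unknown_binaries(root, known)]


if __name__ == "__main__":
    for path in demo():
        print(path)
```

Point `unknown_binaries()` at the real mount point and at a full RDS export and the remaining list is your triage queue; check the survivors against the Services and Run keys from the earlier replies rather than treating an unknown hash as malicious on its own.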
(@ronanmagee)

A popular keylogger is eBlaster from Spectorsoft (www.spectorsoft.com).

Good analysis of this program here: http://www.forensickb.com/

(@sleepparalysis)

I second ddewildt's response. You can convert the E01 images to DD with FTK and then load the DD images in Live View with VMWare. Then you can run all the live forensics stuff you need.

To load the system you might have to use some sort of Windows Genuine Advantage/Product Activation bypass to log into the machine. You can find applications like that through Google.

The method I would use is at the Product Activation screen after you try logging in, press Windows Key + U to bring up Microsoft Narrator.

Then from the help menu you should be able to find a hyperlink that opens a web browser. You can run the activation bypass that's on your thumb drive from the address field in the browser.

Works like a charm. Gotta love Microsoft.

If you have the original product key you could do the phone activation and spend 30 minutes and possibly multiple attempts to activate the system as well. I believe you can also use another legitimate product key.

If it's a typical XP system and the user's password is under 14 characters, you can extract an LM password hash from the SAM for the user account and find the plaintext password pretty quickly with rainbow tables.
