Hello,
I have a laptop where the KGB Spy keylogger has been installed.
The keylogger sends keystrokes via email to a specified email address or the specified FTP address.
The configuration files seem to be encrypted. I was wondering if anyone had to deal with such a keylogger.
Any help regarding how to extract information regarding the destination email or FTP addresses.
Thanks
nash
I'm going to nurture my inner-Harlan here and ask what OS that you're working on.
How about looking at an image of the RAM and finding the process of the keylogger then backtracking from that process and looking at the IP that the program is listening/receiving from.
I know FTK 3.0 can easily do this; not sure about other software.
I'm going to nurture my inner-Harlan here and ask what OS that you're working on.
Windows Vista Ultimate
Just a guess, but the machine has probably been turned off already.
Right………. Technicalities…….. oops
Any help regarding how to extract information regarding the destination email or FTP addresses.
Can you make a live image and run Wireshark?
Just a guess, but the machine has probably been turned off already.
Yes, the machine was turned off, so we only have a physical image of the hard drive.
Just a guess, but the machine has probably been turned off already.
Yes, the machine was turned off, so we only have a physical image of the hard drive.
Try booting the image with LiveView (or use Volume Shadow on the machine locally if you have one) and see if you can get some SMTP or FTP data via Wireshark. This should at least point you to a suspect e-mail and/or IP address.
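As an added illustration of the approach in the reply above (not code from anyone in this thread), here is a small Python script that does what you would otherwise do by hand with "Follow TCP Stream" in Wireshark: reassemble the SMTP and FTP flows the booted image produces and pull out the recipient address and the FTP server/login the keylogger reports to. The segment list, IP addresses, mailbox and username are constructed sample values, not real indicators.

```python
import re
from collections import defaultdict

# Constructed sample traffic: (src_ip, dst_ip, dst_port, payload) tuples standing
# in for the TCP segments Wireshark would capture from the booted image.
# All addresses and names below are hypothetical.
SAMPLE_SEGMENTS = [
    ("192.168.1.20", "203.0.113.5", 25, b"EHLO laptop\r\nMAIL FROM:<victim@laptop.local>\r\n"),
    ("192.168.1.20", "203.0.113.5", 25, b"RCPT TO:<logs@example.net>\r\nDATA\r\n"),
    ("192.168.1.20", "198.51.100.9", 21, b"USER dropaccount\r\nPASS notshown\r\n"),
    ("192.168.1.20", "198.51.100.9", 21, b"STOR keylog_2009-10-01.txt\r\n"),
    ("192.168.1.20", "192.168.1.1", 53, b"\x00\x01unrelated"),  # non-SMTP/FTP, ignored
]

# SMTP envelope commands carry the sender and the exfiltration recipient.
SMTP_RE = re.compile(rb"^(MAIL FROM|RCPT TO):\s*<?([^>\r\n]+)>?", re.I | re.M)
# FTP login and upload commands show the account used and the file dropped.
FTP_RE = re.compile(rb"^(USER|STOR)\s+(\S+)", re.I | re.M)


def reassemble(segments):
    """Concatenate payloads per (src, dst, port) flow, in capture order,
    mimicking Wireshark's Follow TCP Stream view."""
    flows = defaultdict(bytes)
    for src, dst, port, payload in segments:
        flows[(src, dst, port)] += payload
    return flows


def extract_exfil_targets(segments):
    """Return the SMTP recipients and FTP servers/commands seen in the traffic."""
    findings = {"smtp": [], "ftp": []}
    for (src, dst, port), data in reassemble(segments).items():
        if port == 25:
            for cmd, addr in SMTP_RE.findall(data):
                findings["smtp"].append(
                    {"server": dst, "cmd": cmd.decode().upper(), "addr": addr.decode()})
        elif port == 21:
            for cmd, arg in FTP_RE.findall(data):
                findings["ftp"].append(
                    {"server": dst, "cmd": cmd.decode().upper(), "arg": arg.decode()})
    return findings


if __name__ == "__main__":
    for proto, hits in extract_exfil_targets(SAMPLE_SEGMENTS).items():
        for hit in hits:
            print(proto, hit["server"], hit["cmd"], hit.get("addr", hit.get("arg")))
```

With a real capture, export the SMTP and FTP streams from Wireshark (or feed it a pcap parser's output in the same tuple shape) and the RCPT TO and USER/STOR entries give you the destination mailbox and FTP host to follow up on.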