Does anyone use or recommend any particular software for remote monitoring of computers?
What I'm looking for is a utility to be able to monitor and record what someone does on a computer for evidential purposes, probably without their knowledge or suspicion that anything is being monitored.
Spector CNE for corporate networks.
Caution: Make sure you are not violating any laws applicable to the jurisdiction where the subject is located. Have written consent from the requester of this task. Also read the disclaimer by Spectorsoft.
Hi Jon, Nick F here.
Yeah, I concur with Spector CNE, good tool and not too expensive for what it is. A lot depends on what you are trying to achieve, in what environment and the privacy laws associated with it.
Coming from a Corporate Fraud background I've come across this a few times, so if you want to give me a call you know where I am. If you feel like a project you can build your own stealth tool using a number of different rootkits - take a look at http://www.rootkit.com/project.php?id=12.
All depends what you are trying to do though.
I, too, have a lot of experience with Spector CNE. I concur that it is an excellent tool but does have its quirks. However, for evidentiary purposes, I would instead use the tool as an alarm to then acquire the drive using whatever Forensic methods that you have. I have not read many cases where Spector was used to provide proof of wrongdoing, and I am not too sure how the courts will see it. I have used it to alert me when an acquisition is required. Really cool Document tracking and email alerting features.
But, you can always be the first to use it in court. 😉
Prodiscover Investigator from techpathways is always a good choice to collect event data and evidence remotely and in a forensically sound manner. So use Spector CNE to collect event data and use Prodiscover to acquire it.
I'm with you guys on the subject of collecting event data and then going for an acquisition.
Acquisition is not going to be a problem for us, we work in LE and can just go and seize the box if we need it!! Should we need to acquire it across a network we also have EnCase FIM.
Acquisition, however, isn't going to get us what we need.
The problem we have is Instant Messaging services that leave no real trace of the content of conversation, and the conversation could be the only evidence of any wrongdoing, so what we need is the ability to monitor and record the conversations taking place on targeted machines.
Aside from the technical aspects of doing it anyway, there are legal implications for what we are doing, but I'm just researching the techy bits.
Thanks for all your replies.
I recommend the honeynet sebek project. It was written for these kinds of purposes, tracking the user without him suspecting anything. This tool is capable of grabbing key logs, secure session and downloads, …etc. It uses rootkit technology to hide itself.