KeyLogger Detection

Networking/Security Forums -> Computer Forensics and Incident Response

Author: sapounasLocation: South Carolina PostPosted: Sun Aug 16, 2009 12:00 am    Post subject: KeyLogger Detection
I have a situation that is stumping me. I had a computer brought to me that the indivdual suspects has a keylogger on it. I asked them what makes them believe there is one there, and they told me that a new business associate had sent them a .xls document a few weeks back, and that after that not only did there computer slow down tremendously, but they also noticed that he seemed to know everything that was going on through their personal emails. They sent out a fake email, and to their suprise within several minutes the associate was on the phone asking questions that would pertain to the fake situation.

System: Dell Inspirion running Vista Home edition
Of course I have ran antispyware software (which catches a minimal amount) and I have also checked processes (which this one seems to hide on top of the startup programs), I hav also been checking the logs for outbound traffic, however I am sure the logger uses port 80 or 443 so this will be hard to determine. Does anyone have any ideas for finding if this keylogger is actually on the system? Is there also a way to look at what IP address the informatio is being relayed to? I also have the suspected .xls file. Can I check this file to see if this is the spreader?

Author: rlongLocation: Vancouver, Canada PostPosted: Tue Aug 18, 2009 12:35 am    Post subject:

If your assumption that a keylogger has been planted and is sending keystrokes across the web or a LAN is correct, I suggest you check out Wireshark is a free, open source network protocol analyzer. It may take a bit of reading to get comfortable with it depending on your TCP/IP knowledge but it's a great tool for this type of scenario.

You would be looking for packets being sent by unauthorized/unknown applications or unusual packets being sent by known applications. Filter options can be used to get rid of irrelevant packets (once you figure out what those are) since the number of total packets can be a bit overwhelming. Searching the packets for strings that have been written into emails would be a good tactic as well since your little sting seems to suggest that email keystrokes, if not all keystrokes, are being logged.

I would capture packets for an extended period before performing a traffic analysis since you don't know which keystrokes are logged or how/when they are sent. Maybe it sends all keystrokes in real time. Maybe it saves them up and sends them at regular intervals or maybe it sends them only when requested.

Finally, there are keyloggers that save data to be retrieved physically, by the suspect popping in a usb for a few seconds while you're AFK for example, rather than sending it across a network. You didn't state whether physical acquisition of the logged keystrokes may be possible in your scenario but this is something to consider as it could potentially broaden the scope of your investigation beyond packet analysis.

Keep us posted!

Last edited by rlong on Tue Aug 18, 2009 10:06 pm; edited 3 times in total

Author: capiLocation: Portugal PostPosted: Tue Aug 18, 2009 2:16 am    Post subject:
rlong wrote:
[...] I suggest you check out Wireshark is a free, open source network protocol analyzer. [...]

You mean Smile

Author: rlongLocation: Vancouver, Canada PostPosted: Tue Aug 18, 2009 9:58 pm    Post subject:
Indeed I do. Thanks Israel!

Networking/Security Forums -> Computer Forensics and Incident Response

output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group