dfm covers
 
 

Detecting Computer Monitoring and Commercial Spyware Applications

Written by DFM team

Detecting Computer Monitoring and Commercial Spyware Applications  

by Bill Dean


Personally, I contend that digital forensics is one of the most interesting and challenging technical disciplines available today. While television shows and movies fail to demonstrate the capabilities we really possess, they do bring light to the value we add in determining facts that may be otherwise unavailable in both civil and criminal matters. Many times as computer forensic analysts we are asked to answer questions such as “Did the suspect steal this information?” or “How did the intruders get into our system and what did they take?” From time to time, we are also asked questions such as “Ho w do they know everything I am doing?” or “How did they get this information?” And then there is the statement from the client that makes most of us cringe, “Someone has hacked into my computer and is monitoring everything that I do.


You can prove who did it, right?” After wondering which episode of CSI they just watched, your first inclination may be that highly skilled hackers used the latest zeroday exploit or perhaps a nation state has been working to compromise the computer system for years, or maybe the client is “just a bit paranoid”. It is possible that the system has been infected with sophisticated malware that required large sums of money to research and develop. However, the culprit could simply be someone willing to inv est $99 for a piece of very user-friendly, commercial-grade spyware that anyone with a credit card and the ability to follow intuitive installations screens can use. Since this spyware is commercially sold, signature-based protections provide little to no value in detecting its existence.


Some simple and legal commercial spyware applications available on the market today possess certain levels of polymorphic behaviour. In my opinion anti-virus companies typically prefer not to face litigation from flagging commercial software as a “Virus.” Therefore, detecting commercial-level spyware can be challenging with signature-based protection. This level of protection also allows the spyware vendors to make clams such as “completely invisible”, “unparalleled invisibility technology”, and“remains stealth”. In many instances, consistent methods for detecting both commercial and non-commercial spyware do exist. The simple theory is that the spyware will likely “call home” at some point to be effective. Malicious activity can be detected and confirmed by utilizing simple methods for some spyware or by utilizing more detailed methods, like sandboxing, for others. In some instances, the analyst can even uncover details indicating who installed the spyware by closely analyzing the information available. In other instances, using hot-key combinations or attempting to reinstall the suspect commercial spyware may succeed in revealing the spyware’s existence.


Read more on this subject, and more, in Issue 7 of DFM - out now - login or subscribe today!


 
Please make cache directory writable.
 

Submit an Article

Call for Articles

We are keen to publish new articles from all aspects of digital forensics. Click to contact us with your completed article or article ideas.

Featured Book

Learning iOS Forensics

A practical hands-on guide to acquire and analyse iOS devices with the latest forensic techniques and tools.

Meet the Authors

Andrew Hoog

Andrew Hoog is the Chief Investigative Officer at viaForensics'

 

Coming up in the Next issue of Digital Forensics Magazine

Coming up in Issue 39 on sale from February 2019:


Making Sense of Digital Forensic International Standards

To many the complexity of Standards, their numbering and obscure contents fail to make practical sense and confuse the entry points for effective use. A roadmap is provided in this paper for Standard information access and optimal use. Read More »

Evidentiary Challenges: Social media, the Dark Web, and Admissibility

This article takes a look at two categories of remote evidence: social media, and the dark web. We will also examine two interesting cases: The Target store credit card breach; and the civil case of Fero v Excellus Health Plan, Inc. Read More »

Subscribe today


Vehicle Data Forensics on Unsupported Systems

The article will help readers understand how to approach a vehicle from a digital forensics’ perspective, it will cover a range of infotainment units from popular manufacturers, data extraction methods and examples of data types found which may be considered intelligence and or used as digital evidence. Read More »

Every Issue
Plus the usual Competition, Book Reviews, 360, IRQ, Legal

Click here to read more about the next issue