Detecting Computer Monitoring and Commercial Spyware Applications

Written by DFM team

by Bill Dean


Personally, I contend that digital forensics is one of the most interesting and challenging technical disciplines available today. While television shows and movies fail to demonstrate the capabilities we really possess, they do bring light to the value we add in determining facts that may otherwise be unavailable in both civil and criminal matters. Many times as computer forensic analysts we are asked to answer questions such as “Did the suspect steal this information?” or “How did the intruders get into our system and what did they take?” From time to time, we are also asked questions such as “How do they know everything I am doing?” or “How did they get this information?” And then there is the statement from the client that makes most of us cringe: “Someone has hacked into my computer and is monitoring everything that I do. You can prove who did it, right?” After wondering which episode of CSI they just watched, your first inclination may be that highly skilled hackers used the latest zero-day exploit, or perhaps a nation state has been working to compromise the computer system for years, or maybe the client is “just a bit paranoid”. It is possible that the system has been infected with sophisticated malware that required large sums of money to research and develop. However, the culprit could simply be someone willing to invest $99 for a piece of very user-friendly, commercial-grade spyware that anyone with a credit card and the ability to follow intuitive installation screens can use. Since this spyware is commercially sold, signature-based protections provide little to no value in detecting its existence.


Some simple and legal commercial spyware applications available on the market today possess certain levels of polymorphic behaviour. In my opinion, anti-virus companies typically prefer not to face litigation from flagging commercial software as a “virus.” Therefore, detecting commercial-level spyware can be challenging with signature-based protection. This gap in protection also allows the spyware vendors to make claims such as “completely invisible”, “unparalleled invisibility technology”, and “remains stealth”. In many instances, however, consistent methods for detecting both commercial and non-commercial spyware do exist. The simple theory is that the spyware will likely “call home” at some point to be effective. Malicious activity can be detected and confirmed by utilizing simple methods for some spyware, or more detailed methods, like sandboxing, for others. In some instances, the analyst can even uncover details indicating who installed the spyware by closely analyzing the information available. In other instances, using hot-key combinations or attempting to reinstall the suspect commercial spyware may succeed in revealing the spyware’s existence.
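As an added illustration of the “call home” idea above (example code, not the article's or any vendor's): the script groups constructed outbound-connection log lines by process and destination and flags pairs whose reconnect intervals are nearly constant, the timer-driven beaconing that a signature-based scanner has no reason to notice. The log line format and the process and host names are assumptions.

```python
# Beacon ("call home") detection over constructed outbound-connection log lines.
# Added example, not the article's or any product's code. Assumes a per-line
# format "ISO-timestamp process dest_host:port" from a host firewall (assumption).
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: a browser with irregular traffic and an unfamiliar
# process reconnecting to one host roughly every 300 seconds.
SAMPLE_LOG = """\
2018-02-01T09:00:02 firefox.exe news.example.com:443
2018-02-01T09:00:05 svchelper.exe stats-collect.example.net:443
2018-02-01T09:00:41 firefox.exe cdn.example.com:443
2018-02-01T09:05:05 svchelper.exe stats-collect.example.net:443
2018-02-01T09:07:19 firefox.exe mail.example.org:443
2018-02-01T09:10:06 svchelper.exe stats-collect.example.net:443
2018-02-01T09:12:00 firefox.exe news.example.com:443
2018-02-01T09:15:05 svchelper.exe stats-collect.example.net:443
2018-02-01T09:20:04 svchelper.exe stats-collect.example.net:443
2018-02-01T09:31:44 firefox.exe news.example.com:443
"""

def parse_log(text):
    """Return {(process, destination): [timestamps]} from the log text."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, proc, dest = line.split()
            groups[(proc, dest)].append(datetime.fromisoformat(ts))
    return groups

def find_beacons(groups, min_conns=4, max_jitter=0.1):
    """Return (process, dest, period_s) tuples whose connection gaps are near-constant."""
    # No signature needed: a steady reconnect timer to one host is beacon-like.
    # max_jitter bounds stdev/mean of the gaps; human-driven traffic is far noisier.
    beacons = []
    for (proc, dest), stamps in groups.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((proc, dest, round(avg)))
    return beacons

if __name__ == "__main__":
    for proc, dest, period in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{proc} -> {dest} every ~{period}s")
```

A hit is a lead to confirm with the process's on-disk image and a sandbox run, not proof by itself, since legitimate agents also poll on timers.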


Read more on this subject, and more, in Issue 7 of DFM - out now - login or subscribe today!

