Detecting Computer Monitoring and Commercial Spyware Applications

Written by DFM team

by Bill Dean


Personally, I contend that digital forensics is one of the most interesting and challenging technical disciplines available today. While television shows and movies fail to demonstrate the capabilities we really possess, they do bring light to the value we add in determining facts that may otherwise be unavailable in both civil and criminal matters. Many times as computer forensic analysts we are asked to answer questions such as “Did the suspect steal this information?” or “How did the intruders get into our system and what did they take?” From time to time, we are also asked questions such as “How do they know everything I am doing?” or “How did they get this information?” And then there is the statement from the client that makes most of us cringe: “Someone has hacked into my computer and is monitoring everything that I do. You can prove who did it, right?” After wondering which episode of CSI they just watched, your first inclination may be that highly skilled hackers used the latest zero-day exploit, or perhaps a nation state has been working to compromise the computer system for years, or maybe the client is “just a bit paranoid”. It is possible that the system has been infected with sophisticated malware that required large sums of money to research and develop. However, the culprit could simply be someone willing to invest $99 in a piece of very user-friendly, commercial-grade spyware that anyone with a credit card and the ability to follow intuitive installation screens can use. Since this spyware is commercially sold, signature-based protections provide little to no value in detecting its existence.


Some simple and legal commercial spyware applications available on the market today possess certain levels of polymorphic behaviour. In my opinion, anti-virus companies typically prefer not to face litigation from flagging commercial software as a “virus”. Therefore, detecting commercial-level spyware can be challenging with signature-based protection alone. This gap in detection also allows the spyware vendors to make claims such as “completely invisible”, “unparalleled invisibility technology” and “remains stealth”. In many instances, however, consistent methods for detecting both commercial and non-commercial spyware do exist. The simple theory is that, to be effective, the spyware will at some point have to “call home” with the data it has captured, and that outbound traffic is observable regardless of how well the software hides itself on disk. For some spyware this activity can be detected and confirmed with simple methods, such as observing which processes open network connections and where they connect to; for others, more detailed methods such as sandboxing are needed. In some instances, the analyst can even uncover details indicating who installed the spyware by closely analysing the information available. In other instances, using hot-key combinations or attempting to reinstall the suspect commercial spyware may succeed in revealing the spyware’s existence.
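The “call home” heuristic above can be turned into a simple check over a connection log. The following is an added example written for this page, not code from Bill Dean’s article or from DFM: it parses a constructed log of outbound connections (the timestamps, the process name `svchost_upd.exe` and the remote addresses are all invented for the example) and flags any process that contacts the same destination at a near-constant interval, which is how an exfiltrating agent typically behaves and how a browser or mail client typically does not.

```python
"""Flag processes whose outbound connections look like periodic "call home"
beaconing. Added example for this page; the log below is constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: ISO timestamp, process image, remote host:port.
# "svchost_upd.exe" is an invented name chosen to mimic a system process,
# the kind of disguise a "completely invisible" product relies on.
SAMPLE_LOG = """\
2018-01-08T09:00:02 firefox.exe 93.184.216.34:443
2018-01-08T09:00:07 firefox.exe 151.101.1.69:443
2018-01-08T09:00:10 svchost_upd.exe 198.51.100.23:8080
2018-01-08T09:01:10 svchost_upd.exe 198.51.100.23:8080
2018-01-08T09:01:44 outlook.exe 40.97.120.2:443
2018-01-08T09:02:10 svchost_upd.exe 198.51.100.23:8080
2018-01-08T09:03:10 svchost_upd.exe 198.51.100.23:8080
2018-01-08T09:03:55 firefox.exe 93.184.216.34:443
2018-01-08T09:04:10 svchost_upd.exe 198.51.100.23:8080
"""


def parse_log(text):
    """Yield (timestamp, process, destination) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, dest = line.split()
        yield datetime.fromisoformat(ts), proc, dest


def find_beacons(text, min_hits=4, max_jitter=0.2):
    """Return {(process, destination): mean_interval_seconds} for every
    process/destination pair seen at least min_hits times whose gaps between
    connections are nearly constant (relative std dev <= max_jitter).

    A browser hitting many hosts at irregular times never qualifies; an agent
    reporting to one host every N seconds does, however it is named on disk."""
    series = defaultdict(list)
    for ts, proc, dest in parse_log(text):
        series[(proc, dest)].append(ts)

    beacons = {}
    for key, stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Zero mean would be a burst, not a beacon; guard the division.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    for (proc, dest), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{proc} -> {dest} every {interval:.0f}s (possible call-home)")
```

The thresholds `min_hits` and `max_jitter` are assumptions for the example; in practice the log would come from a host firewall, a network tap or a live `netstat`-style capture taken over a long enough window, and a hit is a lead to confirm (for instance by sandboxing the binary), not a verdict on its own.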


Read more on this subject, and more, in Issue 7 of DFM - out now - login or subscribe today!


 