Detecting Computer Monitoring and Commercial Spyware Applications

by Bill Dean


Personally, I contend that digital forensics is one of the most interesting and challenging technical disciplines available today. While television shows and movies fail to demonstrate the capabilities we really possess, they do bring light to the value we add in determining facts that may be otherwise unavailable in both civil and criminal matters. Many times as computer forensic analysts we are asked to answer questions such as “Did the suspect steal this information?” or “How did the intruders get into our system and what did they take?” From time to time, we are also asked questions such as “How do they know everything I am doing?” or “How did they get this information?” And then there is the statement from the client that makes most of us cringe: “Someone has hacked into my computer and is monitoring everything that I do. You can prove who did it, right?” After wondering which episode of CSI they just watched, your first inclination may be that highly skilled hackers used the latest zero-day exploit, or perhaps a nation state has been working to compromise the computer system for years, or maybe the client is “just a bit paranoid”. It is possible that the system has been infected with sophisticated malware that required large sums of money to research and develop. However, the culprit could simply be someone willing to invest $99 for a piece of very user-friendly, commercial-grade spyware that anyone with a credit card and the ability to follow intuitive installation screens can use. Since this spyware is commercially sold, signature-based protections provide little to no value in detecting its existence.


Some simple and legal commercial spyware applications available on the market today possess certain levels of polymorphic behaviour. In my opinion, anti-virus companies typically prefer not to face litigation from flagging commercial software as a “virus”. Therefore, detecting commercial-level spyware can be challenging with signature-based protection. This gap also allows the spyware vendors to make claims such as “completely invisible”, “unparalleled invisibility technology”, and “remains stealth”. In many instances, consistent methods for detecting both commercial and non-commercial spyware do exist. The simple theory is that the spyware will likely “call home” at some point to be effective. Malicious activity can be detected and confirmed by utilizing simple methods for some spyware or by utilizing more detailed methods, like sandboxing, for others. In some instances, the analyst can even uncover details indicating who installed the spyware by closely analyzing the information available. In other instances, using hot-key combinations or attempting to reinstall the suspect commercial spyware may succeed in revealing the spyware’s existence.
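The “call home” theory above can be turned into a concrete check: monitoring software that reports to a server tends to connect on a timer, so the same process reaching the same destination at near-constant intervals stands out even when no signature matches. The following is an added example, not code from the article or from any vendor; it assumes outbound connection records (timestamp, process name, destination) have already been exported from the suspect host, and the sample records are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of outbound connection records: (epoch seconds, process, destination).
# "monitor.exe" reports to its server roughly every 300 s; browser traffic is irregular.
CONNECTIONS = [
    (1000, "monitor.exe", "203.0.113.10:443"),
    (1302, "monitor.exe", "203.0.113.10:443"),
    (1598, "monitor.exe", "203.0.113.10:443"),
    (1901, "monitor.exe", "203.0.113.10:443"),
    (2200, "monitor.exe", "203.0.113.10:443"),
    (1010, "browser.exe", "198.51.100.7:443"),
    (1015, "browser.exe", "198.51.100.7:443"),
    (1460, "browser.exe", "198.51.100.7:443"),
    (2210, "browser.exe", "198.51.100.7:443"),
]


def find_beacons(records, min_hits=4, max_jitter=0.15):
    """Return (process, destination, mean_interval) for every process/destination
    pair that recurs at a near-constant interval, the typical timer-driven
    'call home' pattern. min_hits and max_jitter are tuning assumptions."""
    by_pair = defaultdict(list)
    for ts, proc, dest in records:
        by_pair[(proc, dest)].append(ts)

    beacons = []
    for (proc, dest), times in by_pair.items():
        if len(times) < min_hits:
            continue  # too few observations to judge regularity
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        # Coefficient of variation of the gaps: a low value means the
        # connections are evenly spaced rather than user-driven.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((proc, dest, round(avg, 1)))
    return beacons


if __name__ == "__main__":
    for proc, dest, interval in find_beacons(CONNECTIONS):
        print(f"{proc} -> {dest} every ~{interval}s")
```

The flagged process/destination pair is a lead to confirm, for example by sandboxing the binary or inspecting what it sends, not a verdict on its own.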


Read more on this subject, and more, in Issue 7 of DFM - out now - login or subscribe today!

