“Many times as computer forensic analysts we are asked to answer questions such as, ‘Did the suspect steal this information?’ or ‘How did the intruders get into our system and what did they take?’ From time to time, we are also asked questions such as ‘How do they know everything I am doing?’ or ‘How did they get this information?’ And then there is the statement from the client that makes most of us cringe, ‘Someone has hacked into my computer and is monitoring everything that I do.’”
So writes Sword & Shield Director of Computer Forensics Bill Dean in a featured article for Digital Forensics Magazine’s May 2011 edition entitled “Detecting Computer Monitoring and Commercial Spyware Applications.”
Digital Forensics Magazine is a quarterly features and news magazine from the world of computer and cyber crime and digital forensics. The content published in the magazine is all technically reviewed and carries a certain weight of quality that other trade magazines or webzines don’t offer. Digital Forensics Magazine regularly features articles and news regarding cyber terrorism, management issues, investigation technologies and procedures, training, eDiscovery and tools and techniques.
Dean, a certified computer examiner (CCE), certified penetration tester (CPTS), certified incident handler (GCIH), and certified forensics analyst (GCFA), writes in this online article preview:
You can prove who did it, right?” After wondering which episode of CSI they just watched, your first inclination may be that highly skilled hackers used the latest zero-day exploit or perhaps a nation state has been working to compromise the computer system for years, or maybe the client is “just a bit paranoid”. It is possible that the system has been infected with sophisticated malware that required large sums of money to research and develop. However, the culprit could simply be someone willing to invest $99 for a piece of very user-friendly, commercial-grade spyware that anyone with a credit card and the ability to follow intuitive installation screens can use. Since this spyware is commercially sold, signature-based protections provide little to no value in detecting its existence.
Some simple and legal commercial spyware applications available on the market today possess certain levels of polymorphic behaviour. In my opinion anti-virus companies typically prefer not to face litigation from flagging commercial software as a “Virus.” Therefore, detecting commercial-level spyware can be challenging with signature-based protection. This level of protection also allows the spyware vendors to make claims such as “completely invisible”, “unparalleled invisibility technology”, and “remains stealth”. In many instances, consistent methods for detecting both commercial and non-commercial spyware do exist. The simple theory is that the spyware will likely “call home” at some point to be effective. Malicious activity can be detected and confirmed by utilizing simple methods for some spyware or by utilizing more detailed methods, like sandboxing, for others. In some instances, the analyst can even uncover details indicating who installed the spyware by closely analyzing the information available. In other instances, using hot-key combinations or attempting to reinstall the suspect commercial spyware may succeed in revealing the spyware’s existence.
The full version of Dean’s article will appear next month. Subscribe to Digital Forensics Magazine to read the story in its entirety.