Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

THE FORENSIC TOOLBOX AND SPYWARE

July 25, 2008

From the point of view of the cynical computer forensics examiner, all husbands and wives are cheating on each other – and often spying on each other as well. Spyware has become increasingly devious, and harder to locate and document. I am taking the unusual step of including here a lengthy post that recently appeared on several of the forensics lists, because it underscores several things that we all need to keep in mind:

1) The claims of spyware makers are often bogus, in spite of their website hype.
2) No one tool, even a good one such as Gargoyle (which we use often), is an all-purpose solution.
3) It pays to keep an eye open for new or different forensics tools. The story below illustrates how a very cheap product found what a more venerable and far more expensive product could not.

**************************

Please pardon the cross-posting. I have had a situation that has rekindled the issues concerning eBlaster. First, Spectorsoft sent an email advertising the new version 6 of eBlaster with the claims that it cannot be detected by any anti-spyware or anti-virus software tools. Second, I came into possession of a drive image suspected of containing an installation of eBlaster, and I was tasked to help confirm or deny this allegation.

I have Wetstone Technologies’ Gargoyle, so I started with that. Gargoyle found one remote access program and one anti-forensics program, but no eBlaster. Nonetheless, the default hotkey combination for eBlaster (ctrl-shft-alt-T) brought up the password entry field on the screen, proving that eBlaster was indeed present. Then I downloaded a trial version of a $29 program named Spyware Doctor. Within 10 minutes Spyware Doctor identified 15 items on the drive related to eBlaster, including Registry keys and dll files.

I phoned Wetstone to inquire why a $29 app found what their $1500 app could not. They explained that eBlaster is polymorphic, it changes configurations (and the resulting hashes also change). Since Gargoyle identifies files based on a hash database, it may or may not identify polymorphic files, even though the Gargoyle documentation specifically states it will identify eBlaster version 5. Wetstone recommended using a heuristically-oriented app (like Spyware Doctor).

My next step was to contact Spectorsoft and inquire about what to do with the new version 6, which they assured me was undetectable via heuristics or anything else. The hotkey combination trick will still verify the presence of the program. It is possible, however, that the hotkey combination will have been changed by the person who installed the program, or perhaps the hotkey combination has become corrupt and won’t open the password entry field. Failure of the hotkey combo to bring up the PW entry field does not definitively prove the absence of a Spectorsoft program.

Spectorsoft told me to have on hand a CD with the installation files for all 3 of their products, eBlaster, Spector, and Spector Pro. These installation programs can only be downloaded from their website if a licensed copy of the program is purchased. Since versions are unimportant, these purchased files won’t go out of date anytime soon.

If a machine is suspected of having one of these programs installed, just insert the CD and fire off the setup application. When the setup begins, select the advanced button. If the suspected program is installed, the password field will appear on the screen. Spectorsoft told me this is proof-positive that the suspect app is installed on the computer. You law enforcement guys/gals can then get a subpoena to get Spectorsoft to help you extract the password and log in to get all the pertinent info. We PIs can only capture a screenshot and pray a court will grant us the same courtesy, but we might be forced to be satisfied with proving the program is there.

BTW, the eBlaster setup only identifies the presence of eBlaster, the Spector setup only identifies the presence of Spector, etc. Version numbers are irrelevant. So, you might want to run all three setups to verify the presence or absence of Spectorsoft programs.

Louis M. Schlesinger, LPI, CCE, ACE, CFC, CIFI, WCSI CyForensics, www.cyforensics.com
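The Wetstone explanation in Louis's post, that a hash database can miss a component whose embedded configuration varies from install to install while a heuristic scanner still flags it, is the kind of thing that is easier to see in code. The following Python is an added example written for this repost; it is not code from the original post, from Gargoyle, or from Spyware Doctor. Every file path, byte string, hash entry and indicator pattern in it is constructed for illustration and stands in for no real product signature.

```python
"""Hash-based vs. heuristic detection of a per-install-varying ("polymorphic") file.

Added example, not from the original post or any vendor tool. All paths,
contents, hashes and indicator patterns below are constructed.
"""
import hashlib
import re

# Constructed sample "drive image": two copies of one hypothetical monitoring
# component that differ only in an embedded configuration blob (the kind of
# per-install variation the post calls polymorphic), plus one benign file.
SAMPLE_FILES = {
    "C:/Program Files/Example/monitor.dll":
        b"MZ\x90\x00HYPOTHETICAL-MONITOR keylog smtp-report cfg=AAAA",
    "C:/Windows/System32/svchlp32.dll":
        b"MZ\x90\x00HYPOTHETICAL-MONITOR keylog smtp-report cfg=BBBB",
    "C:/Windows/notepad.exe":
        b"MZ\x90\x00benign text editor",
}


def sha256_hex(data: bytes) -> str:
    """Hash the file contents the way a hash-set scanner would."""
    return hashlib.sha256(data).hexdigest()


# Constructed hash database: the vendor only ever hashed the first copy.
KNOWN_BAD_HASHES = {
    sha256_hex(SAMPLE_FILES["C:/Program Files/Example/monitor.dll"]):
        "HypotheticalMonitor (constructed entry)",
}

# Constructed heuristic indicators: byte patterns that survive a config change.
INDICATOR_PATTERNS = [
    re.compile(rb"HYPOTHETICAL-MONITOR"),
    re.compile(rb"keylog"),
    re.compile(rb"smtp-report"),
]


def hash_scan(files):
    """Return {path: label} for files whose exact hash is in the database."""
    hits = {}
    for path, data in files.items():
        label = KNOWN_BAD_HASHES.get(sha256_hex(data))
        if label is not None:
            hits[path] = label
    return hits


def heuristic_scan(files, min_hits=2):
    """Return {path: [patterns matched]} for files matching >= min_hits indicators.

    Requiring more than one indicator keeps a single common word from
    flagging unrelated files.
    """
    results = {}
    for path, data in files.items():
        matched = [p.pattern.decode() for p in INDICATOR_PATTERNS if p.search(data)]
        if len(matched) >= min_hits:
            results[path] = matched
    return results


def missed_by_hash_only(files):
    """Files the heuristic pass flags that the hash pass did not: the gap the
    post describes between Gargoyle's result and Spyware Doctor's."""
    return sorted(set(heuristic_scan(files)) - set(hash_scan(files)))


if __name__ == "__main__":
    print("hash scan:     ", hash_scan(SAMPLE_FILES))
    print("heuristic scan:", heuristic_scan(SAMPLE_FILES))
    print("missed by hash:", missed_by_hash_only(SAMPLE_FILES))
```

The second copy differs from the first by four bytes of configuration, which is enough to change its SHA-256 and drop it out of the hash match, while the three indicator patterns still hit it. That is the practical reason a hash-set tool and a heuristic tool belong together in the toolbox rather than one replacing the other, and why a clean hash scan on its own is weak evidence of absence.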

Thanks Louis, for the permission to repost this – and a hat tip to Dan Fuller for passing the posting along.
