Abstract
avoid detection, but this results in a significant challenge for forensic examination. This
paper is the result of research in how to identify and examine Spector Pro.
Spector Pro is the monitoring component of SpectorSoft's offerings. They also have an
application called "eBlaster", which monitors and emails the user activity to the person
because it sends emails that are easily found in an examination. The emails appear in
an unencrypted format and are easily viewed and documented. This paper only deals
with the Spector Pro monitoring application, which is more difficult to identify, process
and examine.
Don L. Lewis
Forensic Computer Analyst
Lakewood Police Department
Lakewood Colorado
intercept or take partial control over the user's interaction with the computer, without the
“While the term Spyware suggests software that secretly monitors the user's behavior,
the functions of Spyware extend well beyond simple monitoring. Spyware programs can
collect various types of personal information, but can also interfere with user control of
the computer in other ways, such as installing additional software, redirecting Web
browser activity, accessing websites blindly that will cause more harmful viruses, or
diverting advertising revenue to a third party. Spyware can even change computer
settings, resulting in slow connection speeds, different home pages, and loss of Internet
formal classification of its included software types is captured under the term privacy-
invasive software."[2]
There are essentially two types of applications that fall under the Spyware label,
Internet activity, without the intent of the user. The purpose is to monitor the activities of
a user, and target Internet advertising and email SPAM. "Spyware — by design —
exploits infected computers for commercial gain. Typical tactics furthering this goal
administrative privileges for the computer without the user’s knowledge, and is used to
home are the expected uses of the software. It can be used in criminal activities to
access personal information of victims for identity theft. It can be used by stalkers and
When a probation client uses a computer, as a condition of their probation, they agree
to have their activities monitored. The probation client is required to provide their
computer to their probation officer on a routine basis for review. Spector Pro is the
application that the probation office chose to use as their monitoring software.
This testing utilized Spector Pro 6.0 build 1265. The tested software was a later build of
the program than the case examination. The case results appeared consistent with the
testing that was conducted.
Once installed, the person who installed Spector Pro can configure it to capture the
screen contents at configurable intervals and then store the captures in a hidden
location on the hard drive for later viewing. Screen capturing is one of several different
Spector works by taking a snapshot of whatever is on the computer screen and saves it
away in a hidden location on your computer's hard drive. A few seconds later, Spector
takes another picture. In fact, Spector can automatically take a picture of your computer
You get recordings of all chat conversations, instant messages, e-mails typed and read,
all websites visited, all programs/applications run, all keystrokes typed - EVERYTHING
Spector Pro is, by design, hidden from the user. It is not installed in the "Program Files"
The Spector Pro executable is disguised to look very similar to a number of other files in
Windows\System32 folder. This disguise makes it harder to find. It does not use
"Spector Pro" as the executable name. It uses a random name made up of six to twelve
characters, with either .exe or .dll as its extension. (Figure 1, Explorer View of
System32 .exe files)
Explorer view of executable and dll files in the Windows\System32 folder. The Spector
monitoring file shown here as “resoccal”, allows a user to run the Admin Console. The
tool tip entry showing the created date is not consistent with the date of the program
installation. The data folder, “anserbat” can be seen in the explorer tree. These file and
using .exe or .dll as the extension.[6] In both my testing and case examination, I found
this not to be accurate. There is additional information indicating that the program uses
a longer list of over one hundred words that are concatenated, to make registry values
pointing to files created by the application.[7] This suggests a greater number of words
testing and the case examination, were not consistent with the published list on
Symantec's website. Letters used in the filename did not appear in the word list.
Each installation of the program will result in different names for the files and folders
related to Spector Pro. The application was installed on both Windows XP and
Windows Vista computers. The default selections were made on each installation and
“remove the installer” was always selected. To test the randomness of the naming
convention for both the application and data components of Spector Pro, the program
was uninstalled and reinstalled several times. Each installation had unique random
naming as described above. The data files had unique file extensions for each
installation.
The Security Response information indicates that a system scan with Symantec
Antivirus products will detect Spector and report it as Spyware.[8] In the case
examination, the evidence files were mounted as an emulated disk and a virus scan
was run. The Spector Pro executable was not detected, nor were any of the associated
files. Using this approach to identify the executable is not reliable. Frequent new build
releases of the product using minor changes to the program may be intended to prevent
builds of Spector Pro by antivirus clients. Additionally, use of the MD5 Hash of the
between program builds, and installations. Each installation of Spector Pro, using the
same installation CD, resulted in a different hash value. The administrator installed the
program on a single computer. A hash value was calculated on the executable. The
program was uninstalled and reinstalled, by the administrator, using the same
configuration. A hash value was calculated on the second installation of the executable.
Testing was conducted on Spector Pro 6.0, running the program both as the computer
user and the monitor of the user's activities. To further observe the effects of the
software, multiple users were created and run on multiple test computers. The
installation process was monitored with Windows Sysinternals' Regmon and Filemon to
identify changes made during program installation. Several additional tools were used
during the testing: Helix, Fool Moon's Windows Forensic Tool Chest, USEC Radix,
EnCase Forensic Edition, Microsoft Virtual PC, and VMWare Workstation. The Spector
Pro monitoring application is not recorded in the system Prefetch. The viewing
application is recorded in the system Prefetch after it has been run, however, the
naming convention used by this application makes it difficult to identify. There may be
little forensic value in locating the viewing application in Prefetch. The monitoring
process is not listed in Windows Task Manager, or process monitoring applications such
memory from .DLL files, and is not a process. They may be listed when the
"ListDLLs" command is run. The random naming convention used by Spector camouflages the
applications in the listed DLLs. It may be possible to locate one of the monitoring DLLs
using a string search of the embedded comments in the DLLs located in the System32
folder.
The installation of six files and creation of one folder were identified during testing. The
six files consist of an executable, which is approximately 6200 KB in size, and five
.DLLs. All of these files are located in the Windows\System32 folder. Two files, the
executable and one of the .DLLs, can be found using a keyword search with "Spector
Pro" as the keyword. Additional keywords are "Stealth Mode", "Spector Startup", and
"Spector Administrator". The latter two are not consistently found in the files, which may
be attributable to different builds. The resulting keyword hits will be in plain text located
near the middle of the file. The easiest technique for finding the executable on a live
system is to sort the Explorer view by size and look for the executable that is listed at
approximately 6200 KB. The other files will have the same MAC Modified Date. The
executable that is found is the Admin Console (viewer and settings configuration
application), which is used to access the data files, review the user's activities and set
When Spector Pro is installed one of the most important components, which allows the
interrupts. When you start Windows, the Kernel32.dll is loaded into a protected memory
space so that other programs do not take over that memory space.[9] Locating the
Kernel32.dll and sorting on the MAC modified date in the System32 folder will group
the seven files and one folder together for rapid identification. Hex and text views of
the .DLLs show the common values for the file signature (DLL signature hex values
\x4D \x5A \x90 \x00 \x03 \x00 \x00 \x00 and text value MZ·····). This is consistent with
The MAC Creation and Modified dates do not accurately reflect the installation date of
the program. The dates are consistent across the components of the installation. The
dates appear to be tied to installation dates in the Operating Systems (OS) DLL files.
Each installation was uniquely tied to the Kernel32.dll in the Windows\System32 folder.
The MAC dates for the files created during installation are the same as the dates of the
Kernel32.dll. The data files saved by the Spector Monitoring DLLs, even when they are
added during later/subsequent computer use, are given the MAC dates associated with
the installation. The dates recorded for the activities monitored, are accurate when
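The two identification techniques described above (a keyword search for the plain-text strings inside the executable and one DLL, a size of roughly 6200 KB, and grouping files that share kernel32.dll's modified date) can be combined into a single triage pass over a mounted System32 folder. The following is an added example written for this page, not code from the paper or from SpectorSoft; the letters-only name pattern, the +/-300 KB size tolerance and the two-second timestamp window are assumptions, and the directory it scans is a constructed look-alike built in a temporary folder, with the executable name borrowed from Figure 1.

```python
import os
import re
import tempfile
from pathlib import Path

# Plain-text strings the paper reports inside the Spector Pro executable and one DLL;
# "Spector Pro" and "Stealth Mode" were consistent across builds, the other two were not.
KEYWORDS = [b"Spector Pro", b"Stealth Mode", b"Spector Startup", b"Spector Administrator"]
# Letters-only basename of six to twelve characters with an .exe or .dll extension (Figure 1).
RANDOM_NAME = re.compile(r"^[a-z]{6,12}\.(exe|dll)$", re.IGNORECASE)
# The Admin Console executable was approximately 6200 KB; the +/-300 KB tolerance is an assumption.
EXPECTED_SIZE = 6200 * 1024
SIZE_TOLERANCE = 300 * 1024


def keyword_hits(path, keywords=KEYWORDS, chunk=1 << 20):
    """Keywords present anywhere in the file; chunks overlap so a boundary-straddling hit is kept."""
    found = set()
    overlap = max(len(k) for k in keywords) - 1
    tail = b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            buf = tail + block
            found.update(k.decode() for k in keywords if k in buf)
            tail = buf[-overlap:]
    return sorted(found)


def triage_system32(system32, reference="kernel32.dll"):
    """Score each .exe/.dll against the paper's indicators: letters-only random name,
    modified time equal to kernel32.dll's, size near 6200 KB, embedded keywords."""
    root = Path(system32)
    ref = root / reference
    ref_mtime = ref.stat().st_mtime if ref.exists() else None
    results = {}
    for entry in sorted(root.iterdir()):
        if (not entry.is_file() or entry.suffix.lower() not in (".exe", ".dll")
                or entry.name.lower() == reference):
            continue
        st = entry.stat()
        reasons = []
        if RANDOM_NAME.match(entry.name):
            reasons.append("letters-only random name")
        if ref_mtime is not None and abs(st.st_mtime - ref_mtime) < 2:
            reasons.append("modified time equals kernel32.dll")
        if abs(st.st_size - EXPECTED_SIZE) <= SIZE_TOLERANCE:
            reasons.append("size about 6200 KB")
        hits = keyword_hits(entry)
        if hits:
            reasons.append("keywords: " + ", ".join(hits))
        if reasons:
            results[entry.name] = reasons
    return results


def strong_candidates(results, min_reasons=2):
    """One indicator (a letters-only name, say) matches many legitimate files;
    require several before treating a file as a likely Spector Pro component."""
    return sorted(name for name, reasons in results.items() if len(reasons) >= min_reasons)


def build_sample_tree(root):
    """Constructed System32 look-alike for the demo; not a real capture."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    mz = b"MZ\x90\x00\x03\x00\x00\x00"     # the common PE/DLL signature noted in the paper
    install_time = 1200000000               # arbitrary epoch seconds shared by kernel32.dll and the planted files
    (root / "kernel32.dll").write_bytes(mz + b"\0" * 1024)
    os.utime(root / "kernel32.dll", (install_time, install_time))
    half = EXPECTED_SIZE // 2               # keywords land near the middle of the file, as the paper describes
    planted = mz + b"\0" * half + b"Spector Pro\0Stealth Mode\0" + b"\0" * half
    (root / "resoccal.exe").write_bytes(planted)   # name borrowed from the paper's Figure 1
    os.utime(root / "resoccal.exe", (install_time, install_time))
    later = install_time + 30 * 86400
    (root / "notepad.exe").write_bytes(mz + b"\0" * 4096)  # decoy: small, later timestamp, no keywords
    os.utime(root / "notepad.exe", (later, later))
    return root


def run_demo():
    """Build the constructed tree in a temporary directory and triage it."""
    root = build_sample_tree(Path(tempfile.mkdtemp()) / "System32")
    results = triage_system32(root)
    return {"all": results, "strong": strong_candidates(results)}


if __name__ == "__main__":
    for name, reasons in run_demo()["all"].items():
        print(name, "->", "; ".join(reasons))
```

On the constructed tree the planted file collects all four indicators while the decoy matches only the name pattern, which is why `strong_candidates` asks for at least two. Against a real mounted image, point `triage_system32` at the image's Windows\System32 folder; the timestamp match is the cheapest filter, and the keyword read is the expensive one, so it runs last.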
Identification of running processes was attempted after the installation of Spector Pro.
Sysinternals RootkitRevealer was run when logged on to the computer as a user.
This utility returned no hits showing the presence of the monitoring software.
Additionally, when SysInternals Process Explorer was run, all processes listed
run. This utility returned no hits showing the presence of the monitoring software.
USEC Radix Anti-RootKit,[10] a utility to identify and remove root kits was run. It did not
identify Spector Pro processes or executables, but it did identify the data files. The
Neuber Security Task Manager was run, and it identified the two DLLs, which were
running during monitoring.[11] When the Spector Pro Admin Console is initiated the
process is listed in the Windows Task Manager, as well as Process Explorer. (Figure 3
Process Explorer.)
Processes shown using Process Explorer while monitoring was being conducted.
The Spector Pro Admin Console executable can be run when the evidence file has
been mounted as an emulated disk. When executed in this fashion, an error will result,
and none of the data files will be able to be accessed. It is helpful, however, in
identifying the executable, and from the program “about” in the help tab the software
version and build can be identified. Testing showed this technique worked for Windows
XP installations, but not for Windows Vista installations of Spector Pro. On a Windows
Vista live examination, UAC (User Access Control) prevented launching the Admin
The folder that is created during installation is an empty folder that will become home to
the Spector Pro data files. The folder will be empty until the computer is restarted, after
the installation of the program, and the application begins its recording process. The
recording process begins when a user logs on to the computer. No data files are
created for users that have not logged on to the computer after the installation of
Spector Pro. The data files have both Archive and Hidden attribute flags. They are also
proprietary encrypted files. A 16-digit software serial number and a user password must
be entered during installation. This same password is used later to access the program
Spector Pro.
The data file naming convention is a random forty-digit filename using hexadecimal
characters. They also have a random extension that is an invalid (nonexistent) file type,
such as the .pen, .qek, .qju, .nxt and .vto extensions identified for these data files
(other test file extensions were observed but were not recorded). Each
installation will have its own unique data file extension value. Different extension values
were observed on a single system, when deleted data files were present. An example
The life of the data files is set to 30 days by default. The monitoring user can
reconfigure this during installation and/or by using the program's configuration settings
after installation. Recovery of deleted data files may be required. Recovered data files
that have been deleted will contain screen captures, but may not accurately present
other collected data such as keystrokes. In the case examination, a screen capture
showing a password entry did not have corresponding keystroke data. (Figure 5
Configuration Settings)
The Settings Configuration Menu from the Admin Console.
Spector Pro separates the data files by user and by session. The data files do not have
a unique header/file signature. The beginning of the file has random hex/text values.
However, beginning with the thirty-sixth byte of the file is user identification in plain text.
beginning of the file. In this example the computer does not have a network domain
name, as one was not assigned, and is reflected in this entry. The entry consistently
This identification includes network domain name, computer name, and user name.
Included in the data folder is an additional file. Like the data files it has the "Archive"
and "Hidden" attribute flags. This file has an extension .ocx, and records a log of
The ???????.ocx file (where ? represents a random character) in plain text shows the
domain\machine name\user, in format consistent with the data files. Examination of the
Spector Pro case (earlier build than the one tested) revealed that while domain and
machine name were visible in the .ocx file, they did not appear in the data files, but the
user name did appear (beginning at the 36th byte of the file).
The use of the .ocx extension seems consistent for the log file in all tests and in the
case examination. While .ocx is an incorrect file extension, it is a log rather than an
"Object Linking and Embedding (OLE) Control Extension". The correct hex values for
the header in an OCX is \x4d \x5a \x90 \x00 \x03 \x00 \x00 \x00 (MZ...... in ASCII text).
The .ocx as used in Spector is a .txt file beginning with the accurate installation date of
the application. The .ocx file can be used to identify a Spector Pro installation. It can
provide artifacts for further processing, such as the information contained in the log
domain name\machine name\user name for identifying the data files, and possible use
of Spector Pro.
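The data folder artifacts described in the preceding paragraphs (forty-hex-character filenames with a per-installation extension, the plain-text domain\machine\user identification beginning at the thirty-sixth byte, and the plain-text ???????.ocx log that is not a real OLE control) lend themselves to a small inventory script. The following is an added example for this page, not the paper's or SpectorSoft's code. It assumes the "thirty-sixth byte" is counted from one (zero-based offset 35), that the identification string ends at the first non-printable byte, and that the log's first line is the installation date with later lines carrying identity entries; the folder it reads is constructed in a temporary directory with invented names and contents.

```python
import hashlib
import os
import re
import stat
import tempfile
from collections import Counter
from pathlib import Path

# Data file: forty hexadecimal characters plus a short extension that is not a real file type
# (.pen, .qek, .qju, .nxt, .vto were observed; each installation uses one value).
DATA_NAME = re.compile(r"^[0-9a-fA-F]{40}\.[a-z]{3}$")
# Log file: seven random characters with an .ocx extension, despite not being an OLE control.
LOG_NAME = re.compile(r"^[a-z]{7}\.ocx$", re.IGNORECASE)
# ASSUMPTION: "beginning with the thirty-sixth byte" is read as 1-indexed, i.e. zero-based
# offset 35, and the plain-text identification runs until the first non-printable byte.
ID_OFFSET = 35
OLE_SIGNATURE = b"MZ\x90\x00\x03\x00\x00\x00"   # what a genuine .ocx would start with


def read_identification(path, offset=ID_OFFSET, max_len=256):
    """Parse domain\\machine\\user at the offset into a dict (plus the raw text), or None."""
    with open(path, "rb") as fh:
        fh.seek(offset)
        raw = fh.read(max_len)
    end = 0
    while end < len(raw) and 0x20 <= raw[end] < 0x7F:
        end += 1
    text = raw[:end].decode("ascii")
    parts = text.split("\\")
    if len(parts) != 3:
        return None
    return {"domain": parts[0], "machine": parts[1], "user": parts[2], "text": text}


def is_hidden_archive(path):
    """True when both Windows attribute flags are set; None on platforms without them."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:
        return None
    wanted = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_ARCHIVE
    return attrs & wanted == wanted


def parse_log(path):
    """The .ocx log is plain text: first line is the installation date, later lines carry
    domain\\machine\\user entries (line layout is an assumption)."""
    data = path.read_bytes()
    lines = [ln.strip() for ln in data.decode("ascii", errors="replace").splitlines() if ln.strip()]
    return {
        "genuine_ocx": data.startswith(OLE_SIGNATURE),   # a real OLE control would carry the MZ header
        "install_date": lines[0] if lines else None,
        "identities": sorted({ln for ln in lines[1:] if ln.count("\\") == 2}),
    }


def triage_data_folder(folder):
    """Inventory the hidden data folder: per-extension counts (more than one extension
    means remnants of another installation), per-identity file counts, and the log."""
    files, extensions, users, log = [], Counter(), Counter(), None
    for entry in sorted(Path(folder).iterdir()):
        if not entry.is_file():
            continue
        if DATA_NAME.match(entry.name):
            ident = read_identification(entry)
            extensions[entry.suffix] += 1
            files.append({"name": entry.name, "ident": ident, "hidden_archive": is_hidden_archive(entry)})
            if ident:
                users[ident["text"]] += 1
        elif LOG_NAME.match(entry.name):
            log = parse_log(entry)
    return {
        "data_files": files,
        "extensions": dict(extensions),
        "multiple_installations": len(extensions) > 1,
        "users": dict(users),
        "log": log,
    }


def build_sample_folder(root):
    """Constructed data folder for the demo; names and contents are not from a real case."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    prefix = bytes([0x8F, 0x13, 0xE2, 0x7A, 0x01] * 7)      # 35 random-looking bytes before the identification
    body = b"\x00" + b"\xA7\x3C" * 32                        # stand-in for the encrypted remainder
    samples = [("alice", ".pen"), ("bob", ".pen"), ("alice", ".qek")]   # .qek: remnant of an earlier installation
    for i, (user, ext) in enumerate(samples):
        name = hashlib.sha1(f"sample{i}".encode()).hexdigest() + ext   # a sha1 hex digest is 40 hex characters
        ident = f"\\TESTPC\\{user}".encode()                            # empty domain: no network domain assigned
        (root / name).write_bytes(prefix + ident + body)
    log = "2008-03-04 09:15:00\n\\TESTPC\\alice\n\\TESTPC\\bob\n"     # constructed log text
    (root / "wobneta.ocx").write_text(log, encoding="ascii")
    return root


def run_demo():
    """Build the constructed folder in a temporary directory and inventory it."""
    return triage_data_folder(build_sample_folder(Path(tempfile.mkdtemp()) / "anserbat"))
```

The `multiple_installations` flag is the detail worth keeping from the paper: two extension values in one folder means deleted or older data files are present, so the examiner should expect recovered files whose keystroke data may not match their screen captures. The `genuine_ocx` check makes the point about the log explicitly: a file with this extension but no MZ header is the Spector Pro text log, not an OLE control.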
There are a number of user configurable options that can complicate the examination of
Spector Pro. During the Spector Pro installation and later once the application has been
running, the user can change their password, and more importantly, the hot key
combination to initiate the admin console. In a Windows Vista installation the hotkeys
must be used to access the Admin Console, in normal use, and in a live or an emulated
disk examination. If the user changes the OS default settings, to “show hidden system
files”, the data files and log file will be visible in the Windows Explorer view.
The default setting for the screen capture images is a low-quality 4-bit grayscale. This
setting minimizes storage space and write time for the data files. The Spector Pro
this setting, even on a system running as little as 256MB RAM. The default storage
allocation is 0.5 GB. At this setting the average computer user's activities will be recorded
for approximately 30 days. The monitoring user can increase the screen capture
quality, storage allocation and the storage duration settings. No testing was conducted
Examination
The examination process will require examiners to first identify the use of Spector Pro.
If there is no reason to suspect the program, it will probably go totally unnoticed. None
of the recorded data appears in a typical examination process, such as a search for
images or string search techniques for the typed keystrokes, since the data is
encrypted. The encrypted data can only be decrypted using the Spector Pro
application.
The USEC Radix utility has a "one click check" scan that identified the hidden Spector
stored data files and the .ocx log file, when run on a live system. The utility can be run
on the system from a thumb drive. The use of this utility may be the most effective
method to identify whether Spector has been running on a computer, without having
developed information indicating its use. The Radix utility only supports Windows 2000
and Windows XP, while the Spector Pro application can be broadly deployed across
To access and view the data files Spector Pro uses a combination of hot keys, Shift +
Ctrl + Alt + S. When these keys are pressed after a user's login, a window appears
requesting the password to login to the Admin Console. Upon successful entry of the
password the viewer opens and allows the monitoring individual to review the user
activity. This opens the Admin Console and can be initiated from any user having
Limited users cannot access the console, even when they know the hot key
combination and the password. Once the Admin Console is opened the activities of all
users can be reviewed. The Admin Console has filtering available during the review
method of opening the Admin Console is to double click on the executable file in the
Windows\System32 folder. If the user has changed the hot key combination, this may
be the only way to access the console. This technique was prevented in Windows Vista
by UAC, even when attempted using the right click “run as administrator” option.
The simplest and most effective method for examination of Spector Pro stored data is to
export the data folder, using a forensic application. The data files can then be opened
using either the Admin Console, from complete installation of Spector Pro, or Spector
Pro Viewer installation, on an examination machine. The viewer client does not have
the full functionality of the Admin Console. It cannot access the monitoring application
settings and some other minor features that appeared to have little relevance for
examination. Spector Pro removal must be completed through the Admin Console,
using the password to access the uninstall option. The viewer client does not require
While using native environment techniques to examine Spector Pro activities the
determine if the entries are used as search terms, file save names, passwords, etc.
Without context the meaning of these items may be difficult to determine, and possibly
in the “Formatted” view. The “Raw” view will show additional keystrokes, such as “Shift”
and “Enter” keys. In undeleted data files the keystrokes were not accurately displayed
examination of their product. I found additional information in the Spector Pro Online
Help files that indicated the viewer client was available to be installed using the setup
disk (these options were also observed during setup). With the viewer it is possible to
use exported data files and view them on another computer. Unlimited installation of
the viewer component of their product is allowed under their End User Licensing
Agreement (EULA). However, the EULA strictly limits the installation of the complete
[2] ibid.
[5] ibid.
[7] ibid.
[8] ibid.