
Forensic Analysis of Spector Pro

Abstract

Spector Pro is computer spyware/monitoring software produced by the SpectorSoft Company. Spector Pro is marketed as software to monitor the activities of children or employees. It is designed to be invisible to the computer user in order to avoid detection, but this results in a significant challenge for forensic examination. This paper is the result of research into how to identify and examine Spector Pro.

Spector Pro is the monitoring component of SpectorSoft's offerings. They also have an application called "eBlaster", which monitors user activity and emails it to the person monitoring an individual. eBlaster offers some advantages to the forensic examiner, because it sends emails that are easily found in an examination. The emails appear in an unencrypted format and are easily viewed and documented. This paper only deals with the Spector Pro monitoring application, which is more difficult to identify, process and examine.

Don L. Lewis
Forensic Computer Analyst
Lakewood Police Department
Lakewood Colorado

February 29, 2008


Introduction

"Spyware is computer software that is installed surreptitiously on a personal computer to intercept or take partial control over the user's interaction with the computer, without the user's informed consent."[1]

"While the term Spyware suggests software that secretly monitors the user's behavior, the functions of Spyware extend well beyond simple monitoring. Spyware programs can collect various types of personal information, but can also interfere with user control of the computer in other ways, such as installing additional software, redirecting Web browser activity, accessing websites blindly that will cause more harmful viruses, or diverting advertising revenue to a third party. Spyware can even change computer settings, resulting in slow connection speeds, different home pages, and loss of Internet or other programs. In an attempt to increase the understanding of Spyware, a more formal classification of its included software types is captured under the term privacy-invasive software."[2]

There are essentially two types of applications that fall under the spyware label: malware and monitoring software. The malware is typically installed by a download or Internet activity, without the intent of the user. Its purpose is to monitor the activities of a user and to target Internet advertising and email spam. "Spyware — by design — exploits infected computers for commercial gain. Typical tactics furthering this goal include delivery of unsolicited pop-up advertisements; theft of personal information (including financial information such as credit card numbers); monitoring of Web-browsing activity for marketing purposes; or routing of HTTP requests to advertising sites."[3] Monitoring software is typically installed as a security tool by someone with administrative privileges for the computer, without the user's knowledge, and is used to conduct surveillance of the user's activities.

Spector Pro software is utilized in a number of ways. Monitoring employees' online activities in a corporate setting and monitoring the activities of children on home computers are the expected uses of the software. It can be used in criminal activities to access the personal information of victims for identity theft. It can be used by stalkers and in domestic violence situations to monitor a victim's personal activities and communications. Probation officials use it to monitor individuals convicted of computer crimes and sexual assaults. It was in a probation monitoring situation that I came to examine a Spector Pro case.

When a probation client uses a computer, as a condition of their probation they agree to have their activities monitored. The probation client is required to provide their computer to their probation officer on a routine basis for review. Spector Pro is the application that the probation office chose to use as its monitoring software.

Research and Testing

This testing utilized Spector Pro 6.0 build 1265. The tested software was a later build of the program than the one in the case examination. The case results appeared consistent with the testing that was conducted.

"How Does it Work?

Once installed, the person who installed Spector Pro can configure it to capture the screen contents at configurable intervals and then store the captures in a hidden location on the hard drive for later viewing. Screen capturing is one of several different recording features that can be configured.

Spector works by taking a snapshot of whatever is on the computer screen and saves it away in a hidden location on your computer's hard drive. A few seconds later, Spector takes another picture. In fact, Spector can automatically take a picture of your computer screen as frequently as once per second or based on user activity."[4]

"What Does Spector Record?

You get recordings of all chat conversations, instant messages, e-mails typed and read, all websites visited, all programs/applications run, all keystrokes typed - EVERYTHING they do on the computer and on the Internet."[5]

Spector Pro is, by design, hidden from the user. It is not installed in the "Program Files" folder as most computer applications are. It is installed in the Windows\System32 file path. The Spector Pro executable is disguised to look very similar to a number of other files in the Windows\System32 folder. This disguise makes it harder to find. It does not use "Spector Pro" as the executable name. It uses a random name made up of six to twelve characters, with either .exe or .dll as its extension. (Figure 1, Explorer View of System32 .exe files)

Figure 1: Explorer view of executable and DLL files in the Windows\System32 folder. The Spector monitoring file, shown here as "resoccal", allows a user to run the Admin Console. The tool tip entry showing the created date is not consistent with the date of the program installation. The data folder, "anserbat", can be seen in the Explorer tree. These file and folder names are random and unique to each installation.

Symantec Security Response's "Spyware.Spector" write-up states that the installed application name is a two-word combination from the following list: xml, wsock, wow, and/or wiz, using .exe or .dll as the extension.[6] In both my testing and the case examination, I found this not to be accurate. There is additional information indicating that the program uses a longer list of over one hundred words that are concatenated to make registry values pointing to files created by the application.[7] This suggests a greater number of words is available to SpectorSoft's application. The names created by installation, during my testing and the case examination, were not consistent with the published list on Symantec's website. Letters used in the filenames did not appear in the word list.

Each installation of the program will result in different names for the files and folders related to Spector Pro. The application was installed on both Windows XP and Windows Vista computers. The default selections were made on each installation, and "remove the installer" was always selected. To test the randomness of the naming convention for both the application and data components of Spector Pro, the program was uninstalled and reinstalled several times. Each installation had unique random naming as described above. The data files had unique file extensions for each installation.

The Security Response information indicates that a system scan with Symantec antivirus products will detect Spector and report it as spyware.[8] In the case examination, the evidence files were mounted as an emulated disk and a virus scan was run. The Spector Pro executable was not detected, nor were any of the associated files. Using this approach to identify the executable is not reliable. Frequent new build releases of the product with minor changes to the program may be intended to prevent identification by antivirus clients. It may be possible for antivirus clients to identify earlier versions and builds of Spector Pro. Additionally, using the MD5 hash of the executable for identification is unreliable. As expected, the hash is not consistent between program builds or between installations. Each installation of Spector Pro, using the same installation CD, resulted in a different hash value. The administrator installed the program on a single computer. A hash value was calculated on the executable. The program was uninstalled and reinstalled by the administrator, using the same configuration. A hash value was calculated on the second installation of the executable. The hash values did not match when compared.

Testing was conducted on Spector Pro 6.0, running the program both as the computer user and as the monitor of the user's activities. To further observe the effects of the software, multiple users were created and run on multiple test computers. The installation process was monitored with Windows Sysinternals' Regmon and Filemon to identify changes made during program installation. Several additional tools were used during the testing: Helix, Fool Moon's Windows Forensic Toolchest, USEC Radix, Neuber Security Task Manager, AccessData's FTK Imager, Guidance Software's EnCase Forensic Edition, Microsoft Virtual PC, and VMware Workstation. The Spector Pro monitoring application is not recorded in the system Prefetch. The viewing application is recorded in the system Prefetch after it has been run; however, the naming convention used by this application makes it difficult to identify. There may be little forensic value in locating the viewing application in Prefetch. The monitoring process is not listed in Windows Task Manager or in process monitoring applications such as Sysinternals Process Explorer. The monitoring (recording) application is run in memory from .DLL files and is not a process. They may be listed when the "ListDLLs" command is run. The random naming convention used by Spector camouflages the applications in the listed DLLs. It may be possible to locate one of the monitoring DLLs using a string search of the embedded comments in the DLLs located in the System32 folder.

The installation of six files and creation of one folder were identified during testing. The six files consist of an executable, which is approximately 6200 KB in size, and five .DLLs. All of these files are located in the Windows\System32 folder. Two files, the executable and one of the .DLLs, can be found using a keyword search with "Spector Pro" as the keyword. Additional keywords are "Stealth Mode", "Spector Startup", and "Spector Administrator". The latter two are not consistently found in the files, which may be attributable to different builds. The resulting keyword hits will be in plain text located near the middle of the file. The easiest technique for finding the executable on a live system is to sort the Explorer view by size and look for the executable that is listed at approximately 6200 KB. The other files will have the same MAC modified date. The executable that is found is the Admin Console (viewer and settings configuration application), which is used to access the data files, review the user's activities and set the monitoring parameters. (Figure 2 Illustration Keyword Hit)


Figure 2: Search hit in the viewer executable.

When Spector Pro is installed, one of the most important components that allows the monitoring to occur is its use of Windows\System32\Kernel32.dll. In the Windows OS, Kernel32.dll handles memory management, input/output operations and interrupts. When you start Windows, Kernel32.dll is loaded into a protected memory space so that other programs do not take over that memory space.[9] Locating Kernel32.dll and sorting on the MAC modified date in the System32 folder will group the seven files and one folder together for rapid identification. Hex and text views of the .DLLs show the common values for the file signature (DLL signature hex values \x4D \x5A \x90 \x00 \x03 \x00 \x00 \x00 and text value MZ·····), which is consistent with normal DLL signatures.

The MAC creation and modified dates do not accurately reflect the installation date of the program. The dates are consistent across the components of the installation. The dates appear to be tied to the installation dates of the operating system's (OS) DLL files. Each installation was uniquely tied to Kernel32.dll in the Windows\System32 folder. The MAC dates for the files created during installation are the same as the dates of Kernel32.dll. The data files saved by the Spector monitoring DLLs, even when they are added during later/subsequent computer use, are given the MAC dates associated with the installation. The dates recorded for the monitored activities are accurate when reported within the Spector Pro Admin Console.
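The size, keyword and Kernel32.dll timestamp indicators from the preceding paragraphs, combined into one triage routine over a System32 folder. This is an added illustration, not SpectorSoft's code or a tool used in the paper; the 10% size window, the "kbdsurv.dll" name, the timestamps and the whole sample tree are constructed assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# Plain-text strings the paper reports inside the Spector Pro executable and
# one of its DLLs (the last two vary by build).
KEYWORDS = (b"Spector Pro", b"Stealth Mode", b"Spector Startup",
            b"Spector Administrator")
EXE_SIZE_BYTES = 6200 * 1024   # paper: Admin Console is "approximately 6200 KB"
SIZE_TOLERANCE = 0.10          # assumption: +/-10% counts as "approximately"
# Paper: random six to twelve character name with a .exe or .dll extension.
RANDOM_NAME = re.compile(r"^[a-z]{6,12}\.(exe|dll)$", re.IGNORECASE)


def keyword_hits(path):
    """Return the paper's keywords found as plain text anywhere in the file."""
    data = path.read_bytes()
    return [k.decode() for k in KEYWORDS if k in data]


def triage_system32(system32):
    """Score each PE file in System32 on the paper's indicators: modified time
    identical to kernel32.dll, an .exe of roughly 6200 KB, and keyword hits.
    Returns {filename: [indicators]} for files with two or more indicators."""
    kernel32 = system32 / "kernel32.dll"
    anchor_mtime = int(kernel32.stat().st_mtime) if kernel32.exists() else None
    results = {}
    for entry in sorted(system32.iterdir()):
        if not entry.is_file() or not RANDOM_NAME.match(entry.name):
            continue
        with entry.open("rb") as f:
            if f.read(2) != b"MZ":   # Spector's files keep a normal PE header
                continue
        st = entry.stat()
        indicators = []
        if anchor_mtime is not None and int(st.st_mtime) == anchor_mtime:
            indicators.append("mtime_matches_kernel32")
        if (entry.suffix.lower() == ".exe"
                and abs(st.st_size - EXE_SIZE_BYTES) <= EXE_SIZE_BYTES * SIZE_TOLERANCE):
            indicators.append("size_about_6200KB")
        hits = keyword_hits(entry)
        if hits:
            indicators.append("keywords:" + ",".join(hits))
        if len(indicators) >= 2:
            results[entry.name] = indicators
    return results


def build_sample_tree(root):
    """Construct a fake System32 (not a real image) mirroring the paper's findings.
    "resoccal" is the Admin Console name from Figure 1; "kbdsurv" is a hypothetical
    monitoring DLL; msvcrt.dll stands in for an unrelated file with another mtime."""
    s32 = root / "System32"
    s32.mkdir()
    install_time = 1_200_000_000      # constructed epoch timestamp
    (s32 / "kernel32.dll").write_bytes(b"MZ\x90\x00\x03\x00\x00\x00" + bytes(64))
    body = bytearray(EXE_SIZE_BYTES)  # ~6200 KB with the keyword near the middle
    body[:2] = b"MZ"
    mid = len(body) // 2
    body[mid:mid + 11] = b"Spector Pro"
    (s32 / "resoccal.exe").write_bytes(body)
    (s32 / "kbdsurv.dll").write_bytes(b"MZ" + bytes(300) + b"Stealth Mode" + bytes(300))
    (s32 / "msvcrt.dll").write_bytes(b"MZ" + bytes(512))
    for name in ("kernel32.dll", "resoccal.exe", "kbdsurv.dll"):
        os.utime(s32 / name, (install_time, install_time))
    os.utime(s32 / "msvcrt.dll", (install_time - 86400, install_time - 86400))
    return s32


def demo():
    """Run the triage over the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_system32(build_sample_tree(Path(tmp)))
```

On a mounted evidence image, point `triage_system32` at the image's Windows\System32 folder; a lone timestamp match is deliberately not reported, since every file Windows installed alongside kernel32.dll shares it.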

Identification of running processes was attempted after the installation of Spector Pro. Sysinternals RootkitRevealer was run when logged on to the computer as a user. This utility returned no hits showing the presence of the monitoring software. Additionally, when Sysinternals Process Explorer was run, all processes listed appeared to be related to the Windows operating system. Webroot's Spy Sweeper was run. This utility returned no hits showing the presence of the monitoring software. USEC Radix Anti-RootKit,[10] a utility to identify and remove rootkits, was run. It did not identify Spector Pro processes or executables, but it did identify the data files. The Neuber Security Task Manager was run, and it identified the two DLLs which were running during monitoring.[11] When the Spector Pro Admin Console is initiated, the process is listed in Windows Task Manager as well as Process Explorer. (Figure 3 Process Explorer.)

Figure 3: Processes shown using Process Explorer while monitoring was being conducted.

The Spector Pro Admin Console executable can be run when the evidence file has been mounted as an emulated disk. When executed in this fashion an error will result, and none of the data files will be accessible. It is helpful, however, in identifying the executable, and from the program's "About" entry in the Help tab the software version and build can be identified. Testing showed this technique worked for Windows XP installations, but not for Windows Vista installations of Spector Pro. On a Windows Vista live examination, UAC (User Account Control) prevented launching the Admin Console from the executable in the System32 folder.

The folder that is created during installation is an empty folder that will become home to the Spector Pro data files. The folder will be empty until the computer is restarted after the installation of the program and the application begins its recording process. The recording process begins when a user logs on to the computer. No data files are created for users who have not logged on to the computer after the installation of Spector Pro. The data files have both Archive and Hidden attribute flags. They are also proprietary encrypted files. A 16-digit software serial number and a user password must be entered during installation. This same password is used later to access the program to view the recorded data. (Figure 4 Serial Number Entry)

Figure 4: The program setup requires the serial number key and an email address to install Spector Pro.

The data file naming convention is a random forty-digit filename using hexadecimal characters. The files also have a random extension that is an invalid (nonexistent) file type, such as the .pen, .qek, .qju, .nxt and .vto extensions, which have been identified for these data files (other test file extensions were observed but were not recorded). Each installation will have its own unique data file extension value. Different extension values were observed on a single system when deleted data files were present. An example of the filename scheme is "E9907B58E45B09005EEDE32B58FB40CB40A47E53.vto".

The life of the data files is set to 30 days by default. The monitoring user can reconfigure this during installation and/or by using the program's configuration settings after installation. Recovery of deleted data files may be required. Recovered data files that have been deleted will contain screen captures, but may not accurately present other collected data such as keystrokes. In the case examination, a screen capture showing a password entry did not have corresponding keystroke data. (Figure 5 Configuration Settings)

Figure 5: The Settings Configuration Menu from the Admin Console.

Spector Pro separates the data files by user and by session. The data files do not have a unique header/file signature. The beginning of the file has random hex/text values. However, beginning with the thirty-sixth byte of the file is user identification in plain text. This identification includes the network domain name, computer name, and user name. (Figure 6 Illustration File Hex View)

Figure 6: The domain name\computer name\user name entry begins at the 36th byte from the beginning of the file. In this example the computer does not have a network domain name, as one was not assigned, and this is reflected in the entry. The entry consistently begins with "L:" in the data file.

Included in the data folder is an additional file. Like the data files, it has the "Archive" and "Hidden" attribute flags. This file has the extension .ocx and records a log of Spector Pro activity.

The ???????.ocx file (where ? represents a random character) shows in plain text the domain\machine name\user, in a format consistent with the data files. Examination of the Spector Pro case (an earlier build than the one tested) revealed that while the domain and machine name were visible in the .ocx file, they did not appear in the data files, but the user name did appear (beginning at the 36th byte of the file).
The use of the .ocx extension seems consistent for the log file in all tests and in the case examination. The .ocx extension is incorrect, since the file is a log rather than an "Object Linking and Embedding (OLE) Control Extension". The correct hex values for the header of an OCX are \x4d \x5a \x90 \x00 \x03 \x00 \x00 \x00 (MZ...... in ASCII text). The .ocx as used in Spector is a plain-text file beginning with the accurate installation date of the application. The .ocx file can be used to identify a Spector Pro installation. It can provide artifacts for further processing, such as the domain name\machine name\user name information contained in the log, for identifying the data files and the possible use of Spector Pro.
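The data file naming pattern, the "L:" identity string at byte 36 and the text .ocx log described above, brought together as one inventory routine over an exported data folder. This is an added illustration, not code from the paper or from SpectorSoft; the tolerance for the 36th byte being offset 35 or 36, the date format assumed for the log, and every sample identity and file body are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Paper: forty hexadecimal characters plus a random three-letter extension.
DATA_NAME = re.compile(r"^[0-9A-F]{40}\.[a-z]{3}$", re.IGNORECASE)
# Paper: the "L:domain\machine\user" string starts at the 36th byte.  Whether
# that is offset 35 or 36 is ambiguous, so both are accepted (assumption).
IDENTITY_SEARCH = (35, 38)
# The .ocx log is stated to begin with the installation date; its exact date
# format is not given, so a loose numeric date pattern is assumed here.
DATE_AT_START = re.compile(rb"^\d{1,4}[/-]\d{1,2}[/-]\d{1,4}")


def read_identity(path):
    """Return (domain, machine, user) from the plain-text entry, or None.
    Domain is an empty string when the machine was not domain-joined."""
    head = path.read_bytes()[:300]
    start = head.find(b"L:", *IDENTITY_SEARCH)
    if start < 0:
        return None
    text = head[start + 2:].split(b"\x00", 1)[0].decode("ascii", "replace")
    parts = text.split("\\")
    return tuple(parts) if len(parts) == 3 else None


def is_spector_log(path):
    """True for a text .ocx that opens with a date; a real OCX starts with MZ."""
    head = path.read_bytes()[:32]
    return head[:2] != b"MZ" and DATE_AT_START.match(head) is not None


def inventory(folder):
    """Group data files by identity, list the distinct extensions (more than one
    points at files left from another installation), and locate the log file."""
    sessions, extensions, logs = {}, set(), []
    for entry in sorted(folder.iterdir()):
        if not entry.is_file():
            continue
        if entry.suffix.lower() == ".ocx" and is_spector_log(entry):
            logs.append(entry.name)
        elif DATA_NAME.match(entry.name):
            extensions.add(entry.suffix.lower())
            ident = read_identity(entry)
            key = "\\".join(ident) if ident else "<no identity>"
            sessions.setdefault(key, []).append(entry.name)
    return {"sessions": sessions, "extensions": sorted(extensions), "logs": logs}


def build_sample_folder(root):
    """Construct a fake data folder: "anserbat" is the folder name from the
    paper's Figure 1 and the first filename is the paper's own example; the
    identities, the .qek file, the log text and the decoy .ocx are invented."""
    folder = root / "anserbat"
    folder.mkdir()

    def data_file(name, identity):
        # 36 filler bytes stand in for the random header the paper describes.
        (folder / name).write_bytes(bytes(range(36)) + b"L:" + identity + b"\x00" + bytes(200))

    data_file("E9907B58E45B09005EEDE32B58FB40CB40A47E53.vto", b"\\LAB-PC\\alice")
    data_file("1234567890ABCDEF1234567890ABCDEF12345678.vto", b"\\LAB-PC\\alice")
    data_file("ABCDEF0123456789ABCDEF0123456789ABCDEF01.qek", b"CORP\\LAB-PC\\bob")
    (folder / "kqzrtw.ocx").write_bytes(b"01/15/2008 install\r\nL:\\LAB-PC\\alice\r\n")
    (folder / "decoy.ocx").write_bytes(b"MZ\x90\x00" + bytes(60))  # genuine OLE control header
    return folder


def demo():
    """Inventory the constructed folder and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory(build_sample_folder(Path(tmp)))
```

The `extensions` list is the quick check for mixed installations: the paper observed a second extension value only where deleted files from an earlier install were still present.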

There are a number of user-configurable options that can complicate the examination of Spector Pro. During the Spector Pro installation, and later once the application has been running, the user can change their password and, more importantly, the hot key combination used to initiate the Admin Console. In a Windows Vista installation the hot keys must be used to access the Admin Console, in normal use and in a live or emulated disk examination. If the user changes the OS default settings to "show hidden system files", the data files and log file will be visible in the Windows Explorer view.

The default setting for the screen capture images is a low-quality 4-bit gray scale; this setting minimizes storage space and write time for the data files. The Spector Pro monitoring process has no noticeable impact on system resources or performance at this setting, even on a system running with as little as 256 MB of RAM. The default storage allocation is 0.5 GB. At this setting the average computer user's activities will be recorded for approximately 30 days. The monitoring user can increase the screen capture quality, storage allocation and storage duration settings. No testing was conducted with other than the default settings. (Figure 7 Screen Capture)

Figure 7: The Admin Console showing a 4-bit screen capture.

Examination

The examination process will require examiners to first identify the use of Spector Pro. If there is no reason to suspect the program, it will probably go totally unnoticed. None of the recorded data appears in a typical examination process, such as a search for images or string search techniques for the typed keystrokes, since the data is encrypted. The encrypted data can only be decrypted using the Spector Pro application.

The USEC Radix utility has a "one click check" scan that identified the hidden Spector data files and the .ocx log file when run on a live system. The utility can be run on the system from a thumb drive. The use of this utility may be the most effective method to identify whether Spector has been running on a computer, without having developed information indicating its use. The Radix utility only supports Windows 2000 and Windows XP, while the Spector Pro application can be broadly deployed across multiple operating systems.

To access and view the data files, Spector Pro uses a combination of hot keys, Shift + Ctrl + Alt + S. When these keys are pressed after a user's login, a window appears requesting the password to log in to the Admin Console. Upon successful entry of the password the viewer opens and allows the monitoring individual to review the user activity. This opens the Admin Console and can be initiated by any user with administrator privileges who is logged on to the computer. (Figure 8 Login)

Figure 8: Double clicking on the executable, or using the hot key combination, will open the program after the password is entered.

Limited users cannot access the console, even when they know the hot key combination and the password. Once the Admin Console is opened, the activities of all users can be reviewed. The Admin Console has filtering available during the review session; it is possible to filter on an individual user, as well as other items. An alternative method of opening the Admin Console is to double click on the executable file in the Windows\System32 folder. If the user has changed the hot key combination, this may be the only way to access the console. This technique was prevented in Windows Vista by UAC, even when attempted using the right-click "Run as administrator" option.

The simplest and most effective method for examination of Spector Pro stored data is to export the data folder using a forensic application. The data files can then be opened using either the Admin Console, from a complete installation of Spector Pro, or a Spector Pro Viewer installation on an examination machine. The viewer client does not have the full functionality of the Admin Console. It cannot access the monitoring application settings and some other minor features that appeared to have little relevance for examination. Spector Pro removal must be completed through the Admin Console, using the password to access the uninstall option. The viewer client does not require the use of the password to access exported data.

While using native environment techniques to examine Spector Pro activities, the examiner needs to be aware of possible incorrect conclusions due to lack of context in interpretation. For instance, when a keystroke logger logs keystrokes it is necessary to determine whether the entries were used as search terms, file save names, passwords, etc. Without context the meaning of these items may be difficult to determine and possibly misleading. (Figure 9 Keystroke Logging)

Figure 9: The keystrokes are recorded. Here they were from .pdf search entries, and are shown in the "Formatted" view. The "Raw" view will show additional keystrokes, such as the "Shift" and "Enter" keys. In undeleted data files the keystrokes were not accurately displayed with their corresponding screen captures.

During my research, I spoke to individuals at SpectorSoft, and they were helpful in my examination of their product. I found additional information in the Spector Pro Online Help files that indicated the viewer client was available to be installed using the setup disk (these options were also observed during setup). With the viewer it is possible to use exported data files and view them on another computer. Unlimited installation of the viewer component of their product is allowed under their End User Licensing Agreement (EULA). However, the EULA strictly limits the installation of the complete application used for monitoring.


References

[1] Wikipedia, Spyware definition, http://en.wikipedia.org/wiki/Spyware (retrieved 2/17/2008)

[2] ibid.

[3] Wikipedia, Spyware – Adware and Tracking definition, http://en.wikipedia.org/wiki/Spyware#Spyware.2C_adware_and_tracking (retrieved 2/17/2008)

[4] Spector Pro Product Information, http://www.spectorsoft.com/products/SpectorPro_Windows/index.html (retrieved 2/16/2008)

[5] ibid.

[6] Symantec Security Threat Research, Spyware.Spector, http://www.symantec.com/security_response/writeup.jsp?docid=2003-080715-0321-99 (retrieved 2/16/2008)

[7] ibid.

[8] ibid.

[9] http://www.neuber.com/taskmanager/process/kernel32.dll.html (retrieved 2/26/2008)

[10] USEC Radix Software, http://www.usec.at/rootkit.html (retrieved 2/17/2008)

[11] http://www.neuber.com/taskmanager (retrieved 2/26/2008)
