Use your own “Flame” spyware for investigations

Aug 06, 2012 | 5 mins
Investigation and Forensics, Malware

Digital forensics software, remote access tools, and other tools to aid corporate investigations

Logging onto your computer, you are greeted with a screen full of statistics in easy-to-read bar and pie graphs. One graph in particular quickly catches your attention. Out of hundreds of users, one computer is being flagged for sending large amounts of data to a server in Iran.

With a double click of your mouse, you are now watching the user attach an external drive to his system and log into a proxy website to transfer encrypted confidential files to a foreign server — something your own corporate firewall would have missed. With a few more clicks of the mouse you log into his live machine and forensically capture the documents for your review.


With the solid evidence of your suspect leaking classified files to an unknown person, you plant a digital tracking device within his own documents to follow them to their final destination. As a final confirmation, the suspect’s work cell phone is tapped and GPS coordinates in combination with SMS text messages prove his guilt.

Sounds like the new state-sponsored spyware “Flame”, but actually it’s a combination of programs that have been on the market for years and can help your corporate investigations.

Although the media have been reporting the recently discovered and formally outed spy tool Stuxnet and its intel-collecting brother, Flame, as powerful and miraculous tools, hackers and others in the industry aren’t impressed. Flame and its multiple payloads have been around for at least a decade in various combinations of malware and software-for-sale.

Known as RATs, or remote access tools, these programs are as complex and extraordinary as Flame in their data-stealing abilities. Paid and free programs are available that can capture the user’s screenshots and keystrokes, download files, view webcams, listen to laptop microphones, and offer other features that give you full control of the user’s system without their knowledge.

Here are a few that investigators can start using now to quickly gather evidence of wrongdoing within their organizations’ walls.

Spectorsoft offers multiple spyware tools to protect your data and investigate your suspect’s wrongdoing. Spectorsoft’s 360 is an enterprise-level monitoring tool that captures all activity on your employees’ computers (screenshots, chats, emails, file uploads, printing, and more) and places it into a database full of specialized exception reporting.

Want to know who is printing too many documents, putting files on a USB drive, or uploading bulk data to a remote server? 360 will show you in an easy-to-read format. One click on the flagged suspect and you can see video of his evildoing as if you were looking over his shoulder.

If you are looking for a tool to use on a case-by-case basis or for a personal (wife, kids) matter, try Spector CNE or eBlaster for the same features on an individual basis. Spectorsoft even offers the same quality tool for smartphones. Install their mobile program for monitoring of phone calls, GPS, text messages and more. Prices start at $69 depending on program and number of users. Monitoring can also be done with many open source programs and cheap tools like Cybergate.

For cell phone monitoring, Flexispy expands well past Spectorsoft’s cell phone monitoring, and may cross legal lines depending on your jurisdiction or company policy. Instead of just the basics of GPS locations, SMS capturing and phone log tracking, Flexispy lets you listen to phone calls, use the phone as a covert microphone in your suspect’s room, and more.

Free cell phone monitoring tools can always be found on iTunes and the Android app store as well.

Once evidence is observed from your RAT, third-party tools like Guidance Software’s EnCase Enterprise, AccessData’s FTK, or Imager, with proper network settings, can covertly and forensically copy your suspects’ complete or partial computer system so you can retain and analyze evidence back at your own computer. Like Spectorsoft and other malware, these tools place a node on the user’s computer to quickly provide access to begin the imaging process remotely. Although download speeds vary, using them on a private network can easily get transfer rates above 500mbs, allowing you to complete a full image in a few hours or a handful of files in seconds. [Read more about these tools in Digital forensics software: The usual suspects.]

As an added trick, document tracking can be covertly conducted using invisible HTML code hidden in PDFs, Microsoft documents and other files. Using a combination of the remote imaging tools mentioned above, select RATs, or your own network configuration, your suspect’s documents can be downloaded, opened to insert a tracking code, and placed back on the user’s computer. Subsequently, any time the document is opened — even after transferring to another computer — the end user’s IP address and system information can be collected, much like web counters and cookies do today for people surfing the web. This can be a significant piece of evidence to show your confidential file is on an unauthorized system.
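The remote reference that makes this kind of tracking work can also be audited in files you receive or hold as evidence. The following is an added example, not part of the original article: it assumes the reference is stored as an external relationship in an Office Open XML package (one way such documents point at remote content), and the sample package, `tracker.example` and `DOC-0001` are constructed values.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

def external_references(doc_bytes):
    """List (part, rel_type, target, may_load_on_open) for external http(s) relationships."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".rels"):
                continue
            # Stdlib parser for brevity; for untrusted files a hardened
            # parser such as defusedxml is preferable.
            root = ET.fromstring(pkg.read(part))
            for rel in root.iter("{%s}Relationship" % PKG_NS):
                target = rel.get("Target", "")
                if rel.get("TargetMode") != "External":
                    continue  # internal part of the package, nothing leaves the machine
                if not target.lower().startswith(("http://", "https://")):
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                # Hyperlinks are followed on click; other types (linked image,
                # attached template, ...) can be fetched when the file is opened.
                findings.append((part, rel_type, target, rel_type != "hyperlink"))
    return findings

def build_sample():
    """Constructed sample package; tracker.example and DOC-0001 are made-up values."""
    rel = '<Relationship Id="%s" Type="' + DOC_NS + '/%s" Target="%s"%s/>'
    ext = ' TargetMode="External"'
    xml = ('<Relationships xmlns="' + PKG_NS + '">'
           + rel % ("rId1", "image", "https://tracker.example/p.png?id=DOC-0001", ext)
           + rel % ("rId2", "hyperlink", "https://www.example.com/", ext)
           + rel % ("rId3", "styles", "styles.xml", "")
           + "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/_rels/document.xml.rels", xml)
    return buf.getvalue()

if __name__ == "__main__":
    for part, rel_type, target, on_open in external_references(build_sample()):
        print("REVIEW" if on_open else "info  ", rel_type, target, "in", part)
```

An entry flagged for review with a per-document identifier in its URL is the pattern the paragraph above describes; ordinary hyperlinks are listed for context only.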

Before you start using these powerful tools, check your local laws and your company’s internet/phone monitoring policy, including employees’ expectation of privacy rights. Together these four “payloads” can be used in the same fashion Flame has been spying on Iranian computer systems to get evidence and intelligence for your own investigations at a level that will make the NSA jealous.

Brandon Gregg is a corporate investigations manager.