Need help - with a divorce forensics case.

nelsonm (Michigan, USA)
I have a client that wants me to find keyloggers and other spyware that their ex-spouse may have put on his computer.

The client admitted they had run their virus protection program to scan and clean the drive of whatever they found in a panic, but still wants me to try and find the keylogger and determine where the data was being sent.

I told the client that it may no longer be possible to find the keylogger or any other information on the system since they had it disinfected - but that I'd try. After all, the client paid a lot of non-refundable cash up front just for me to try.

The first thing I'll try is data recovery using R-Studio data recovery software to try and find any and all deleted files on the system.

1 - I would like any advice on how to proceed from those that have done this type of work before.

2 - Although I will do research of my own, I would like to know what type and names of spy software are out there suitable for spying in divorce cases.

Thanks,

A keylogger that they "MAY" have put on there? I hope they aren't just paranoid. I guess I would do as already suggested, and clone the drive, or at least make an image of it and play with that. Turn off the computer if you haven't already, and I don't mean nicely, yank the plug to not overwrite anything else. (Hopefully you did that already.) I would look at deleted files, certainly a start. I would also search for unique strings, perhaps something like their username or password, something that would stand out from the random garbage that would be in documents and the keylogger file from the keyboard. You'd find my username a lot easier on a hard drive than something less obscure.

I'm not a forensic guy so I can only give you my thoughts. Interesting topic though.
 
@purple minion,
I guess I would do as already suggested, and clone the drive, or at least make an image of it and play with that
I know what imaging is but what's the difference between cloning and imaging?

abe
 

The terms are typically used to describe the same thing. However, the core difference is usually that an image is a copy of all relevant data, whereas a clone is a sector-by-sector copy of the entire partition or drive.

Cloning and imaging are similar in that they can both make exact copies of your hard drive's contents. When you clone a drive, you turn a second drive into a copy of the first. With imaging, you create a very large backup file from which you can recreate the drive's contents at a later date, either onto the original drive or another one.

http://www.pcworld.idg.com.au/article/305130/should_image_hard_drive_clone_it
 

Well I myself view cloning as taking an exact copy of everything from one hard drive to another. I see imaging as taking a copy of that hard drive and placing it into a file. My reason for suggesting imaging is that you can save that image to another hard drive in a filesystem and work on it there if you don't want to sacrifice a whole drive to that task. Or perhaps you don't have one big enough. Much like an ISO is an image of a CD, and you can mount it to read or modify it, copy it from one directory/drive/ftp, etc. You could also create a checksum of the original drive and image to show it is unaltered. You might even try and create an ECC file such as a par2 file, in case you perhaps get a bad sector at the wrong time you can recover.

Again just my thoughts, perhaps these are all invalid? Perhaps they aren't needed and I'm making it more complicated? I suppose it depends on how important this is to her (and directly related to how much you are making on this! ;)

EDIT: If you picked to do an image you would obviously want to include ALL free space and not just the data in use, otherwise you'd skip right over those deleted files.
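The sector-for-sector image, the checksum to show it is unaltered, and the unique-string search suggested earlier in the thread, as an added example that is not code from any poster: the device paths, the 512-byte block size and the constructed sample drive are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread): sector-for-sector imaging of an
# evidence drive, hash verification of the copy, and a search of the image for
# a string the owner would recognize. Paths and the sample drive are assumptions.
set -eu

# image_drive SRC DST: copy every sector, free space included, then hash both
# sides. Returns 0 only when the image hashes identical to the source.
image_drive() {
    src="$1"; dst="$2"
    # bs=512 matches the sector size; conv=noerror,sync keeps going past an
    # unreadable sector and pads it with zeros so later data stays at the
    # same offsets (a bad sector is logged on stderr rather than aborting).
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>"$dst.dd.log"
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    # keep the hashes beside the image as the record that the copy is unaltered
    printf '%s  source\n%s  image\n' "$src_hash" "$dst_hash" >"$dst.sha256"
    [ "$src_hash" = "$dst_hash" ]
}

# find_string IMAGE PATTERN: print the byte offset of each occurrence of PATTERN
# anywhere in the image, allocated or unallocated space alike. grep -a treats the
# binary image as text; -b -o reports the offset of each match.
find_string() {
    grep -a -o -b -- "$2" "$1" | cut -d: -f1
}

# make_sample_drive OUT: constructed stand-in for the evidence drive (not real
# data): four zeroed 512-byte sectors with a username planted mid-sector 3,
# where a deleted keylogger file's contents might still sit in free space.
make_sample_drive() {
    dd if=/dev/zero of="$1" bs=512 count=4 2>/dev/null
    printf 'alice_user' | dd of="$1" bs=1 seek=1100 conv=notrunc 2>/dev/null
}

# Usage on the constructed sample (a real case would use the raw device, e.g.
# /dev/sdb, as SRC and an image file on a larger drive as DST):
if [ "${1:-}" = "demo" ]; then
    make_sample_drive /tmp/evidence.bin
    image_drive /tmp/evidence.bin /tmp/evidence.dd && echo "image verified"
    find_string /tmp/evidence.dd alice_user
fi
```

Because the copy is sector-for-sector, the string search covers free space too, which is where a file that the antivirus deleted would still leave its contents.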
 
OK, I see what you mean. I would just image the drive sector for sector, and work on the image using any recovery software; most imaging apps allow you to attach the HD as an external drive and you can then do your recovery. No need to sacrifice an HD.
 
Here's one I have worked with before - I suggest you install the free trial, and take a good look at how the program hides itself. You can then use this knowledge to help you know what to look for.
 

Well, say the woman's drive is 160 GB. Say you don't have any spare drives that big at the moment, however you have a nice juicy 1 TB drive that has loads of space. You could create an image on your 1 TB drive, not move any of your files off that 1 TB drive and still work on the forensic case. That is all I meant by "sacrificing" a drive. Also, you might need to keep this image/clone around for a while, you might be called into court. I have no idea how that works, but I would assume they'd say that you found the keylogger (or didn't if he catches wind of it.)
 
Try to find any *.exe deleted recently with GetDataBack
to see what type of logger it was, then try to see the log naming scheme
to dig up the old logs.
 
Also, let's not forget something I have read in this forum a few times.

Unless you have a private investigator license it may be illegal to look for files used for spying. And if that is the case and you are found out, what would become of you?

This is just what I remember reading here somewhere.
 
I don't know your level of expertise in forensic recovery, but I am assuming you're not an expert, hence your post. If I am wrong, I apologize.

What you have is potential evidence and should be treated as such. If you're not familiar with your local laws, you or your customer should consult an attorney as there may be stringent guidelines (such as chain of custody and discovery requirements) for the work you are about to perform.

If it were me, I would have to turn the customer away. My lack of forensic knowledge would probably disqualify any testimony and perhaps even have the evidence dismissed.

(My $0.02, not legal advice)
 
Thanks for all your input. I will consult with my attorney first. However, it wouldn't hurt to clone the drive first. Micro Center has some cheap OEM drives I can use.

The trick is knowing what to search for. I have looked up some websites selling various spy software and thought of calling them to ask what to search for.

I also realize that I would have to first install a program to log all installed files from the installation of these spy software programs.

Keep your suggestions coming and I'll post my progress.
 
Ok folks... Update....

On the advice of my attorney, I should not perform computer forensics on the hard drive for a whole host of legal reasons and issues, not the least of which:

- proof of ownership
- a warrant may be needed
- privacy issues
- being subpoenaed
- being countersued
- indirect cause of injury or death

Leave it to the client's attorney and a certified computer forensics lab.

So, I have returned the drive to the client with a refund without having performed any forensics.

End of Story! :eek:
 

Indirect cause of death? So the husband gets ****** off and kills her, and it's on your shoulders? Or the wife kills the mistress?
 
1 in 4 machines I scan have keyloggers; keyloggers are just about everywhere on the internet. Lots of hackers like CC numbers, bank passwords, etc.

Identity theft is the main reason for all these keyloggers; it's good business for crooks. Chances are they got the keylogger from a bad site, i.e. free porn, rogue search engine and flash ads on some bad sites.
 
If a customer hires you to disinfect their computer, that's one thing. However, in the eyes of the law, being hired by one person to discover information about someone that does not own the computer is another issue altogether.

Also, can you imagine if it got out that your company provided information that directly or indirectly got someone injured or killed! Not good for business. :(
 