![]() HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\" Here is an example from one of the installations: A random GUID is generated and placed in the HKLM\Softwae\Classes\CLSID key. The eBlaster software itself is all coontrolled by several. The above method is the simplest manner to locate active logs generated from eBlaster, as well as fragments in unallocated, MFT records and $LogFile. A simple GREP search of "#/#/#:#:#:" would find this logfile, regardless of it's name, with minimal false positive hits. ![]() The timestamp format is always "hh:mm:ss:". The datestamp format is always "mm/dd/yyyy". Some of the lines above have been word-wrapped by the blog, but normally each line in this text file will begin with the datestamp then the timestamp. 12:56:00: (SHR,EXPLORER) PacketProcessorEB::CreatePacketXML: Sending settings to server. 12:56:00: (EBR,EXPLORER) IPC Message pump started. 12:56:00: (EBR,EXPLORER) Windows XP Home Edition Service Pack 1 () 12:56:00: (EBR,EXPLORER) Start Monitor - User lance on REG-OIPK81M2WC8 12:56:00: (AGT,EXPLORER) Initializing process for file C:\WINDOWS\explorer.exe Recording App 1 Blocking App 1 The log file has some very predictable text can easily be detected using a grep search: The log file is a simple ASII text file and commonly had a. The file is always in the root of the randomly generated folder under "\windows\system32". One of the easiest ways to "detect" whether eBlaster has been installed, is to attempt to locate a simple text logfile that is created by the program. dll files dropped into the "\windows\system32" folder. Each installation I performed, caused all of these files and folders to get random names. The eighth file is in the subfolder named "canunsec" seen above. The image below is an example of a folder randomly named "subitvox" under the "\windows\system32" folder: dll's or files with misleading file extensions. ![]() There are eight files installed into this folder during the installation, of which one is an executable (admin control panel), while the rest or either. In all of my testing the software always installs some of the required files into a randomly named subfolder located in the "\windows\system32" folder. The eBlaster program uses some random folder/file naming techniques to make it a little more difficult to detect or locate. Installation of eBlaster is fairly simple and merely requires a registration key and an email address to where the activity reports will be sent. and then to send a report of that activity via email: The main function of the program is to record all user activity such as screenshots, emails, instant messages, etc. ![]() The following is some basic oberservations of a forensic analysis of a computer with eBlaster installed.ĮBlaster can be installed remotely (SpectorPro cannot) by preconfiguring it with all the necessary options and then sent or given to someone to be installed. The software is frequently changed so it remains undetectable by common anti-virus software. The main differences between the two is eBlaster is designed for remote installations and reports of activity to be delivered by email, whereas SpectorPro is designed for someone who has physical access to the monitored computer to review the reports.ĮBlater and Spector Pro are very powerful. They also make a product named Spector Pro, which is very similar. EBlaster is computer monitoring software offered by SpectorSoft.
0 Comments
Leave a Reply. |