Windows 10 Keylogger

5 Posts
4 Users
0 Likes
875 Views
wilx
(@wilx)
Posts: 16
Active Member
Topic starter
 

Hi guys,

I have been burdened with the task of determining if windows, in fact, has an application running within that logs all the information a user types. I did some research and found out that the autologger service may be collecting certain telemetry information to aid microsoft.

My question is, are we able to locate and interpret the collected information in a way that can aid forensic examiners?

 
Posted : 27/01/2017 11:14 pm
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

Well, that all depends on the collected information.

If you want to see if a keylogger is installed, you can try opening up a console window and holding down a key for a minute or two. Check timestamps of files created to try to determine if anything is logged. Repeat and exclude.

Most keyloggers also use hooks and make lots of API noise and can be caught that way. I'm not sure if Process Monitor from Sysinternals can help, but you can give it a try.

https://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

 
Posted : 29/01/2017 6:18 am
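The "hold a key, then check file timestamps, repeat and exclude" test above can be made repeatable with a baseline-and-diff script. The following is an added example, not code from the thread or from any poster: it snapshots file sizes and write times under a set of directories, waits while the examiner types in another window, snapshots again and reports files that were created or grew. The watched directories and the exclusion pattern are assumptions chosen for illustration; an examiner would adjust both after a few "repeat and exclude" rounds.

```powershell
# Added example (not from the thread): baseline-and-diff version of the
# "hold a key and check timestamps" test.
# Assumptions: run as the interactive user on Windows 10; $watch and $noise
# below are illustrative choices, not values from the thread.

function Get-FileSnapshot {
    param([string[]]$Paths)
    # Map full path -> size and last write time (UTC) for every file under $Paths.
    $snap = @{}
    foreach ($root in $Paths) {
        if (-not (Test-Path -Path $root)) { continue }
        $files = Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue
        foreach ($f in $files) {
            $snap[$f.FullName] = @{ Length = $f.Length; Written = $f.LastWriteTimeUtc }
        }
    }
    return $snap
}

function Compare-FileSnapshot {
    param([hashtable]$Before, [hashtable]$After, [string]$ExcludePattern)
    # Emit one record per file that appeared or changed between the snapshots.
    foreach ($path in $After.Keys) {
        if ($ExcludePattern -and $path -match $ExcludePattern) { continue }
        if (-not $Before.ContainsKey($path)) {
            [pscustomobject]@{ Path = $path; Change = 'created'; DeltaBytes = $After[$path].Length }
        } elseif ($After[$path].Written -ne $Before[$path].Written -or
                  $After[$path].Length  -ne $Before[$path].Length) {
            [pscustomobject]@{ Path = $path; Change = 'modified'
                               DeltaBytes = $After[$path].Length - $Before[$path].Length }
        }
    }
}

# Illustrative watch list: user-writable locations where a logging component
# would plausibly write. Widen or narrow it per case.
$watch = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:ProgramData)

# Illustrative noise filter; grow it after each "repeat and exclude" round.
$noise = '\\Microsoft\\Windows\\(INetCache|WebCache|Explorer)\\'

$before = Get-FileSnapshot -Paths $watch
Write-Host 'Baseline taken. Hold a key in another window for a minute, then press Enter here.'
[void](Read-Host)
$after = Get-FileSnapshot -Paths $watch

# A file whose growth tracks the number of keystrokes is the thing to look at;
# a file that changes identically with and without typing is noise to exclude.
Compare-FileSnapshot -Before $before -After $after -ExcludePattern $noise |
    Sort-Object -Property DeltaBytes -Descending |
    Format-Table -Property Change, DeltaBytes, Path -AutoSize
```

Run the script twice, once while typing and once while idle; anything that only grows during the typing run deserves a closer look, and anything that changes in both runs goes into the exclusion pattern for the next round.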
(@athulin)
Posts: 1156
Noble Member
 

My question is, are we able to locate and interpret the collected information in a way that can aid forensic examiners?

Well, the autologger you seem to refer to is intended to trace booting problems. Not sure what use that would be forensically.

The mechanism is (I believe) the internal Windows event tracing mechanism, which uses an in-memory buffer structure and may also use an external file for storage. The file should be named something.etl and can be placed anywhere. However, there's no requirement to use a file. You could just log to buffers, and then send full buffers over the network.

There is a system call QueryAllTraces() that may be useful. It returns all EVENT_TRACE_PROPERTIES blocks that have been registered (and that you are allowed to see). That includes pointers to file names and other info. You can find the GUIDs for such traces by the EnumerateTraceGuidsEx() call. There is sample code available from MSDN if you feel like testing.

This is a fairly arcane area of Windows software development, so … best chances to learn everything about this, I think, to ask Microsoft for suitable courses that cover it. I would suspect it's covered in DDK courses, but … it's not an area I've set foot in much myself.

The Event Tracing (ETW) reference manual is available at MSDN. And the contents of .etl files seem to be standardized and readable with MS tools.

But … on the other hand … anyone wanting to snoop would be somewhat silly to allow an event tracing session to be easily traceable. I'm sure there are many other technical possibilities.

An examination of the mechanisms used in existing keyloggers might be useful as starting information.

 
Posted : 29/01/2017 2:16 pm
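The post above describes the two places a tracing session leaves evidence: the autologger configuration that starts sessions at boot, and the running session's properties (output file, enabled providers) that QueryAllTraces() would return. The following is an added example, not code from the thread or from Microsoft: it reads the autologger registry key directly and parses the output of the standard logman.exe tool instead of calling QueryAllTraces() from C, so an examiner can see which sessions exist, whether each writes to a .etl file or only to buffers, and how many providers feed it. The registry key and the logman command line are standard Windows components; the exact layout of logman's text output is assumed from the common "Name:", "Output Location:" and "Provider:" line format.

```powershell
# Added example (not from the thread): locate ETW sessions and their .etl
# output on a Windows 10 host.
# Assumptions: elevated PowerShell on Windows 10; logman.exe present (standard);
# logman's detail output uses "Output Location:" and "Provider:" lines.

function Get-AutologgerRegistryConfig {
    # Autologger sessions are declared under this key and started at boot
    # by the kernel, before any user-mode logger. This is the configuration,
    # not the runtime state.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger'
    foreach ($key in (Get-ChildItem -Path $root -ErrorAction SilentlyContinue)) {
        $p = Get-ItemProperty -Path $key.PSPath
        [pscustomobject]@{
            Name        = $key.PSChildName
            Start       = $p.Start        # 1 = start at boot, 0 = disabled
            FileName    = $p.FileName     # .etl path; empty = buffers only
            LogFileMode = if ($null -ne $p.LogFileMode) { '0x{0:X}' -f $p.LogFileMode } else { $null }
            Guid        = $p.Guid
        }
    }
}

function Get-RunningTraceSession {
    # Runtime state: sessions currently running, as reported by logman.
    # 'logman query -ets' lists them as "<Name>   Trace   Running".
    $names = @()
    foreach ($line in (& logman.exe query -ets 2>$null)) {
        if ($line -match '^(?<name>\S.*?)\s{2,}Trace\s+Running\s*$') { $names += $Matches.name }
    }
    foreach ($n in $names) {
        $output = $null; $providers = @()
        foreach ($line in (& logman.exe query "$n" -ets 2>$null)) {
            if ($line -match '^Output Location:\s*(.*)$') { $output = $Matches[1].Trim() }
            elseif ($line -match '^Provider:\s*(.+)$')   { $providers += $Matches[1].Trim() }
        }
        [pscustomobject]@{
            Name           = $n
            OutputLocation = $output        # empty = in-memory buffers only
            ProviderCount  = $providers.Count
            Providers      = $providers
        }
    }
}

Write-Host '== Autologger sessions configured to start at boot =='
Get-AutologgerRegistryConfig | Where-Object { $_.Start -eq 1 } |
    Format-Table -Property Name, FileName, LogFileMode, Guid -AutoSize

Write-Host '== Running ETW sessions: output file and provider count =='
Get-RunningTraceSession | Sort-Object -Property Name |
    Format-Table -Property Name, OutputLocation, ProviderCount -AutoSize

# Sessions that write to a file are the ones whose collected data can be
# picked up from disk; buffer-only sessions have to be examined live.
Write-Host '== Running sessions that write to a .etl file =='
Get-RunningTraceSession | Where-Object { $_.OutputLocation } |
    Format-Table -Property Name, OutputLocation -AutoSize
```

The two lists answer the question in the post in two halves: the registry half says what is configured to start, the logman half says what is actually running and where its .etl file is, if it has one. A session with an empty Output Location is the buffers-only case described above and leaves nothing on disk to collect.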
wilx
(@wilx)
Posts: 16
Active Member
Topic starter
 

Hi Guys,

Thanks for your response and apologies for the delay in responding.

I appreciate the effort to assist, however, the alleged "keylogger" is the one mentioned in several articles that mention Windows 10's technical preview was shipped with the capabilities to log keystrokes. It was said that this was for telemetry purposes and the plan was to discontinue it however the same articles suggest that this feature was still shipped with the OEM.

http://www.pcworld.com/article/2974057/windows/how-to-turn-off-windows-10s-keylogger-yes-it-still-has-one.html

I have been maintaining that the title "keylogger" is misleading, however, I still get questions from my superiors saying that they need evidence that it does not exist or cannot be accessed.

Thanks again,

 
Posted : 16/02/2017 6:29 am
Novunix
(@novunix)
Posts: 35
Eminent Member
 

It's not that kind of "keylogger".

It is really how the computer is used, not what the computer is used for.

https://www.onmsft.com/news/relax-windows-10-doesnt-have-a-malicious-keylogger

 
Posted : 17/02/2017 1:01 am