Forensic Analysis of Spector Pro - Cacci.net
Abstract
SpectorPro is computer Spyware/monitoring software, which is produced by the
SpectorSoft Company. SpectorPro is marketed as software to monitor activities of
children or employees. It is designed to be invisible to the computer user in order to
avoid detection, but this results in a significant challenge for forensic examination. This
paper is the result of research in how to identify and examine SpectorPro.
SpectorPro is the monitoring component of SpectorSoft's offerings. They also have an
application called "eBlaster", which monitors and emails the user activity to the person
monitoring an individual. eBlaster has some advantages to the Forensic Examiner,
because it sends emails that are easily found in an examination. The emails appear in
an unencrypted format and are easily viewed and documented. This paper only deals
with the SpectorPro monitoring application, which is more difficult to identify, process
and examine.
Don L. Lewis
Forensic Computer Analyst
Lakewood Police Department
Lakewood Colorado
February 29, 2008
Introduction
"Spyware is computer software that is installed surreptitiously on a personal computer to
intercept or take partial control over the user's interaction with the computer, without the
user's informed consent.”[1]
“While the term Spyware suggests software that secretly monitors the user's behavior,
the functions of Spyware extend well beyond simple monitoring. Spyware programs can
collect various types of personal information, but can also interfere with user control of
the computer in other ways, such as installing additional software, redirecting Web
browser activity, accessing websites blindly that will cause more harmful viruses, or
diverting advertising revenue to a third party. Spyware can even change computer
settings, resulting in slow connection speeds, different home pages, and loss of Internet
or other programs. In an attempt to increase the understanding of Spyware, a more
formal classification of its included software types is captured under the term privacy-
invasive software."[2]
There are essentially two types of applications that fall under the Spyware label,
malware and monitoring software. The malware is typically installed by a download or
Internet activity, without the intent of the user. The purpose is to monitor the activities of
a user, and target Internet advertising and email SPAM. "Spyware — by design —
exploits infected computers for commercial gain. Typical tactics furthering this goal
include delivery of unsolicited pop-up advertisements; theft of personal information
(including financial information such as credit card numbers); monitoring of
Web-browsing activity for marketing purposes; or routing of HTTP requests to advertising
sites."[3] Monitoring software is typically installed as a security tool, by someone with
administrative privileges for the computer without the user’s knowledge, and is used to
conduct surveillance of the user’s activities.
SpectorPro software is utilized in a number of ways. Monitoring employees’ online
activities in a corporate setting and monitoring activities of children on computers in the
home are the expected uses of the software. It can be used in criminal activities to
access personal information of victims for identity theft. It can be used by stalkers and
in domestic violence situations to monitor a victim’s personal activities and
communications. Probation officials use it to monitor individuals convicted of computer
crimes and sexual assaults. It is in a probation monitoring situation that I came to
examine a SpectorPro case.
When a probation client uses a computer, as a condition of their probation, they agree
to have their activities monitored. The probation client is required to provide their
computer to their probation officer on a routine basis for review. SpectorPro is the
application that the probation office chose to use as their monitoring software.
Research and Testing
This testing utilized SpectorPro 6.0 build 1265. The tested software was a later build of
the program than the case examination. The case results appeared consistent with the
testing that was conducted.
"How Does it Work?
Once installed, the person who installed SpectorPro can configure it to capture the
screen contents at configurable intervals and then store the captures in a hidden
location on the hard drive for later viewing. Screen capturing is one of several different
recording features that can be configured.
Spector works by taking a snapshot of whatever is on the computer screen and saves it
away in a hidden location on your computer's hard drive. A few seconds later, Spector
takes another picture. In fact, Spector can automatically take a picture of your computer
screen as frequently as once per second or based on user activity."[4]
"What Does Spector Record?
You get recordings of all chat conversations, instant messages, e-mails typed and read,
all websites visited, all programs/applications run, all keystrokes typed - EVERYTHING
they do on the computer and on the Internet."[5]
SpectorPro is, by design, hidden from the user. It is not installed in the "Program Files"
folder as most computer applications. It is installed in the Windows\System32 file path.
The SpectorPro executable is disguised to look very similar to a number of other files in
Windows\System32 folder. This disguise makes it harder to find. It does not use
"SpectorPro" as the executable name. It uses a random name made up of six to twelve
characters, with either .exe or .dll as its extension. (Figure 1, Explorer View of
System32 .exe files)
Explorer view of executable and dll files in the Windows\System32 folder. The Spector
monitoring file shown here as “resoccal”, allows a user to run the Admin Console. The
tool tip entry showing the created date is not consistent with the date of the program
installation. The data folder, “anserbat” can be seen in the explorer tree. These file and
folder names are random and unique to each installation.
Symantec Security Response "Spyware.Spector" states that the installed application
name is a two-word combination from the following list; xml, wsock, wow, and/or wiz,
using .exe or .dll as the extension.[6] In both my testing and case examination, I found
this not to be accurate. There is additional information indicating that the program uses
a longer list of over one hundred words that are concatenated, to make registry values
pointing to files created by the application.[7] This suggests a greater number of words
available for SpectorSoft’s application. The names created by installation, during my
testing and the case examination, were not consistent with the published list on
Symantec's website. Letters used in the filename did not appear in the word list.
Each installation of the program will result in different names for the files and folders
related to SpectorPro. The application was installed on both Windows XP and
Windows Vista computers. The default selections were made on each installation and
“remove the installer” was always selected. To test the randomness of the naming
convention for both the application and data components of SpectorPro, the program
was uninstalled and reinstalled several times. Each installation had unique random
naming as described above. The data files had unique file extensions for each
installation.
The Security Response information indicates that a system scan with Symantec
Antivirus products will detect Spector and report it as Spyware.[8] In the case
examination, the evidence files were mounted as an emulated disk and a virus scan
was run. The SpectorPro executable was not detected, nor were any of the associated
files. Using this approach to identify the executable is not reliable. Frequent new build
releases of the product using minor changes to the program may be intended to prevent
identification by antivirus clients. It may be possible to identify earlier versions and
builds of SpectorPro by antivirus clients. Additionally, use of the MD5 Hash of the
executable for identification is unreliable. As expected, the hash is not consistent
between program builds and installations. Each installation of SpectorPro, using the
same installation CD, resulted in a different hash value. The administrator installed the
program on a single computer. A hash value was calculated on the executable. The
program was uninstalled and reinstalled, by the administrator, using the same
configuration. A hash value was calculated on the second installation of the executable.
The hash values did not match when compared.
Testing was conducted on SpectorPro 6.0, running the program both as the computer
user and the monitor of the user's activities. To further observe the effects of the
software, multiple users were created and run on multiple test computers. The
installation process was monitored with Windows Sysinternals’ Regmon and Filemon, to
identify changes made during program installation. Several additional tools were used
during the testing; Helix, Fool Moon's Windows Forensic Tool Chest, USEC Radix,
Neuber Security Task Manager, AccessData's FTK Imager, Guidance Software's
EnCase Forensic Edition, Microsoft Virtual PC, and VMWare Workstation. The Spector
Pro monitoring application is not recorded in the system Prefetch. The viewing
application is recorded in the system Prefetch after it has been run, however, the
naming convention used by this application makes it difficult to identify. There may be
little forensic value in locating the viewing application in Prefetch. The monitoring
process is not listed in Windows Task Manager, or process monitoring applications such
as SysInternals Process Explorer. The monitoring (recording) application is run in
memory from .DLL files, and is not a process. They may be listed when the
“ListDLLs” command is run. The random naming convention used by Spector camouflages the
applications in the listed DLLs. It may be possible to locate one of the monitoring DLLs
using a string search of the embedded comments in the DLLs located in the System32
folder.
The installation of six files and creation of one folder were identified during testing. The
six files consist of an executable, which is approximately 6200 KB in size, and five
.DLLs. All of these files are located in the Windows\System32 folder. Two files, the
executable and one of the .DLLs, can be found using a keyword search with "Spector
Pro" as the keyword. Additional keywords are "Stealth Mode", "Spector Startup", and
"Spector Administrator". The latter two are not consistently found in the files, which may
be attributable to different builds. The resulting keyword hits will be in plain text located
near the middle of the file. The easiest technique for finding the executable, on a live
system, is to sort the explorer view by size and look for the executable that is listed at
approximately 6200KB. The other files will have the same MAC Modified Date. The
executable that is found is the Admin Console (viewer and settings configuration
application), which is used to access the data files, review the user's activities and set
the monitoring parameters. (Figure 2 Illustration Keyword Hit)
Search hit in the viewer executable.
When SpectorPro is installed one of the most important components, which allows the
monitoring to occur, is its use of the Windows\System32\Kernel32.dll. In the Windows
OS the Kernel32.dll handles memory management, input/output operations and
interrupts. When you start Windows, the Kernel32.dll is loaded into a protected memory
space so that other programs do not take over that memory space.[9] Locating the
Kernel32.dll and sorting on the MAC modified date in the System32 folder will group
the seven files and one folder together for rapid identification. Hex and text views of
the .DLLs show the common values for the file signature (DLL signature hex values
\x4D \x5A \x90 \x00 \x03 \x00 \x00 \x00 and text value MZ ·····. This is consistent with
the normal DLL signatures).
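The two System32 techniques described above (grouping on Kernel32.dll's modified date, then keyword searching the grouped files) can be scripted against an exported or mounted copy of the folder. This is an added example, not code from the paper or from any tool it names; the UTF-16 keyword variant, the one-second tolerance, the function names and the sample file "sampledll.dll" are assumptions, and the sample folder is constructed.

```python
import os
from pathlib import Path

# Keywords reported in the paper; the last two were not found in every build.
KEYWORDS = ("Spector Pro", "Stealth Mode", "Spector Startup",
            "Spector Administrator")


def keyword_hits(data):
    """Return the keywords present as ASCII or (assumption) UTF-16LE text."""
    return [kw for kw in KEYWORDS
            if kw.encode("ascii") in data or kw.encode("utf-16-le") in data]


def triage_system32(system32, tolerance=1.0):
    """List folders and .exe/.dll files whose modified time matches kernel32.dll."""
    entries = sorted(Path(system32).iterdir())
    kernel = next((p for p in entries if p.name.lower() == "kernel32.dll"), None)
    if kernel is None:
        raise FileNotFoundError("kernel32.dll not found in " + str(system32))
    reference = kernel.stat().st_mtime
    report = []
    for path in entries:
        if path == kernel or abs(path.stat().st_mtime - reference) > tolerance:
            continue
        if path.is_dir():
            # The data folder carries the same date as the installed files.
            report.append({"name": path.name, "kind": "folder",
                           "size_kb": 0, "hits": []})
        elif path.suffix.lower() in (".exe", ".dll"):
            report.append({"name": path.name, "kind": "file",
                           "size_kb": path.stat().st_size // 1024,
                           "hits": keyword_hits(path.read_bytes())})
    return report


def build_sample_system32(folder):
    """Create a constructed stand-in for System32 (no real binaries)."""
    root = Path(folder)
    stamp = 1_100_000_000  # constructed timestamp shared with kernel32.dll
    samples = {
        "kernel32.dll": b"MZ\x90\x00" + bytes(64),
        # "resoccal" and "anserbat" are the example names in the paper's Figure 1.
        "resoccal.exe": b"MZ\x90\x00" + bytes(2048) + b"Spector Pro" + bytes(2048),
        "sampledll.dll": b"MZ\x90\x00" + "Stealth Mode".encode("utf-16-le"),
        "notepad.exe": b"MZ\x90\x00" + bytes(64),
    }
    for name, data in samples.items():
        (root / name).write_bytes(data)
        os.utime(root / name, (stamp, stamp))
    # An unrelated file with a different modified date must not be grouped.
    os.utime(root / "notepad.exe", (stamp + 86400, stamp + 86400))
    (root / "anserbat").mkdir()
    os.utime(root / "anserbat", (stamp, stamp))


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_system32(tmp)
        for row in triage_system32(tmp):
            print(row)
```

Treat the grouped entries as candidates only; the keyword hits and the roughly 6200 KB executable size reported above narrow the list.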
The MAC Creation and Modified dates do not accurately reflect the installation date of
the program. The dates are consistent across the components of the installation. The
dates appear to be tied to installation dates in the Operating Systems (OS) DLL files.
Each installation was uniquely tied to the Kernel32.dll in the Windows\System32 folder.
The MAC dates for the files created during installation are the same as the dates of the
Kernel32.dll. The data files saved by the Spector Monitoring DLLs, even when they are
added during later/subsequent computer use, are given the MAC dates associated with
the installation. The dates recorded for the activities monitored, are accurate when
reported within the SpectorPro Admin Console.
Identification of running processes was attempted after the installation of SpectorPro.
SysInternals Root Kit Revealer was run when logged on to the computer as a user.
This utility returned no hits showing the presence of the monitoring software.
Additionally, when SysInternals Process Explorer was run, all processes listed
appeared to be related to the Windows Operating System. Webroot's SpySweeper was
run. This utility returned no hits showing the presence of the monitoring software.
USEC Radix Anti-RootKit,[10] a utility to identify and remove root kits was run. It did not
identify SpectorPro processes or executables, but it did identify the data files. The
Neuber Security Task Manager was run, and it identified the two DLLs, which were
running during monitoring.[11] When the SpectorPro Admin Console is initiated the
process is listed in the Windows Task Manager, as well as Process Explorer. (Figure 3
Process Explorer.)
Processes shown using process explorer while monitoring was being conducted.
The SpectorPro Admin Console executable can be run when the evidence file has
been mounted as an emulated disk. When executed in this fashion, an error will result,
and none of the data files will be able to be accessed. It is helpful, however, in
identifying the executable, and from the program “about” in the help tab the software
version and build can be identified. Testing showed this technique worked for Windows
XP installations, but not for Windows Vista installations of SpectorPro. On a Windows
Vista live examination, UAC (User Access Control) prevented launching the Admin
Console from the executable in the System32 folder.
The folder that is created during installation is an empty folder that will become home to
the SpectorPro data files. The folder will be empty until the computer is restarted, after
the installation of the program, and the application begins its recording process. The
recording process begins when a user logs on to the computer. No data files are
created for users that have not logged on to the computer after the installation of
SpectorPro. The data files have both Archive and Hidden attribute flags. They are also
proprietary encrypted files. A 16-digit software serial number and a user password must
be entered during installation. This same password is used later to access the program
to view the recorded data. (Figure 4 Serial Number Entry)
The program setup requires the serial number key and an email address, to install
SpectorPro.
The data file naming convention is a random forty-digit filename using hexadecimal
characters. They also have a random extension that is an invalid (nonexistent) file type
(Such as .pen, .qek, .qju, .nxt and .vto extensions, which have been identified for these
data files. Other test file extensions were observed but were not recorded). Each
installation will have its own unique data file extension value. Different extension values
were observed on a single system, when deleted data files were present. An example
of the filename scheme is "E9907B58E45B09005EEDE32B58FB40CB40A47E53.vto".
The life of the data files is set to 30 days by default. The monitoring user can
reconfigure this, during installation and/or by using the program's configuration settings
after installation. Recovery of deleted data files may be required. Recovered data files
that have been deleted will contain screen captures, but may not accurately present
other collected data such as keystrokes. In the case examination, a screen capture
showing a password entry did not have corresponding keystroke data. (Figure 5
Configuration Settings)
The Settings Configuration Menu from the Admin Console.
SpectorPro separates the data files by user and by session. The data files do not have
a unique header/file signature. The beginning of the file has random hex/text values.
However, beginning with the thirty-sixth byte of the file is user identification in plain text.
(Figure 6 Illustration File Hex View)
The domain name\computer name\user name entry begins at the 36th byte from the
beginning of the file. In this example the computer does not have a network domain
name, as one was not assigned, and is reflected in this entry. The entry consistently
begins with “L:” in the data file.
This identification includes network domain name, computer name, and user name.
Included in the data folder is an additional file. Like the data files it has the "Archive"
and "Hidden" attribute flags. This file has an extension .ocx, and records a log of
SpectorPro activity.
The ???????.ocx file (where ? represents a random character) in plain text shows the
domain\machine name\user, in format consistent with the data files. Examination of the
SpectorPro case (earlier build than the one tested) revealed that while domain and
machine name were visible in the .ocx file, they did not appear in the data files, but the
user name did appear (beginning at the 36th byte of the file).
The use of the .ocx extension seems consistent for the log file in all tests and in the
case examination. The .ocx extension is incorrect for this file: it is a log rather than an
"Object Linking and Embedding (OLE) Control Extension". The correct hex values for
the header in an OCX are \x4d \x5a \x90 \x00 \x03 \x00 \x00 \x00 (MZ...... in ASCII text).
The .ocx as used in Spector is a .txt file beginning with the accurate installation date of
the application. The .ocx file can be used to identify a SpectorPro installation. It can
provide artifacts for further processing, such as the information contained in the log
domain name\machine name\user name for identifying the data files, and possible use
of SpectorPro.
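The data-folder artifacts described above (forty-hex-character file names, the plain-text identity at the 36th byte, and an .ocx file that lacks the MZ header) can be checked in one pass over an exported data folder. This is an added example, not code from the paper or from SpectorSoft; the three-letter extension pattern, the single-byte ASCII reading of the identity string, the function names and every sample file's contents are assumptions or constructed values.

```python
import re
from pathlib import Path

# 40 hex characters plus an extension; three letters is an assumption drawn
# from the extensions the paper lists (.pen, .qek, .qju, .nxt, .vto).
DATA_NAME = re.compile(r"^[0-9A-Fa-f]{40}\.[A-Za-z]{3}$")
ID_OFFSET = 35      # the 36th byte, counted from zero
MAX_ID_LEN = 260    # assumed upper bound on the identity string length


def printable_run(buf):
    """Return the leading run of printable ASCII bytes (assumed encoding)."""
    end = 0
    while end < len(buf) and 0x20 <= buf[end] <= 0x7E:
        end += 1
    return buf[:end].decode("ascii")


def triage_data_folder(folder):
    """Report candidate data files and text-only .ocx log files."""
    findings = {"data_files": [], "log_candidates": []}
    for path in sorted(Path(folder).iterdir()):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            head = fh.read(ID_OFFSET + MAX_ID_LEN)
        if path.suffix.lower() == ".ocx":
            # A genuine OLE control is a PE file and starts with "MZ"; the
            # log is text, so an .ocx without "MZ" is the anomaly to report.
            if not head.startswith(b"MZ"):
                first = head.split(b"\n", 1)[0].decode("latin-1").strip()
                findings["log_candidates"].append(
                    {"name": path.name, "first_line": first})
        elif DATA_NAME.match(path.name):
            identity = printable_run(head[ID_OFFSET:])
            findings["data_files"].append({
                "name": path.name,
                "extension": path.suffix,
                "identity": identity,
                # The earlier build in the case showed only the user name here.
                "has_l_prefix": identity.startswith("L:"),
            })
    return findings


def build_sample_folder(folder):
    """Write constructed files; none of this is real SpectorPro data."""
    root = Path(folder)
    filler = bytes(range(0x80, 0x80 + ID_OFFSET))  # 35 non-text bytes
    record = filler + b"L:\\LABPC\\examuser" + b"\x00" + bytes(64)
    # File name taken from the paper's example of the naming scheme.
    (root / "E9907B58E45B09005EEDE32B58FB40CB40A47E53.vto").write_bytes(record)
    (root / "qzrtmvw.ocx").write_bytes(
        b"02/16/2008 10:15:00 constructed log line\r\nsecond line\r\n")
    (root / "realctl.ocx").write_bytes(b"MZ\x90\x00\x03\x00\x00\x00" + bytes(32))
    (root / "notes.txt").write_bytes(b"unrelated")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_folder(tmp)
        for kind, rows in triage_data_folder(tmp).items():
            for row in rows:
                print(kind, row)
```

Confirm the identity string's encoding in a hex view before relying on the extracted value, and compare the extensions reported across files, since deleted data files from an earlier installation can carry a different extension.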
There are a number of user configurable options that can complicate the examination of
SpectorPro. During the SpectorPro installation and later once the application has been
running, the user can change their password, and more importantly, the hot key
combination to initiate the admin console. In a Windows Vista installation the hotkeys
must be used to access the Admin Console, in normal use, and in a live or an emulated
disk examination. If the user changes the OS default settings, to “show hidden system
files”, the data files and log file will be visible in the Windows Explorer view.
The default setting for the screen capture images is a low quality 4 Bit gray scale; this
setting minimizes storage space and write time for the data files. The SpectorPro
monitoring process has no noticeable impact on system resources or performance at
this setting, even on a system running as little as 256MB RAM. The default storage
allocation is .5GB. At this setting the average computer user’s activities will be recorded
for approximately 30 days. The monitoring user can increase the screen capture
quality, storage allocation and the storage duration settings. No testing was conducted
with other than the default settings. (Figure 7 Screen Capture)
The Admin Console showing a 4 Bit screen capture.
Examination
The examination process will require examiners to first identify the use of SpectorPro.
If there is no reason to suspect the program, it will probably go totally unnoticed. None
of the recorded data appears in a typical examination process, such as a search for
images or string search techniques for the typed keystrokes, since the data is
encrypted. The encrypted data can only be decrypted using the SpectorPro
application.
The USEC Radix utility has a "one click check" scan that identified the hidden Spector
stored data files and the .ocx log file, when run on a live system. The utility can be run
on the system from a thumb drive. The use of this utility may be the most effective
method to identify whether Spector has been running on a computer, without having
developed information indicating its use. The Radix utility only supports Windows 2000
and Windows XP, while the SpectorPro application can be broadly deployed across
multiple operating systems.
To access and view the data files SpectorPro uses a combination of hot keys, Shift +
Ctrl + Alt + S. When these keys are pushed after a user's login, a window appears
requesting the password to login to the Admin Console. Upon successful entry of the
password the viewer opens and allows the monitoring individual to review the user
activity. This opens the Admin Console and can be initiated from any user having
administrator privileges logged on the computer. (Figure 8 Login)
Double clicking on the executable, or using the hot key combination will open the
program, after the password is entered.
Limited users cannot access the console, even when they know the hot key
combination and the password. Once the Admin Console is opened the activities of all
users can be reviewed. The Admin Console has filtering available during the review
session; it is possible to filter on an individual user, as well as other items. An alternative
method of opening the Admin Console is to double click on the executable file in the
Windows\System32 folder. If the user has changed the hot key combination, this may
be the only way to access the console. This technique was prevented in Windows Vista
by UAC, even when attempted using the right click “run as administrator” option.
The simplest and most effective method for examination of SpectorPro stored data is to
export the data folder, using a forensic application. The data files can then be opened
using either the Admin Console, from a complete installation of SpectorPro, or a Spector
Pro Viewer installation, on an examination machine. The viewer client does not have
the full functionality of the Admin Console. It cannot access the monitoring application
settings and some other minor features that appeared to have little relevance for
examination. SpectorPro removal must be completed through the Admin Console,
using the password to access the uninstall option. The viewer client does not require
the use of the password to access exported data.
While using native environment techniques to examine SpectorPro activities the
examiner needs to be aware of possible incorrect conclusions due to lack of context in
interpretation. For instance when a keystroke logger logs keystrokes it is necessary to
determine if the entries are used as search terms, file save names, passwords, etc.
Without context the meaning of these items may be difficult to determine, and possibly
misleading. (Figure 9 Keystroke Logging)
The keystrokes are recorded. Here they were from .pdf search entries, and are shown
in the “Formatted” view. The “Raw” view will show additional keystrokes, such as “Shift”
and “Enter” keys. In undeleted data files the keystrokes were not accurately displayed
with their corresponding screen captures.
During my research, I spoke to individuals at SpectorSoft, and they were helpful in my
examination of their product. I found additional information in the SpectorPro Online
Help files that indicated the viewer client was available to be installed using the setup
disk (these options were also observed during setup). With the viewer it is possible to
use exported data files and view them on another computer. Unlimited installation of
the viewer component of their product is allowed under their End User Licensing
Agreement (EULA). However, the EULA strictly limits the installation of the complete
application used for monitoring.
References
1 Wikipedia Spyware definition, http://en.wikipedia.org/wiki/Spyware (retrieved
2/17/2008)
2 ibid.
3 Wikipedia Spyware – Adware and Tracking definition,
http://en.wikipedia.org/wiki/Spyware#Spyware.2C_adware_and_tracking (retrieved
2/17/2008)
4 SpectorPro Product Information,
http://www.spectorsoft.com/products/SpectorPro_Windows/index.html (retrieved
2/16/2008)
5 ibid.
6 Spyware.Spector Symantec Security Threat Research,
http://www.symantec.com/security_response/writeup.jsp?docid=2003-080715-0321-99
(retrieved 2/16/2008)
7 ibid.
8 ibid.
9 http://www.neuber.com/taskmanager/process/kernel32.dll.html (retrieved 2/26/2008)
10 USEC Radix Software, http://www.usec.at/rootkit.html (retrieved 2/17/2008)
11 http://www.neuber.com/taskmanager (retrieved 2/26/2008)