Spector Professional Edition for Windows v3.10 serial key or number

 Now in its fourth edition, the Handbook has become synonymous with excellence in providing cutting edge research on educational communications and technology to the information and communication technology community. This Handbook is written for researchers in educational communication and technology, professors of instructional design and instructional technology as well as professionals working in the fields of ICT, Learning Sciences, Educational Technology, IT, and ID. In addition, it has been and will continue to be an invaluable reference for academic and professional libraries.

 Under the sponsorship of the Association for Educational Communications and Technology (AECT), an international cadre of authors has been assembled representing the absolute best in the field. Expanded from 56 to 74 chapters, topics covered range from methodology, instructional strategies, assessment, design models, implementation and technology integration. A full 15 chapters are devoted to examining the future of the field, including robust discussions of new and emerging technologies and the fostering of ICT research in the developing world.  This completely expanded and updated Handbook will become an indispensible addition to the field; anyone with an interest in the field of educational communications and technology will find their library enriched for including it.

• J. Michael Spector
• M. David Merrill
• Jan Elen
• M. J. Bishop

1. 1., Department of Learning Technologies, CUniversity of North TexasDentonUSA
2. 2.St. GeorgeUSA
3. 3., Centr. Instructiepsychol.&-technologieK.U. LeuvenLeuvenBelgium
4. 4.BethlehemUSA

Bibliographic information

About the Author

WAYNE THOMAS BATSON is the Bestselling author of ten adventure novels including the fan favorite DOOR WITHIN TRILOGY, the pirate duo ISLE OF SWORDS and ISLE OF FIRE, and the new 7-book fantasy epic DARK SEA ANNALS. A middle school Reading and English teacher for 23 years, Batson loves to challenge—and be challenged by—his students. So, when he began writing stories to supplement the school district’s curriculum, it was his students who taught their teacher a lesson. Batson’s students were so taken by one of the stories that, over a thirteen year span, they pushed him to make it into a full-length novel. That story became The Door Within. Since then, Batson’s students continue to be his frontline editors. Says Batson, “Two things you can count on from middle school students: Intelli-gence and Honesty. Kids are so much more perceptive than a lot of us ‘Big Folk’ give them credit for. And when something’s not right in the story, they’ll tell you about in very clear terms.” Batson lives in Maryland with his wonderful wife of twenty years and four incredible teenage children. "God has blessed me with a remarkable family," Batson says. "Not perfect. But intelligent, fun, faithful, loyal, and entertaining." With over half a million books in print, Batson believes his books appeal to so many kids and adults because, at a deep level, we all long to do something that matters, and we all dream of another world. --This text refers to the paperback edition.

ForensicAnalysisofSpectorPro

Abstract

SpectorPro is computer Spyware/monitoring software, which is produced by the

SpectorSoft Company. SpectorPro is marketed as software to monitor activities of

children or employees. It is designed to be invisible to the computer user in order to

avoid detection, but this results in a significant challenge for forensic examination. This

paper is the result of research in how to identify and examine SpectorPro.

SpectorPro is the monitoring component ofSpectorSoft's offerings. They also have an

application called "eBlaster", which monitors and emails the user activity to the person

monitoring an individual. eBlaster has some advantages to the Forensic Examiner,

because it sends emails that are easily found in an examination. The emails appear in

an unencrypted format and are easily viewed and documented. This paper only deals

with the SpectorPro monitoring application, which is more difficult to identify, process

and examine.

Don L. Lewis

Forensic Computer Analyst

Lakewood Police Department

Lakewood Colorado

February 29, 2008

Introduction

"Spyware is computer software that is installed surreptitiously on a personal computer to

intercept or take partial control over the user's interaction with the computer, without the

user's informed consent.”[1]

“While the term Spyware suggests software that secretly monitors the user's behavior,

the functions of Spyware extend well beyond simple monitoring. Spyware programs can

collect various types of personal information, but can also interfere with user control of

the computer in other ways, such as installing additional software, redirecting Web

browser activity, accessing websites blindly that will cause more harmful viruses, or

diverting advertising revenue to a third party. Spyware can even change computer

settings, resulting in slow connection speeds, different home pages, and loss of Internet

or other programs. In an attempt to increase the understanding of Spyware, a more

formal classification of its included software types is captured under the term privacy-

invasive software."[2]

There are essentially two types of applications that fall under the Spyware label,

malware and monitoring software. The malware is typically installed by a download or

Internet activity, without the intent of the user. The purpose is to monitor the activities of

a user, and target Internet advertising and email SPAM. "Spyware — by design —

exploits infected computers for commercial gain. Typical tactics furthering this goal

include delivery of unsolicited pop-up advertisements; theft of personal information

(including financial information such as credit card numbers); monitoring of Web-

owsing activity for marketing purposes; or routing of HTTP requests to advertising

sites."[3] Monitoring software is typically installed as a security tool, by someone with

administrative privileges for the computer without the user’s knowledge, and is used to

conduct surveillance of the user’s activities.

SpectorPro software is utilized in a number of ways. Monitoring employee’s online

activities in a corporate setting and monitoring activities of children on computers in the

home are the expected uses of the software. It can be used in criminal activities to

access personal information of victims for identity theft. It can be used by stalkers and

in domestic violence situations to monitor a victim’s personal activities and

communications. Probation officials use it to monitor individuals convicted of computer

crimes and sexual assaults. It is in a probation monitoring situation that I came to

examine a SpectorPro case.

When a probation client uses a computer, as a condition of their probation, they agree

to have their activities monitored. The probation client is required to provide their

computer to their probation officer on a routine basis for review. SpectorPro is the

application that the probation office chose to use as their monitoring software.

Research and Testing

This testing utilized SpectorPro 6.0 build 1265. The tested software was a later build of

the program than the case examination. The case results appeared consistent with the

testing that was conducted.

"How Does it Work?

Once installed, the person who installed SpectorPro can configure it to capture the

screen contents at configurable intervals and then store the captures in a hidden

location on the hard drive for later viewing. Screen capturing is one of several different

recording features that can be configured.

Spector works by taking a snapshot of whatever is on the computer screen and saves it

away in a hidden location on your computer's hard drive. A few seconds later, Spector

takes another picture. In fact, Spector can automatically take a picture of your computer

screen as frequently as once per second or based on user activity."[4]

"What Does Spector Record?

You get recordings of all chat conversations, instant messages, e-mails typed and read,

all websites visited, all programs/applications run, all keystrokes typed - EVERYTHING

they do on the computer and on the Internet."[5]

SpectorPro is, by design, hidden from the user. It is not installed in the "Program Files"

folder as most computer applications. It is installed in the Windows\System32 file path.

The SpectorPro executable is disguised to look very similar to a number of other files in

Windows\System32 folder. This disguise makes it harder to find. It does not use

"SpectorPro" as the executable name. It uses a random name made up of six to twelve

characters, with either .exe or .dll as its extension. (Figure 1, Explorer View of

System32 .exe files)

Explorer view of executable and dll files in the Windows\System32 folder. The Spector

monitoring file shown here as “resoccal”, allows a user to run the Admin Console. The

tool tip entry showing the created date is not consistent with the date of the program

installation. The data folder, “anserbat” can be seen in the explorer tree. These file and

folder names are random and unique to each installation.

Symantec Security Response "Spyware.Spector" states that the installed application

name is a two-word combination from the following list; xml, wsock, wow, and/or wiz,

using .exe or .dll as the extension.[6] In both my testing and case examination, I found

this not to be accurate. There is additional information indicating that the program uses

a longer list of over one hundred words that are concatenated, to make registry values

pointing to files created by the application.[7] This suggests a greater number of words

available for SpectorSoft’s application. The names created by installation, during my

testing and the case examination, were not consistent with the published list on

Symantec's website. Letters used in the filename did not appear in the word list.

Each installation of the program will result in different names for the files and folders

related to SpectorPro. The application was installed on both Windows XP and

Windows Vista computers. The default selections were made on each installation and

“remove the installer” was always selected. To test the randomness of the naming

convention for both the application and data components ofSpectorPro, the program

was uninstalled and reinstalled several times. Each installation had unique random

naming as described above. The data files had unique file extensions for each

installation.

The Security Response information indicates that a system scan with Symantec

Antivirus products will detect Spector and report it as Spyware.[8] In the case

examination, the evidence files were mounted as an emulated disk and a virus scan

was run. The SpectorPro executable was not detected, nor were any of the associated

files. Using this approach to identify the executable is not reliable. Frequent new build

eleases of the product using minor changes to the program may be intended to prevent

identification by antivirus clients. It may be possible to identify earlier versions and

builds ofSpectorPro by antivirus clients. Additionally, use of the MD5 Hash of the

executable for identification is unreliable. As expected the hash is not consistent

between program builds, and installations. Each installation ofSpectorPro, using the

same installation CD, resulted in a different hash value. The administrator installed the

program on a single computer. A hash value was calculated on the executable. The

program was uninstalled and reinstalled, by the administrator, using the same

configuration. A hash value was calculated on the second installation of the executable.

The hash values did not match when compared.

Testing was conducted on SpectorPro 6.0, running the program both as the computer

user and the monitor of the user's activities. To further observe the affects of the

software multiple users were created and run on multiple test computers. The

installation process was monitored with Windows Sysinternals’ Regmon and Filemon, to

identify changes made during program installation. Several additional tools were used

during the testing; Helix, Fool Moon's Windows Forensic Tool Chest, USEC Radix,

Neuber Security Task Manager, AccessData's FTK Imager, Guidance Software's

EnCase Forensic Edition, Microsoft Virtual PC, and VMWare Workstation. The Spector

Pro monitoring application is not recorded in the system Prefetch. The viewing

application is recorded in the system Prefetch after it has been run, however, the

naming convention used by this application makes it difficult to identify. There may be

little forensic value in locating the viewing application in Prefetch. The monitoring

process is not listed in Windows Task Manager, or process monitoring applications such

as SysInternals Process Explorer. The monitoring (recording) application is run in

memory from .DLL files, and is not a process. They may be listed when command to

“ListDLLs” is run. The random naming convention used by Spector, camouflages the

applications in the listed DLLs. It may be possible to locate one of the monitoring DLLs

using a string search of the embedded comments in the DLLs located in the System32

folder.

The installation of six files and creation of one folder were identified during testing. The

six files consist of an executable, which is approximately 6200 KB in size, and five

.DLLs. All of these files are located in the Windows\System32 folder. Two files, the

executable and one of the .DLLs, can be found using a keyword search with "Spector

Pro" as the keyword. Additional keywords are "Stealth Mode", "Spector Startup", and

"Spector Administrator". The latter two are not consistently found in the files, which may

be attributable to different builds. The resulting keyword hits will be in plain text located

near the middle of the file. The easiest technique for finding the executable, on a live

system, is to sort the explorer view by size and look for the executable that is listed at

approximately 6200KB. The other files will have the same MAC Modified Date. The

executable that is found is the Admin Console (viewer and settings configuration

application), which is used to access the data files, review the user's activities and set

the monitoring parameters. (Figure 2 Illustration Keyword Hit)

Search hit in the viewer executable.

When SpectorPro is installed one of the most important components, which allows the

monitoring to occur, is its use of the Windows\System32\Kernel32.dll. In the Windows

OS the Kernel32.dll handles memory management, input/output operations and

interrupts. When you start Windows, the Kernel32.dll is loaded into a protected memory

space so that other programs do not take over that memory space.[9] Locating the

Kernel32.dll and sorting on the MAC modified date in the System32 folder will group

the seven files and one folder together for rapid identification. Hex and text views of

the .DLLs show the common values for the file signature (DLL signature hex values

\x4D \x5A \x90 \x00 \x03 \x00 \x00 \x00 and text value MZ ·····. This is consistent with

the normal DLL signatures).

The MAC Creation and Modified dates do not accurately reflect the installation date of

the program. The dates are consistent across the components of the installation. The

dates appear to be tied to installation dates in the Operating Systems (OS) DLL files.

Each installation was uniquely tied to the Kernel32.dll in the Windows\System32 folder.

The MAC dates for the files created during installation are the same as the dates of the

Kernel32.dll. The data files saved by the Spector Monitoring DLLs, even when they are

added during later/subsequent computer use, are given the MAC dates associated with

the installation. The dates recorded for the activities monitored, are accurate when

reported within the SpectorPro Admin Console.

Identification of running processes was attempted after the installation ofSpectorPro.

SysInternals Root Kit Revealer was run when logged on to the computer as a user.

This utility returned no hits showing the presence of the monitoring software.

Additionally, when SysInternals Process Explorer was run, all processes listed

appeared to be related to the Windows Operating System. Webroots SpySweeper was

run. This utility returned no hits showing the presence of the monitoring software.

USEC Radix Anti-RootKit,[10] a utility to identify and remove root kits was run. It did not

identify SpectorPro processes or executables, but it did identify the data files. The

Neuber Security Task Manager was run, and it identified the two DLLs, which were

running during monitoring.[11] When the SpectorPro Admin Console is initiated the

process is listed in the Windows Task Manager, as well as Process Explorer. (Figure 3

Process Explorer.)

Processes shown using process explorer while monitoring was being conducted.

The SpectorPro Admin Console executable can be run when the evidence file has

been mounted as an emulated disk. When executed in this fashion, an error will result,

and none of the data files will be able to be accessed. It is helpful, however, in

identifying the executable, and from the program “about” in the help tab the software

version and build can be identified. Testing showed this technique worked for Windows

XP installations, but not for Windows Vista installations ofSpectorPro. On a Windows

Vista live examination, UAC (User Access Control) prevented launching the Admin

Console from the executable in the System32 folder.

The folder that is created during installation is an empty folder that will become home to

the SpectorPro data files. The folder will be empty until the computer is restarted, after

the installation of the program, and the application begins its recording process. The

recording process begins when a user logs on to the computer. No data files are

created for users that have not logged on to the computer after the installation of

SpectorPro. The data files have both Archive and Hidden attribute flags. They are also

proprietary encrypted files. A 16-digit software serial number and a user password must

be entered during installation. This same password is used later to access the program

to view the recorded data. (Figure 4 Serial Number Entry)

The program setup requires the serial number key and an email address, to install

SpectorPro.

The data file naming convention is a random forty-digit filename using hexadecimal

characters. They also have a random extension that is an invalid (nonexistent) file type

(Such as .pen, .qek, .qju, .nxt and .vto extensions, which have been identified for these

data files. Other test file extensions were observed but were not recorded). Each

installation will have its own unique data file extension value. Different extension values

were observed on a single system, when deleted data files were present. An example

of the filename scheme is "E9907B58E45B09005EEDE32B58FB40CB40A47E53.vto".

The life of the data files is set to 30 days by default. The monitoring user can

reconfigure this, during installation and/or by using the programs configuration settings

after installation. Recovery of deleted data files may be required. Recovered data files

that have been deleted will contain screen captures, but may not accurately present

other collected data such as keystrokes. In the case examination, a screen capture

showing a password entry did not have corresponding keystroke data. (Figure 5

Configuration Settings)

The Settings Configuration Menu from the Admin Console.

SpectorPro separates the data files by user and by session. The data files do not have

a unique header/file signature. The beginning of the file has random hex/text values.

However, beginning with the thirty-sixth byte of the file is user identification in plain text.

(Figure 6 Illustration File Hex View)

The domain name\computer name\user name entry begins at the 36 th byte from the

beginning of the file. In this example the computer does not have a network domain

name, as one was not assigned, and is reflected in this entry. The entry consistently

begins with “L:” in the data file.

This identification includes network domain name, computer name, and user name.

Included in the data folder is an additional file. Like the data files it has the "Archive"

and "Hidden" attribute flags. This file has an extension .ocx, and records a log of

SpectorPro activity.

The ???????.ocx file (where ? represents a random character) in plain text shows the

domain\machine name\user, in format consistent with the data files. Examination of the

SpectorPro case (earlier build than the one tested) revealed that while domain and

machine name were visible in the .ocx file, they did not appear in the data files, but the

user name did appear (beginning at the 36th byte of the file).

The use of the .ocx extension seems consistent for the log file in all tests and in the

case examination. While .ocx is an incorrect file extension, it is a log rather than an

"Object Linking and Embedding (OLE) Control Extension". The correct hex values for

the header in an OCX is \x4d \x5a \x90 \x00 \x03 \x00 \x00 \x00 (MZ...... in ASCII text).

The .ocx as used in Spector is a .txt file beginning with the accurate installation date of

the application. The .ocx file can be used to identify a SpectorPro installation. It can

provide artifacts for further processing, such as the information contained in the log

domain name\machine name\user name for identifying the data files, and possible use

ofSpectorPro.

There are a number of user configurable options that can complicate the examination of

SpectorPro. During the SpectorPro installation and later once the application has been

running, the user can change their password, and more importantly, the hot key

combination to initiate the admin console. In a Windows Vista installation the hotkeys

must be used to access the Admin Console, in normal use, and in a live or an emulated

disk examination. If the user changes the OS default settings, to “show hidden system

files”, the data files and log file will be visible in the Windows Explorer view.

The default setting for the screen capture images is a low quality 4 Bit gray scale, this

setting minimizes storage space, and write time for the data files. The SpectorPro

monitoring process has no noticeable impact on system resources or performance at

this setting, even on a system running as little as 256MB RAM. The default storage

allocation is .5GB. At this setting the average computer user’s activities will be recorded

for approximately 30 days. The monitoring user can increase the screen capture

quality, storage allocation and the storage duration settings. No testing was conducted

with other than the default settings. (Figure 7 Screen Capture)

The Admin Console showing a 4 Bit screen capture.

Examination

The examination process will require examiners to first identify the use ofSpectorPro.

If there is no reason to suspect the program, it will probably go totally unnoticed. None

of the recorded data appears in a typical examination process, such as a search for

images or string search techniques for the typed keystrokes, since the data is

encrypted. The encrypted data can only be decrypted using the SpectorPro

application.

The USEC Radix utility has a "one click check" scan that identified the hidden Spector

stored data files and the .ocx log file, when run on a live system. The utility can be run

on the system from a thumb drive. The use of this utility may be the most effective

method to identify whether Spector has been running on a computer, without having

developed information indicating its use. The Radix utility only supports Windows 2000

and Windows XP, while the SpectorPro application can be broadly deployed across

multiple operating systems.

To access and view the data files SpectorPro uses a combination of hot keys, Shift +

Crtl + Alt + S. When these keys are pushed after a users login, a window appears

requesting the password to login to the Admin Console. Upon successful entry of the

password the viewer opens and allows the monitoring individual to review the user

activity. This opens the Admin Console and can be initiated from any user having

administrator privileges logged on the computer. (Figure 8 Login)

Double clicking on the executable, or using the hot key combination will open the

program, after the password is entered.

Limited users cannot access the console, even when they know the hot key

combination and the password. Once the Admin Console is opened the activities of all

users can be reviewed. The Admin Console has filtering available during the review

session, it is possible to filter on individual user, as well as other items. An alternative

method of opening the Admin Console is to double click on the executable file in the

Windows\System32 folder. If the user has changed the hot key combination, this may

be the only way to access the console. This technique was prevented in Windows Vista

by UAC, even when attempted using the right click “run as administrator” option.

The simplest and most effective method for examination ofSpectorPro stored data is to

export the data folder, using a forensic application. The data files can then be opened

using either the Admin Console, from complete installation ofSpectorPro, or Spector

Pro Viewer installation, on an examination machine. The viewer client does not have

the full functionality of the Admin Console. It cannot access the monitoring application

settings and some other minor features that appeared to have little relevance for

examination. SpectorPro removal must be completed through the Admin Console,

using the password to access the uninstall option. The viewer client does not require

the use of the password to access exported data.

While using native environment techniques to examine SpectorPro activities the

examiner needs to be aware of possible incorrect conclusions due to lack of context in

interpretation. For instance when a keystroke logger logs keystrokes it is necessary to

determine if the entries are used as search terms, file save names, passwords, etc.

Without context the meaning of these items may be difficult to determine, and possibly

misleading. (Figure 9 Keystroke Logging)

The keystrokes are recorded. Here they were from .pdf search entries, and are shown

in the “Formatted” view. The “Raw” view will show additional keystrokes, such as “Shift”

and “Enter” keys. In undeleted data files the keystrokes were not accurately displayed

with their corresponding screen captures.

During my research, I spoke to individuals at SpectorSoft, and they were helpful in my

examination of their product. I found additional information in the SpectorPro Online

Help files that indicated the viewer client was available to be installed using the setup

disk (these options were also observed during setup). With the viewer it is possible to

use exported data files and view them on another computer. Unlimited installation of

the viewer component of their product is allowed under their End User Licensing

Agreement (EULA). However, the EULA strictly limits the installation of the complete

application used for monitoring.

References

1 Wikipedia Spyware definition, http://en.wikipedia.org/wiki/Spyware (retrieved

2/17/2008)

2 ibid.

3 Wikipedia Spyware – Adware and Tracking definition,

http://en.wikipedia.org/wiki/Spyware#Spyware.2C_adware_and_tracking (retrieved

2/17/2008)

4 SpectorProProduct Information,

http://www.spectorsoft.com/products/SpectorPro_Windows/index.html (retrieved

2/16/2008)

5 ibid.

6 Spyware.Spector Symantec Security Threat Research,

http://www.symantec.com/security_response/writeup.jsp?docid=2003-080715-0321-99

(retrieved 2/16/2008)

7 ibid.

8 ibid.

9 http://www.neuber.com/taskmanager/process/kernel32.dll.html (retrieved 2/26/2008)

10 USEC Radix Software, http://www.usec.at/rootkit.html (retrieved 2/17/2008)

11 http://www.neuber.com/taskmanager (retrieved 2/26/2008)