Technology Overview: Computer Basics
Would you try to assemble a complex device without the instruction book, or work on a car without knowing where all the parts are? Most people wouldn’t consider embarking on a difficult task without having at least some idea of what they are doing. Because this book covers the sometimes daunting task of using your computer as a spying tool, this and the next chapter provide a crash course on computer and network technology.
Before you can begin to use your computer for spying, you must have a basic understanding of how it works. Don’t expect to become a computer guru overnight. Home PCs are very complicated machines and becoming even more so; however, the basics have not changed much since IBM introduced its first PC back in the 1980s. An introductory level of understanding is all that is needed to get you through the concepts taught in this book.
To provide the best description of what computers are and how they work, this chapter is broken into two parts: hardware and software. The hardware section covers the physical computer itself, including all of its connections and parts. Some spying done at the hardware level may require connecting new pieces of hardware to a computer. Some techniques involve studying a computer for evidence, which requires you to be able to physically disassemble and reassemble it. For these reasons, it is important to understand the basics of how things work together.
Software is the collective name for programs that run on a computer. The first and most fundamental piece of software everyone encounters is the operating system (OS). In most cases, the OS is a variant of Microsoft Windows. Next is a class of software known as device drivers. Device drivers can be thought of as a cross between the OS and the user applications; they plug into the OS and allow it to use different pieces of hardware.
The last category of software is referred to as user applications, or programs. Most of the software discussed in this book falls under this category. Internet Explorer, Notepad, and Solitaire are all examples of user applications.
A working knowledge of and familiarity with computer hardware and software can prepare you for using it as a spy device. Only by really understanding what everything does can you truly and safely exploit it. Having a big picture of how software and hardware work and interact will allow you to determine the appropriate location and technique for spying with your computer.
Hardware is the first part of a computer a person encounters. Hardware can be broken into two main sections: interface components and non-interface components. Interface components are the parts used to interact with the computer, including but not limited to keyboards, mice, trackballs, printers, monitors, scanners, speakers, Webcams, and microphones. Non-interface components are the “brains” or guts of the computer. They are usually housed in the case and consist of the motherboard, the central processing unit (CPU), the memory, the hard drive, the sound, the video, and the network cards. There is also a special class of hardware referred to as connectors, the methods by which the interface devices are connected either to each other or to non-interface devices. Examples of connector types are Universal Serial Bus (USB), serial cable, network cable, and firewire.
Non-interface components are the parts of the computer that make up its working body and that are not involved in interacting with users. Most computer parts are non-interface components, and they range from the computer’s CPU and memory, to its case and disk drives. Although you may never have to deal with CPUs and memory, you will probably use disk drives, optical drives, and other types of media. Understanding the non-interface components will give you the big picture of how a computer is put together and how it works.
Most non-interface components are housed in the computer’s case. Cases for computers range in size and shape. Desktop cases were once popular, but are now being replaced by tower-style cases. There are other unusual cases as well, such as the Mini-ATX. Figure 3.1 shows some popular models.
The CPU is the “brain” of a computer, its core component. For example, when someone refers to his or her computer as a “2.4-gigahertz Pentium 4,” he or she is actually referring to the CPU. People use the CPU as both a measure and a description of their computer.
In the PC market there are two primary CPU vendors: Advanced Micro Devices (AMD) and Intel. Intel was the original developer of the 80x86 microprocessors, the distant ancestors of all current PC CPUs. AMD, which started out developing popular and generally lower cost clone microprocessors, has since introduced many innovative designs of its own. For the most part, and for the scope of this book, the processor involved does not matter; the software will run on either kind of processor.
The CPU performs most of the processing that occurs on a computer. A CPU’s speed is measured in gigahertz (GHz), which refers to one billion cycles per second. On a historical note, at one time most CPU speeds were measured in megahertz, meaning one million cycles per second. Now, however, most CPU speeds are 1 GHz or greater. As you might expect, faster CPUs perform better than slower ones.
CPUs may also have onboard memory called “cache,” which helps them to quickly access frequently needed data. The levels of cache are named according to their distance from the CPU core. The L1 cache is closest to the CPU and is the cache that can be accessed most quickly. The L2 cache is slightly farther away, but can still be accessed relatively quickly.
Main memory is often referred to simply as “memory.” Here, we maintain the distinction of “main memory” to differentiate it from the memory on video cards or other devices. Usually, when people refer to having 512 MB of memory, they are referring to main memory. The main memory is the memory a computer uses to load programs and perform other functions related to processing data and communicating with hardware devices. This type of memory is usually composed of random access memory (RAM), meaning that any section can be accessed independently. Another characteristic of RAM is that data is only stored there for as long as the memory is powered. When a computer is shut down and the memory loses power, all of the data stored there is lost unless it has been saved to some type of permanent storage such as a hard drive. It is best to make sure that any data you want is saved before you turn off the computer’s power. On the flip side, if someone is discovered unexpectedly while using his or her computer, he or she can destroy data that exists only in main memory (an unsaved document, an open chat window) by quickly turning off the machine’s power; anything already written to the hard drive survives. Understanding the difference between what is in main memory and what is not is important when spying and is discussed in more depth later in this book.
Hard disks, also known as hard drives, are the closets of the computer world; no matter how big the hard drive is, it is never big enough. These devices are used for the permanent storage of programs and data. Unlike RAM, hard disks retain the information stored on them even when the computer is powered off. Anything written to a hard disk can be viewed at a later date. Items that are deleted from a hard disk can also be recovered given enough time and technology: deleting a file normally removes only the entry that points to it, and the data itself remains on the disk until something else is written over it. Hard disks can usually be taken from one computer and read by another relatively easily. Many interesting spying techniques have arisen around exploiting hard disks and their unique properties. Although most hard drives reside inside the computer case, there are external hard drives that connect via USB or FireWire. These portable hard drives are popular and are frequently used to hide data. Figure 3.2 shows a typical internal hard drive and the cables used to connect it to a computer.
It is not uncommon for people to get their hard drive size and amount of main memory mixed up. Both are measured in the same units (kilobytes, megabytes, gigabytes, and so on). When looking at specifications for a computer, the hard drive is almost always at least an order of magnitude larger than the main memory, and usually two. Current standards include 256 MB to 1 gigabyte (GB) of memory and 30 to 200 GB of hard drive space.
Video cards are the devices used by the computer to generate the images you see on your monitor. Over the last few years they have become increasingly complex and powerful. Modern video cards now boast their own microprocessors and large amounts of memory. Some modern video cards can even support multiple monitors. Several clever hackers and programmers have developed stand-alone programs that are run completely on modern video cards. While there is a possibility that future video cards will have some spying potential, they are not important for the scope of this book.
Sound cards are used to produce the sound effects that software applications generate. At one time, sound cards produced poor quality sound. Modern cards are capable of producing very high quality surround sound to support multimedia and the latest games. These cards usually have connectors for speakers, a line out for additional speakers, and a microphone. In addition, some of the higher end sound cards have fiber-optic connectors for high-end digital receivers. Sound cards are an interesting, essential part of the computing experience, but there are very few spying techniques that exploit them.
Modems are devices used for computer networking. They allow computers to communicate using standard telephone lines. They convert computer data into analog signals that can be transmitted on the phone lines, received by remote computers, and converted back into digital data. Modems can be internal or external to the computer case. Most modems are internal to the case, although external modems are still available. Although similar sounding, cable modems are a completely different technology and not related to traditional phone modems.
Network cards are also used for computer communication. They communicate over Ethernet, using Category 5 (Cat-5), Category 6 (Cat-6), or fiber optic cable. They run at 10, 100, or 1,000 megabits per second, which is hundreds to thousands of times faster than a 56-kilobit dial-up modem. Network cards can be used to connect two computers or a small group of computers, or to connect a computer to a broadband adapter (cable or Digital Subscriber Line [DSL] modem).
A motherboard is the hardware that ties everything together: the CPU, the main memory, the video card, the network card, the sound card, and so on. It also usually has connectors for the hard drives, the compact disc (CD), and the digital versatile disc (DVD) drives as well as most of the external connectors. Many modern motherboards have sound cards, video cards, and network cards integrated into them.
Optical drives are the means by which a computer can read a CD or a DVD. They are a popular means of distributing software because they can hold vast amounts of data. Optical drives are also used to play CDs and DVDs. Special versions of these drives, such as CD-R/RW or DVD+-R/RW, allow users to write (or burn as it’s commonly called) data to blank CD and DVD media to create their own custom CDs and DVDs. Figure 3.3 shows a standard CD-RW drive.
Different optical media have different storage sizes. CDs can hold between 650 and 700 MB of data. Once, this was enough for most programs; entire hard drives could be backed up to them. This storage has been eclipsed by DVDs, which can hold between 4 and 9 GB of data. Even this impressive number looks small when stacked up against the gargantuan storage capacity (160 to 350 GB) of most modern hard drives.
A floppy drive is a legacy device that was once used for backup and to transfer data between machines. Many modern computers still come with floppy drives. In the past, software applications came loaded onto floppy disks, and they were also used for data transfer and to make emergency boot disks. Now, they are used mostly for emergency boot disks. Floppy disks hold only 1.44 MB of data at best. Their capacity is almost useless because modern applications and even data take up much more space. A digital picture taken with a medium- to high-quality camera takes up between 1 and 2 MB, almost too big for a floppy. New technologies such as USB drives and cheap blank digital media have rendered the floppy drive all but obsolete. Figure 3.4 shows a traditional internal floppy drive.
USB drives are the modern replacement for floppy drives. They are small devices, about the size of a key chain, that hold between 64 and 512 MB of data. They are smaller, much faster, and in many ways more durable than floppy drives. When hooked up to a computer through the USB interface, a USB drive can be used just like an additional hard drive. A small 256-MB USB drive is pictured in Figure 3.5.
USB drives are very useful. Their low cost, small size, high storage capacity, and almost universal compatibility make them excellent spying tools. You can plug one into almost any modern computer, and it will be instantly recognized. If you plan on taking files from a computer, or will be attacking a computer you have only limited access to, we strongly recommend that you purchase one. A USB drive will allow you to quickly and covertly take copies of files from a targeted computer, which can then be viewed by you elsewhere at your leisure. Be aware, though, that Windows records in its registry every USB storage device that has been plugged in, so using one leaves a trace that someone examining the computer later could find.
Memory cards are small media, possible floppy replacements, that are popular in digital cameras, portable media players, personal digital assistants (PDAs), and other devices. There are several different types of memory cards available, with some of the most popular being SmartMedia, CompactFlash, Memory Stick, and Secure Digital (SD) media. Memory cards can hold between 8 MB and 1 GB of data and are useful for transferring data and storing it in small, easily concealable devices. Figure 3.6 shows some examples of popular memory cards.
Table 3.1 summarizes the various components discussed and their use in spying.
Connectors are the means by which the interface and non-interface components communicate. Next to interface components, these are the parts of a computer that you deal with the most. It is important to have a good working knowledge of connectors because they will play several roles in your spying game.
A PS/2 is a small circular connector that is commonly used to connect keyboards and mice to the computer. On most computers, they are color-coded, with the keyboard connector shaded purple and the mouse shaded green. In the future, this is the location where we will apply hardware keystroke loggers. Figure 3.7 shows typical PS/2 ports. Next to each port is an icon representing the device that should be plugged in there.
USB is one of the most popular standards for connecting peripherals to computers. This type of connection is plug-and-play, meaning that devices connected to the USB “announce” their presence to the computer so that it can configure them without any interaction from anyone. Before plug-and-play became widely accepted, installing peripheral devices was a much more difficult and manual process. Now, most USB devices are automatically configured, which is also what lets a USB drive you plug in become usable within seconds, without an installation step the target would notice. There are two standards of USB, 1.1 and 2.0, with 2.0 being faster and offering some other minor advantages. For all practical purposes, it won’t matter which version of USB you are dealing with unless you need a high-speed, high-bandwidth device. USB is now used for connecting everything from printers, to scanners, keyboards, mice, digital cameras, Webcams, and so on. In addition, there are also devices called USB hubs, small boxes with several USB ports on them. Some modern monitors have USB hubs built into them. Most USB ports can be recognized by the common USB symbol, as shown in Figure 3.8.
FireWire also goes by the names Institute of Electrical and Electronics Engineers (IEEE) 1394 and i.LINK (used by Sony). It is very similar to USB in that it supports plug-and-play, and devices plugged into a FireWire port “announce” themselves to the computer (Figure 3.9). There are two types of common FireWire ports: a small non-powered one and a larger one that can be used to power external devices. Most laptops have the smaller one, and FireWire-enabled desktops have both. FireWire offers far more bandwidth than USB 1.1 and is comparable to USB 2.0. As a result, FireWire ports are commonly used for connecting devices that transfer large amounts of data such as digital video cameras and other video devices, external hard drives, and the Apple iPod. One property worth knowing about is that FireWire devices are given direct access to the computer’s main memory (DMA); a FireWire port is therefore of interest to anyone who wants to read a running machine’s RAM, a topic beyond the scope of this chapter.
Modem and network ports are used for connecting modems and network cards to networks either directly via network cable or through phone lines. While they appear similar, and phone cable will fit in either connector, they are actually very different and won’t work with the wrong cable or in the wrong connector. Most computers label the modem and network ports with the diagrams shown in Figure 3.10.
If the port isn’t clearly labeled, look into it and find the small wires. A modem will have two or four wires, and a network port will have eight. Figure 3.11 shows a closeup of network and modem ports.
Serial and parallel ports are rarely used on modern computers. Yet most computers still include them. Prior to USB, most printers used the parallel port to communicate with the machine and the mouse, external modems, and some early Webcams used a serial port. Figure 3.12 shows one parallel and two serial ports.
Interface components are the parts of the computer you will be dealing with the most. It is likely that you are already familiar with most interface components. What you may not know is how they can be subverted for spying purposes. Following are reviews of the most popular ones and a description of their spy potential, if any.
The monitor is the primary output device for a computer, and probably what you interface with the most. Advanced techniques (known as Van Eck phreaking) allow people to reconstruct the image on a monitor from the electromagnetic waves it emanates. Since this technology is very expensive and difficult, it is only mentioned for completeness and will not be further discussed in the book.
The keyboard is perhaps the most important interface component of a computer. Almost everything a user enters passes through the keyboard. This will become a point of interest in future chapters. Keyboards can be connected to a machine in one of three ways: a USB connection either directly to the machine or through a USB hub, a PS/2 connection (most common) directly to the machine, or the outdated AT interface (very rare). Figure 3.13 shows the three types of connectors. It is important to know which method of connection is used in your specific case, because it will come into play when selecting hardware-based spying devices for keyboards.
Another important input device is the mouse. Most mice connect to the computer either through a PS/2 or USB connector. Unfortunately, even though the mouse is used a lot, its design does not make it easy to subvert and spy with.
Like traditional microphones, a PC microphone is used to capture sound and send it to the computer. They are used for different games, Internet Protocol (IP) telephony, and many chat programs. It is also not uncommon to use one in conjunction with a Webcam. In some cases, microphones may be remotely activated for use as a listening device. Most microphones connect to a special connector on the sound card. Figure 3.14 shows a couple of PC microphones and highlights the connector they use.
Webcams are small cameras that are used to capture video images and then send them to a PC. These devices have increased in popularity due to a drop in price and an increase in the number of homes with high-speed broadband Internet connections. Webcams are used for videoconferencing, monitoring, and other streaming video uses. Some have built-in microphones; others can be used with a separate microphone. Most Webcams are attached to the computer via a USB or FireWire interface. Some of the more advanced commercial Webcams communicate via the network or through wireless technology. These advanced Webcams are usually self-contained computers that stream video over a network link to a remote computer. There are several potential spying uses for Webcams when they are combined with microphones. Figure 3.15 shows an example of a Webcam.
Scanners are input devices used to convert printed images into digital images. Before digital cameras became popular, many people used scanners for converting their pictures into digital images. Scanners are usually connected to computers using USB cables.
Laptops are machines where all of the components, interface and non-interface, are housed together in one transportable case. They are designed to be more portable than regular computers; they even come with the monitor attached. Laptops are generally more difficult to open up and manipulate than traditional desktop machines. Certain hardware spying devices won’t work on laptops. In addition, they sometimes come with extra built-in security features. Most of the software spying techniques we discuss are effective for laptops.
The other half of the computer puzzle is the software, which programs, or instructs, the hardware on how to perform the “magic” of the computer. It is the computer code or collection of programs that is executed on the hardware. As previously mentioned, software is broken up into three major categories: the operating system, the programs, and the device drivers.
The OS is a program or collection of programs used to control and manage the hardware and to run other programs. The OS keeps each individual program from having to learn different hardware specifics. It forms a standard base for all programs, which end up running on a variety of different hardware combinations. When the computer is turned on, the operating system is loaded. After it is loaded, the users can run whatever programs they prefer.
Microsoft makes the operating systems that run on the majority of home computers; they are usually some variation of Microsoft Windows. Like it or hate it, you will probably be dealing with it the most. Nearly all PCs are sold with Windows preinstalled, so you will have little choice in selection and installation. However, it is important to note that Microsoft Windows comes in several varieties with various differences that may affect your capability to spy.
The Windows 9x series consists of Windows 95, Windows 98, and Windows ME (Windows Millennium). Windows 95 (internally version 4.0) was the groundbreaking version of Microsoft Windows that had well-integrated network and multimedia capabilities and could natively run 32-bit programs. Its interface was a dramatic departure from previous Windows and supposedly much easier for people to use. Windows 98 and Windows ME were basically upgrades to the Windows 95 platform that offered bug fixes, USB, and other advanced hardware support. Currently, Microsoft no longer supports any of these operating systems, although there are still many computers running them.
Windows NT was Microsoft’s attempt at developing a complete server and enterprise OS. When first designed, NT stood for “New Technology.” Windows NT’s first really famous version was NT 4.0, which debuted in July 1996. NT 4.0 came in Workstation and Server editions and used the Windows 95 interface. NT 4.0 was incredibly successful and was still supported by Microsoft at the time of writing. Its first successor was Windows 2000, which is now one of the most popular business operating systems in use. The successor to Windows 2000 on the server side is Windows Server 2003. Because most of these operating systems were designed for the business or enterprise environment, it is unlikely that you will encounter any of them on a home computer.
Windows XP is Microsoft’s currently produced and supported desktop OS. It has been in production since December 2001 and is scheduled to be used until 2006. Windows XP is built on the NT code base with the consumer features of the 9x line and adds many usability and functionality improvements over previous versions of Windows. There are two different types of Windows XP operating systems: Home and Professional. They are almost identical except that Windows XP Professional has support for multiple processors, Remote Desktop, the Encrypting File System (EFS), group and user policies, and other business-related functionality. Microsoft claims that Windows XP is the most popular desktop OS. For those reasons, in this book we assume that all techniques are being applied against a Windows XP machine. Where they differ, we will point out how they must be changed and whether they can be applied to Windows NT and 9x machines.
Linux is a free OS distributed under the GNU General Public License (GPL) that was created by Linus Torvalds as a hobby when he was a student at the University of Helsinki in Finland. He started in 1991, and released version 1.0 of the Linux kernel in 1994. This free OS is available from many different free and commercial vendors, each of which modifies it and updates it to suit its clientele. It runs on the same types of hardware as Microsoft Windows and has become one of the most widely used alternatives to Windows. Although you may encounter this OS occasionally, most of the techniques for exploiting it are beyond the scope of this book.
Mac OS X (Mac OS version 10) is another popular desktop OS. It runs on Apple computers including the iMac, the Power Mac, the iBook, and the PowerBook. The theory for exploiting Macs is the same as that for PCs, but most of the hardware and software is completely different. So Macintosh computers are not covered in this book.
Device drivers are special pieces of software that help the OS communicate with the hardware. They are the only pieces of software that are generally specific to the make and model of the hardware used in the computer. Because drivers are vendor-specific and offer little benefit to spying, they are not addressed in this book.
Any other software that is not part of the OS or is not a device driver falls under the “application software” category. Most programs that users run are standard application software, such as Microsoft Word, Internet Explorer (there is some debate on this because it is very tightly integrated into the Windows operating system), and AOL Instant Messenger. Many of the techniques in this book involve installing, removing, and modifying different pieces of application software.
The following concepts are important to know before exploiting a PC. These concepts are universal and generally apply to all of the operating systems listed in the previous section. This is not a complete background on OS concepts.
Data is stored on hard disks as blocks of ones and zeros. Computers can access the hard disks and read the data. In order to make sense of the data, the OS organizes it into files. Files are logical collections of data. For example, a Microsoft Word document is a file and so is a grocery list, a database, and a picture. Most of the information you want is stored as a file. Files are arranged in a hierarchical manner. At the top of the hierarchy is the disk drive, which in most Windows machines is the C drive. Disk drives then contain many folders (also known as directories) and files. Each folder is a special file, acting much like a folder in a filing cabinet in that they hold files and other folders. Figure 3.16 illustrates the relationship between disk drives, folders, and files.
In order to understand the data in most files, you will need an application capable of viewing that file. If a hard disk is considered a filing cabinet, then the computer’s files are the contents of the cabinet.
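The hierarchy of drive, folders, and files described above is exactly what a program sees when it walks a disk. The following Python script is an added example, not code from the book: it builds a small constructed folder tree (laid out like a Windows XP profile under C:\) in a temporary directory, walks it with `os.walk`, and takes an inventory of every file by extension and size, which is the kind of listing you would make before copying a target's documents to a USB drive. All file names and contents are made up.

```python
"""Walk a directory tree as the OS presents it: a root (drive), folders,
and files. Added example; the sample tree is constructed in a temporary
directory and removed afterwards."""
import os
import tempfile
from collections import defaultdict

# Constructed sample layout, mimicking a Windows XP profile tree under C:\.
# Contents are dummy bytes (a few real file-type signatures, then padding).
SAMPLE_FILES = {
    "Documents and Settings/Joe/My Documents/grocery.txt": b"milk\neggs\n",
    "Documents and Settings/Joe/My Documents/letter.doc": b"\xd0\xcf\x11\xe0" + b"\x00" * 60,
    "Documents and Settings/Joe/My Pictures/beach.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 2000,
    "Documents and Settings/Sue/My Documents/budget.xls": b"\xd0\xcf\x11\xe0" + b"\x00" * 120,
    "Program Files/Notepad/notepad.exe": b"MZ" + b"\x00" * 400,
}


def build_sample_tree(root):
    """Create the folders and files listed in SAMPLE_FILES beneath root."""
    for rel, data in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def inventory(root):
    """Return {extension: [(relative_path, size_in_bytes), ...]} for every
    file under root. os.walk visits each folder in turn and hands back its
    subfolders and files; the path relative to root is what you would keep
    when copying the file somewhere else."""
    found = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            found[ext].append((rel, os.path.getsize(full)))
    for ext in found:
        found[ext].sort()
    return dict(found)


def user_documents(root, user):
    """Paths (relative to the profile folder) of everything in one user's
    profile, using the XP 'Documents and Settings\\<user>' layout.
    Returns [] if that user has no profile on this disk."""
    profile = os.path.join(root, "Documents and Settings", user)
    if not os.path.isdir(profile):
        return []
    return sorted(rel for files in inventory(profile).values() for rel, _ in files)


def demo():
    """Build the sample tree in a temporary directory, take inventory, and
    return the results; the directory is deleted on exit."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {
            "inventory": inventory(root),
            "joe": user_documents(root, "Joe"),
            "nobody": user_documents(root, "Nobody"),
        }


if __name__ == "__main__":
    result = demo()
    for ext, files in sorted(result["inventory"].items()):
        for rel, size in files:
            print(f"{ext:6} {size:8} {rel}")
    print("Joe's files:", result["joe"])
```

On a real machine you would pass the drive root (for example `C:\`) instead of the temporary directory; the walk then takes minutes rather than milliseconds and will hit folders you are not permitted to read, which is where the permissions discussed later in this chapter come in.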
Whenever a program is run, it becomes a process. A process is the in-memory image of a running program together with the bookkeeping information the OS needs to manage it. In addition to processes that users start, there are processes that run all the time, started by or part of the OS. Every process runs as some user and inherits that user’s permissions, which matters for what follows.
Most modern operating systems are designed to accommodate multiple users, and some allow multiple simultaneous users. Users are the people who use a computer system. They generally have a name and a password. Computers keep track of users’ names and passwords and then assign them “property.” This property consists of a user’s files, lists of the different programs they can run, things they are allowed to do, and the user’s own configuration for shared programs. Most systems also have a “superuser,” the primary user who has control over the system. On Linux the superuser is named “root,” and on Windows the account is named “Administrator.” When spying on a computer it is very important to know which user you are and which you are after, because it will affect what you are allowed to do.
Permissions are how an OS determines what users are allowed to do. Permissions can be applied to files and programs to keep users from reading each other’s files or changing the permissions on files. Superusers generally have permission to change other permissions and run all programs. The permissions, and the OS security that enforces them, prevent user “Joe” from reading user “Sue’s” files while allowing him to read his own. The “Administrator,” however, is allowed to read both “Joe’s” and “Sue’s” files. When spying on a computer, it is important to be aware of what permissions you have, and what permissions you will need to get the information you want. Having Administrator access enables you to access the most data (this subject is covered later in Chapter 5). Keep in mind that permissions are enforced only by the running OS: as noted in the hard disk section, a drive removed from the machine and read on another computer, or a machine booted from other media, is not bound by them unless the files are also encrypted (for example with EFS on Windows XP Professional).
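The permission rules just described can be written down as a small decision procedure. The following Python model is an added example, not code from the book and not an implementation of Windows XP’s actual NTFS rules: it defines users, a superuser, file owners, and a per-file access control list, and answers the question “may this user read or write this file?” for a constructed set of users (Joe, Sue, a Guest, and Administrator) and files. The account and group names, the file paths, and the ordering of the checks (superuser, then owner, then explicit deny, then explicit allow, then default deny) are assumptions chosen to match the chapter’s description.

```python
"""A simplified model of file permissions: users, a superuser, file owners,
and an access control list (ACL) per file. Added example with constructed
data; it captures the idea (Joe cannot read Sue's files, Administrator can
read both) rather than the exact semantics of Windows XP NTFS permissions."""
from dataclasses import dataclass, field

SUPERUSERS = {"Administrator"}   # assumed name of the all-powerful account (root on Linux)


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class Ace:
    """One access control entry: who it applies to, allow or deny, which rights."""
    principal: str      # a user name, a group name, or "Everyone"
    allow: bool
    rights: frozenset   # subset of {"read", "write"}


@dataclass
class File:
    path: str
    owner: str
    acl: list = field(default_factory=list)


def ace_applies(ace, user):
    """An entry applies to a user by name, by group membership, or to Everyone."""
    return ace.principal in ("Everyone", user.name) or ace.principal in user.groups


def check(user, f, right):
    """True if user may exercise right ("read" or "write") on f.
    Evaluation order (assumed): superuser -> owner -> explicit deny ->
    explicit allow -> default deny."""
    if user.name in SUPERUSERS:
        return True                     # the superuser can read and change everything
    if f.owner == user.name:
        return True                     # owners control their own files
    matching = [a for a in f.acl if ace_applies(a, user) and right in a.rights]
    if any(not a.allow for a in matching):
        return False                    # an explicit deny wins over any allow
    return any(a.allow for a in matching)   # nothing matched: denied by default


def readable_by(user, files):
    """Sorted paths of the given files that user is allowed to read."""
    return sorted(f.path for f in files if check(user, f, "read"))


def build_scenario():
    """Constructed users and files for the demonstration."""
    users = {
        "Joe": User("Joe", frozenset({"Staff"})),
        "Sue": User("Sue", frozenset({"Staff"})),
        "Guest": User("Guest"),
        "Administrator": User("Administrator", frozenset({"Administrators"})),
    }
    files = {
        "sue_diary": File(r"C:\Documents and Settings\Sue\My Documents\diary.doc", "Sue"),
        "joe_notes": File(r"C:\Documents and Settings\Joe\My Documents\notes.txt", "Joe"),
        "shared": File(r"C:\Shared\team.doc", "Sue", [
            Ace("Staff", True, frozenset({"read", "write"})),
            Ace("Joe", False, frozenset({"write"})),   # Joe may read but not write
        ]),
    }
    return users, files


if __name__ == "__main__":
    users, files = build_scenario()
    for name, u in users.items():
        print(f"{name:14} can read: {readable_by(u, files.values())}")
```

Running it shows the situation the chapter describes: Joe sees only his own notes and the shared document, Sue sees her diary and the shared document, the Guest sees nothing, and Administrator sees everything. The explicit deny on the shared file also shows why it is worth reading the whole ACL rather than stopping at the first allow you find.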
This chapter gave an overview of the basic hardware and software of a typical PC. It started by describing interface and non-interface hardware and the different ways they can be connected. Next, it described the different types of software, the operating systems you are likely to encounter, and some fundamental OS concepts. This chapter addressed the following key concepts:
All of the fundamentals covered here are built upon in the following chapters, as we discover the many different ways these basic components of a computer can be subverted for spying. Armed with this knowledge, you can make an educated plan of attack against your target by utilizing your awareness of the environment (the target’s PC) that you will be operating in.