Chapter 5: Taking Control – Cyber Spying Tracking Your Family's (Sometimes) Secret Online Lives


“All right, look, this is real simple. Whatever miles we put on it, we’ll take off.”
“We’ll drive home backwards.” — Ferris Bueller


Before going to war, a general (or at least a good one) sets goals, carefully trains his forces, studies his enemies, assesses his capabilities, and executes his plans. Just as a general should take these steps in preparation for a lengthy campaign, you too should follow a well-thought-out strategy as you begin to spy on others. This chapter discusses some of the first steps toward becoming a cyber-spy. By the end of this chapter, you should have a good understanding of how the SLEUTH methodology (see Chapter 2) can help you develop a professional spying strategy that will improve your chances of success. You will learn how to assess your home computer and network layout, and how to develop a plan that allows you to take full advantage of the SLEUTH methodology in order to meet your goals.

The previous two chapters discussed the fundamentals of cyber-spying; now we introduce a few “tricks” that everyone should know when using a computer for cyber-spying. Following this is a section describing the usage and installation of software that is useful for spying.

Finally, this chapter concludes with “Mastering Your Domain,” which is about taking charge of your home computer. To spy effectively, it is important to have knowledge of your surroundings and as much control as possible. Mastering your domain takes that spy fundamental and helps you apply it to your home computer and network. In this chapter, we introduce you to several types of software and hardware that can be used for spying (most of this spy software was actually designed for other purposes). The techniques and tools described here will have you well on your way to becoming a powerful cyber-spy.

Cover Your Tracks

Covering your tracks is a critical skill in all types of spying. It is especially important when dealing with computers, because they can meticulously log just about every action you take without your knowledge. As you exert control over different computer systems, you will generally run across two types of users: those who use default settings and environments, and those who painstakingly customize their environments to their liking. The latter will probably notice any small change you make to a system, and both will notice major changes. Because you may not know what type of user you are dealing with or what they might notice, it is wise to make as few permanent changes as possible. Record the changes you make, and when you have concluded spying, work backwards and undo them whenever possible. This step will give you the lowest profile and minimize your chances of being caught. In the words of Verbal “Keyser Soze” Kint, “The greatest trick the devil ever pulled was convincing people he didn’t exist.” Removing evidence of what you have done prevents them from being able to effectively follow your maneuvers. This book offers different tips and tricks that can be used for covering your tracks.

Basic Skills

This section covers some basic skills that are critical to cyber-spying. These skills may seem obvious to many advanced computer users, so if you feel comfortable around a computer, feel free to skip this section. During the evolution of Microsoft Windows, many features have been added to mask the inner workings of the operating system from users. These features make the computer a simpler and friendlier device for most users, but they can also slow down a cyber-spy. The computer skills covered in this section are all fundamentals that you will need for investigating and spying on other people’s computers.

Running Explorer

Explorer is Microsoft’s graphical file browser. It is used to gain a visual representation of all of the files and directories (folders) stored on a computer. Because we will be looking for a lot of files and using the file system to mask our tracks, Explorer will be a key component in many future exercises. Depending on the operating system installed on your computer, there may or may not be a menu item to launch Explorer. Regardless of its presence, Explorer can be launched from the Run box in the Start menu. This will work regardless of operating system, from Windows 95 to Windows XP.

There are four steps for launching Explorer from the Run box:

1. Click the Start button on the task bar on the bottom left-hand corner of the screen.

2. Select Run (Figure 5.1).

Figure 5.1 Selecting the Run Button on the Start Menu

3. Type explorer.exe in the Run dialogue box.

4. Click the OK button (Figure 5.2).

Figure 5.2 Running explorer.exe

A window similar to the one shown in Figure 5.3 appears.

Figure 5.3 Explorer Running

On all but the oldest systems, Explorer opens on the My Documents folder. Use the folder tree in the left-hand pane to examine all of the files on your computer. Some of the items you should see are a Desktop folder, which contains your Windows desktop; a My Documents folder; and, most importantly, a My Computer folder. There will be other items such as My Network Places, but we are not concerned with those. For now, let’s examine the My Computer folder more closely.

Upon clicking on it, several other icons appear such as a C: drive, a floppy (or A:) drive (if you have one), and an optical drive that can be any letter from D: onward. The type of drive will be denoted by its icon or explained more verbosely in the right-hand pane of Explorer. Figure 5.4 shows a typical setup.

Figure 5.4 Inside My Computer

The icon of prime interest is the C: drive, which represents the primary hard drive where all of your software and data is stored.


You should be aware that some computers have more than one hard drive installed. Do not get confused if you see this; simply treat each hard drive icon as a separate drive, executing the steps we discuss on each. Figure 5.5 shows explorer.exe open on a computer with two hard drives. Notice that the drive letters are not necessarily consecutive; one is C: and the other is Z:.

Figure 5.5 Computer with Two Hard Drives

Click on the C drive icon labeled Local Disk (C:). You will see a screen similar to that in Figure 5.6. If you instead see a screen like Figure 5.7, with no warning, someone has already changed the folder view setting that hides the contents of system folders (this is a display setting, not a file permission, so anyone who uses the machine can change it). This may indicate that your adversary is attempting to hide something from you, that they are attempting to snoop on you, or that they are simply computer savvy (as you will be after reading this book). Regardless of why the setting was changed, the fact remains that it was, so proceed through the rest of the techniques in the book with caution.

Figure 5.6 Show Files Warning

Figure 5.7 C: Drive without Warning

Figure 5.6 shows the standard warning Windows displays whenever you open many system folders. Because of the way files and access to them are laid out, there is little reason for most users to browse the C: drive. However, as a cyber-spy you are not most users, so click the show files link on the far left-hand side of the window. This enables you to see what files are stored there. Your screen should now look something like Figure 5.7.

Next, we enable a setting that lets you see hidden and system files, which gives you a complete view of the file system. This is an important setting to enable, because it is trivial to hide a file in Windows. When changing this setting, we also recommend that you uncheck Hide extensions for known file types, which lets you identify what type of data a file contains; many tricks rely on extensions to disguise a file as a different type, and showing extensions defeats most of them. These settings are found by clicking Tools | Folder Options in Explorer’s menu (on some older versions the menu is View | Folder Options) and selecting the View tab. The three items of interest are Show hidden files and folders (select it), Hide extensions for known file types (uncheck it), and Hide protected operating system files (Recommended) (uncheck it). Unchecking the last one produces a warning; read it and click Yes. Apply the suggested settings and your dialogue box should look like Figure 5.8.

Figure 5.8 Settings for Making Many Files Visible

After clicking OK, your Explorer window should resemble Figure 5.9. Notice how many new items are visible. It’s amazing what you can find when you know how to look. It is very important that these Explorer settings be applied every time you look at a computer. Failure to do so could result in your overlooking important information.

Figure 5.9 Previously Hidden Items Now Visible


Before changing these settings, make sure you document how they were initially set so that you can undo your steps.
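The three Folder Options checkboxes above are backed by registry values under the current user’s Explorer\Advanced key. The following script is an added example, not code from the book: it records how those values were set before you touched them, applies the “show everything” settings, and restores the original values afterwards, which is exactly the record-and-undo discipline the note above asks for. It assumes a Windows machine with PowerShell and a profile that has already opened Explorer (so the Advanced key exists); the temporary file name is an assumption.

```powershell
# Added example (not from the book): snapshot, apply and restore the three
# Explorer view settings behind Folder Options | View.
# Assumes Windows with PowerShell; the Advanced key exists on any profile that
# has opened Explorer at least once.
$Advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Registry values behind the checkboxes:
#   Hidden          1 = show hidden files and folders, 2 = do not show them
#   HideFileExt     0 = show extensions, 1 = hide extensions for known types
#   ShowSuperHidden 1 = show protected operating system files, 0 = hide them
$Wanted = @{ Hidden = 1; HideFileExt = 0; ShowSuperHidden = 1 }

function Get-ExplorerViewSettings {
    $current  = Get-ItemProperty -Path $Advanced
    $snapshot = @{}
    foreach ($name in $Wanted.Keys) {
        # A missing value means "Windows default"; $null tells Set- to remove it again.
        $snapshot[$name] = $current.$name
    }
    return $snapshot
}

function Set-ExplorerViewSettings {
    param([hashtable]$Values)
    foreach ($name in $Values.Keys) {
        if ($null -eq $Values[$name]) {
            Remove-ItemProperty -Path $Advanced -Name $name -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $Advanced -Name $name -Value $Values[$name] -Type DWord
        }
    }
    # Explorer reads these values when a window opens; press F5 in open windows.
}

# 1. Record how the target had things set (the undo record the text asks for).
$backup = Join-Path $env:TEMP 'explorer-view-before.xml'   # assumed file name
Get-ExplorerViewSettings | Export-Clixml -Path $backup

# 2. Make everything visible for the duration of the examination.
Set-ExplorerViewSettings -Values $Wanted

# ... examine the file system ...

# 3. Put the settings back exactly as they were found.
Set-ExplorerViewSettings -Values (Import-Clixml -Path $backup)
Remove-Item $backup
```

Even a perfect restore leaves one trace: the Advanced key’s last-write timestamp changes when the values are written back, which a forensic examiner (or a curious user running a registry tool) can see.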

Opening a Command Prompt

The command prompt is another little-used program that comes bundled with every version of Windows. It is useful because several of the tools in this book are command-line programs that must be started from, and produce their output in, a command prompt. Some users may find it a bit confusing, but mastering the command prompt is a necessity for spying.

A command prompt can be started from the Run item on the Start menu. In the same way Explorer was launched, click Run and then enter cmd.exe (Windows NT, 2000, XP) or command.com (Windows 95, 98, ME; also present on 2000 and XP) to start the program.

Cmd.exe has the same functionality as command.com, plus several additional features, such as command history (you can scroll through previous commands with the arrow keys). Once the command prompt is launched, you will get a window similar to the one shown in Figure 5.10. In this window you enter commands at the C:\> prompt and press Enter to execute them.

Figure 5.10 Command Prompt Window

Unpacking an Archive to a Folder

Several of the tools we offer on our Web site come as zipped archives. In Windows XP, these files can be viewed in Explorer as if they were normal folders. Even if you have Windows XP, we suggest a third-party tool for viewing archives, such as IZArc, which is a free and capable archive tool. Other options are 7-Zip (also free), WinZip, and WinRAR (both commercial). All of these tools support many archive types.

Once your third-party archive tool is installed, double-clicking on an archive will open the tool. From there you can click on Extract, as shown in Figure 5.11.

Figure 5.11 Extracting an Archive Using IZArc

Now select a directory in which to store your extracted files. Feel free to create a new directory at this time. Giving it an inconspicuous name such as “program settings” is a good idea. You can now use Explorer to view the files.

Classic View of Control Panel

Windows ME and XP both group the Control Panel’s items into “logical” groups, a layout known as Category View. We will be referring to and accessing the Control Panel frequently, so for the purposes of this chapter we use Classic View, in which all of the items appear in a single list, allowing you to see everything in the Control Panel. To put the Control Panel in Classic View, click Start | Control Panel. A window should appear, as shown in Figure 5.12.

Figure 5.12 Control Panel in Category View

If it looks different, it may already be in Classic View. Assuming it is in Category View, click the item on the left-hand side of the window labeled Switch to Classic View. It will now resemble the Control Panel shown in Figure 5.13.

Figure 5.13 Control Panel in Classic View

In Windows ME, Classic View is accessed by clicking on the View All Options link on the left-hand side of the screen.

Hiding Files

Because you may be installing software on a target machine, it is wise to do so as covertly as possible. One simple step is Windows’ built-in ability to “hide” files. Once you have installed your software and know which file or folder you want to hide, find and select it in Explorer, right-click it, and select Properties. In the resulting dialogue box (Figure 5.14), select Hidden, which should be at the bottom of the dialogue box.

Figure 5.14 File Properties Dialogue

Depending on your settings, the file or folder will now appear translucent (Explorer with our recommended settings) or disappear (Explorer’s default settings). This is an easy way to mask your files from normal users. A second method of file hiding must be done from the command line, but offers a stronger option. To hide files from the command prompt, use attrib.exe, a system utility that sets file attributes. In addition to the hidden attribute, you can also give a file the system attribute. The syntax is:

C:\> attrib +h +s <file to hide>

The file will now have both the hidden and system attributes set. You can clear them again with:

C:\> attrib -h -s <hidden file>

With the system attribute set, you gain several advantages beyond hiding the file from Explorer. Viewing protected operating system files is a separate Explorer option, so a user would have to change two default options to see your files. In addition, while the system attribute is set, Explorer greys out the Hidden checkbox in the file’s Properties dialogue, so the hidden attribute cannot be cleared there; both attributes have to be cleared with attrib.exe.

The nice thing about the hidden and system attributes is that programs execute normally even when they sit in a hidden or system folder. Bear in mind that these attributes only affect what Explorer displays: dir /a and attrib list such files normally, as does any antivirus or forensic tool, so this hides files from people, not from software.
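Because the attributes are visible to any program that looks, the trick above is also easy to audit. The following script is an added example, not code from the book: one function finds every file under a path that carries both the Hidden and System attributes (the attrib +h +s signature), skipping the few names Windows itself marks that way in ordinary folders, and one function sets or clears the pair from PowerShell so the change can be scripted and reversed. It assumes PowerShell 3 or later for Get-ChildItem -File; the ignore list is a starting point, not an exhaustive one.

```powershell
# Added example (not from the book): find files carrying BOTH the Hidden and
# System attributes, and set/clear that pair the way "attrib +h +s" does.
# Assumes PowerShell 3 or later (Get-ChildItem -File).
$Both = [System.IO.FileAttributes]::Hidden -bor [System.IO.FileAttributes]::System

function Find-SuperHiddenFiles {
    param(
        [string]$Path = $env:USERPROFILE,
        # Names Windows legitimately marks +h +s inside ordinary folders (assumed list).
        [string[]]$Ignore = @('desktop.ini', 'thumbs.db', 'ntuser.dat', 'ntuser.dat.log')
    )
    Get-ChildItem -Path $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            (($_.Attributes -band $Both) -eq $Both) -and
            ($Ignore -notcontains $_.Name.ToLower())
        } |
        Select-Object FullName, Length, LastWriteTime, Attributes
}

function Set-SuperHidden {
    param([string]$File, [switch]$Clear)
    $item = Get-Item -LiteralPath $File -Force
    if ($Clear) {
        $item.Attributes = $item.Attributes -band (-bnot $Both)   # attrib -h -s
    } else {
        $item.Attributes = $item.Attributes -bor $Both             # attrib +h +s
    }
}

# The check from the other side: anything +h +s in a user's profile or under
# Program Files that is not on the ignore list deserves a closer look,
# whatever Explorer's view settings say.
Find-SuperHiddenFiles -Path $env:USERPROFILE  | Format-Table -AutoSize
Find-SuperHiddenFiles -Path $env:ProgramFiles | Format-Table -AutoSize
```

Run the search from an administrator prompt when checking another user’s profile, and expect a few legitimate hits (installer leftovers, some vendors’ licence files); what matters is a recently written +h +s file whose name you cannot account for.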

Uninstalling Software

Uninstalling software can be very tricky; however, it is a necessity, as some items in this section require the newest version of a library, which means that you have to uninstall any previous ones. In addition, after you are done spying and you’ve collected the information you need, you should uninstall your spy tools.

Uninstallation is done from the Add or Remove Programs dialogue box in the Control Panel. To open it, select Start | Control Panel | Add or Remove Programs. If the item is not there, switch the Control Panel to Classic View, as described in the previous section. Once you click the Add or Remove Programs icon, you will see a dialogue box similar to the one shown in Figure 5.15.

Figure 5.15 Add/Remove Software Dialogue

Each item in the dialogue box represents an installed program. They are all alphabetized. When you select a program, you are usually given usage information and the option to uninstall it. Uninstallation consists of simply clicking a button.

Some programs don’t come with an uninstall option in the Control Panel; they can be deleted the same way that a Word document is deleted. Find the executable on your computer using Explorer; it is most likely in a folder under C:\Program Files. Delete the entire folder and the program is gone. Be aware that a vendor folder under Program Files may hold several of that vendor’s programs, so delete only the subfolder belonging to the program you want removed. Note also that deleting the folder does not remove registry entries, Start menu shortcuts, or data the program wrote under Documents and Settings; check those separately if you are covering your tracks.

Running regedit

Microsoft Windows has many settings that are modified through its menus and the Control Panel. However, these only scratch the surface of the options that can be configured. Since Windows 95, the operating system has stored most of its settings and other information in a group of files collectively called the registry. On Windows 95, 98, and ME the registry lives in the files system.dat and user.dat; on NT, 2000, and XP it is stored in hive files under %SystemRoot%\System32\config, plus an NTUSER.DAT file in each user’s profile. Together they hold the thousands of configuration options that control the look and behavior of the operating system. The registry data is in a binary format and cannot be viewed or modified with a text editor. However, Microsoft provides a tool for viewing and editing the registry named regedit.

Unlike most standard Windows accessories, there are no Start menu icons for launching regedit; you must know that the program exists. It is launched in much the same way as Explorer or the command prompt. First, select Run from the Start menu and enter regedit. The resulting window will look like Figure 5.16.

Figure 5.16 Regedit Main Window

In the left-hand pane of the window are the five root keys (often loosely called hives), each containing data for a different area of the registry. When a root key is expanded, its subkeys are shown. When a key is selected, the right-hand pane shows its values. Registry values can be strings (easy-to-read text), DWORDs (32-bit numbers), or binary data (shown as hexadecimal digits). In this book, we edit all of these types. Although the interface may look complex and confusing, using regedit is a straightforward process.


Incorrectly setting or deleting registry values can make your computer unbootable. Before changing a key, export it (File | Export in regedit, or reg export from a command prompt on Windows XP) so that the change can be undone.

Tips and Tricks …

Covering Your Tracks by Removing Yourself from the Uninstall Menu

Many software packages leave an entry in the Uninstall list so that they can be removed. It is obviously to your benefit to remove any software you want hidden from this list. Fortunately, there is a way to remove such entries using regedit.

1. Start regedit.

2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall.

3. Find the subkey that corresponds to the program you wish to remove (look at the DisplayName value if the subkey name is not obvious). If it is not there, check HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall, which is used by per-user installs.

4. Export the subkey first (File | Export) so that you can restore it when you are finished, then right-click on it and click Delete.

5. When prompted, select Yes to confirm that you want to delete the key and its subkeys.

6. On the File menu, select Exit to close regedit.

7. Open Add or Remove Programs to ensure that the program no longer appears in the list.
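The following script is an added example, not code from the book. It scripts step 4 safely (export the Uninstall entry to a .reg file before it is deleted, so regedit can import it later) and then turns the same trick around as a check: it lists the folders under Program Files that no Uninstall entry refers to, which is what a program that has been removed from the list looks like from the outside. It assumes PowerShell 3 or later on Windows XP or newer (reg.exe ships with XP); the Wow6432Node key only exists on 64-bit Windows and is skipped elsewhere.

```powershell
# Added example (not from the book): back up an Uninstall entry before deleting
# it, and list Program Files folders that no Uninstall entry accounts for.
# Assumes PowerShell 3 or later; reg.exe is part of Windows XP and later.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',  # 64-bit only
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'              # per-user installs
)

function Get-UninstallEntries {
    foreach ($key in $UninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        Get-ChildItem $key | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                KeyName         = $_.PSChildName
                DisplayName     = $p.DisplayName
                InstallLocation = $p.InstallLocation
                UninstallString = $p.UninstallString
                RegistryPath    = $_.Name      # HKEY_LOCAL_MACHINE\SOFTWARE\... form
            }
        }
    }
}

# Step 4 of the procedure: export the subkey so "regedit backup.reg" can put it back.
function Backup-UninstallEntry {
    param([string]$KeyName, [string]$BackupFile)
    $entry = Get-UninstallEntries | Where-Object { $_.KeyName -eq $KeyName } | Select-Object -First 1
    if (-not $entry) { throw "No Uninstall entry named $KeyName" }
    $regPath = $entry.RegistryPath -replace '^HKEY_LOCAL_MACHINE', 'HKLM' -replace '^HKEY_CURRENT_USER', 'HKCU'
    & reg.exe export $regPath $BackupFile /y | Out-Null
    return $entry
}

# The check from the other side of the fence: program folders nobody admits to.
function Find-UnregisteredProgramFolders {
    $entries = @(Get-UninstallEntries)
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ -and (Test-Path $_) }
    foreach ($root in $roots) {
        Get-ChildItem $root -Directory -Force | Where-Object {
            $dir  = $_.FullName
            $name = $_.Name
            -not ($entries | Where-Object {
                ($_.InstallLocation -and $_.InstallLocation.TrimEnd('\') -ieq $dir) -or
                ($_.DisplayName     -and $_.DisplayName -like "*$name*") -or
                ($_.UninstallString -and $_.UninstallString -like "*$dir*")
            })
        } | Select-Object FullName, CreationTime, LastWriteTime
    }
}

Find-UnregisteredProgramFolders | Format-Table -AutoSize
```

Folders such as Common Files, vendor folders shared by several products, and Windows’ own components will appear in the unregistered list and have to be reviewed by hand; the entries worth attention are recently created folders with no matching DisplayName at all.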

Viewing Processes and Services

Processes and services are the programs actually running on a computer. Anything that is running is a process. A service is a special kind of process that the operating system starts itself and that can run even when no user is logged on; services carry out everyday background operations. By listing processes and services you can see exactly what is running on a computer. These listings will help you verify the installation of your spy software and ensure that nothing is running that could detect or thwart you.

On Win9x machines (Windows 95, 98, and ME), you can view running programs by pressing Ctrl+Alt+Delete once. You will then see a dialogue box that lists running programs. However, this list is not comprehensive: not every running process appears there as a program, so what you see is not an all-inclusive view of the system. To get a complete listing of processes, we recommend Process Explorer, free software from Sysinternals that can also be obtained from our Web site.

On Windows NT, 2000, and XP, running programs are viewed with the Windows Task Manager (press Ctrl+Shift+Esc, or right-click the taskbar and choose Task Manager). The Task Manager has tabs for applications, processes, and other statistics; on the Processes tab, check Show processes from all users so that services and other users’ processes are included. Figure 5.17 shows the Task Manager set to view all processes. Like the Windows 9x series, Windows NT, 2000, and XP can also use Process Explorer, which additionally shows each process’s full path and parent process.

Figure 5.17 Task Manager Set to View All Processes

On these platforms, the Services console (the front end to the Service Control Manager, or SCM) is used to view all services and their status. Open it by clicking Start | Control Panel | Administrative Tools and double-clicking Services, or by typing services.msc in the Run box. The list shows every installed service with its name, a description (if available), its status (Started or blank), its startup type (Automatic, Manual, or Disabled), and the account under which it runs (Log On As). Double-clicking a service shows the path to its executable, which is worth checking for anything you did not install. On Windows XP Professional, tasklist /svc at a command prompt shows which services are hosted by which process, and sc query lists services from the command line.
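The Task Manager and Services views answer “what is running?”; the questions that actually distinguish a planted tool from the rest are “where does the binary live?” and “is it signed?”. The following script is an added example, not code from the book: it builds both listings from PowerShell with those two columns and flags anything running out of a user profile or temporary folder. It assumes PowerShell 3 or later (on Windows XP, substitute Get-WmiObject for Get-CimInstance); the list of suspect locations is an assumption, and paths of other users’ processes require an elevated prompt.

```powershell
# Added example (not from the book): the Task Manager and Services views as
# PowerShell reports, with binary path and signature status, plus a filter for
# binaries running from user-writable locations.
# Assumes PowerShell 3 or later; on XP use Get-WmiObject Win32_Service instead.
function Get-ProcessReport {
    Get-Process | ForEach-Object {
        $path = $_.Path    # $null for protected/system processes or without elevation
        $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
        [pscustomobject]@{
            PID       = $_.Id
            Name      = $_.ProcessName
            Path      = $path
            Signature = $sig          # Valid, NotSigned, HashMismatch, ...
        }
    }
}

function Get-ServiceReport {
    # Win32_Service carries the columns the Services console shows, plus the binary path.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            LogOnAs   = $_.StartName
            PathName  = $_.PathName
        }
    }
}

# Locations the operating system and mainstream vendors do not run binaries from (assumed list).
$SuspectRoots = @($env:USERPROFILE, $env:TEMP, $env:APPDATA, $env:PUBLIC) | Where-Object { $_ }

function Test-SuspectPath {
    param([string]$Path)
    if (-not $Path) { return $false }
    $Path = $Path.Trim('"')          # service paths are often quoted and carry arguments
    foreach ($root in $SuspectRoots) {
        if ($Path -like "$root*") { return $true }
    }
    return $false
}

Get-ProcessReport | Where-Object { (Test-SuspectPath $_.Path) -or ($_.Signature -eq 'NotSigned') } |
    Format-Table -AutoSize
Get-ServiceReport | Where-Object { Test-SuspectPath $_.PathName } | Format-Table -AutoSize
```

Unsigned binaries are common on a home machine, so the signature column is a sorting aid rather than a verdict; a service whose binary sits under a user profile is the stronger signal, since legitimately installed services almost always live under Program Files or the Windows directory.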

It is necessary to know the aforementioned few tricks for the material presented in this chapter and the rest of this book. As the book progresses, we will make note of other less obvious helpful tricks and techniques.

Software You Will Use

The Web site for this book contains links to the software discussed here. In addition, as we find or write new software that we feel is useful for online spying, we will post it on the Web site. Most of this software is released under the GNU General Public License (GPL), which means that it is completely free to use and modify, as long as anyone who distributes a modified version also releases its source code.

The software we showcase is pretty good (and even better with our modifications), but it may not be the best available. Many companies offer variations of these same tools for a price. However, we feel that our price (free) is unbeatable, and since you can obtain our software directly from the Web site and download it straight to the computer, there is no paper trail. By downloading our free software there are no credit-card receipts, checks to suspicious software companies, e-mails sent to you, or boxes of spy software showing up at your door. The entire process of getting and using our software is relatively innocuous and straightforward. Be aware, though, that the download itself leaves traces on the computer it was made from: an entry in the browser’s history and cache and, on Windows XP Service Pack 2, a mark on the downloaded file recording that it came from the Internet.

That being said, we still encourage you to investigate other software options that may better fit your needs. Our tools are not high-grade government spy software. They won’t evade every virus scanner or personal firewall. They are a good start and are designed to evade the average computer user. However, more sophisticated problems may require more sophisticated solutions. A Web search can point you to the many free and commercial alternatives.

In a few instances, there are not any software solutions available under the GPL that meet our needs. This is the case with personal firewalls and virus scanners, both of which are extremely complex and the result of much research.

In addition, some other small utilities we describe may be freeware or shareware but not necessarily open source. Whenever we can, we try to show a free alternative to any commercial software.

It is important to note that most of the software we ask you to install comes as unsigned code. On operating systems older than Windows XP, this makes no difference. On Windows XP Service Pack 2 and later, you will be greeted by a dialogue similar to the one shown in Figure 5.18.

Figure 5.18 Running Unsigned Software Warning

This is a warning that the program has not been cryptographically signed by its authors, so Windows cannot tell you who produced it. Before clicking Run, make sure you trust the download by some other means, for example by comparing its checksum with one published by the author, if available. Select Run to install the program.


This section describes the tools you will use throughout this book that are not directly used for spying, but are still needed for viewing images, reading files, making archives, and other tasks.


IZArc

IZArc is a freely available compression/decompression utility that handles zip and rar files, two of the most popular compression formats for Microsoft Windows, as well as many less popular ones. Unlike the trial versions of other compression software, IZArc never expires. IZArc also offers the best compromise of price (free), functionality, and polish.

If you are installing software on your PC for viewing and handling archives, IZArc is a great choice. If you are installing it on a target’s computer, you should first determine if that computer has any software already installed to handle archives. The best way to check is to double-click on an archive and see if a program opens it up. If you see a “Select Program” dialogue, you probably don’t have the capability of viewing archives on that computer. You can then install IZArc if you wish (it may be better to handle the archives offline on a separate computer), but you should take steps to make a particularly stealthy install.

Download From

IZArc can be downloaded from our Web site or from its home site. It comes as a self-extracting executable.


Installation Instructions

For the purposes of this book, we assume that you are installing IZArc version 3.4. Begin by double-clicking on the IZArc installation file. You should immediately see a screen asking you to uninstall any previous versions of IZArc, then a dialogue asking you to select the preferred language for installation. After that you should see the IZArc Welcome screen.

Click Next and accept the following two screens of license information. The default installation location should also be accepted. When you reach the screen asking about creating a Start menu, select the box Don’t create a Start Menu folder for a stealthier install (Figure 5.19).

Figure 5.19 IZArc Start Menu Folder Dialogue

At the next dialogue, the options for a “Quick Launch” and “Desktop” icon are at your discretion. If you are installing on your personal machine it doesn’t matter. If you are installing on a target machine, we suggest unchecking both options. Next, there are a few more screens to click through.

After the installation is complete, IZArc asks you to select a language and presents you with a screen similar to that in Figure 5.20. This is where you select exactly what type of archives IZArc will open. We recommend pressing the Deselect All button and then checking only the archive types you will need. Assigning IZArc to too many archive types might disrupt previously installed archive software and reveal your presence on the target box.

Figure 5.20 IZArc Archive Type Association Screen


IZArc is almost self-explanatory in that it is implicitly activated whenever a compressed archive file is double-clicked. It has several icons for file extraction and other common functions.


Kaboodle

Knowing a target machine’s Internet Protocol (IP) address enables you to track it on a network so that you can remotely access it. However, because many home networks assign dynamic IP addresses (the address can change every time the computer connects), you need a way to locate your target machine as its IP address changes. Kaboodle offers a visual means of mapping out your network and shows representations of the different machines on it. By using Kaboodle, you can automatically find every machine and its IP address. As a bonus, Kaboodle can automatically detect machines running Virtual Network Computing (VNC) and connect you to them.

Download From

Kaboodle can be downloaded from our Web site or from its home site. It comes as a self-installing executable file.


Installation Instructions

Installation of Kaboodle is a relatively straightforward process. Begin by double-clicking on the executable you downloaded. You should immediately be greeted by Kaboodle’s Welcome screen. After clicking Next you will receive a License Information screen. Agree to the license and click Next again. The next screen asks where you want Kaboodle installed. Accept the defaults and continue, and Kaboodle will finish installing.


Kaboodle will place an item in your program menu and an icon on your desktop. Clicking on either will start the program. It will immediately scan your network and list all of the computers and network devices it can find, which will be displayed on a screen similar to the one shown in Figure 5.21.

Figure 5.21 Kaboodle’s Main Screen

There should now be icons for every computer and device on your network. Double-clicking or right-clicking on an icon gives you a dialogue similar to Figure 5.22. This shows the machine’s IP address, its Media Access Control (MAC) address (the hardware address of its network adapter, which stays the same when the IP address changes), and other information about the computer. With this tool, you can easily discover and track the different computers on your home network.

Figure 5.22 Kaboodle Giving More Information About a Computer
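The part of Kaboodle that matters for tracking a machine whose address changes is the pairing of IP addresses with MAC addresses. The following script is an added example, not Kaboodle’s code or the book’s: it pings every address on a /24 home subnet so the machine’s ARP cache fills, parses the arp -a output into IP/MAC pairs, and keeps a small inventory keyed on MAC so that a host that has moved to a new address is reported. It assumes PowerShell 3 or later; the subnet prefix and inventory file name are constructed assumptions.

```powershell
# Added example (not from the book): find live hosts on the home subnet, pair
# each IP address with its MAC address, and report hosts whose IP has changed
# since the last run. Assumes a /24 subnet and PowerShell 3 or later.
$Prefix    = '192.168.1'                                       # assumed home subnet
$Inventory = Join-Path $env:USERPROFILE 'home-hosts.csv'       # assumed file name

function Invoke-PingSweep {
    param([string]$Prefix)
    # One echo request per host is enough to put the answer in the ARP cache.
    1..254 | ForEach-Object {
        $ip = "$Prefix.$_"
        if (Test-Connection -ComputerName $ip -Count 1 -Quiet -ErrorAction SilentlyContinue) { $ip }
    }
}

function Get-ArpTable {
    # Parse lines of "arp -a" output such as:
    #   192.168.1.10          00-11-22-33-44-55     dynamic
    arp -a | ForEach-Object {
        if ($_ -match '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)') {
            [pscustomobject]@{ IP = $matches[1]; MAC = $matches[2].ToUpper(); Type = $matches[3] }
        }
    }
}

function Update-HostInventory {
    $alive = @(Invoke-PingSweep -Prefix $Prefix)
    $seen  = @(Get-ArpTable | Where-Object { ($alive -contains $_.IP) -and ($_.Type -eq 'dynamic') })
    $old   = if (Test-Path $Inventory) { @(Import-Csv $Inventory) } else { @() }

    foreach ($entry in $seen) {
        $prev = $old | Where-Object { $_.MAC -eq $entry.MAC } | Select-Object -First 1
        if ($prev -and $prev.IP -ne $entry.IP) {
            Write-Host "$($entry.MAC) moved from $($prev.IP) to $($entry.IP)"
        }
    }
    # The MAC is the stable handle; the IP is just where that adapter is today.
    $seen | Select-Object MAC, IP, @{ n = 'LastSeen'; e = { Get-Date -Format s } } |
        Export-Csv -Path $Inventory -NoTypeInformation
    return $seen
}

Update-HostInventory | Format-Table -AutoSize
```

A sequential sweep of 254 addresses takes a few minutes because each unanswered ping waits for its timeout, and every host with a personal firewall will log the probe; a MAC address can also be changed in the adapter’s driver settings, so treat it as a good handle rather than proof of identity.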

Finding Interesting Stuff

Looking for files of interest on a computer can be like searching in the dark for a needle in a haystack. For example, a typical installation of Windows XP Service Pack 2 with a few typical applications has more than 1,000 folders containing more than 20,000 files. This is a significant amount of data for any one person to look through. To simplify the tasks of searching for meaningful data, we present some basic search tools. This is the software you will use to search for material of interest on your target computer. These are tools that help you comb through the thousands of files that can be found on a typical machine and develop a useful list of “interesting” ones to examine more closely.

MS Search

One of the most powerful tools for searching for information is already installed on your computer. Microsoft builds a Search utility into its operating system that lets you conduct a variety of searches on the file system. You can search for files by name, by the date they were modified, or by content. When pointed at the C:\ drive (the entire file system), you can conduct a very broad search for anything that may interest you. Search is found on the Start menu by clicking Start | Search. Figure 5.23 shows the search dialogue box. Note that on Windows XP the search skips hidden files and system folders unless you open More advanced options and check Search system folders and Search hidden files and folders, so set those before searching a machine you suspect of hiding something. (MS Search is covered in more depth in Chapter 6.)

Figure 5.23 Microsoft’s Search Dialogue Box

Google Desktop Search

The Google Desktop Search software allows you to search your computer using a Web browser. It will also find e-mails, AOL Instant Messenger (AIM) chats, files, and cached Web pages. Its advantage over Microsoft’s search program is its ability to classify and index additional file types: being able to display cached Web images and chat logs makes searching and evaluating results much easier. In addition, searching with Google Desktop Search uses a format that most computer users are already familiar with. Remember, though, that the index it builds is itself a large, discoverable artifact on the machine, and that it will also index whatever you do on that machine.

Download From

The Google Desktop Search tool can be downloaded and installed from Google’s Web site.

Installation Instructions

Google has made installation of the Desktop Search software as easy as possible. Using your Web browser, go to the Google Desktop Search download page and click the Agree and Download button; this begins the installation procedure. A pop-up window will ask whether you want to run or download GoogleDesktopSearchSetup.exe. Click Run. The installation program will shut down any open Web browsers in order to continue. Once it has finished, a browser window similar to the one shown in Figure 5.24 opens, indicating successful installation and offering several configuration options.

Figure 5.24 Google Desktop Search’s Configuration Page

Of the given options, Enable search over AOL and AIM chats and Enable search over secure Web pages should be set (the latter indexes pages fetched over HTTPS, such as online banking sessions, so the index will then contain sensitive material). The option for providing feedback to Google can be set if you wish; it has no bearing on the tool’s ability to search for information. Once you have set your preferences, click Set Preferences and Continue. The next window indicates that Google is indexing your computer, as shown in Figure 5.25.

Figure 5.25 Google Desktop Search’s Indexing in Progress Page

Clicking on Start Searching takes you to Google’s main interface for searching your desktop, as shown in Figure 5.26.

Figure 5.26 Google Desktop Search’s Main Search Dialogue


You can start the tool from the desktop icon or from the Google Desktop Search item on the Programs menu. A window similar to Figure 5.26 will appear. From this page you can choose to search the Web or follow other Google links; as long as Desktop is selected, you will be searching your hard disk. When performing a search, the tool classifies its finds as files, e-mail, images, and chat logs. Any of these can be clicked and viewed with whatever application is registered for them.

Collecting on the Computer

Like the tools mentioned in “Finding Interesting Stuff,” the software discussed in this section helps you collect information passing through the targeted computer. These tools are used to collect files, e-mails, or events that took place on that computer but have left no long-term evidence behind.

PC Inspector

The first type of software we use to collect information that was once (but is no longer) on the computer is a tool named PC Inspector. It takes standard searching techniques one step further by scouring the hard drive to recover files that have been deleted (and long forgotten). Recovery is only possible as long as the deleted file’s disk space has not been reused, so run the tool from a different drive (or removable media) and save recovered files somewhere other than the drive being examined; every write to that drive risks destroying what you are looking for.

Download From

You can obtain the most recent version of this freeware tool from its vendor’s Web site, or with the other archived software on our Web site.

Installation Instructions

The installation process for this application is straightforward. You are not required to make any decisions or selections other than indicating which language the instructions should be displayed in and accepting the license.

Protected Storage Explorer

Next, we expand our search for hidden information to the memory of the computer and the applications that execute on it. In particular, we directly target Microsoft’s Protected Storage area with a tool rightfully named Protected Storage Explorer.

Download From

You can acquire this tool either through from or from

Installation Instructions

Like the previous tool, installation of the Protected Storage Explorer is straightforward. Double-click on the installation executable that you acquire from the Web site and follow through the menu questions. In addition, we suggest that you ensure that the “Just me” box is checked so that icons are not created on the desktops of other users of the computer (Figure 5.27).

Figure 5.27 Protected Storage Explorer Installation Folder Selection

Best Free Keylogger

The searching tools already mentioned in this chapter can look for information that used to be on a computer; now we want to gather new and transient information as it is created. To accomplish this, we rely heavily on an application called Best Free Keylogger (BFK), which is capable of capturing keystrokes and surveillance images of the desktop.

Download From

The BFK is available at and at

Installation Instructions

The most important aspect of the installation process for this tool is the selection of the Installation folder. This is where the images and collection will be stored, so make sure that it has plenty of available disk space (see Figure 5.28).

Figure 5.28 Best Free Keylogger

Like many of the others, this is a GNU-licensed application.

Collecting over the Wire or the Air

A lot of the data on computers is evanescent; it is sent to the computer, or passes through it, but never stays there for long. It may be information that originates on the computer, but is not collected by other tools, or it may be data such as an instant message that is sent to the target computer, viewed briefly, and then discarded forever.

The next category of tools we discuss are commonly referred to as sniffers. Sniffers enable you to monitor network traffic and collect some of this ephemeral data that can be very interesting and very elusive. A sniffer allows you to capture all of the information that is entering and leaving a computer via the network. A correctly installed and operating sniffer will yield a wealth of information to any cyber-spy. Many valuable protocols such as Internet Relay Chat (IRC [the standard version]), AOL Instant Messenger (AIM), Yahoo, Microsoft Network (MSN), e-mail, and Hypertext Transfer Protocol (HTTP) are transferred across the network in plaintext, meaning they are not encrypted and anyone who captures the packets can view the data in them.

There are basically two different locations that you can sniff from: the target’s machine or another machine that can see the traffic. The target’s machine is an easy choice if you can get to it. A sniffer on that machine will see all network traffic coming in and out of the machine. When coupled with a remote access tool, a sniffer-implanted target machine is a well-bugged and powerful eavesdropping device. We also show you how to set up your account to sniff for all traffic, even when you aren’t logged in. If for some reason you can’t obtain access to the target’s machine, a different approach must be taken. In that situation, network monitoring has to be done from a remote machine.

There are several options that can be used when trying to capture traffic remotely. In order for remote sniffing to work, the computer you install it on must be able to see all of the traffic to and from your target machine. There are several scenarios where this is possible. An easy and ideal scenario is if all computers are connected with a hub. To test for this scenario, first determine your IP address, then turn on your sniffer of choice (to be discussed shortly) and look at the traffic. If any of the traffic has IP addresses that belong to your network but not your computer, your computer is probably connected via a hub.

If you are on a network connected by a switch, you have a couple of other options. The first option is to set your listening computer as a network chokepoint and force all network traffic to pass through it. This would involve putting two network adapters in your machine, configuring it to forward traffic, and placing it in a network chokepoint, as shown in Figure 5.29.

Figure 5.29 Computer Used as a Pass-through for Sniffing

Alternatively, you could acquire a small hub and connect it into a chokepoint. Using the hub creates a much simpler setup. All that is needed is the hub and two additional network wires, one to connect to your listening station, and one to complete the original connection. Figure 5.30 shows how to set up this topology.

Figure 5.30 Using a Hub to Build a Network Tap

The only difficulty with using a hub is that in this day and age it may be hard to find a true network hub. For performance and cost reasons, most stores now generally only sell low-cost switches.

You may remember that there are two obvious chokepoints: between a router and the cable/DSL modem and between the cable modem and the wall. The connection between the modem and the wall is done either with coaxial cable or phone cable as opposed to network cable. Most people do not have network adapters that can use these types of cable. As a result, the best chokepoint is between the router and the cable/DSL modem. A computer intercepting all of the traffic on the home network would be able to see everything.

One area that is guaranteed to be a broadcast region is a wireless network. If your target’s computer is connected to a network via Wireless Fidelity (Wi-Fi), sniffing will be a relatively easy process. Because of its very design, wireless must be broadcast, and a wireless signal can be picked up directly out of the air. There are two ways to sniff wireless traffic. You can sniff with your computer without adding it to the wireless network, which has the advantage of being stealthier. Because your computer has never become part of the network, no one knows if it’s there and therefore no one can monitor its traffic. However, if wireless encryption is turned on (i.e., Wireless Encryption Protocol [WEP] or Wireless Application Protocol [WAP]), it is easiest to become part of the network to see the plaintext view of all the packets. Even then it is still extremely difficult to detect if your computer is actually collecting and sniffing traffic.

The following are software tools that can be used for sniffing.

WinPcap

This device driver must be installed on any Windows machine that will be used for network monitoring. It enables different packages to collect or sniff packets on the network. Some popular sniffers come with WinPcap as part of their installation, but most don’t, so we cover its installation here.

Download From

The latest version of WinPcap that will work with the tools we use in this book can be downloaded from or from its home page at While it comes in many formats, the best and easiest to use is the WinPcap auto-installer. This is an executable that, when run, installs WinPcap and all of its associated files.

Installation Instructions

Installation is straightforward and follows a few simple steps. Unlike most of the other software packages we will be discussing, WinPcap does not have any real configuration options. As a result, installation is done in five easy steps:

1. Using techniques from this chapter’s “Basic Skills” section, look for and remove previously installed versions of WinPcap.

2. Double-click on the auto-installer.

3. Click Next on the Welcome screen to go to the license information.

4. Accept the license information and then click Next. You should receive a final screen showing WinPcap was installed.

5. Click Finish.

Ethereal

Ethereal is a very powerful tool that we will be using throughout the remainder of this book. Ethereal can be used to capture packets and analyze protocols. We will show you how to use Ethereal to examine captured packets, which will allow you to determine what data was passed in the conversation. Ethereal can be used to filter the captured packets and to display selected data. This allows us to capture a large amount of traffic and quickly sift through it for the important information.

Download From

The latest version of Ethereal can be found or at Ethereal’s main site, Ethereal can be obtained either as a self-extracting executable or an archive. For the purpose of this book, we will discuss using the self-extracting executable because it will provide the easiest method of installation.

Installation Instructions

Installation of Ethereal is relatively straightforward. However, WinPcap must be installed before installing Ethereal. Installation of Ethereal requires six steps:

1. Double-click the downloaded Ethereal executable. This will create a pop-up window displaying the Welcome screen.

2. Click Next; you will be greeted by a license screen.

3. Read and agree to the license.

4. At the Choose Components screen shown in Figure 5.31, select the Ethereal Components you want to install. The defaults are usually acceptable.

Figure 5.31 Ethereal “Choose Components” Screen

5. Now you should be at the Choose Install Location screen. Once again the default values work.

6. You will be greeted by a final pop-up window; click Finish to finalize installation.


Ethereal is a relatively easy tool to use. Initially, we only cover its basic capabilities. Once you’ve become comfortable with its basics, we will discuss its more powerful features. This section explains the basics, which focus on using Ethereal as a packet sniffer.

The first step is to start Ethereal, which can be done either by double-clicking the icon or from Start Menu | All Programs | Ethereal | Ethereal. This brings up the Ethereal’s interface, as shown in Figure 5.32.

Figure 5.32 Ethereal Interface

Although the main Ethereal graphical user interface (GUI) may seem a bit daunting, don’t become dismayed; using Ethereal is actually very easy.

The next step is to go to Capture | Start, which will display the capture dialogue, as shown in Figure 5.33. This dialogue allows you to select various options that will determine what Ethereal captures. If the computer has multiple network interfaces, you can choose to capture on one or all of them. Ethereal can also be set to write collected traffic to a file, which can then be examined at a later date using the Ethereal GUI. An important option to check is Capture packets in promiscuous mode, which allows every packet on the network to be collected, not just those intended for the local machine that has Ethereal installed.

Figure 5.33 Ethereal Capture Dialogue

Once you have selected your options, click OK to begin packet capture. Ethereal will then display a status dialogue indicating how many packets and of what type have been captured. Packet Capture continues until the Stop button is selected. After Packet Capture is stopped, Ethereal displays the captured packets in a manner similar to that shown in Figure 5.34.

Figure 5.34 Ethereal with Captured Packets

The Ethereal GUI shows all of the captured packets. As shown in Figure 5.34, the GUI is split into three sections: the top section displays all of the captured packets, the middle section displays a single packet’s protocol information, and the last section allows the user to examine a raw packet. To select which packet to examine, you simply highlight it in the top section. As you will notice, this causes the highlighted packet to be displayed in the middle and bottom sections as well. Selecting different sections of the packet field descriptions in the middle display causes Ethereal to expand those areas and show additional information about the packet. This also allows you to select which sections of the raw packet you wish to analyze in the bottom display.

One of the most useful features of Ethereal is its capability for filtering out selected packets. You can select a packet, and Ethereal provides the ability to display only the conversation that the packet was a part of. In order to do this, right-click on the highlighted packet and select Follow TCP Stream, as shown in Figure 5.35.

Figure 5.35 Selecting the “Follow TCP Stream” Option

Ethereal then displays the conversation that the packet was a part of, as shown in Figure 5.36. This allows you to easily identify and follow specific conversation streams on a heavily congested machine.

Figure 5.36 Ethereal Showing a Decoded TCP Stream

After examining the conversation, select Close and go back to the captured packets.


Once you’ve finished following a Transmission Control Protocol (TCP) stream and you are back at the main GUI, you may notice that Ethereal is showing packets belonging only to the conversation you just studied. In order to obtain a complete view of all captured traffic, it is important to click on the Reset button on the lower right-hand side of the GUI.

Ethereal is a very powerful sniffer and protocol analyzer. It is recommended that you use Ethereal to capture and examine some of your own packets as practice, to help you learn how to use it effectively.

Packetyzer

Packetyzer is another sniffer package that we recommend. At its core, it is very similar to Ethereal and, in fact, uses the Ethereal Capture engine in order to work. However, the makers of Packetyzer determined that Ethereal did not meet all of their needs. The resulting product, Packetyzer, performs all of the core functions of Ethereal and then some. Notable improvements include a more Microsoft Windows-like interface, its ability to graphically visualize traffic, and the capability to capture and analyze Wi-Fi (wireless) traffic and locate Wi-Fi access points. Some people also find its interface more intuitive than Ethereal’s.

Download From

Links to Packetyzer can be found at or at Each site should have a link for downloading the current version of the Packetyzer setup executable.

Installation Instructions

Packetyzer installation is relatively easy, and to keep things simple we will be using the default layout and options. Installing Packetyzer requires eight steps:

1. To start installation, double-click on the Packetyzer set-up executable. This will bring up the initial Setup screen.

2. Select Next at the initial screen to bring up the license agreement.

3. After reading the license agreement, select the I accept the agreement button, then select Next. As noted earlier, the GPL license allows you to freely download and use the tool, but restricts repackaging and selling it. Following acknowledgment of the GPL agreement, you will be shown additional licensing and copyright information.

4. You should now be at the screen for setting up the installation location. Accept the default path and click Next.

5. Packetyzer’s setup will now ask where to place the Start Menu Folder. Once again, use the default and select Next.

6. The next screen (Figure 5.37) prompts for two additional options. The first is to install a desktop icon. Select this option at your own discretion. Although it will make it easier to find and run Packetyzer, it makes it easier for other users to discover it as well. Completely overt installation of a sniffer may clue some users in to your sneaky intentions. The second option is to install the WinPcap driver. If you have not already installed WinPcap, select this option. If you walked through the installation at the start of this section, you should already have the latest version of WinPcap installed. After selecting your options click Next.

Figure 5.37 Packetyzer Options

7. Now that the options are configured, Packetyzer is ready to be installed. Select Install to begin the process.

8. After a minute or two, the final screen will appear. Click Finish.


We will be using Packetyzer as a sniffer and an analyzer. After starting Packetyzer by clicking on the icon or through the menu bar, you will be presented with a Capture Options pop-up window (Figure 5.38). This window allows you to set the interface that Packetyzer will collect on, as well as size limits and promiscuous mode. Usually the default interface will work for packet capture. We don’t recommend limiting the capture size on each packet; promiscuous mode is a good idea. Automatic scrolling of a live capture is a good feature; it shows you packets on the screen as it captures them. Unfortunately, this option also takes a lot of central processing unit (CPU) time and can slow your PC down to a crawl. The final option limits the size of your total capture to about 10,000 kilobytes, or about 10 megabytes. That is an acceptable default value for some things. If you are on a network where several people are browsing the Web or engaged in other high-bandwidth activities, 100,000 or even 1 million kilobytes might be a better value. After selecting all of your options, click OK to continue.

Figure 5.38 Packetyzer Options

The main Packetyzer window (as shown in Figure 5.39) is now displayed. You can select the Help tab to receive further help at any time. Much like Ethereal, the main Window is divided into sections; however, it also has tabs taking you to other screens of interest.

Figure 5.39 Packetyzer Main Window

To begin capturing packets you can either go to Session | Start Capture or press F5. To stop capturing packets go to Session | Stop Capture or press F6. In the example shown in Figure 5.40, a browser was started that went to as its home page. The captured packets are displayed in three separate sections of the GUI: the top right section shows all of the packets that were captured, the bottom right section shows the raw dump of the highlighted packet in the top window, and the left side shows the protocol of the packet broken out. This is the same basic design as Ethereal.

Figure 5.40 Example Packet Capture

By selecting a packet in the top right portion and right clicking on it, Packetyzer will display advanced options. Packetyzer will automatically follow the TCP stream of a session. Figure 5.41 shows all of the traffic that was sent between the machine and Google’s Web server.

Figure 5.41 Captured Traffic for a Web Session

Looking back at Figure 5.39, you may notice that there is a tab labeled Wireless. This tab gives access to Packetyzer’s wireless features. If your computer or laptop is equipped with a Wi-Fi card, you can use this section to obtain information about wireless access points available to your machine. Packetyzer has some more advanced features than Ethereal. Feel free to experiment with Packetyzer and explore its capabilities. You may find it is more intuitive to use than Ethereal.

Snort

Snort is an open source Intrusion Detection System (IDS) that has many distinct uses. As an open source project, it benefits from having many people contributing to its evolution. As a result, it has become a very powerful and effective IDS. One critical component of its intrusion detection capability is its ability to capture and store packets. It can also be run as a service, allowing it to collect packets from all users, which is especially useful on a multi-user Windows XP machine. As a service, Snort can run covertly in the background, making it difficult to detect.

Download From

Snort can be found at or at Like most other GPL projects, it comes in a range of formats from source code to archive files to self-extracting executables. A self-extracting executable is the best and easiest choice for our purposes. As with other tools previously installed, WinPcap must already be installed.

Installation Instructions

After downloading the self-extracting executable, double-click on it to begin the installation process. The installation of Snort requires five steps:

1. The first step is to read and agree to the license. By this point the GNU GPL should be familiar to you. Click I Agree to continue.

2. The next screen is Installation Options where Snort can choose to log its data to a database (Figure 5.42). We will not need to use this advanced option. Click Next to continue.

Figure 5.42 Snort Logging Options

3. The next step is to choose your installation components. As usual, the default components will suffice. Click Next to continue.

4. Next choose the installation location. Take note of this location. Unlike most of the other programs that we have installed, Snort does not create an icon or an entry in the Start menu. It must be started from the directory that it was installed into.

5. Click Install to begin the installation process. Snort will display a status bar to keep you updated about its progress and a final pop-up window when it has completed.


Snort will be used as the local sniffer, because it can generate traffic log files and examine those logs. Snort must be installed and configured to run as quietly as possible; therefore, it should be installed as a service. This takes several steps that are relatively easy.

1. The first step is to create a directory where the log files will be placed. For our example, this directory will be located where the Snort executable file resides, but it can be put anywhere, and in fact should be put somewhere less obvious. The easiest way to create the log folder is to use Explorer. Go to the Snort directory, right-click and select New | Folder, and change the folder name to Log. You can also give it a less obvious name.

2. Once the Log directory is created, you must set up Snort as a service. To do this, use the command line from where the Snort executable resides. At the command prompt enter


cd C:\snort\bin
Snort.exe /SERVICE /INSTALL -l "C:\snort\bin\Log" -b

    where the -l option indicates the directory in which to place the log files. If the path contains spaces, the entire path must be enclosed in double quotation marks, as shown. The -b option tells Snort to save the log files in tcpdump (binary) format rather than as text.

3. Now that Snort has been installed as a service, it must be set to start automatically on reboot. The easiest way to do this is to click Start | Control Panel | Administrative Tools | Services. Now all of the services on the machine will be displayed. Find the entry associated with Snort and right-click and select Properties. A Properties window will be displayed that will look similar to Figure 5.43. Under the Startup Type, select Automatic and press the Start button to activate Snort.

Figure 5.43 Snort Properties Dialogue

Snort is now installed and activated. To ensure that it is functioning correctly, start up a Web browser and go to a Web site. Check the Log folder; there should be a file. These are the files that will be examined later to determine the activity on the machine.


You can drag your Snort log files into Ethereal or Packetyzer and use these more advanced tools for packet analysis.
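
As an added example (not code from the book or from the Snort, Ethereal or Packetyzer projects), the following Python script reads a tcpdump-format file such as Snort writes with -b and prints an Ethereal-style one-line-per-packet listing, handling both byte orders of the pcap header and truncated files. The capture bytes it parses are constructed in memory, and the MAC addresses, IP addresses and ports in them are made up.

```python
"""Summarise a tcpdump/pcap capture file without a capture library.

Added example, not code from the book or the Snort/Ethereal projects.  Snort's
-b switch logs in tcpdump (pcap) format, which Ethereal and Packetyzer open; this
decodes its header and records into the one-line listing Ethereal's top pane
shows.  The capture it reads is constructed in memory below.
"""
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # pcap variant with nanosecond timestamps
LINKTYPE_ETHERNET = 1
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def header_layout(magic_bytes):
    """Return (struct byte-order prefix, ticks per second) from the magic number."""
    # The writer's byte order is whichever one makes the magic read correctly.
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", magic_bytes)[0]
        if magic == PCAP_MAGIC_USEC:
            return endian, 1_000_000
        if magic == PCAP_MAGIC_NSEC:
            return endian, 1_000_000_000
    raise ValueError("not a pcap file (magic %s)" % magic_bytes.hex())


def summarise_frame(frame):
    """Decode an Ethernet frame down to IPv4 addresses and TCP/UDP ports."""
    if len(frame) < 14:
        return "runt frame"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return "EtherType 0x%04x" % ethertype
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return "truncated or non-IPv4 header"
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes, options included
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    name = PROTO_NAMES.get(proto, "proto %d" % proto)
    l4 = ip[ihl:]
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        return "%s %s:%d -> %s:%d" % (name, src, sport, dst, dport)
    return "%s %s -> %s" % (name, src, dst)


def parse_pcap(data):
    """Return (linktype, list of packet dicts) for the raw bytes of a pcap file."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    endian, ticks = header_layout(data[:4])
    # global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    packets, offset = [], 24
    while offset + 16 <= len(data):
        ts_sec, ts_frac, caplen, origlen = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        if caplen > snaplen or offset + caplen > len(data):
            raise ValueError("truncated packet record at offset %d" % (offset - 16))
        frame = data[offset:offset + caplen]
        offset += caplen
        packets.append({
            "time": ts_sec + ts_frac / ticks,
            "caplen": caplen,
            "origlen": origlen,
            "summary": summarise_frame(frame) if linktype == LINKTYPE_ETHERNET else "non-Ethernet link",
        })
    return linktype, packets


def ipv4_frame(proto, src, dst, l4):
    """Constructed Ethernet/IPv4 frame (checksums left zero, MAC addresses made up)."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0, src_b, dst_b)
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + l4


def build_sample_capture():
    """Constructed two-packet capture: a plaintext HTTP request and a DNS query."""
    http = struct.pack("!HHIIBBHHH", 1025, 80, 1, 0, 0x50, 0x18, 8192, 0, 0) + b"GET / HTTP/1.0\r\n\r\n"
    dns = struct.pack("!HHHH", 1026, 53, 8 + 12, 0) + b"\x00" * 12
    records = [(1100000000, 500000, ipv4_frame(6, "192.168.1.10", "192.168.1.1", http)),
               (1100000001, 250000, ipv4_frame(17, "192.168.1.10", "192.168.1.1", dns))]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    linktype, pkts = parse_pcap(build_sample_capture())
    for i, p in enumerate(pkts, 1):
        print("%d  %.6f  %4d bytes  %s" % (i, p["time"], p["origlen"], p["summary"]))
```

To run it against a real Snort log, replace build_sample_capture() with the bytes of a file from the Log folder.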

OWNS

One-Way Network Sniffer (OWNS) functions like a regular sniffer but goes further in its processing of the information. OWNS attempts to reconstitute the files that it observes passing through the network. This allows you to examine the files that were passed on the network with minimal analysis and no reconstruction on your part. OWNS attempts to break out the Graphics Interchange Formats (GIFs), Joint Photographic Experts Groups (JPEGs), e-mail, and other file types, which are all very useful in determining what someone is doing online. This is a good sniffer to use if you are actively monitoring the person in real time. It is also good for capturing e-mail sent with Microsoft Outlook, Outlook Express, and AOL mail. The biggest downside to OWNS is that it is an older piece of software and no longer updated.

Download From

OWNS can be found at either or at The current version is

Installation Instructions

OWNS uses WinPcap, which should already be installed on the system. Installing OWNS is quite simple and is done by double-clicking on the OWNS archive file and extracting it to a directory of your choosing. It is important to note that this application does not create an icon on the desktop or Start menu, so keep a note of where it is extracted.


OWNS is very simple to use. To start using it, click on the Owns.exe file in the directory that you extracted the application to. Doing so brings up the OWNS interface, as seen in Figure 5.44.

Figure 5.44 Initial OWNS Screen

The Source tab allows you to select the sniffer and source that it will collect on. Because we installed WinPcap previously, this option should be selected. You also have the option of using a file or network interface as the source. The file could be a tcpdump file from a previous session captured by any of the previously mentioned sniffers. However, for our demonstration we will use the network interface to collect and analyze the files that are viewed by our target. By selecting the Parameters tab, the next set of options (Figure 5.45) can be displayed.

Figure 5.45 OWNS Parameters Tab

This tab allows you to determine where the output files will go and in what form they will be saved. In the example shown in Figure 5.45, OWNS will create a directory named “files” wherever the executable resides, to store the collected files. After sniffing the network, you can go back to this directory and look at what was found. Clicking on the HTTP Filter tab brings up the next set of options (Figure 5.46).

Figure 5.46 OWNS HTTP Filter Tab

The Save Files option allows you to select which types of files should be saved. For our purposes saving them all is recommended. We also recommend lowering the minimum file length for saving. Currently, it is set at 10,000 bytes, or about 10KB. You should lower this setting to about 1,000 or even 500 bytes. This will be important in later chapters because you will discover that some sites, in order to reduce bandwidth, will transmit their Web pages compressed. These compressed Web pages are often well under the 10,000-byte default. Make sure you also check the For all HTTP Connection box in the “Save http headers” and “Save TCP streams” sections. Select the Other Filters tab for more options (Figure 5.47).

Figure 5.47 OWNS Other Filters Tab

The Other Filters tab allows you to select if you want to capture e-mail and news traffic. Once these have been selected, the Start Capture button will begin sniffing.

As OWNS works, the Stats tab will update with the traffic going by (Figure 5.48). Selecting Stop Capture stops the sniffer. Once OWNS is stopped you can go into the files directory and examine the files that were transferred. This makes it very easy to determine what the person was looking at. Additional help on OWNS can be found in the doc directory that was installed with OWNS. Double-click on the index.html file to view the help file.

Figure 5.48 OWNS Stats Tab

OWNS provides an extremely powerful capability for network traffic analysis. It can break out all of the material flying across the network, making visualization simple and easy. Using OWNS on your Snort log files can significantly reduce the amount of time you spend analyzing them looking for interesting material.

Tips & Tricks …

Live Web Browsing Monitor

You can watch the pictures that fly across your network in real time by opening an Explorer window to your OWNS collection directory and setting your view options to thumbnails. Any pictures that OWNS can see and reconstruct will appear one by one in the directory. You can at any time double-click on one for close inspection by using your installed image-viewing program.

Remote Access Tools

Some tools, like Snort, are very effective spy software because they run quietly on a target machine. Others, like Ethereal, need more intimate access. What do you do if you can’t get continual access to the computer? You install a remote access tool.

A remote access tool is a piece of software designed to allow you to control a computer from another box, as if you are physically sitting at the computer. Three very good and easily available options are Back Orifice (2k and XP versions), Microsoft’s Remote Desktop, and VNC. In this book, we utilize the program UltraVNC ( in our examples.


VNC comes in several flavors. There is the original VNC or RealVNC (, an optimized version TightVNC (, and the version we will be using, UltraVNC ( We believe that UltraVNC is the best choice for several reasons. First, it contains most of the optimizations of TightVNC. Second, it has built-in stealth options, making discovery by your target slightly more difficult. Finally, it also has extra capability for file transfers and other added functionality.

Download From

UltraVNC can be downloaded either from our site or from its home page at It comes either as an archive of all necessary files or as a self-installer. For this book, we cover only the self-installer.

Installation Instructions

Once you download the self-installer, you can run it by double-clicking on the executable. This will launch a Setup screen that will prompt you for the components you wish to install (Figure 5.49).

Figure 5.49 Installation of the UltraVNC Remote Access Tool

This prompt is very important because it will determine what software is extracted and installed on which computer. Unlike the other applications, you need to install this in two places: (1) on your target’s machine and (2) on the remote machine that you are planning on using to access the target’s computer. On your target’s computer you want to check only the UltraVNC Server option and click Next. This will also ask you if you want to create a desktop icon; we suggest that you leave this box unchecked. If you want this to restart upon each boot, check the Register UltraVNC Server as a system service box. Next, it will install the software.

Next you can start the server from the Menu bar or from the icon that is created on the desktop tray. The first thing that you need to do is configure a password and other specific options that you desire (Figure 5.50). In particular, we suggest that you check the Enable File Transfer box so that you can copy files to/from this computer.

Figure 5.50 Configuration of the UltraVNC Remote Access Tool

Meanwhile, you need to install the viewer on your computer. To do this follow the same aforementioned steps, but this time check only the box that says UltraVNC Viewer in the Select Components dialogue box. Once this is complete, you will be ready to remotely access the computer.


Usage of this tool is covered in depth in Chapter 6.

Tips & Tricks …

Take a Trip Back in Time

Throughout this chapter we have been instructing you to install software on your target’s computer. In doing so, we continuously urge you to be as stealthy as possible with making a note of changes and returning the system to its original state when all is complete. However, there is one thing that you cannot prevent when you install software, and that is the presence of new files.

If you install a keystroke logger on your target’s computer, and he stumbles across it, you could be caught. In fact, your target will have found not only the software but also a means of determining when it was installed. Microsoft Windows keeps track of time attributes having to do with file creation time, modification time, and last access time.

One thing you can do to help keep the accusatory fingers from pointing at you is to set the clock back on the computer before you install any software or access any files. For example, if you were out of town last week, and you set the clock back to that date, then when your mark notices the access time, you couldn’t possibly be a suspect! This is also an easy way to evade searches done for specific access times. For example, let’s say your mark always uses the Microsoft search tool (Start | Search | All files or folders | When was it modified) to look for files that have been recently accessed. By changing the date back, you will evade your target’s search. But whatever you do, do not forget to change the time back.

You can change the time by double-clicking on the time displayed in the bottom right of the computer screen. A calendar and a clock will appear on your screen. Both can be changed by selecting either new dates or a new time and clicking the OK button.

Mastering Your Domain

The first steps you must take are to “master your domain.” Like a good spy, you must develop knowledge of what you are up against so that you are prepared to operate in it. This involves becoming familiar with the networks, computers, and software you will be monitoring. As with all of our spying endeavors, from now on we will follow the six steps of the SLEUTH methodology to help us accomplish our goals.

In attempting to understand your environment, you should at a minimum try to learn the following information:

• What computers are in your home network?

• What operating systems do they have installed?

• Are they connected to the Internet, and if so, how?

• What security software do they have?

• Do you have an account that you can use to install software?

• What access does your account give you?

• What account does your quarry use?

You should also make an effort to determine if and how the computer is connected to the Internet.

• What other objects are on the network?

• Is the computer connected via wireless or wires?

• Do all the computers connect into a hub or switch?

In addition to the concrete factors mentioned, you should also study your target and determine how, when, and where they use computers.

• Do they send and receive e-mail from home?

• Do they chat?

• Do they plug a work laptop into your network?

• Do they leave themselves logged in all day?

• Do they set a password on their account?

• Do they stay up and use their computer late at night?

All of these factors will play a part in how you spy. The techniques you utilize against someone who sends and receives e-mail from a family computer will be different from the ones you use against someone who plugs in a laptop wirelessly. Another problem can arise if your target logs on and off frequently with a password-protected account. Not an insurmountable problem, but one nonetheless. If you are successful, you will have the requisite knowledge needed to develop a more involved spying campaign against your targets.

Despite the apparent simplicity of your goals, they are involved enough to lend themselves to two separate missions. The first is done around the house before you even touch a computer; the second is done at computers of interest. The first determines targets of interest; the second penetrates them and collects the information that you will need for further surveillance against them. Everything so far has been presented as one unified plan; however, in reality, it has two logical parts, which will be executed at two different times. Even though we introduced both parts together, we now break them up into two separate missions, each of which will follow our SLEUTH methodology.

Mission 1: Assess Your Surroundings (Before You Sit Down)

Set Goals

The goals for this mission are to obtain a working knowledge of your home computing environment. This includes all of the computers and peripherals, who uses which machine, when and what for, and how they connect to the Internet. After the mission is completed, you should have a better idea of your targets of interest, and know what computer or computers in your home you would like to run a more involved spying operation against.

Lay Out a Plan

Now that you have an idea of the information you need, you can develop a plan for obtaining it. Because it will be from and about a computer, the plan is broken into several parts. The first is a general information-gathering plan that will inform you about your home’s computing environment and people’s usage patterns. It will be used to help you focus your efforts on each computer that is significant to your goals. The second part of the plan will give you a more in-depth picture of your target of interest. It will give you the information you need to develop a deeper and more involved spying campaign against that system.

Before you even sit down at a computer, you can answer a few of the questions asked in the “Goals” section. Walk around your house and count the computers. For each computer, make note of who uses it and for what. Once you have that information you can probably narrow down your collection to those machines of interest.

Before you begin to look at your newly targeted machines, look at your home network. Figure out how it’s connected. Is it cable, DSL, dial-up, or something else? Document how it works. Locate and document some of the critical infrastructure pieces. Look for your cable or DSL modem. Find out where it’s connected. Is there a router for your home network, a switch or a hub? Locate each of these. At this point, it may help to draw a diagram of your network. It doesn’t have to be sophisticated; boxes will do to represent computers, hubs, and routers. Draw in the network wires that are used to connect them. If the computer is connected wirelessly to the Internet, give it a special marking. Now you have a network map. You will use this later on when we address sniffing.

Finally, before you sit down, plan to take some time to look for usage patterns. This can be helpful since the next few steps will require you to spend some time physically at the computers you’re interested in. In some cases, you may want to do this covertly, so it’s important now to determine when you will have windows of time to fit your spying in. If the computer looks like it will be difficult to access, develop a plan to obtain access to it. For example, if your kids are on the computer nonstop when they’re home from school, and you can’t get to it when they’re in school, work on a plan to get them out of the house while you’re home. Send them on an errand or send them on an outing with your partner while you stay home to “catch up on work.”

Evaluate Risks

For the first mission, your risks are relatively limited. The information you wish to collect can be obtained easily and with little effort; it can be done by overt observation. The biggest risk is in alerting your target to your interest in computers, which may alarm them if you are usually uninvolved in the home computer and network. Luckily, your quest for this information can usually be passed off as simple curiosity or obsessive compulsiveness, whichever works for your situation. Another risk to consider is that any notes and diagrams you make can be discovered. Different methods can be developed to address this. For example, you can designate several pages of a “work” notebook for your information. Putting your computer diagrams in the middle of a notebook filled with boring accounting may be one safe place. Other steps would involve physical security of all your documentation. At this point, discovery of anything you document will be the weakest link in your operations chain. While your activities may be dismissed, the fact that you are recording information may be a little harder to dismiss. Develop a method to minimize the risk of your documentation being discovered.

Use Best Judgment to Execute Your Plan

Goals are set, a plan is developed, and the risks are assessed and minimized. It is time to execute your plan. This mission should be relatively simple and straightforward; we foresee few obstacles preventing successful completion. However, make this practice for your future operations. Don’t stray far from the SLEUTH methodology and remember the other important spy principles. Don’t be greedy in your search for information. Remember, many successful operations take time. Trying to get too much too fast may clue others in to your intentions. Don’t modify your behavior too much. Try to get the information you need while making it look like you’re not doing anything unusual.

Take in Observations

This is the most crucial step of your first mission. It is important to carefully document the information you’ve obtained. Below are some of the specific details you should be looking for:

• How many computers do you have?

• For each computer, determine:

1. Where is the computer located?

2. Is the computer a laptop?

3. Is the computer connected to a network? The Internet? How?

4. Who uses the computer? What do they use it for? When do they usually use it? What account access do they have?

5. Can you access the computer?

• What other devices are on the network? Routers, cable modems, and so forth?

Handle the Situation

Now that you’ve collected your information, it is time to use it. You know your target, and now hopefully you know about their computing habits: what machines they use, when they use them, and for what. Basically, you should have a good idea of your target machines and when you can physically access them. This is the information you will need to begin your second mission, a more in-depth collection of information.

Mission 2: Penetrate Your Targets (at the Computer)

Set Goals

The first mission helped you narrow down the computers you will be going after and helped you determine a good time to have physical access to those machines. Now that they have been determined, it is time to gain a deeper knowledge of your targets of interest. The second mission is about obtaining the appropriate information from each machine to be able to carry out more in-depth and remote spying. The specific goals for this mission are to identify the operating system and its users, the passwords or knowledge of how to obtain access, and the security software installed for each computer you have targeted.

Lay Out a Plan

For this mission, you will seek to accomplish the following objectives:

• Obtain access to the machine

• Determine the operating system

• Determine security software

• Create a method for sustained access

The first step you need to plan for is obtaining access to the machine. This requires that you have physical access for a certain period of time; we recommend 30 minutes. All of the procedures can be done in less than one minute, and almost instantaneously by a piece of software; however, it is always good to build in extra time for mistakes and possible errors. Thirty minutes should give you enough time to get into the machine, record the necessary information, and clean up.

The next step is to make sure you can log on to the machine. Many home machines don’t have passwords, but some do. If you encounter a password prompt such as the one shown in Figure 5.51, you will have to obtain a password to access the machine.

Figure 5.51 Windows XP Password Prompt

When faced with a prompt, you have several choices. If you’re an advanced computer user, you could boot from different media and mount the drive, or power down the computer and take its hard disk out to view elsewhere. These techniques, although effective, are involved, take experience, and leave traces. For example, a paranoid user may notice that their computer has been reset since they were last on.

Obtaining the password is generally a better solution. You can go about this in several ways. One is to “guess.” Guessing generally works in the movies, but we’ve never had much luck with that method. To improve your chances with guessing, you can look for a password “reminder” lying around. In movies, this is a post-it note stuck to the monitor, and in this case, we actually agree with the movies. Another great place to look for a password reminder is under the keyboard.

Using a keystroke logger offers an alternative to guessing passwords. A keystroke logger is a piece of software or hardware that captures user input at the keyboard. When a keystroke logger is software, it collects the keystrokes and writes out textual interpretations to a file. A hardware keystroke logger can take many forms (see Figure 5.52). It is a small device that fits between a keyboard with a PS/2 connector and the PS/2 slot. It quietly records keystrokes and stores them in its internal buffer. The keystroke logger can then be taken to another computer and its cache of keystrokes viewed. In cases when you can’t log on to a computer, a hardware keystroke logger is the best bet for getting the password.

Figure 5.52 Hardware Keystroke Logger

Once you’ve obtained access, the next step is to determine the operating system. In most cases, this can be done visually, but there are several guaranteed methods that should be used for verification. The ver command will reveal the operating system version and can be launched by opening a command prompt and typing ver.exe. Figure 5.53 shows the results of running ver on a Windows XP machine.

Figure 5.53 Running ver.exe on a Windows XP Machine

Although this can give operating system version and build information, it does not necessarily do it in an easy-to-understand format. For example, service packs are never clearly stated. An additional way of finding out the operating system version, including service packs, is to open the control panel, find the System icon, double-click to open it, and select the General tab. You should then see a window like that shown in Figure 5.54, giving the operating system, service packs, and information about the CPU and main memory.

Figure 5.54 Determining OS Version

Next, it is time to look for security software, in particular virus scanners and firewalls. These are the types of software that can play havoc with spy tools. They are designed specifically to prevent what you are attempting to do. Although most of our tools should bypass virus scanners, it is still good to be aware of them. Firewalls, on the other hand, can prevent some of our tools from working altogether. You can find most of these tools by looking at the small icon bar in the lower right-hand corner of the screen. Hold your mouse over each icon and its title will be displayed. If you are using Windows XP, you might have to click on the arrow labeled Show hidden icons to see all of the running software. Popular virus scanners are made by Norton and McAfee. Popular firewalls are Zone Alarm, Norton, and Microsoft’s built-in firewall. If you are using Windows XP Service Pack 2, you can go to Control Panel | Security Center. This gives you all of the information about installed firewalls and virus scanners.

Finally, it is time to create a method of sustained access. This is how you will have continued access to the computer. In some cases where there is no password and physical access is easy, there is nothing to do. If you had to obtain the password from a hint or a keystroke logger, it is a good idea to leave a keystroke logger and means of remote access in place in case the password is ever changed. If you do not think you will have ample opportunity to physically reach the computer again, it is a good idea to install one of the remote access tools described in the “Software” section. You can use these tools to access the machine remotely, almost as if you were physically sitting at the computer.

If you are going to install remote access software, you need to take the following steps:

1. Install and configure the remote access software.

2. Determine the information necessary for re-accessing the machine.

The first step is relatively obvious and follows the procedures mentioned in the “Remote Access Software” section. The second requires that you know three things: the port number you plan to run the software on, the IP address, and whether the firewall will allow it to run. The first of those values, the port number, is easy to determine. Unless you configure your backdoor (assumed to be UltraVNC) to use a different port, it will be 5900. Figuring out the IP address is also a relatively simple process. On older Win9x machines you can run winipcfg.exe to get a graphical display of IP address information. The current method is to open a command prompt, as explained in the “Basic Skills” section. At the command prompt, type ipconfig. The results should look like Figure 5.55.

Figure 5.55 Running IPconfig

Finally, you need to make sure your remote access software works with the currently installed firewall, if there is one. If the machine is Windows XP Service Pack 2 or greater, Microsoft’s firewall will be running by default, but also be prepared to encounter Zone Alarm or Norton Firewall. The best way to test for this is to run your software and look for a pop-up prompting about it. Before you permit your software to run, look for an option to make sure it is always permitted. On Zone Alarm this means selecting Make This the Default Action, and in Norton, select Always Permit rather than Permit.


If you are installing remote access software or any software that uses the network, make sure you test it first, and make sure that the firewall allows it. You may have to explicitly tell the firewall to let the software connect and receive connections. When doing this, make sure your choices for allowing the software access become the default action for that firewall. You don’t want your user to be prompted by his firewall anytime you want to access your target’s computer.

Notes from the Underground …

Password Profiling

If you’re lucky enough to obtain a password, either through a keylogger or via some other means, make sure you record it. Keep a list of passwords for your targets. After you’ve compiled some you can begin the process of password profiling. This is the process where you look at passwords and, using your knowledge of your target, look to see how they generated their passwords. In addition, you want to look for any similarities between their different passwords; in many cases, people will use the same password for many different types of accounts.

To begin profiling, start by writing the person’s name on a piece of paper. Make sure to include their maiden name, nickname, or any other moniker applicable. Then write down their parent’s name, spouse’s name, kid’s names, pet’s names, as many names of those close to your target as you can discover. Now, write down their birthday, anniversaries, license plates, and other relevant numbers. Follow this with a list of all of the passwords you’ve obtained so far. Now begin to look for patterns and similarities. Do they use parts of their names? Any significant numbers? Although people are encouraged to generate strong passwords, most don’t. There usually is some weakness and familiarity in what they use. Once you find that you can compile a list of frequently used passwords and a list of possible passwords.

For example, assume we are targeting John Doe. Our profile sheet for him might look like this:

Name: John Doe

Wife: Jane Doe

Child: Billy Doe

Dog: Spot Doe

B-Day: 10-10-1959

Anniversary: 6-12-1981

Hobbies: Hunting, cooking, car repair

PC password: johnd59

AIM id: johnd59

AIM password: meandjane81

Yahoo id: johndoe

Yahoo password: meandjane81

MSN id: hunter1959

MSN password: johndkillsit

From our example, we see that his “typical” password is meandjane81, basically the story of his wedding. Since it’s used multiple times, we have a high likelihood of seeing it again for other accounts. We also notice that his password for his PC is his login ID for another account. Finally, we see that he uses words relating to his hobbies and numbers from significant numbers in his life to build his passwords. Most real profiling will not be as easy, but it’s a worthwhile exercise.

Evaluate Risk

Like the previous mission, your risk should be minimal and easily explainable, but it is still present. This time, because you will actually be at a computer, it is important to make sure that you have sufficient time to sit at and work at the computer without being discovered. Make sure that you plan for some “oops” time, as things can go wrong. Have a mission clock and set a make-or-break time. Once you’ve reached this point, you either continue your operation or give up. It’s also good to set a conservative finish point, a time by which you will leave the computer regardless of mission status. Determining these values beforehand will help reduce on-the-fly decision-making and mitigate the risk posed by the “I-just-need-5-more-minutes” problem.

Using Best Judgment to Execute Your Plan

Once again, it is time to actually execute your plan. Hopefully, your prior planning and preparation will pay off, allowing you to accomplish all of your goals quickly and without being detected. Remember that you are working in the real world and not a spy book, so expect something to go wrong. Someone may discover or confront you, or the technical steps you so carefully planned may not work out as expected. Be prepared. Have a good story for those you may encounter, and if the computer is not cooperating, don’t panic. Write down what you observe, step backwards, try to undo anything you did, and go back to the planning phase.

Take in Observations

For this mission, you want to have two types of observations. First, collect your targeted information, the stuff you want to learn about each computer. For each machine you target you should note the following:

• Operating System. This is important. When selecting software in future missions, you will have to make sure that it runs on that operating system. Most software discussed here will have documentation showing what it will run on. Know this before you try to install it.

• Security Software. Knowing what security software is there helps with planning for your software implants. If you can, get copies of the security software and test your future implants with them. This will help you set things up so that your remote access tool doesn’t trip firewall alarms, or your keystroke logger isn’t caught by a simple anti-virus program.

All of this will be useful in the future. However, you should also collect some operational intelligence. As you do so, record things that you may or will change so that they can be reset to their original values when you are complete. For example, if you change the View options on Explorer, make sure to change them back. If a certain user was not logged in, make sure you log out completely. Try to leave things exactly as you found them.

Handle the Situation

By now you should have a complete view of your target’s computing environment. You have all of the information you need to begin planning a more in-depth attack against their system. By learning the operating system, the users involved, and connectivity information, you can plan what will or will not work on a computer. Installing persistent access, either via a means of remote access such as VNC or via collected passwords, will allow you to re-enter your target at a future date to conduct further operations.


This chapter covered a wide variety of topics. It introduced some basic skills and tricks for working with a computer, described the many pieces of software you will be using in depth, and performed two operations. You should have learned the following important lessons from this chapter:

• Covering your tracks is critical to being a successful cyber-spy.

• Explorer and the command prompt give you the ability to closely examine and run little-known commands on your target computer.

• Different utilities such as IZArc and SuperScan are not necessarily spy software, but they will help with your spying efforts.

• Microsoft’s built-in search tool and Google’s desktop search tool offer you the ability to look for files of interest on a target computer.

• Sniffers offer an extremely powerful capability to collect information from the network, in some cases even from computers you are not literally sitting at. Ethereal and Packetyzer are great tools for watching traffic on the network. Snort is a great tool for covertly installing on a target’s machine. OWNS is a great tool for automatically analyzing and decoding interesting network traffic.

• The first mission had you profile and narrow down your targets.

• The second mission helped you obtain specific information about your targets that will be used to conduct a more sustained spying effort against them.

By now you should have a good idea of proper tradecraft and how to apply the SLEUTH methodology to your spying endeavors. Hopefully, you have a good deal of information about your target’s computing habits and their computer systems. Everything you’ve learned so far, in both collected intelligence and tradecraft, will be necessary and useful in the following chapters.