As a security administrator, auditor or “ethical hacker,” there are times when you will be tasked to monitor a person’s computer usage, including Internet sites visited, files created and/or modified and computer accounts created and/or modified. As a head-of-household, you face many of the same challenges, especially as a parent. Built-in, free and commercial computer usage analysis products are readily available to provide you with the means to accomplish computer usage monitoring and auditing.
Instructions
-
1
KeyghostInstall a hardware keylogger, such as Keyghost, on the target computer between the keyboard cord’s connector and the keyboard port on the back of the target computer. Later, play back the target’s keystrokes on the source computer to determine computer usage, passwords and other vital information regarding the target computer.
-
2
Install a software keylogger on the target computer. Configure it so that the target’s keystrokes are sent to a destination of your choosing (to your remote source/monitoring computer, for example).
-
3
Install NetNanny on the target home system. Use NetNanny’s reporting feature to monitor Internet usage.
-
4
Firewall outgoing logLogin to your firewall/router as the administrator and enable outbound logging. View and collect the IP addresses of the sites visited by each computer on your internal network.
-
5
Install an instant messaging log viewer, such as the free SkypeLogView, on the target computer. Run the IM log-viewing program on the target computer to read transcripts of any chat logs that have not been deleted from the computer.
-
6
Acronis True ImagePurchase an external hard drive with at least as much space as the target system. Next, purchase and run a hard drive duplication program, such as Acronis True Image or Norton Ghost, on the target system. Use the software to make an exact copy of the entire hard drive contents. Uninstall the duplication software from the target computer. Review and analyze your exact copy using your source computer.
-
7
IE historyLogin to the target computer as an administrator. Double-click “My Computer.” Double-click the “C:” drive. Double-click “Documents and Settings.” Double-click the folder belonging to the target user. Double-click “Local Settings.” Double-click “History.” Within this history area, double-click each folder in turn, and review the browsing history within each folder (such as Today’s history).
-
8
Browser cookiesLogin to the target computer as an administrator. Double-click “My Computer.” Double-click the “C:” drive. Double-click “Documents and Settings.” Double-click the folder belonging to the target user. Double-click “Local Settings.” Double-click “Temporary Internet Files.” Within this area, review the user’s cookies, because often history is erased yet cookies remain.
-
9
Radmin remote controlInstall the commercial software radmin (remote administrator) client on your monitoring computer; next install radmin server on the target system. Set the target radmin server to silent mode so that you may connect to the target system without permission and without being seen. Run the radmin client on your monitoring computer. Connect to the target computer, and you will see everything the user types and everything the user sees.
Proxy Redirect
-
1
Microsoft ISAInstall and configure commercial proxy/firewall software (such as Microsoft ISA [Internet Security and Acceleration Server]) on your monitoring system. Alternatively, install free proxy/firewall software).
-
2
WebMarshalInstall and configure commercial Web traffic monitoring software, such as WebMarshal, on your monitoring system. Alternatively, install free Web traffic monitoring software.
-
3
IE proxy settingsLogin to the target system as an administrator and set the Internet Explorer browser settings (Tools, Internet Options, Connection Settings, LAN settings) to point to your monitoring proxy server. Be sure to choose “Use a proxy server” and enter the IP address of your monitoring proxy server. Continue to click “OK” until you have exited the various settings modules.
-
4
Proxy default gatewayAdditionally, modify the target system so that all Internet and Web traffic passes through your monitoring proxy/firewall server: Click “Start,” “Settings,” “Control Panel”; right-click on “Network”; choose “Properties”; select the target’s primary network card; right-click; select “Properties”; select “TCP/IP V4”; select “Properties”; then set the “default gateway” of the target’s network card to point to your source computer’s proxy/firewall server. Click “OK” and continue clicking “OK” in the various panels until you exit the network card settings. Reboot if prompted to do so.
-
5
Run the proxy/firewall product’s monitoring and analysis tools on your monitoring system to track and review the target’s Internet and Web traffic and habits.
Tools and Methods
Tips & Warnings
-
Passive after-hours monitoring is best, since the target user may not be using the system at that time. If you are sure the user will be away for a certain period, monitor the system, and, when done, return settings to normal, wipe out any traces of monitoring where possible and then reboot. A reboot often clears many of the messages the user otherwise would have seen. When looking at an outbound firewall log, most often the site is displayed as a numbered IP address. To determine more about that address, visit arin.net and enter the address.
-
If you are not authorized to monitor the target computer, your actions may be illegal, depending upon where each computer and user resides. If you are disabling a firewall, the target user may notice, since most modern computer systems notify the user when the firewall is off and/or when computer changes have been made. Nonwireless hardware keyloggers require you to visit the target computer to retrieve them. Nonembedded hardware keyloggers often can be spotted via casual physical inspection.
