Hello all,

I have an unique oportunity to actually learn and watch a cracker at work (without him/her suspecting a thing).

Here is the situation. My mom has an XP pro box that has Norton Personal Firewall and Norton AV on it. What happened is that she had someone work on her system (not me -- which was her first mistake... lol) ,and we think that he/she installed a spy program that allows remote access and works in stealth mode. The only reason I know this prog is on the system is I happened to stumble accross the log files (it takes a screenshot every 10 - 15 sec). I do not recall the exact program at the moment. If you need to know, pm me and i will get it for you tonight. Anyways, we do not have proof that he/she did it, but we want to get proof. I have created a ghost image of her system as i am going to redo her machine with a clean install of everything and a copy of all the other stuff that she needs. However, I want to gather forensic evidence of this person in action. I also want to prove that the perp is who i think it is. Any help with the following questions would be greatly appreciated.

1) Is it legal to set up a box on my network with this ghosted image for the sole purpose of catching this person in action?

2) Will this cause legal issues if my mom decides to press charges? (I know for a fact that the person in question has done this before... I caught him/her red handed)

3) If i set up this box on my router, is it best to put it in the DMZ?

4) What network sniffing prog (preferably free as im not rich by any means) would be best to use so that i can capture all traffic going to this box?

5) How do I record this log info in such a way that it is admissible in court if i need it?

6) I am pretty sure i know who the perp is and this one fact. (the suspected perp is using a static ip) So, once i find the ip of the person remote connecting to the box, how do i find out (legally) if that ip matches up with the suspect?

Just to reitterate, I am trying to gather electronic evidence against the perp that is admissible in court, however, due to my mom needing this box back for her work at home, I need to do a reinstall ASAP and there isnt time to let the box sit on my network for a couple weeks.

Thanks for all your help! -- Th3>kLuTz

EDIT.......... It looks like the perp uninstalled the proggie, however, there are a meriad of open listening ports on port numbers 1000 and up....