-
Key Logger
Hello,
I need some help, I'm an admin at a school and I have network reports of a key logger on the network. Now, I've narrowed it down to 12 nodes.
Another aspect to take into consideration is that there is a specific user on the network who has the Key Logger installation program in his personal folder and says that he was hacked a while back and this file was planted there. This user has been used in the past to find security holes and is extremely knowledgeable on networks and security. Though, he claims he didn't plant the logger.
My final question is---> How do we locate the user who DID plant this logger? Keep in mind that there are 12 nodes with keylogger data on them, NOT including the node that the user previously mentioned works on.
PLEASE HELP
SANDMAN
-
The keylogger probably sends its info somewhere, so check your logs for where this "somewhere" is and trace who can view it or who has previously accessed it. It's more than likely the same person who planted it.
If this "somewhere" is outside your network, it could become more difficult to trace the user, but it's still possible.
-
Yaya, KissCool is right. I would probably download a free port scanner, and watch the traffic moving across. If you find a particularly active node, you've probably found your culprit (or at least someone who's probably doing something they shouldn't :D ). That's how I'd do it.
-
I've had experiences with keyloggers that log in a text file in the root directory of your startup drive. Check there for incriminating words such as keylog.txt, keys.txt, klog.txt, klogger.txt and the like.
-
If individual users have their own directories, search all of their directories for any files that sound incriminating, i.e. prophet's .txt file recommendations, or any variant...
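The filename sweep suggested in the last two posts, as an added example that is not part of the thread: it walks the drive root or user directories, matches the names mentioned above, and records owner, modification time and SHA-256 so hits from the 12 nodes can be lined up on one timeline. The wildcard variants in `PATTERNS` and the function names are assumptions made for this example.

```python
import fnmatch
import hashlib
import os
from datetime import datetime, timezone

# Names taken from the thread; the wildcard variants are assumptions.
PATTERNS = ["keylog*.txt", "keys.txt", "klog*.txt", "*keylogger*"]

def sha256_of(path, chunk=65536):
    """Hash the file so identical copies on different nodes can be matched."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def find_suspect_files(roots, patterns=PATTERNS):
    """Walk each root and return one record per file whose name matches."""
    hits = []
    for root in roots:
        # onerror swallows unreadable or missing directories so the sweep continues
        for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
            for name in files:
                if not any(fnmatch.fnmatch(name.lower(), p) for p in patterns):
                    continue
                path = os.path.join(dirpath, name)
                try:
                    st = os.stat(path)
                    digest = sha256_of(path)
                except OSError:
                    continue  # unreadable file: skip rather than abort
                hits.append({
                    "path": path,
                    "owner_uid": st.st_uid,  # always 0 on Windows
                    "size": st.st_size,
                    "modified_utc": datetime.fromtimestamp(
                        st.st_mtime, timezone.utc).isoformat(),
                    "sha256": digest,
                })
    # Oldest first: the earliest write is the start of the timeline
    return sorted(hits, key=lambda r: r["modified_utc"])

if __name__ == "__main__":
    import sys
    for rec in find_suspect_files(sys.argv[1:] or ["."]):
        print(rec["modified_utc"], rec["owner_uid"],
              rec["sha256"][:16], rec["path"])
```

Hashing opens each file and can update its access time, so run the sweep against a copy or a read-only mount when the timestamps themselves are needed as evidence.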