

January 16, 2007

Hivemind, follow-up: What is ComputerCop Pro?

Has anyone ever heard of an application called "Computer Cop Pro"?

Googling yields virtually no information on the program.

I need to know what this application is and how it works. ComputerCOP Pro was described to me as a search tool that law enforcement officers sometimes use to find porn on hard drives.

Clarification: As far as I know, CCP is used on computers that have already been seized. It's not something the police use to monitor people's computers remotely.

I'm told that CCP lets you search by obscene keyword, or look for various kinds of graphics files. You run the program and it generates a report about when each of these files was created, when it was last accessed, and so on.

According to one of my sources, CCP can determine when a machine got infected with a particular popup and what site the computer got infected from.

What I need to know is whether CCP is designed to differentiate between a user clicking through to a site vs. a piece of adware or malware executing a fake click-through.

Update: Here's ComputerCOP's website. Here's the company's description of the ComputerCOP Pro.

I wasn't getting any Google hits earlier because I was spelling "Computer Cop" as two words.

I'm still not sure whether this application is capable of differentiating between click-throughs as a result of adware vs. real click-throughs. Thoughts?

Comments

I am looking into this. I have heard of spy cop, net cop, and computer start up cop but never Computer Cop.

Seems Computer Cop is a little too invasive to be true and never have been heard of.

Just to clarify, AFAIK, the program doesn't scan computers remotely or secretly. It's an application they run on computers that they've already seized with search warrants.

I've never heard of this particular piece of software, but I've been a system administrator and programmer since before there was a web, and to the best of my knowledge there is no way to reliably differentiate forensically between a file or file fragment that was downloaded via user interaction and one that wasn't. In the case of a 3rd party application downloading data, you can sometimes tell by the location where it was stored. In the case of a popup loading a bunch of material and leaving it in the browser's cache, there is no way to tell from an inspection of the cache alone whether those pages/images were viewed deliberately. The information simply isn't there. Worse, since the starter popup/popunder page may have been triggered from an e-mail rather than from a web page browsed earlier, you cannot even hunt back through the cache for likely starter candidates to make that determination. Plus, the webserver may not let the browser cache the main pages, but only the images, to make dynamic changes more robust while preserving most of the bandwidth savings. If that happens, there's no useful information left on the system whatsoever about what those embedded bits came from.

From your basic description of CCP, though, it doesn't sound particularly sophisticated. Searching a live filesystem for filenames with keywords or particular extensions (or even autodetected file types based on magic bytes in the headers) is trivial tech. On a Unix system, I could script a simple interface to do that in a few minutes.

Searching a filesystem for deleted files that match those criteria is a little more difficult, but on FAT32 it's trivial, on NTFS it's still not that complicated, and you can get the first few kilobytes out of each file on most Unix filesystems without too much trouble, though actually trying to recover an entire large deleted file is a lot of work.

Determining when a machine was infected with a given piece of malware simply requires that you have a database of which malware packages stick which files where, and then looking at the timestamps on those files if they exist.

My guess from its lack of visible presence and apparently trivial feature set is that CCP is somebody's homebrewed, quickly written simple search system that through the miracle of nepotism got spread pretty widely through a number of police departments. I would be exceedingly surprised if it were sophisticated enough to even try to determine what was user generated and what was machine generated.
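As an added illustration of the "trivial tech" the comment above describes (example code written for this page, not ComputerCOP's software): a Python scanner that walks a tree, flags files by keyword in the name and by magic-byte type detection so that an image renamed to .txt is still caught, reports modified/accessed/created timestamps, and estimates an infection date from a list of files a malware family is known to drop. The signature table, the keyword list, the "ExampleAdware" indicator paths and the sample tree it builds are all constructed for the demo.

```python
"""Added example (not ComputerCOP's code): keyword and magic-byte file scan with
timestamps, plus an infection-date estimate from known dropped files."""
import os
import tempfile
from datetime import datetime, timezone

MAGIC = {  # a handful of signatures, illustrative only
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif", b"GIF89a": "gif",
    b"PK\x03\x04": "zip",
}
EXT_FOR = {"jpeg": {".jpg", ".jpeg"}, "png": {".png"}, "gif": {".gif"}, "zip": {".zip"}}
KEYWORDS = ("xxx", "porn")  # illustrative search terms
# Hypothetical indicator set: relative paths a made-up adware family drops.
INDICATORS = {"ExampleAdware": ["Windows/System32/exampleadw.dll",
                                "Program Files/ExampleAdw/exampleadw.exe"]}


def _iso(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat(timespec="seconds")


def sniff(path):
    """Return a type name from the leading bytes, or None if unrecognised."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for sig, kind in MAGIC.items():
        if head.startswith(sig):
            return kind
    return None


def scan(root, keywords=KEYWORDS):
    """Regular files whose name contains a keyword or whose content matches a
    signature, with timestamps. Live files only: no deleted-file carving."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            kind = sniff(path)
            kws = [k for k in keywords if k in name.lower()]
            if kind is None and not kws:
                continue
            st = os.stat(path)
            ext = os.path.splitext(name)[1].lower()
            hits.append({
                "path": path,
                "type": kind,
                "keywords": kws,
                # an extension disagreeing with the content is itself notable
                "ext_mismatch": kind is not None and ext not in EXT_FOR[kind],
                "modified": _iso(st.st_mtime),
                "accessed": _iso(st.st_atime),
                # st_ctime: creation time on Windows, inode-change time on POSIX
                "changed_or_created": _iso(st.st_ctime),
            })
    return sorted(hits, key=lambda h: h["path"])


def infection_estimate(root, indicators=INDICATORS):
    """Earliest timestamp among a family's known dropped files. Rough only:
    timestamps are alterable, and mtime may be copied from the installer."""
    found = {}
    for family, rel_paths in indicators.items():
        times = []
        for rel in rel_paths:
            path = os.path.join(root, *rel.split("/"))
            if os.path.isfile(path):
                st = os.stat(path)
                times.append(min(st.st_mtime, st.st_ctime))
        if times:
            found[family] = _iso(min(times))
    return found


def build_fixture():
    """Constructed sample tree so the scanner runs offline; returns its root."""
    root = tempfile.mkdtemp(prefix="ccp_demo_")
    files = {
        "Pictures/vacation.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,  # JPEG header
        "Documents/notes.txt": b"\xff\xd8\xff\xe1" + b"\x00" * 32,    # JPEG as .txt
        "Documents/xxx_list.doc": b"plain text, no image header",     # keyword hit
        "Documents/readme.txt": b"nothing of interest",
        "Windows/System32/exampleadw.dll": b"MZ placeholder",          # indicator
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    demo = build_fixture()
    print(*scan(demo), infection_estimate(demo), sep="\n")
```

The ext_mismatch flag is the reason to sniff content rather than trust extensions. Everything here reads the live filesystem through the OS, which is fine for a demo and wrong for evidence: opening each file to sniff it can itself update the access time on a mounted volume, so a forensic tool works from a write-blocked image, and the timestamps it reports are only as trustworthy as the clock and the software that wrote them.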

The above comment was written before the site was found.

After having scanned the site briefly, I remain relatively unimpressed with the general tech, except that someone has obviously spent a fair amount of time getting the user interface pretty well polished, which is good from a training and best practices standpoint.

The details on the website, however, show that it's just a filescanner capable of handling deleted and compressed files (and I'd be quite curious to see how many compression formats and filesystems it really understands, something not listed on the website). After that, it just allows those files to be brought up for display. It also appears to include its own spyware system, complete with keylogger, for investigative use. The positive testimonials are obviously by people with little technical experience.

The keylogger, incidentally, would allow you to determine whether a file was requested or whether malware pulled it up, if it's written well enough to capture mouse movement and clicks and match that against timestamps. This only works, however, if you've installed the keylogger prior to the downloading.

This isn't to heap abuse on the product, incidentally -- making this sort of basic search user friendly is something of immense value in terms of investigative consistency, but there's nothing miraculous about it.

I've just looked at the one page, http://www.computercop.com/prof.html

I'm not impressed.

The very first sentence has a couple of grammatical errors ("has" instead of "have"; missing "and" near the end of the sentence), with more to follow.

Poor proofreading, e.g. "To order Professional Professional, use our Toll Free# ..." instead of "To order ComputerCOP Professional...".

The HTML in the page head declares a style sheet (<link href="text.css" rel="stylesheet" type="text/css">) but there's no such file on the server, perhaps because they typed href="text.css" instead of href="actualname.css".

Rather than fix the style sheet reference, they have littered the HTML for the page body with all sorts of font tags, strings of non-breaking-space entities, and more.

One can hope that the authors of the application were more knowledgeable, and more diligent, than the webmaster, but the web site is the face they present to the world.


As for distinguishing a page fetch triggered by a mouse click from one triggered by malware, maybe. But it seems to me that if the malware author were sufficiently devious he (I gather it's usually "he") could inject suitable low-level data into the MS-Windows event queue so that any higher level software would think that the user had moved the mouse to a particular spot in the browser window and clicked the left button. A mouse motion logger might register an extremely abrupt mouse movement, but not if the malicious code only acted when the mouse was already close to the link.

I don't know if any malware writer would ever go to such lengths, but I'm sure there are lots of people out there with enough technical ability to make this a plausible alternative hypothesis to the guilt of the defendant.

Glad you found the website for that app. I concur, having used other forensic apps, it looks weak.

After thinking about this some more after I wrote to you, I think your best bet for the question as to differentiating between a software generated event and the mouse button being depressed (e.g., intent) would be to find a coder who is familiar with the IE API. I don't do windows, so I can't help there.

Good luck.


--Jamie

Ted,

I'd find such a defense highly dubious, unless malware was found in the wild with such a property. So far, none have been.

But frankly, I'd be quite surprised to find a mouse logger show up in court for that kind of defense, period.

Zed: such (or at least, very similar) malware has been found.

I'm not a security expert, but I've been computin' for a long time, and my computers have been subjected to forensic investigations. I'm with Zed on this.

If you're talking about seized computers, that probably means the keylogger wasn't installed. Without a keylogger (a mouselogger, really) to record the actual input from the user, all you've got is files in the browser cache, and those look the same regardless of how they got there. You couldn't tell whether the user clicked to get the file or not.

On the other hand, if the file is found someplace other than the browser cache, that could imply a manual download. I've heard that in child porn cases, investigators have a much easier time proving their case if the files are organized on the hard-drive in some sort of directory structure that had to have been created by the user.

Note that even without a keylogger, you could do some guesswork based on cache timestamps and history data and stuff like that. It probably wouldn't hold up in a criminal prosecution, but might be good enough to figure out which member of your family has been downloading all that porn.

ComputerCop Pro doesn't look particularly sophisticated, but disk search software intended for forensic use has different requirements than software intended for IT management or document control. Among other things, it needs to preserve the chain of evidence in a way that will hold up in court. If opposing counsel accuses the investigator of intermingling files from another case, or otherwise corrupting the search, it's awful nice if the forensic software has features that prevent that from happening.

It looks like the CCP folks also offer computer forensic services. If CCP is an in-house product that's been used successfully in court cases so there's a history of judges and juries accepting its results, that can make up for a lot of technical shortcomings.
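As an added example of the "guesswork based on cache timestamps and history data" mentioned above (written for this page; not ComputerCOP's method): a Python triage that groups history records into time clusters and marks a cluster as likely automated when it fans out to several hosts within seconds with no typed-URL or clicked-link entry, which is what a popup cascade looks like in a history list. The Visit record, its transition field (typed / link / auto, mirroring the typed-versus-clicked distinction raised later in the thread), the affiliate parameter names and the sample history are all assumptions constructed for the demo.

```python
"""Added example (not ComputerCOP's method): heuristic triage of browser
history records into time clusters, marking fan-out bursts with no typed or
clicked entry as likely automated. Guesswork, not proof of intent."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse


@dataclass
class Visit:
    ts: datetime
    url: str
    # "typed" / "link" mirror the typed-vs-clicked history distinction the
    # thread mentions; "auto" covers script, redirect and popup loads.
    # Field and value names are assumed; real history stores differ, and a
    # process running as the user could forge any of them.
    transition: str
    referrer: str = ""


AFFILIATE_KEYS = ("aff", "affid", "ref")  # assumed parameter names


def affiliate_id(url):
    """Pull an affiliate tag out of the query string, if one is present."""
    query = parse_qs(urlparse(url).query)
    for key in AFFILIATE_KEYS:
        if key in query:
            return query[key][0]
    return None


def clusters(visits, window=timedelta(seconds=2)):
    """Split time-ordered visits wherever the gap to the previous one exceeds window."""
    groups, current = [], []
    for v in sorted(visits, key=lambda v: v.ts):
        if current and v.ts - current[-1].ts > window:
            groups.append(current)
            current = []
        current.append(v)
    if current:
        groups.append(current)
    return groups


def triage(visits, window=timedelta(seconds=2), min_hosts=3):
    """One verdict per cluster. A typed or clicked entry anywhere in the cluster
    makes it user-initiated; otherwise fan-out to min_hosts distinct hosts
    within seconds is the signature of a popup cascade."""
    report = []
    for group in clusters(visits, window):
        hosts = sorted({urlparse(v.url).hostname for v in group})
        if any(v.transition in ("typed", "link") for v in group):
            verdict = "user-initiated"
        elif len(hosts) >= min_hosts:
            verdict = "likely automated"
        else:
            verdict = "indeterminate"
        report.append({
            "start": group[0].ts, "end": group[-1].ts, "hosts": hosts,
            "verdict": verdict,
            "affiliates": sorted({a for a in map(affiliate_id, (v.url for v in group)) if a}),
        })
    return report


# Constructed sample history: a salon page, a popup cascade, then a later lookup.
T0 = datetime(2004, 10, 19, 9, 14, 0)
SAMPLE = [
    Visit(T0, "http://www.example-salon.test/", "typed"),
    Visit(T0 + timedelta(seconds=12), "http://www.example-salon.test/styles.html",
          "link", "http://www.example-salon.test/"),
] + [
    Visit(T0 + timedelta(seconds=20 + 0.3 * i), f"http://ads{i}.test/pop?aff=1234&p={i}",
          "auto", "http://www.example-salon.test/styles.html")
    for i in range(5)
] + [
    Visit(T0 + timedelta(minutes=6), "http://weather.test/", "typed"),
    Visit(T0 + timedelta(minutes=6, seconds=1), "http://www.weather.test/today", "auto"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row["start"].time(), row["verdict"], row["hosts"], row["affiliates"])
```

The verdict only says whether the recorded pattern looks like a cascade. As the thread already notes, the cache and history do not record who initiated a fetch, and any flag a history store writes can be faked by code running as the user, so this sorts a family's browsing, not a criminal case. The affiliate tags are collected because, as a later comment points out, they are the one thing in a popup chain that points back at a paying source.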

Oh, I see the disconnect now. Ted had mentioned keyloggers or similar surveillance devices, and I missed that.

I seriously doubt that's what happened here.

I'm merely asserting that given (a) unintentionally installed software (adware, malware, pick a word) that can access system facilities as the logged in user, (b) it could generate, for instance, "clicks" that most likely look like the user, for values of "click" meaning generating application events such as making an HTTP request via an open browser, and (c) the resultant popups created by such a request to a porn advertiser would be difficult to distinguish from popups created as the result of intentionally seeking to create them.

I qualify that in a couple of ways:

- IE, to my knowledge, records historic events differently for "things clicked on" and "things typed in the address bar". This may vary by version (I can't say), but the intent of doing so is facilitating the type-ahead feature. So, it could be that the defendant actually typed something in, and this was distinguishable. That would at least go a long way towards proving intent. (Although a paranoid could claim that that was fakable, too, and they'd be technically correct.)
- There may be other records kept by IE and related subsystems to record triggering events. I doubt this, but it is possible.
- This software looks like pretty low-end stuff, targeting very specific functions the primary audience for the software is interested in. I'm not suggesting bias, only that it wouldn't surprise me if the latest in methods of finding exculpatory evidence were not due until the next version.

Ok, I do know the API for IE, and a good bit for Windows as well. More or less the long and the short of it is that it would be nearly impossible to determine given a total compromise (and most compromises tend to be total, as "power user" is no defense). At that level the system itself becomes untrustworthy in reporting about itself. However, this sort of compromise is generally reserved more for the reinfection routine rather than the malware itself.

However, malware that displays popups is generally fairly crude. It does not search Google for "boobies" and then click on a designated site. Rather, it just loads the designated site. Also, since malware authors rarely operate porn sites on their own, the earnings of a malware operator are tracked by the site operator by affiliate codes. With enough sleuthing, those codes, and the fact that porn sites' affiliate programs don't like malware vendors (at least publicly), it might be possible to tie the links to a single source or two.

Looking over that whole substitute teacher article (assuming that this is the source), it wouldn't even really be necessary to have malware. There are a number of tricky javascript hacks that can work on older browsers (aka 2004 era) that will get things stuck in either an ever escalating, or at the very least constant stream of popups. A mistyped URL or a poorly clicked link could well cause much chaos.

Really I would have to see much more of the evidence. Neither expert (in soundbite form) seemed completely accurate.

There are a number of tricky javascript hacks that can work on older browsers (aka 2004 era) that will get things stuck in either an ever escalating, or at the very least constant stream of popups.

All the JavaScript author has to do is register an "onunload" event handler for each page in a series. The intended purpose of such a handler is:

The onunload event enables you to undo the effects of your onload handler or other scripts in your web page. For example, if your application opens up a secondary browser window, the onunload handler provides an opportunity to close that window when the user leaves your main page.
JavaScript: The Definitive Guide by David Flanagan

It also provides an opportunity to load a page from the next porn site in the series. When the user tries to navigate away from that one, yet another one gets loaded. And of course the last page in the series will be programmed to load the first one again.

There are a lot of good comments here. Let me try to add some, as someone who works on the "defensive" side of the adware/spyware problem, on the ground, among real users (thousands of them).

1) In terms of real evidentiary value, most of what could be picked up from a windows based platform (more than likely the target here) is questionable, either from alterability, to whether it is conclusive. In reality, enter the legal system, and the enforcers can make a tool like the one you describe seem like a highly authoritative source. The guns and badges folks hate having to share the party with technical system types, so this type of tool is wildly popular.

2) In order to really have a good idea about what the software purports to prove, it would have had to be already installed on the system at the time of the incident. Furthermore, the application would likely have to be running in ring zero (privileged state) to do it. If these folks have a staff trained by certain Israeli Intelligence units, I'd tend to believe in the product more. Believe it or not, Microsoft has purchased a heck of a lot of the available expertise (Mark R from Sysinternals, the Pelican intellectual property and many others).

3) Windows users, for convenience, often run as administrative users. This means that any process they start has full system privilege. That's how an awful lot of the adware/spyware spreads.

4) If scripts (java, vbs etc) are part of what is downloaded, unless the scripting engines for each is proxied to a scanner, the code runs before it is ever scanned.

5) The nature of adware/spyware often depends on what it tries to do. Tons of popups are usually due to writers trying to drive "eyeballs" to specific sites. Sometimes they are paid for driving the traffic. Gambling, porn, travel are high frequency destinations. Others are looking to steal credentials and hopefully money, others attempt blackmail. There are lots of kits and code encrypters available to stay one step ahead of the scanning signatures.

6) Claiming to be an expert in this area is likely to be short lived. I know about specific attacks that I have cleaned. I also know, that by and large, on an infested machine, it is usually far more cost effective to rebuild.

Questionable Conviction of Connecticut Teacher in Pop-up Porn Case

By Lindsay Beyerstein, AlterNet. Posted January 19, 2007.
