The bank had discovered a small hardware device, around in inch in size that had been placed at the connection point between the computer and the keyboard. The device was in fact a ‘Keycatcher’, a piece of keylogging software used to store any keystroke entered by all users of any machine that it was connected to.
Keylogging software such as this can record, store and often broadcast large amounts of important information, for example credit card details and personal information. CY4OR were asked to examine 10 computers in total, and directed to look for any signs of keylogging software installed on the machines, or any log files that may have been created by the device.
The first stage involved seizing the computers in a forensically sound way, adhering to ACPO (Association of Chief Police Officer’s) guidelines so that any evidence obtained would be admissible in court. CY4OR’s advice to the bank security team was to pull the plug on the computers – literally, further to which they were stored in a secure area on CY4OR’s premises, and an image was made of the hard drives.
Forensic analysis was then carried out to reveal that 5 out of the 10 machines had keylogging software on them. The suspect’s computer was shown to contain internet records that he had accessed various keylogging vendor sites and purchased the software. Snapshots of the ‘checkout’ purchasing page were also recovered, which clearly showed the suspects name, credit card details, product details and delivery address. All of which combined to be damning evidence against the unscrupulous employee.