Keylogger Screen Capture: How It Works and How to Detect It

Forensic Guide: Extracting Evidence from Keylogger Screen Captures

Scope

This guide covers Windows-focused steps and artifacts to locate, preserve, and analyze screen-capture evidence produced by keyloggers (including combined keylogger+screen-capture malware). It assumes the investigator has legal authority and either a forensic image or live access.

1) Prioritize evidence preservation

  • Isolate the host (air-gap if possible) to stop further transmission.
  • Capture volatile data first: RAM image, running processes, network connections, open handles. Use tools such as WinPMEM/Belkasoft RAM Capturer, FTK Imager (live), or an OS-native memory dumper.
  • Create disk image: Forensically image HDD/SSD (E01, raw) using dd, Guymager, or FTK Imager. Record hashes (SHA-256, MD5).
  • Collect artifacts: Browser caches, thumbnails, swap/hiberfile, user profiles, registry, scheduled tasks, prefetch files, USB history, event logs.

2) Where screen captures commonly appear (artifacts & locations)

  • Temporary or app-specific directories:
    • %LOCALAPPDATA%\Temp, %TEMP%
    • %APPDATA%\<malware_name> (Roaming) or custom subfolders
    • %PROGRAMDATA%\<malware_name>
  • User profile folders: Desktop, Pictures, Documents, Downloads.
  • System caches:
    • Windows Thumbnails cache: %LOCALAPPDATA%\Microsoft\Windows\Explorer\thumbcache*.db
    • Pagefile.sys, hiberfil.sys, unallocated space (deleted images may persist)
  • Memory: image buffers, clipboard contents, injected process memory (explorer.exe, svchost.exe, userland processes)
  • Malware artifacts:
    • Persistence: Run keys (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run), Scheduled Tasks, Services
    • Network indicators: Hosts, firewall rules, DNS cache, open sockets
    • Logs created by malware (plain text, SQLite, custom formats)

3) Memory analysis (highest priority for captures)

  • Use Volatility/Volatility3 or Rekall:
    • pslist/psscan to find suspicious processes.
    • dlllist and handles to find processes with file handles to image files.
    • netscan to identify connections sending image payloads.
    • yarascan/strings to search for image file headers (PNG: \x89PNG, JPG: \xFF\xD8\xFF).
    • carve images from process memory (procdump output fed to bulk_extractor or foremost).
  • Dump suspicious process memory and scan for embedded images, base64 blobs, or known capture-format headers.
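As an added example (not code from this guide), the header search and carve described above in Python: it scans a byte buffer for PNG and JPEG signatures, validates structure (PNG chunk chain to IEND, JPEG to the first EOI), skips truncated candidates, and hashes each hit for later cross-source matching. The sample buffer is constructed; in practice the input is a process dump or raw image read in chunks.

```python
import hashlib
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"      # full 8-byte PNG signature
JPEG_SOI = b"\xff\xd8\xff"          # JPEG start-of-image plus first marker byte

def _png_length(buf, start):
    """Walk PNG chunks from start; return the image length if an IEND chunk is reached."""
    pos = start + len(PNG_SIG)
    while pos + 8 <= len(buf):
        length, ctype = struct.unpack(">I4s", buf[pos:pos + 8])
        if length > 0x7FFFFFFF:      # spec limit; larger means this is not a real chunk
            return None
        pos += 8 + length + 4        # header + data + CRC
        if ctype == b"IEND":
            return pos - start
    return None                      # truncated or corrupt: chain never reaches IEND

def _jpeg_length(buf, start):
    """Length up to the first EOI (FF D9). Entropy-coded data byte-stuffs FF, so FF D9 only
    occurs as an EOI; an EXIF thumbnail carries its own EOI and can end the carve early."""
    end = buf.find(b"\xff\xd9", start + len(JPEG_SOI))
    return None if end < 0 else end + 2 - start

def carve_images(buf):
    """Return (offset, kind, sha256, data) for every structurally complete PNG/JPEG in buf."""
    found = []
    for sig, kind, measure in ((PNG_SIG, "png", _png_length), (JPEG_SOI, "jpg", _jpeg_length)):
        pos = buf.find(sig)
        while pos >= 0:
            size = measure(buf, pos)
            if size and pos + size <= len(buf):
                data = buf[pos:pos + size]
                found.append((pos, kind, hashlib.sha256(data).hexdigest(), data))
                pos = buf.find(sig, pos + size)
            else:
                pos = buf.find(sig, pos + 1)   # skip truncated candidate, keep scanning
    return sorted(found)

def _png_chunk(ctype, data):
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

# Constructed sample "memory" buffer: a valid 1x1 PNG, a minimal JPEG, and a truncated PNG header.
SAMPLE_PNG = (PNG_SIG + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
              + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00")) + _png_chunk(b"IEND", b""))
SAMPLE_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"
SAMPLE_BUF = b"noise" * 3 + SAMPLE_PNG + b"\x00" * 16 + SAMPLE_JPG + b"pad" + PNG_SIG + b"\x00" * 5
```

Run `carve_images(SAMPLE_BUF)` to see the two complete images recovered and the truncated trailing header ignored; write each `data` out under its SHA-256 name to keep exhibits matchable across disk, memory and network sources.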

4) Disk and file-system analysis

  • Parse the file system with Autopsy/SleuthKit/EnCase/Magnet Axiom:
    • Recover deleted image files and candidates in unallocated space.
    • Search for filenames/strings commonly used by keyloggers (screenshot, screen, cap, snap_).
    • Extract and parse SQLite/JSON/CSV logs used by malware (search for timestamps and file paths).
  • Analyze thumbnail caches and Windows Search DB for evidence of viewed/created images and timestamps.
  • Inspect zip/rar archives and temp extraction paths — many exfiltration tools bundle captures.

5) Timeline reconstruction

  • Correlate timestamps from:
    • File MFT (Created/Modified/Accessed), USN Journal, and LastWrite times.
    • Windows Event Logs (Security, Application, System), Task Scheduler logs.
    • Network logs and proxy/firewall logs for upload events.
    • Browser history or cloud sync logs (if user uploaded captures).
  • Build ordered sequence: capture creation → local storage → staging → transmission.

6) Network & exfiltration analysis

  • Inspect PCAPs, router/firewall logs, and IDS alerts for POST/PUT to C2 or cloud storage.
  • Look for common exfiltration methods: HTTP(S) POST (multipart/form-data), FTP, SMTP, WebDAV, cloud API calls, or DNS tunneling.
  • If encrypted exfiltration is suspected, analyze timing, packet sizes, and destination endpoints; check TLS certificates and SNI.

7) Artifact correlation and validation

  • Match image file hashes (SHA-256) across sources: disk, memory, backup, cloud.
  • Verify provenance: embedded metadata (EXIF) may contain creation timestamp, device name, or software signatures (but malware may strip/alter EXIF).
  • Use image similarity tools (perceptual hash) when formats or resolutions differ to link captures.

8) Anti-forensic indicators

  • Look for timestomping (MFT vs. content timestamps mismatch), wiped logs, shredders, or rootkit hooks.
  • Examine signed drivers or tampered system files indicating kernel-level capture.
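As an added illustration of sections 5 and 8 (not code from this guide), a timeline merge that places each file at its $FILE_NAME creation time and flags the $STANDARD_INFORMATION mismatches typical of timestomping. The MftEntry fields, the event entries and the `<malware_name>` path are constructed assumptions; a real MFT parser supplies 100 ns ticks rather than microseconds.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class MftEntry:
    path: str
    si_created: datetime    # $STANDARD_INFORMATION: rewritable from user mode (SetFileTime)
    si_modified: datetime
    fn_created: datetime    # $FILE_NAME: set by the kernel on create/rename, rarely stomped

def timestomp_indicators(e):
    """Reasons an MFT entry looks timestomped; an empty list means no indicator fired."""
    reasons = []
    if e.si_created < e.fn_created:
        reasons.append("SI created predates FN created")
    if e.si_modified < e.si_created:
        reasons.append("SI modified predates SI created")
    if e.si_created.microsecond == 0 and e.si_modified.microsecond == 0:
        # NTFS keeps 100 ns ticks; whole-second SI stamps are typical of stomping tools
        reasons.append("SI timestamps have zeroed sub-second precision")
    return reasons

def build_timeline(entries, events):
    """Merge MFT entries (placed at their $FN time) with log events into one ordered list."""
    rows = [(e.fn_created, "MFT $FN", e.path, "; ".join(timestomp_indicators(e)) or "-")
            for e in entries]
    rows += [(ts, source, detail, "-") for ts, source, detail in events]
    return sorted(rows, key=lambda r: r[0])

def _t(*parts):
    return datetime(*parts, tzinfo=timezone.utc)

# Constructed sample records (hypothetical case data, not from a real system).
MFT = [
    MftEntry(r"C:\ProgramData\<malware_name>\cap_001.png",
             _t(2021, 3, 4, 9, 15, 0), _t(2021, 3, 4, 9, 15, 0), _t(2024, 5, 6, 10, 0, 7, 123456)),
    MftEntry(r"C:\Users\alice\AppData\Local\Temp\snap_2.jpg",
             _t(2024, 5, 6, 10, 2, 3, 500), _t(2024, 5, 6, 10, 2, 4, 900), _t(2024, 5, 6, 10, 2, 3, 500)),
]
EVENTS = [
    (_t(2024, 5, 6, 9, 58, 30), "Security 4698", "scheduled task registered (persistence)"),
    (_t(2024, 5, 6, 10, 5, 0), "proxy", "HTTP POST multipart/form-data to uploads.example.invalid"),
]

if __name__ == "__main__":
    for ts, source, item, notes in build_timeline(MFT, EVENTS):
        print(ts.isoformat(), source, item, notes, sep=" | ")
```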

9) Tools & commands (representative)

  • Memory capture: WinPMEM, FTK Imager (live)
  • Memory analysis: volatility3, Rekall, Strings, bulk_extractor
  • Disk imaging: Guymager, dd, FTK Imager
  • File carving: foremost, scalpel, bulk_extractor
  • File-system & timeline: SleuthKit, Autopsy, EnCase, X-Ways
  • Network: Wireshark, Zeek, tcpdump
  • Hashing & comparison: sha256sum, ssdeep (fuzzy), phash tools for images

10) Reporting & court-ready deliverables

  • Preserve chain-of-custody and write acquisition logs with hashes and tool versions.
  • Produce: forensic image hash summary, timeline (CSV/Excel), extracted image exhibits with metadata, memory/process dumps, network evidence (PCAP filtered), and a concise narrative describing how captures were created, stored, and exfiltrated.
  • Include reproducible analysis steps and commands to support findings.

Quick checklist (actionable)

  1. Capture RAM → image disk → compute hashes.
  2. Scan memory for image headers and dump suspicious processes.
  3. Carve images from memory, swap, unallocated space.
  4. Search disk for image files, thumbnail caches, temp folders.
  5. Correlate with event logs, scheduled tasks, and persistence artifacts.
  6. Analyze network logs/PCAP for uploads.
  7. Hash and compare artifacts; document chain-of-custody.
  8. Produce timeline and court-ready report.

