Forensic Checklist: Investigating a “Sondle Screenshot Keylogger” Compromise

Summary

A focused, step‑by‑step forensic checklist to investigate suspected compromise by the Sondle Screenshot Keylogger (a commercial screenshot/keylogging product) on a Windows host. Assume immediate containment is required and preserve evidence for possible legal action.

Immediate actions (containment & preservation)

  1. Isolate host: Disconnect network (airplane mode or unplug Ethernet). Do not power off unless required—volatile evidence is critical.
  2. Document: Record date/time, user, machine name, IP, physical location, who performed actions. Take photos of the workstation state.
  3. Preserve volatile data: Capture memory (RAM) image with a trusted tool (e.g., Belkasoft Live RAM Capture, Magnet RAM Capture) and save to external media.
  4. Collect live system info: Export running processes, services, open network connections, scheduled tasks, drivers, loaded kernel modules:
    • tasklist /v, wmic process list, Get-Process (PowerShell)
    • netstat -ano, tcpview
    • schtasks /query /fo LIST /v
    • driverquery /v
  5. Create full disk image: Bit‑for‑bit (dd, FTK Imager) to write‑protected storage. Verify hashes (MD5/SHA256).

Triage indicators to check

  • Installed programs list for “Screenshot Keylogger”, “Sondle”, or similar names.
  • Hidden/stealth installers: check Program Files, ProgramData, AppData (Roaming/Local).
  • Services and drivers with unfamiliar names or marked as autostart.
  • Autoruns at startup (HKLM/HKCU Run, RunOnce, Scheduled Tasks). Use Autoruns (Sysinternals).
  • Unexpected browser extensions or toolbars.
  • Unusual files with recent timestamps that match suspected install times.
  • Presence of log files containing keystrokes, screenshots, or clipboard dumps (common extensions: *.log, *.dat, *.db).
  • Outbound network destinations and uncommon domains/IPs (from netstat, firewall logs, PCAP).
  • Suspicious emails or downloaded binaries that match the compromise timeline.
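The live-collection step (tasklist / netstat) and the "outbound network destinations" indicator above can be correlated mechanically once the exports are saved. The following is an added example (not part of the original checklist): it parses `tasklist /v /fo CSV` and `netstat -ano` output, reports every established connection to a non-local host together with the owning process, and flags processes whose image name or window title contains a keylogger-related string. Both inputs are constructed samples; the process names, PIDs and addresses are not real indicators.

```python
import csv, io, ipaddress, re

# Constructed sample of `tasklist /v /fo CSV` output (not captured from a real host).
TASKLIST_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"svchst.exe","4120","Console","1","12,344 K","Running","CORP\\jdoe","0:01:03","Screenshot Keylogger"
"chrome.exe","5210","Console","1","210,004 K","Running","CORP\\jdoe","0:02:44","Inbox - Google Chrome"
"explorer.exe","1840","Console","1","85,120 K","Running","CORP\\jdoe","0:00:12","N/A"
'''
# Constructed sample of `netstat -ano` output; foreign hosts use RFC 5737 documentation ranges.
NETSTAT_TXT = '''  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED     4120
  TCP    192.168.1.10:49801     198.51.100.20:443      ESTABLISHED     5210
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  UDP    127.0.0.1:62311        *:*                                    1840
'''
INDICATOR_RE = re.compile(r"sondle|keylog|screenshot", re.IGNORECASE)
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
              "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10")]

def parse_tasklist(csv_text):
    """Map PID -> (image name, window title) from `tasklist /v /fo CSV` output."""
    return {int(r["PID"]): (r["Image Name"], r["Window Title"])
            for r in csv.DictReader(io.StringIO(csv_text))}

def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) rows from `netstat -ano`; UDP rows carry no state."""
    rows = [m.groups() for m in map(NETSTAT_RE.match, text.splitlines()) if m]
    return [(proto, local, foreign, state or "", int(pid)) for proto, local, foreign, state, pid in rows]

def is_external(endpoint):
    """True when 'host:port' names an address outside loopback, link-local and RFC 1918 space."""
    host = endpoint.rsplit(":", 1)[0].strip("[]")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # '*', hostnames or malformed fields are never treated as external
        return False
    return not any(ip in net for net in LOCAL_NETS)

def triage(tasklist_csv, netstat_txt):
    """Report each established external connection with its owning process and an indicator flag."""
    procs = parse_tasklist(tasklist_csv)
    findings = []
    for _proto, _local, foreign, state, pid in parse_netstat(netstat_txt):
        if state != "ESTABLISHED" or not is_external(foreign):
            continue
        image, title = procs.get(pid, ("<not in tasklist>", ""))
        findings.append({"pid": pid, "image": image, "foreign": foreign,
                         "indicator": bool(INDICATOR_RE.search(f"{image} {title}"))})
    return findings
```

Run it against the saved exports from the compromised host; a flagged PID is a starting point for the memory and disk steps below, not proof by itself, since the product may use an unremarkable process name.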

Memory analysis targets

  • Strings that include “screenshot”, “keylogger”, “sondle”, API calls (SetWindowsHookEx, GetAsyncKeyState), SMTP/HTTP upload routines.
  • Running processes with injected threads or suspicious handles.
  • Loaded modules not present on disk or unsigned DLLs.
  • Active network connections and in‑memory config (C2 addresses, exfil endpoints).
  • Decrypt and extract in‑memory artifacts (credentials, logs, screenshots).

Disk and file system analysis

  • Search for filenames and paths known from the Sondle site (Screenshot Keylogger installer names, versioned executable names).
  • Look for scheduled tasks, service executable locations, and alternate data streams.
  • Inspect browser histories, cookies, and saved credentials.
  • Recover deleted files (photorec, R-Studio) that may contain logs/screenshots.
  • Analyze timestamps for lateral movement or persistence timing.

Network forensics

  • Collect firewall, gateway, and proxy logs; capture PCAP if
