User monitoring with Revealer Keylogger

Revealer Keylogger Free Edition (rkfree) is an easy-to-use, proprietary keylogger for Windows available at no cost. It won’t do for forensic use, but might serve the needs of casual users.

The no-cost version is clearly visible in the Windows task manager as rkfree.exe, “Revealer keylogger Free Edition”. The paid version (€25) claims to be invisible to the task manager and adds remote log delivery (email, FTP). All versions have a scheduled uninstall feature, which would be useful in conjunction with remote log delivery.

The following discusses the no-cost version.

PRE-INSTALLATION NOTES
The makers’ website has a poor reputation on WOT, but the software is considered safe by Cnet. The website’s secure certificate (seen when requesting the https version of the website) looked suspicious in August 2011; use caution if providing data.

In July 2011, rkfree was detected by F-Prot upon installation and by Ad-Aware on running, but was not detected by Windows Defender.

INSTALLATION AND CONFIGURATION
Download rkfree and install it in the normal manner. An MSI installer is not available, making institution-wide deployment tedious.

Rkfree installs to %SystemDrive%\Program Files\rkfree. The installation location is hardcoded, so it goes there even on versions of Windows localized into languages other than English.

Once installed, open the control panel with the default keybinding Ctrl+Alt+F9 and configure as desired.

USAGE NOTES
Open the control panel as described above to view the key logs. Logs appear in an easy-to-read format that is fine for casual use. Forensic analysis would need output in a format suited to filtering and parsing, such as that produced by PyKeylogger.

The raw logs are found (on XP) at %SystemDrive%\Documents and Settings\All Users\Program Data\rkfree\data\WINDOWS-USERNAME, with log names taking the format DDMMYYYY.rvl. The raw logs are in an undocumented binary format.
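The locations above also serve as indicators when auditing a machine or a mounted disk image for rkfree. The following is an added example, not part of the original notes or of the product: it checks only the XP paths named in this article (other Windows versions may differ), and the function names and report layout are assumptions.

```python
import re
import sys
import tempfile
from datetime import datetime
from pathlib import Path

# Locations as given in the article (XP layout), relative to %SystemDrive%.
INSTALL_DIR = Path("Program Files", "rkfree")
DATA_DIR = Path("Documents and Settings", "All Users", "Program Data", "rkfree", "data")
LOG_NAME = re.compile(r"(\d{8})\.rvl", re.IGNORECASE)


def parse_log_date(filename):
    """Return the date encoded in a DDMMYYYY.rvl file name, or None."""
    match = LOG_NAME.fullmatch(filename)
    if not match:
        return None
    try:
        return datetime.strptime(match.group(1), "%d%m%Y").date()
    except ValueError:  # eight digits that are not a calendar date
        return None


def find_rkfree_artifacts(system_drive):
    """Summarise rkfree traces under a live or mounted system drive."""
    root = Path(system_drive)
    report = {"install_dir": (root / INSTALL_DIR).is_dir(), "users": {}}
    data_dir = root / DATA_DIR
    if not data_dir.is_dir():
        return report
    for user_dir in sorted(p for p in data_dir.iterdir() if p.is_dir()):
        names = (f.name for f in user_dir.iterdir() if f.is_file())
        dates = sorted(d for d in map(parse_log_date, names) if d)
        if dates:  # one entry per Windows user that has daily logs
            report["users"][user_dir.name] = {
                "days": len(dates), "first": dates[0], "last": dates[-1]}
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. C:\ or the mount point of a disk image
        print(find_rkfree_artifacts(sys.argv[1]))
    else:  # constructed sample tree, not real data
        with tempfile.TemporaryDirectory() as tmp:
            logs = Path(tmp) / DATA_DIR / "alice"
            logs.mkdir(parents=True)
            for name in ("09082011.rvl", "11082011.rvl", "notes.txt"):
                (logs / name).touch()
            print(find_rkfree_artifacts(tmp))
```

The first and last dates per user give the window during which logging was active for that account.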

Logs can be manually saved as plain text files. On one installation on Windows 7, they were saved in UTF-16 encoding with no apparent way to change this; I had to convert them to UTF-8 (gedit can do this) before I could use tools such as egrep on the logs.
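The conversion step described above can be scripted when there are many exported files. This is an added example, not part of the original notes: the sample text is constructed (the export layout is not documented here), and the function names are assumptions.

```python
import codecs
import re
import tempfile
from pathlib import Path

BOMS = ((codecs.BOM_UTF8, "utf-8-sig"),
        (codecs.BOM_UTF16_LE, "utf-16"),
        (codecs.BOM_UTF16_BE, "utf-16"))
# Constructed sample text; the real export layout is not documented here.
SAMPLE = "10:02 notepad.exe\r\nquarterly invoice draft\r\n10:05 firefox.exe\r\nsearch: train times\r\n"


def detect_encoding(raw):
    """Guess the encoding of an exported log from its first bytes."""
    for bom, name in BOMS:
        if raw.startswith(bom):
            return name
    head = raw[:4096]
    # Without a BOM, mostly-ASCII UTF-16 has a NUL in every other byte.
    if head[1::2].count(0) > len(head) // 4:
        return "utf-16-le"
    if head[0::2].count(0) > len(head) // 4:
        return "utf-16-be"
    return "utf-8"


def convert_to_utf8(src, dst):
    """Write a UTF-8 copy of src with Unix line endings."""
    raw = Path(src).read_bytes()
    text = raw.decode(detect_encoding(raw)).replace("\r\n", "\n")
    Path(dst).write_bytes(text.encode("utf-8"))


def grep(path, pattern):
    """Return (line number, line) pairs matching an egrep-style pattern."""
    rx = re.compile(pattern)
    lines = Path(path).read_text(encoding="utf-8").splitlines()
    return [(n, line) for n, line in enumerate(lines, 1) if rx.search(line)]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "export.txt"), Path(tmp, "export.utf8.txt")
        src.write_bytes(SAMPLE.encode("utf-16"))
        print(b"invoice" in src.read_bytes())  # byte search on the raw UTF-16 file
        convert_to_utf8(src, dst)
        print(grep(dst, r"invoice|train"))
```

A byte-oriented search misses text in the UTF-16 file because every ASCII character is followed or preceded by a NUL byte; after conversion the same pattern matches.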

UNINSTALLING
The control panel contains an uninstallation option. If you excluded rkfree from any malware scanners upon installation, remember to remove the exclusions.

ETHICAL CONSIDERATIONS
Impress on the client the need to comply with local law and to use common sense when implementing user monitoring. Regardless of local law or custom, it is usually wise to clearly inform employees what constitutes acceptable use of employer-provided computers and that management reserves the right to monitor compliance.


These notes are based upon Revealer Keylogger Free Edition 1.4 and were last updated 11 August 2011.


About Warren Post

So far: Customer support guy, jungle guide, IT consultant, beach bum, entrepreneur, teacher, diplomat, over-enthusiastic cyclist. Tomorrow: who knows?

5 Responses to User monitoring with Revealer Keylogger

  1. Pingback: User monitoring software for Windows | A maze of twisty little passages

  2. Omprakash Jha says:

    Hi,

    This morning I found the logs missing from my interface of Revealer keyloggers. But the data is saved in my laptop in .rvl format which is not readable. How do I convert these .rvl log files into any other readable format?

    • Balazs says:

      Hello,
      A friend of mine is facing the same issue. :( Have you succeeded maybe to convert the rvl files or have you maybe tried to copy the logs and only put back the one you would like the program to load (or maybe a bunch of them)? I am just thinking on this because suddenly the application behaves so that it only shows the actual day's log and not the prior ones (as you described), but also the Import button does not work (I thought it should open/read the selected file).
      Thanks in advance,
      Kind regards,
      Balazs

  3. I believe what you published made a ton of sense.

    But, consider this, what if you wrote a catchier title?

    I mean, I don’t want to tell you how to run your blog, however what if you added something that grabbed folk’s attention? I mean User monitoring with Revealer Keylogger | A maze of twisty little passages is a little boring. You should look at Yahoo’s home page and watch how they write article headlines to grab viewers to click. You might add a video or a pic or two to get readers interested about everything you’ve written. Just my opinion, it might make your posts a little bit more interesting.

  4. That is a great tip especially to those new to the blogosphere.
    Simple but very accurate information… Many thanks for sharing this one.
    A must read post!
