Revealer Keylogger Free Edition (rkfree) is an easy-to-use, proprietary keylogger for Windows available at no cost. It won’t do for forensic use, but might serve the needs of casual users.
The no-cost version is clearly visible in the Windows task manager as rkfree.exe, “Revealer keylogger Free Edition”. The paid version (€25) claims to be invisible to the task manager and adds remote log delivery (email, FTP). All versions have a scheduled uninstall feature, which would be useful in conjunction with remote log delivery.
The following discusses the no-cost version.
The makers’ website has a poor reputation on WOT, but the software is considered safe by CNET. The website’s secure certificate (seen when requesting the HTTPS version of the website) looked suspicious in August 2011; use caution if providing data.
In July 2011, rkfree was detected by F-Prot upon installation and by Ad-Aware on running, but was not detected by Windows Defender.
INSTALLATION AND CONFIGURATION
Download rkfree and install it in the normal manner. An MSI installer is not available, making institution-wide deployment tedious.
Rkfree installs to %SystemDrive%\Program Files\rkfree. The installation location is hardcoded, so it goes there even on versions of Windows localized into languages other than English.
Once installed, open the control panel with the default keybinding Ctrl+Alt+F9 and configure as desired.
Open the control panel as described above to view the key logs. Logs appear in an easy-to-read format that is fine for casual use. Forensic analysis would need output in a format useful for filtering and parsing, such as that produced by PyKeylogger.
The raw logs are found (on XP) at %SystemDrive%\Documents and Settings\All Users\Program Data\rkfree\data\WINDOWS-USERNAME, with log names taking the format DDMMYYYY.rvl. The raw logs are in an undocumented binary format.
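For anyone auditing a machine or a mounted disk image for this software, the script below is an added example (not part of the original notes, and not vendor code). It inventories the install directory and the per-user DDMMYYYY.rvl logs using the XP paths given above, without parsing the undocumented log contents. The function names and the sample tree are constructed for illustration.

```python
import re
import tempfile
from datetime import datetime
from pathlib import Path

# Relative locations as stated in these notes (Windows XP layout, rkfree 1.4).
INSTALL_DIR = Path("Program Files", "rkfree")
DATA_DIR = Path("Documents and Settings", "All Users", "Program Data", "rkfree", "data")
LOG_NAME = re.compile(r"^([0-9]{8})\.rvl$", re.IGNORECASE)

def parse_log_date(name):
    """Return the date encoded in a DDMMYYYY.rvl file name, or None if it does not fit."""
    m = LOG_NAME.match(name)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), "%d%m%Y").date()
    except ValueError:  # eight digits that are not a real calendar date
        return None

def inventory(root):
    """Scan a system-drive root (live drive or mounted image) for rkfree artifacts."""
    root = Path(root)
    found = {"install_dir_present": (root / INSTALL_DIR).is_dir(), "logs": []}
    data = root / DATA_DIR
    if data.is_dir():
        for user_dir in (p for p in data.iterdir() if p.is_dir()):
            for f in user_dir.iterdir():
                day = parse_log_date(f.name)
                if day is not None and f.is_file():
                    found["logs"].append((user_dir.name, day, f.stat().st_size))
    found["logs"].sort()  # by Windows username, then by logged day
    return found

def build_sample_tree(root):
    """Constructed sample data: two users, three valid log names, two decoys."""
    root = Path(root)
    (root / INSTALL_DIR).mkdir(parents=True)
    samples = {"alice": ["11082011.rvl", "09082011.rvl", "31022011.rvl"],
               "bob": ["01072011.rvl", "notes.txt"]}
    for user, names in samples.items():
        (root / DATA_DIR / user).mkdir(parents=True)
        for n in names:  # placeholder bytes, not the real .rvl format
            (root / DATA_DIR / user / n).write_bytes(b"\x00" * 16)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        result = inventory(build_sample_tree(tmp))
        print("install dir present:", result["install_dir_present"])
        for user, day, size in result["logs"]:
            print(f"{user}  {day.isoformat()}  {size} bytes")
```

Point `inventory()` at the system drive root (or the mount point of an image) to list which accounts were logged and on which days.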
Logs can be manually saved as plain text files. On one installation on Windows 7, they were saved in UTF-16 encoding with no apparent way to change this; I had to convert them to UTF-8 (gedit can do this) before I could use tools such as egrep on the logs.
The control panel contains an uninstallation option. If you excluded rkfree from any malware scanners upon installation, remember to remove the exclusions.
Impress on the client the need to comply with local law and to use common sense when implementing user monitoring. Regardless of local law or custom, it is usually wise to clearly inform employees what constitutes acceptable use of employer-provided computers and that management reserves the right to monitor compliance.
These notes are based upon Revealer Keylogger Free Edition 1.4 and were last updated 11 August 2011.