# My write up detailing some other ways to monitor or gather intelligence...



## ToCatchACheater (Jun 21, 2013)

Hi 
I thought it might be helpful to others out there for me to share some of the generally unknown and a little more advanced ways to monitor a spouse. This might be helpful to anyone who is looking for reassurance of a partner finally being on the "straight and narrow" post an infidelity, or to anyone who has that terrible gut feeling that just won't quit and needs a solid answer.

This is not a positive post - I will provide you with some lesser known and more invasive ways to get undeniable evidence with solid black and white answers. My work has an element of forensic data recovery, with my clients amongst others being my country's law enforcement and government departments. 

Obviously I cannot provide any information that is of a secure or sensitive nature - and in most cases the more advanced stuff is privy to restricted access by warrant etc anyway, so not any good to Joe Public.

I'm only providing basic stuff here - stuff that can be done by anyone who has enough computer skill to turn on a computer and open a file or browser window basically.

My last bit of advice before I begin - Use this to get the answers you need. If you suspect something, hopefully this helps you get a clear answer so you can either gather everything you need to confront and act, or put that uneasy paranoia in your gut to rest once and for all so that you can get on with enjoying your relationship with the person you love 

I'll start with the obvious ones:

Installing a Spyware Application on their Smartphone and/or Tablet

Most spyware applications have their problems and positives. I am yet to see one that totally works as advertised - but I have seen a few that will do the job, as long as you are realistic and aware of your partner's overall technical grasp on life!

When all is said and done, the best ones of a not quite perfect group of choice are Mobistealth, StealthGenie and Mobile-Spy. I have seen and can vouch for all three of them being able to log all the important communications you would require (SMS logging regardless of unsent draft or immediate deletion, Web URL history logging, Contacts List, Calendar, Call History and Location Tracking, apps installed, downloads).

I have seen these tasks done better and worse by each of the above products, but if I had to pick one, it would be Mobistealth. There is a thread here outlining the real time location problems that can happen with these apps, particularly Mobistealth and I have to agree with the statements made in that thread. 

Location accuracy can range from being able to tell what corner of a room someone is actually in, all the way to rare occasions where the location report is tens of miles off (I have seen one report that was as far off as 50 miles!). In general though, it is accurate enough that you can count on it, but make sure you back this up with other supporting info (texts, calls etc) if possible.

Image/MMS logging is hit and miss with all of these apps - personally, I wouldn't bother wasting the extra money on this feature for any of them - it rarely works and the reality is that it will more than likely be of little use to you compared to the plethora of other info you will get from this. These apps generally will not be able to record third party or incognito browser history (chrome for mobile, incognito for android browser etc). Nor will they record other messaging systems such as skype or specialist hidden messaging applications/games.

I'm yet to see any of these apps be undetectable or "run as invisible" as claimed. All of them that I've seen have for some reason been incapable of this, meaning that there is almost always a "process" or "application" that is plain and easy to spot by anyone who is tech savvy, counter-surveillance minded or is just plain tin foil hat paranoid.

Mobistealth for instance constantly runs a process (seen under settings/apps/running) called "SmartPhoneSecure" - which is believe it or not one of the better disguised ones. One of the more moronic failures of purpose from one I have seen on an android tab is "Peektab" - which in fact I can only assume was not correctly installed, as under grid view of application icons, the peektab application icon was clearly viewable like any other icon app... and in running services, the rather obvious icon of an eye peering sneakily through like a stalker didn't do anything to help take suspicion away from the equally obvious name of the app it was representing.

Anyway - I will say what probably doesn't need to be said, but I will so it has been... Installing these types of spy applications on another person's phone or computer device is plain and simply illegal. Most of us don't abide by the speed limit either - so we're all law breakers in one way or another, it's up to you to decide how far you're willing to go and what the risk vs reward is for deciding to employ spyware apps. Potentially, you could be in some very very serious trouble with the law if a partner was to find out that you had done this. Then again, if you caught them disrespecting you and cheating on you like a fool, then **** em, good riddance to bad trash. Better still, consider the option of never revealing this particular source directly.

Basic exploitation of Internet Browser database files in order to gather intelligence:

This only applies to Windows platforms (might apply to apple os, not my area) and will not work at all on an Android phone/tab or iphone/pad. This is because the android OS and database/files are put together different and for the most part encrypted as well. I will address this in a separate follow up post for anyone who wants to know more on this. 

I haven't bothered actually doing this in practice with IE Browser or Firefox Browser as Chrome is the most common browser I come across these days, therefore it's the only one I can provide practical experience reports for. It's pretty straightforward stuff though and I've detailed how to exploit this bit of IE and Firefox here too.

It's an amazingly obvious and pretty much in the long term unavoidable trap that will give up almost everyone eventually, especially if they are not 110% at all times on top of their counter detection discipline game.

It goes beyond normal in browser viewed internet history and it will usually have evidence of important stuff that has been deleted from history otherwise 

You will need access to the computer and user profile (logged in with permissions enabled) to do the following. By that, I mean you need to be able to view and operate the computer logged in as your spouse or whichever windows or open login they would usually use on their laptop or pc

Chrome:

Go to windows explorer - click desktop, then down the file tree you will see "AppData" - double click this and open the folder.

Next, find the folder "Local" - open then find "Google" then "Chrome" - Then "user Data" then "Default"

In this folder you will see a bunch of files at the bottom of the window (History, Webdata, Login Data to name a few...) - See them?

Now... create a folder on the desktop (don't forget to delete and empty from trash once you're done here! Make sure you copy this folder for your own records too though!) - name it whatever you like, but DataFiles is a nice easy one

click on the following files, then COPY each of them - (Ctrl, select individual multiple files, copy) - and then paste them to the new folder you have just created on desktop. 

- Webdata
- Login Data
- History
- Cookies
- Archived History
- Last Session
- Last Tabs
- Visited Links
- Top Sites

There is more to investigate here, but let's start with these ones first...

Now - you can do this one of two ways - for those lacking time or confidence in downloading and installing a little bit of helpful software for viewing the files properly, here is the "no frills" way..

click any of the copied files to open - when windows prompts you to select which program you wish to open the file with, select "Notepad". This should open the files in a raw text format that will give you what you need to know initially. Some of the files might take a few minutes to open due to their potentially large size, some might be small and instant to open.. hundreds of mb of file size will take poor little notepad some time to open hehehe 

Now, once open, you will be looking at a messy unformatted and partially encrypted text file - so it won't likely be in an easily followed format of recording or historical timeline - but that doesn't matter for the purposes of this activity

Click "edit" and "find" - then start punching in your previously considered list of search terms! (i.e. suspected usernames, suspected email addresses, suspected secret websites used/visited, suspected OP email addresses and the like, suspected passwords and so on). A good place to start is to search for things like @hotmail.com, @yahoo.com, @live.com, @gmail.com etc... I'll expand more on search term start points in a follow up post...

The second and more easy to follow way of viewing and searching these database files is to download a bit of software called SQLite Database Browser 2.0 b1 - it's freely available from good safe downloads sites with a simple google search.

This WILL NOT show anything that has been accessed via other browser platforms or "Incognito" browsing. Anything viewed incognito browser is for all intents and purposes here, unviewable, unrecorded and safe from your snooping!

If someone has been super disciplined and on top of the human condition of inevitable laziness that sometimes occurs, always accessing suspect sites via incognito, or only visiting their secret webmail provider login page and logging in from this feature, you have nothing - they might be doing it multiple times a day and you would never have anything to know it.

HOWEVER - If like most people they are one day in a rush, get a bit lazy or plain and simply **** up and accidentally forget to browse incognito (even just once!), then you've more than likely got them! Deleting the history after using the regular chrome browser window will not cover their tracks after this... I have even seen email addresses and contact details appear in this data that were only in play once, for example, might have been the "To" address in an email that has only been sent just one single time and all residual trace immediately deleted (so they think!).

In fact - when you see what data and information google has stored here, it's downright concerning even. There is content from emails and webpages and documents that have barely even come into play for the browser or outlook etc - one starts to wonder where the scope of google data collection actually legitimately lies vs what is there

IE:

IE is typically installed by default on new Windows-based computers and is used by most private and business computer owners. IE stores the Internet activity for each user under their Windows profile. In Joe's case, since he was using a Microsoft Windows operating system newer than Windows 2000, his IE activity was stored in the following directory:



C:\Documents and Settings\jschmo\Local Settings\Temporary Internet Files\Content.IE5\

The directory listed above stores the cached pages and images Joe reviewed on his computer. Inside the Content.IE5 directory there are additional subdirectories, each with a seemingly random name that contains the cached web data Joe had viewed. IE stores this cached information so that Joe does not have to download the same data more than once if he already reviewed the same web page.

We want to point out that there are two additional IE activity directories that may be of interest. The first directory contains the Internet history activity without locally cached web content:



C:\Documents and Settings\jschmo\Local Settings\History\History.IE5\

Under the directory above, there will be additional subdirectories signifying the date ranges where IE had saved the history. The last directory stores the cookie files for IE:



C:\Documents and Settings\jschmo\Cookies\

An investigator will typically check all three information stores for Internet activity data. Note that an individual can consciously clear these files for many reasons. In addition, several types of software are routinely installed on computers that periodically purge these files. But that does not mean that the information is not available. In part 2, we'll discuss what to do to find these files if they do not immediately appear available. For now, we'll assume that the data and files exist. Then, if we enter any of the directories presented above, you will find a file named Index.dat. The Index.dat file contains the Internet activity for each information store. In the cached web pages directory, this file is populated with more information than the others, even though the internal file structures are identical. In order to rebuild a web page a user had visited, the Operating System must find the correct locally cached web page and the corresponding URL the user visited. This relationship is mapped in the Index.dat file. This is the same technique we will use when reconstructing Joe's Internet browsing activity. The Content.IE5 Internet activity directory will be the most useful to us when we reconstruct Joe's activity because we can view the same web pages Joe viewed in the past through his cached versions of these web pages.

The Index.dat file is saved in a proprietary binary format that is only officially known to Microsoft. However, the following whitepaper describes some of these internal data structures that may be helpful if you try to reconstruct the file by hand.

Firefox/Mozilla/Netscape Based Web Browsers:

Firefox/Mozilla/Netscape and other related browsers also save the Internet activity using a similar method to IE. Mozilla/Netscape/Firefox save the web activity in a file named history.dat. One significant difference between a history.dat file and an index.dat file is that a history.dat file is saved in an ASCII format rather than binary. This makes reviewing the file simpler than the corresponding IE file. The second difference with the history.dat file is that it does not link web site activity with cached web pages. Therefore, we cannot readily assemble views of web pages Joe visited in the same manner that we can with IE.

Firefox files are located in the following directory:



\Documents and Settings\<user name>\Application Data\Mozilla\Firefox\Profiles\<random text>\history.dat

Mozilla/Netscape history files are found in the following directory:



\Documents and Settings\<user name>\Application Data\Mozilla\Profiles\<profile name>\<random text>\history.dat

The process of reconstructing web activity manually can be quite tedious. Fortunately, there are several tools, both free and commercial, that streamline this process considerably. The following sections present some of these tools. Please follow along with the web activity data you downloaded in the introduction to this article, and use the tools mentioned in this article to reconstruct the analysis.

Google search will give you a plethora of information if you want more 

Gmail Account Search History: 

If the person in question has a gmail account (most people with an android do these days!) then there is a fair chance they have been lazy and left that account logged in and associated to their phone! This will result in any searches (internet, maps etc) being recorded in the Google Account. This can be viewed by logging into the gmail account (assuming you have found it and the password associated with it from the above described method!) and then clicking on "account" - "Manage your web history".

You can also have a little snoop at what apps have been downloaded and installed on their device/s from the play tab here - which if you know what you're looking for might even reveal anything from installed secret messaging apps (some appear as innocent programs like calculators or sudoku games etc) through to seemingly innocent and otherwise regular game apps (words with friends etc) that can in fact be utilized as a sneaky and often missed method of communicating and messaging with a potential OP, in just the same regularity and manner that they would via SMS, just for free, and under the guise of scrabble or some other innocent platform.

Gaining access to this secret email account is the master key to everything though - it is more than likely going to be the password and account recovery address for all other suspect accounts related to what is going on... and don't forget to check this account for a secondary email that it recovers to while you are there 

From here, accessing other accounts and communications platforms is as easy as getting the username (again by above browser files mining) then going through the good ol' "forgot password" sequence - opting to recover and reset any password and account access you like to the newly compromised for your convenience mail account within minutes, then covering your tracks by deleting to trash then deleting forever all evidence of your presence and activities there

If this is a primary and otherwise declared and known email account (that they won't allow you free access to) - there is a fair chance that this will be the recovery address for anything from facebook password changes through to secret website accounts through to my next point of discussion - the online login and billing notifications for their mobile phone account.

One last thing though... Don't forget to:

Delete any search history that has logged during the time you have been logged into their gmail account!

Delete any email you have forwarded to yourself for record from sent items and deleted items!

Use incognito browser if possible at all times!

Mobile Phone Accounts:

These are a golden resource to those who can approach with methodical and patient analysis. A wealth of information that will cause almost everyone to come unstuck at some point - especially if the person you are investigating has no idea that you're looking - or is silly enough to underestimate your ability and their exposure!

Again - I can't be blamed for some of you breaking laws and it goes without me saying that accessing someone else's mobile phone accounts and records without direct permission of the account holder is highly illegal and morally questionable at best. Potentially, one could even further exploit a basic level of access gained to this account with ease - downloading for their own snooping perusal up to 7 years of itemized billing history (most providers will have available for tax and records purposes) - which of course would give you a second accurate copy of all numbers called, what time they were called and how many SMS's have been going to a certain number at all hours of day and night

It's a great way to consolidate and validate your Spy App SMS/Call history logs for accuracy - checking that your spy app hasn't missed any calls or sms's sent and deleted before the app had a chance to log them (unlikely but still!) - or giving a history of communication and call origins at times and dates far before you may have even suspected anything...

Also a great way to highlight the "black hole" of missing activity - when the cheater has opted to leave the OP's number as an unlisted and un-named number which they prefer to religiously delete after each and every sms or call they share... but strangely cannot for the life of them think of who that number might be when you confront them with the 50million dollar question of "Who is *this* number?" 

I mean... sorry if it's hard to believe you when you stand there and tell me you have no idea and it doesn't ring a bell at all - it's just that it seems like you had no problem remembering it the other several hundred times you have punched it into your phone every day for the last "x" amount of years/months hahaha!


I'll leave this post at that for now - more to come and more to expand on with topics touched on above.

Hope it's been of help so far

Next Post: Basic Intercepting methods for obtaining uncompromised and untainted web access data.


----------

