There are numerous tools that can monitor a remote computer over a network, using several methodologies. Some are platform dependent, some require 'administrative' access, and most would probably require some kind of warrant for the evidence they collect to be admissible in many courts. As Casey (2004, 15.1) notes, “security professionals can minimize the risk of being criticized for violating a system owner's rights by obtaining written instructions from their attorneys and management.” However, not even the system owners “have unfettered legal authority to monitor users of the network” (Salgado, 2004, p226). Still, obtaining such instructions is a logical first step for investigators, analogous to collecting any sort of evidence from a third party's property. It should then be followed up with courts and warrants if investigators believe they could be accused of violating the suspect's rights.

In the Windows environment, some tools are available with the OS, such as Remote Assistance and Remote Viewer (Microsoft, 2010); some are available commercially, like Big:Eye and School PC; and some are free, including PenyuPC (Free Download Manager, n.d.) and VNC (Wikipedia, 2010). Any of these should be rigorously examined at the application, operating system and network layers if one is seriously considering using them to collect forensic evidence.

In the UNIX environment many applications are free. VNC is available, as are the X-Windows APIs and the command line 'screen' utility. It's difficult to set these up so that an advanced user can't tell they're running, but not impossible if one replaces system binaries like 'ps' with trojans or gives the user a jailed shell.

All of the tools mentioned above are simple GUI or CLI screen-level monitors. As such, they require some software 'agent' on the machine to be monitored. An entirely different type of monitoring can be accomplished at the network level (Casey, 2004, 15.6). While this is nowhere near as simple, it is much harder for the person being monitored to detect. The legality and admissibility of this strategy isn't very different from that of agent-based monitoring: the evidence will need to be authenticated, and some sort of warrant will probably be necessary. But the value of the stealth that these methods provide may balance the greater resources of time and expertise they generally require.


Casey, E. (2004) Digital Evidence and Computer Crime – Forensic Science, Computers and the Internet 2nd edition


Free Download Manager (n.d.) Best free remote monitoring downloads [Online]. Available from: http://www.freedownloadmanager.org/downloads/remote_monitoring_software/ (Accessed: 11 July, 2010)


Microsoft (2010) Windows Remote Assistance: frequently asked questions [Online]. Available from: http://windows.microsoft.com/en-US/windows-vista/Windows-Remote-Assistance-frequently-asked-questions (Accessed: 11 July, 2010)


Salgado, R. (2004) 'Legal Issues', Know Your Enemy, pp. 225-252 [Online]. Available from: http://old.honeynet.org/book/Chp8.pdf (Accessed: 11 July, 2010)


Wikipedia (2010) Virtual Network Computing [Online]. Available from: http://en.wikipedia.org/wiki/Virtual_Network_Computing (Accessed: 11 July, 2010)