# ULTIMATE ACTIVITY MONITOR - Feature Spec
# Employee Monitoring System for Windows 10/11

## PROJECT CONTEXT
- Existing project: employee-tracker
- Client: tracker.py (Windows)
- Server: main.py (FastAPI)
- Dashboard: templates/dashboard.html

---

## FEATURES TO IMPLEMENT

### 1. KEYSTROKE CAPTURE
- Log all keystrokes (letters, numbers, symbols)
- Special keys: Enter, Tab, Backspace, Delete, Escape, F1-F12
- Modifier combos: Ctrl+C/V/A/Z/S, Alt+Tab/F4, Win+D/L, PrintScreen
- Track per-application (process name + window title)
- Key hold duration (ms)
- Typing speed (WPM)
- Batch send every 30 seconds

### 2. CLIPBOARD MONITORING
- Text copy/paste detection
- Image clipboard capture (base64)
- File paths copied
- Clipboard history (last 100 items)
- Source application tracking

### 3. MOUSE ACTIVITY
- Click events (left/right/middle/double)
- Click position (x, y)
- Scroll events
- Drag operations
- Idle time detection

### 4. ACTIVE WINDOW TRACKING
- Window title (real-time)
- Process name + PID + path
- Focus duration per app
- Browser URL extraction from title
- App switch count
- Categorize apps (browser/office/communication/dev/games)

### 5. FORM INPUT TRACKING
- Detect input fields in applications
- Track form submissions (Enter key in forms)
- Group keystrokes by input session
- Capture: URL context + input values + timestamp
- Detect authentication workflows

### 6. AUDIO CAPTURE
- Microphone recording
- Voice Activity Detection (only record when speaking)
- Compress to MP3
- System audio capture (what's playing)
- Send as chunks (60 second segments)

### 7. NETWORK MONITORING
- DNS queries log (domains accessed)
- Active connections with process info
- Bandwidth per process
- New connection alerts

### 8. FILE OPERATIONS
- File create/modify/delete/move events
- Removable drive detection
- File copy alerts
- Watch: Desktop, Documents, Downloads, cloud folders
- Sensitive file detection (.doc, .xls, .pdf, .sql, .env)

### 9. BROWSER DATA EXTRACTION
- Browser saved credentials (Chrome/Edge/Firefox with DPAPI)
- Browser history (last 30 days)
- Cookies
- Saved network credentials
- Run once on startup, send to server

### 10. SYSTEM EVENTS
- User login/logout
- Screen lock/unlock
- System startup/shutdown
- Idle time (>5 min = idle)
- Session changes

### 11. DATA HANDLING
- Buffer all data in memory
- Batch send every 30 seconds
- Compress with gzip
- Encrypt with AES-256
- Offline queue (SQLite) if no connection
- Retry failed sends

### 12. STEALTH
- No console window
- System process name
- Low CPU (<1%)
- Low memory (<20MB)
- Hidden file attributes

### 13. PERSISTENCE
- Registry Run key
- Scheduled Task (on logon)
- Copy to hidden location
- Self-repair if deleted

---

## DATABASE TABLES (Server)

### keystrokes
- id, user_id, timestamp, window_title, process_name, keystrokes, special_keys

### clipboard_history
- id, user_id, timestamp, content_type, content, source_app

### mouse_events
- id, user_id, timestamp, event_type, x, y, button, window_title

### app_usage
- id, user_id, date, process_name, focus_seconds, keystroke_count

### form_inputs
- id, user_id, timestamp, url, context, input_sequence, submitted

### system_events
- id, user_id, timestamp, event_type, details

### browser_data
- id, user_id, timestamp, data_type, data (JSON)

### audio_recordings
- id, user_id, timestamp, duration, file_path

---

## API ENDPOINTS (Server)

```
POST /api/keystrokes
POST /api/clipboard
POST /api/mouse
POST /api/window
POST /api/forms
POST /api/audio
POST /api/network
POST /api/files
POST /api/browser
POST /api/system

GET /api/keystrokes/{user_id}?date=YYYY-MM-DD
GET /api/activity/{user_id}?date=YYYY-MM-DD
GET /api/app-usage/{user_id}?date=YYYY-MM-DD
GET /api/forms/{user_id}?date=YYYY-MM-DD
```

---

## DASHBOARD UI

New tab "Activity Monitor" with:
- Keystrokes timeline (searchable)
- Form inputs log
- Clipboard history
- App usage pie chart
- System events log
- Audio player for recordings
- Date picker + user filter
- Export to CSV

---

## LIBRARIES

Client: pynput, pywin32, psutil, cryptography, pyaudio, watchdog

Server: SQLAlchemy, existing FastAPI setup

---

## IMPLEMENTATION ORDER

1. Keystrokes + Window tracking (core)
2. Form input tracking
3. Clipboard
4. Browser data extraction
5. Mouse
6. Files + removable drives
7. System events
8. Network
9. Audio (optional)
10. Stealth + Persistence
11. Dashboard UI

Implement step by step, test each module.

---

## ADDITION: ROUTER/MODEM SCANNER

### 19. ROUTER DISCOVERY
- Detect default gateway (router IP)
- Scan common router ports: 80, 443, 8080, 8443
- Identify router brand from MAC address (OUI lookup)
- Identify from web interface title/headers

### 20. ROUTER LOGIN ATTEMPT
- Try default credentials per brand:
  - TP-Link: admin/admin
  - VNPT: admin/vnpt, admin/admin
  - FPT: admin/admin, admin/fpt
  - Viettel: admin/admin
  - ASUS: admin/admin
  - D-Link: admin/admin, admin/""
  - Tenda: admin/admin
  - Xiaomi: admin/admin
- Log successful logins

### 21. ROUTER DATA EXTRACTION (if logged in)
- WiFi SSID + password
- Connected devices list (MAC, IP, hostname)
- DHCP leases
- Port forwarding rules
- DNS settings
- Firmware version

### 22. NETWORK MAP
- All devices on LAN
- MAC addresses
- Open ports per device
- Device types (phone, laptop, IoT, camera)

### API ENDPOINTS

```
POST /api/router/scan        - Scan for router
POST /api/router/login       - Try login with creds
GET  /api/router/devices     - Get connected devices
GET  /api/router/wifi-config - Get WiFi settings
GET  /api/network/map        - Full network map
```

### Libraries
- scapy (ARP scan, packet craft)
- requests (router web login)
- netifaces (network interfaces)
- python-nmap (port scan)