FinFireWire - WikiLeaks



FINFISHER: FinFireWire 2.2
User Manual

Copyright: 2011 by Gamma Group International, UK
Date: 2011-08-04

Release information

Version  Date        Author  Remarks
1.0      2010-09-27  Pk      Draft release
1.1      2010-09-27  mjm     Review
1.2      2011-08-04  Pk      Update for FinFireWire 2.2 Release

Table of Contents

1 Overview
2 Requirements
  2.1 Agent Operating System
  2.2 Target Operating System
3 Software Installation
4 Usage
  4.1 Menu Panel
  4.2 Updates
  4.3 License
  4.4 About
  4.5 Main Panel
    4.5.1 Welcome Screen & Initialization
    4.5.2 Device Name
    4.5.3 Connect
    4.5.4 Operation Selection
    4.5.5 Unlock - Target Configuration
    4.5.6 Unlock – Auto Detect Feature
    4.5.7 Unlock - Advanced Configuration
    4.5.8 Unlock - Summary / Start
5 Quick Step-by-Step Introduction
    5.1.1 RAM Dump Information - Configuration
    5.1.2 RAM Dump Information - Summary / Start
6 Support

1 Overview

FinFireWire is a tactical kit that enables the operator to quickly and covertly bypass the password-protected Login-Screen or Screensaver.
No modifications are done on the actual Target System and no reboot is required so all essential forensic evidence can be recovered live from the running system.

The following topics are covered within this document:

- Installation
- Configuration
- Usage
- Updates / Support

2 Requirements

2.1 Agent Operating System

FinFireWire can be installed on the following Operating System(s):

- Ubuntu Linux 9.10 / 10.04

2.2 Target Operating System

FinFireWire supports the following Target Operating Systems:

- Microsoft Windows XP
- Microsoft Windows Vista
- Microsoft Windows 7
- Mac OSX (without FileVault)
- Backtrack 4
- Ubuntu
- FreeBSD
- SuSE

3 Software Installation

FinFireWire is pre-installed on the delivered Laptop. If you must install FinFireWire by yourself, insert the CD-ROM and start the “FinFireWire-VERSION.ggi” installer.

Copy the installer “FinFireWire.X.X.ggi” to /tmp:

via CDROM

    sudo mount /media/cdrom0
    cp /media/cdrom0/FinFireWire.X.X.ggi /tmp

OR

via USB stick (only FAT32 file system is supported!)

    sudo mkdir /mnt/usb
    sudo mount /dev/sdb1 /mnt/usb    # /dev/sdb1 could be different!
    cp /mnt/usb/FinFireWire.X.X.ggi /tmp
    sudo umount /mnt/usb

Start the installer with:

    sudo chmod 700 /tmp/FinFireWire.X.X.ggi
    sudo /tmp/FinFireWire.X.X.ggi

The installer writes files into the following directory:

    /usr/local/finfirewire

Figure 1: Welcome Screen

Figure 2: Installation Completed

4 Usage

This chapter describes the handling and layout of FinFireWire software.

In this chapter:

1 – Menu Panel
2 – Main Panel

4.1 Menu Panel

Figure 3 shows the FinFireWire Menu Panel.

Figure 3: Menu Panel

The left navigation panel contains the following entries:

- Updates: Change Update settings and check for Updates.
- License: Install a new License or display License information.
- Language: Select Display Language.
- About: Display FinFireWire version and EULA.
- Online Help: Visit the FinFisher Support Website.

4.2 Updates

Figure 4 shows all Update settings.

Figure 4: Overview FinFireWire Update

The following Update settings can be configured:

- Disabled: No Update request will be done automatically.
- At Startup: An update request will be triggered on application start.
- Daily: An update request will be triggered every day.
- Weekly: An update request will be triggered every week.
- Monthly: An update request will be triggered every month.
- Check now: An update request will be triggered immediately.
- Import: Import Update File for offline Update.

4.3 License

Figure 5 shows all License information. A new license can be imported.

Figure 5: License Information

Figure 6: Choose the license file to import

If the license is invalid or not installed, press the “Import License” button to install a new License File.

4.4 About

Figure 7 shows the “About” dialog. The About Dialog displays the Version Number and the EULA.

Figure 7: About Dialog

4.5 Main Panel

FinFireWire is controlled through the “MAIN Panel”.

4.5.1 Welcome Screen & Initialization

Figure 8 shows the “Welcome screen” of the FinFireWire wizard.

Figure 8: Main Panel – “Welcome” Screen

After FinFireWire has been started, an initial Setup is done automatically. FinFireWire tries to:

- Search for a FireWire Adapter (internal or external adapter).
- Load all necessary standard FireWire Kernel drivers, to handle the adapter.
- Load a ROM File, which emulates a FireWire device on your Target System.

4.5.2 Device Name

Figure 9 shows the 2nd slide of the FinFireWire wizard. In this step, FinFireWire provides the possibility to customize the device name. A maximum of 32 characters is supported.

Figure 9: Main Panel – “Change Device Name” Screen

The default Device Name is “GAMMA Hard Disk” and should be changed.

4.5.3 Connect

Figure 10 shows the 3rd slide of the FinFireWire wizard. In this step, FinFireWire shows how to connect your FinFireWire system with your Target System. Before you continue, you should wait a little, because the Target System must install a new device and load some drivers. This could take up to 2 minutes!

Figure 10: Main Panel – “Connect” Screen

4.5.4 Operation Selection

Figure 11 shows the 4th slide of the FinFireWire wizard. In this step the operation can be selected.

Figure 11: Main Panel – “Select Operation” Screen

Supported Modes are:

- Bypass a password-protected Login Screen or Screensaver.
- Dump Memory Information into a file for forensic analysis.

4.5.5 Unlock - Target Configuration

Figure 12 shows how to configure your Target System.

Figure 12: Main Panel – “Target Configuration” Screen

- Select the option “Unknown” if you are unsure. FinFireWire will try all known combinations.
  This will increase the estimated operational time.
- Select the Operating System from your Target PC.
- Select the version of the Operating System from your Target PC.
- The maximum memory size of your Target PC will be automatically estimated.

4.5.6 Unlock – Auto Detect Feature

Figure 13 shows the Auto Detect function, which detects the running Operating System and the size of the installed memory.

Figure 13: Main Panel – “Auto Detect” Feature

This function can be used to:

- Detect the Operating System of the Target PC (only Windows / Linux).
- Detect the size of the installed memory on the Target PC.

Limitations:

- Using Auto Detect could fail or crash/freeze your Target PC!
- Only Operating Systems (e.g. Windows/Linux) can be identified, no OS Version (e.g. XP/Ubuntu). If this fails, select the OS manually or select Unknown.
- Sometimes the size of Installed Memory cannot be identified. Accept the default setting or modify it through the Advanced Configuration.

4.5.7 Unlock - Advanced Configuration

Figure 14 shows how to configure advanced RAM settings.

Figure 14: Main Panel – “Advanced Configuration” Screen

Be careful not to exceed the actual existing RAM in the Target PC when configuring the maximum value.

Operating System               Default RAM (max) value
Windows XP                     256 MB
Windows Vista                  512 MB
Windows 7                      896 MB
Linux (graphical Interface)    512 MB
Linux (Console)                256 MB
Mac OSX                        512 MB

Figure 15: Default (“secure”) RAM – Values

These RAM values are based on the minimum system requirements. The system could have more memory installed.

4.5.8 Unlock - Summary / Start

Figure 16 shows a short summary of your settings. After pressing the Unlock button, process information about the current unlocking action will be displayed.

Figure 16: Main Panel – “Unlock - Summary / Start” Screen

Pressing the Stop button will interrupt the current unlocking process immediately.

Figure 17 shows the Popup Message, which will be shown if the authentication mechanism of the Target PC could be patched. Now, any password will be accepted.

Figure 17: Main Panel – “Restore” Question

Please verify whether you can log in to your Target PC. Two options exist:

- Login was successful. Answer the question with “YES”. The previous state of the Login function will be restored. The next time you lock the system, only the original password will be accepted. If you need to log in again, restart the unlock process.
- Login was unsuccessful. Answer the question with “NO”. The unlock process will continue and try to find another combination.

Figure 18 shows the Popup Message that appears if the Target PC couldn’t be unlocked. We recommend changing the following options (exactly in this order!):

- Change the Operating System Selection, e.g. Linux / Ubuntu Linux / Unknown.
- If the Auto Detect feature wasn’t used or failed, increase the RAM (max.) value step by step and continue with step 1 & 2.

Figure 18: Main Panel – “System couldn’t be unlocked”

5 Quick Step-by-Step Introduction

Figure 19 shows a short overview of the 5 main steps when using FinFireWire.

Figure 19: Step-by-Step Introduction

5.1.1 RAM Dump Information - Configuration

Figure 20 shows how to configure the Memory Dump feature.

Figure 20: Main Panel – “RAM Dump Configuration” Screen

- Select Output Filename. (Default File Name is: “memdump_DATE_TIME_RAM-Size.dump”)
- File Splitting is integrated (minimum File Size = 256MB, maximum File Size = 2048MB)
- Set maximum RAM size.
  (maximum RAM Size = 4096MB)

Additional functions:

- Auto Detect size of installed Memory
- Run a Performance Scan (Result: Minutes / Gigabyte)

Option         Notes
Auto Detect    Using Auto Detect could fail or crash/freeze your Target PC!
Benchmark      Non-Critical, cannot crash/freeze your Target PC!

5.1.2 RAM Dump Information - Summary / Start

Figure 21 shows a short summary of your settings. After pressing the Dump button, process information about the current memory dump action will be displayed.

Figure 21: Main Panel – “RAM Dump - Summary / Start” Screen

Pressing the Stop button will interrupt the current memory dump process immediately.

6 Support

All customers have access to an after-sales website that gives the customers the following capabilities:

- Download product information (latest user manuals, specifications, training slides)
- Access change-log and roadmap for products
- Report bugs and submit feature requests
- Inspect frequently asked questions (FAQ)

The after-sales website can be found at ................

In order to avoid copyright disputes, this page is only a partial summary.
