Overview - WikiLeaks



FINFISHER: FinSpy 3.10 User Manual

Copyright 2012 by Gamma Group International, UK
Date: 2012-03-19

Release information

Version | Date | Author | Remarks
--- | --- | --- | ---
1.0 | 2011-12-15 | AH | Initial version
1.1 | 2011-03-19 | LH | Update for version 4.01

Overview

FinSpy is designed to help Law Enforcement and Intelligence Agencies to remotely monitor computer systems and get full access to:

- Online Communication: Skype, Messengers, VoIP, E-Mail, Browsing and more
- Internet Activity: Discussion Boards, Blogs, File-Sharing and more
- Stored Data: Remote access to hard-disk, deleted files, crypto containers and more
- Surveillance Devices: Integrated webcams, microphones and more
- Location: Trace computer system and monitor locations

FinSpy Agent

2.1 FinSpy Agent – User Manual
2.1.1 Quick Start and Overview
2.1.2 Target List
2.1.2.1 Target List – Active
2.1.2.2 Target List – Archived
2.1.2.3 Target List – Target Licensing
2.1.3 Analyse Data
2.1.4 Visualize Data
2.1.5 Target History
2.1.6 Configuration
2.1.6.1 Configuration – General
2.1.6.2 Configuration – Tracking
2.1.6.3 Configuration – Add & Remove Module
2.1.7 Emergency Configuration
2.1.8 Live Session
2.1.8.1 Live Session – Spy Calls
2.1.9 Evidence Protection
2.1.10 Remove Data
2.1.11 Remove Infection
2.1.12 Create Target
2.1.12.1 General
2.1.12.2 Network Configuration
2.1.12.3 Heartbeat Options
2.1.12.5 Self-Removal
2.1.12.6 Select Modules
2.1.12.7 Target Options
2.1.12.8 User Permissions
2.1.12.9 Summary
2.1.13 Tools
2.1.13.1 Tools – Deployment SMS
2.1.13.2 Tools – WAP Push

FinSpy Agent – User Manual

Quick Start and Overview

This chapter describes the handling and layout of the FinSpy Agent user interface. To start the FinSpy Agent, click its icon on the Desktop; this starts the main interface.

- Username and password
- Address and port of FinSpy Master to which the FinSpy Agent connects
- This data will be remembered after the first successful login
- Logoff from the FinSpy Master

After a successful login the main interface of the FinSpy Agent will open.

Name | Description
--- | ---
Data Analysis | Monitors and analyzes data of a selected FinSpy Target or all FinSpy Targets.
Create Target | Opens a wizard which guides through the creation of a FinSpy Target.
Deployment SMS | A popup will open to send out an SMS with the Mobile Trojan as a link.
WAP Push | To send out the Mobile Trojan via WAP Push message.
Configuration | Basic Settings for the FinSpy Agent and FinSpy Master can be defined.
Show Logfiles | Gives the possibility of viewing the FinSpy Master system logfiles.
Agent List | Information about FinSpy users, their user rights, logins and current connections.
License Information | Displays information regarding the license.
About | Shows the FinSpy Agent version and software agreement.
Online Help | Connects to online help on the Gamma Group homepage via internet.

Target List

The Target List contains all actions to manage data and FinSpy Infection of a FinSpy Target.
All FinSpy Targets are listed in two tables under the following categories:

- Active: List of FinSpy Targets currently infected
- Archived: List of FinSpy Targets not infected anymore

The following information of infected FinSpy Targets is available:

Name | Description
--- | ---
Name | Name of FinSpy Installer Package (changeable after FinSpy Infection)
M (Data on Master) | New downloaded data available on FinSpy Master
T (Data on Target) | New data available on FinSpy Target (data is ready to download)
C (Configuration Pending) | The target configuration was changed but not pushed yet to the target
UID | FinSpy Target Unique Identifier
IMSI | International Mobile Subscriber Identity – Identification to the Mobile Network
Phone Number | Displays the Mobile Number of the infected Mobile Phone
Country | Country in which the FinSpy Target is located (detected by public IP)
City | City where the FinSpy Target is located (detected by public IP)
OS | Icon representing the Operating System running on the FinSpy Target mobile
Provider | To which Telecommunication Provider is the mobile phone connected
Base Station | Coordinates of the Base station the mobile phone is connected to
Last Heartbeat Time | When was the last time the mobile phone was connecting to the FinSpy Master
IMEI | This is a unique identifier of each mobile phone
Model | Tries to identify the exact model of the used mobile phone
OS details | Displays the correct version number of the Operating system
Roaming | Is the mobile phone roaming
Roaming Host | The name of the Network which hosts the device while in roaming
Global IP | With which IP address is the Target connected to the Internet
Data link | The data link of the Target (Wifi, 3G, GPRS)
Wifi | If Wifi available on the Target
GPS coordinates | Last known GPS coordinates of the Target
Heartbeat Type | How did the Target connect to the FinSpy Master (SMS, TCP)
GPS Source | The source from where the polar coordinates were retrieved.
Version | The currently installed Trojan License
License | Displays the License ID of the Target

Clicking on a specific target opens all possible actions. Available actions depend on the status of the FinSpy Target (offline/online).

Right-clicking on any column header allows the user to choose which columns shall be displayed.

Target List – Active

The possible actions of an online target are:

Name | Description
--- | ---
Analyse Data | Analyzes data which is already downloaded and available on the FinSpy Master
Visualize Data | Shows the recordings on a visual graph
Target History | Will display information about last known Target locations
Configuration | Management of the FinSpy Target
Emergency Configuration | To configure the FinSpy Target via SMS in case it is not online
Live Session | Opens a live session to monitor a FinSpy Target live
Remove Infection | Removes the FinSpy Infection from the FinSpy Target

Target List – Archived

Possible actions for a FinSpy target which is no longer infected. The recorded data is still persistent on the FinSpy Master but the FinSpy target is not infected anymore.

Name | Description
--- | ---
Analyse Data | Analyzes data which is already downloaded and available on the FinSpy Master
Visualize Data | Shows the recordings on a visual graph
Target History | Will display information about last known Target locations
Remove Data | Removes the recorded data from the FinSpy Master

Target List – Target Licensing

The number of FinSpy Targets which can be monitored on the system is part of the license information which is imported on the FinSpy Master during the installation. After infection, the FinSpy Target has no associated license and all its collecting data features are disabled. The FinSpy Master will allocate a license to the newly infected FinSpy Target, if available. If there is no license available, the FinSpy Agent can still see the FinSpy Target in the Target List and can only work limited with it until an existing infection is removed.
Previously gathered data can still be analyzed.

Once the license is installed on the FinSpy Target all the features become available and the user gains full control over the FinSpy Target.

If all the licenses are used, the newly infected FinSpy Targets will be shown as disabled until a new license is available. To free a license, an existing infection has to be removed from a licensed FinSpy Target. The infection can be removed immediately from an online FinSpy Target or can be scheduled for removal from an offline FinSpy Target. Either way the license will be freed immediately and allocated to an unlicensed target.

Target List – Recorded Data Availability

A star (1) indicates that there is new “Data on Master” available. This means new data was downloaded from the FinSpy Target to FinSpy Master.

A bullet (2) indicates that there is new “Data on Target” available. This means there is new recorded data available on the FinSpy Target (e.g. Keylogger recordings, Skype recordings, etc.) which is not transferred to the FinSpy Master yet.

Target List – Configuration Change Pending

A square (3) indicates that the target configuration was changed by one or more agents but was not pushed yet to the target. The configuration will be pushed to the target when the target sends a TCP heartbeat.

Analyze Data

Analyse Data gives the possibility of showing all the recorded data which was transferred to the FinSpy Master. The recorded data can be viewed, deleted or exported. “Analyze Data” will show a list of all data recorded of the selected FinSpy Target.

All the data of the selected FinSpy Target is displayed as a list. All new entries in the list are displayed with bold characters. This indicates that the data was not processed yet.
Once the data is viewed or exported, the data will not be displayed in bold anymore.

Name | Description
--- | ---
Description | Identifies the module (device/application) of the recorded data set.
I (Importance) | An importance level can be associated to the collected evidence and can be used as ordering criteria. To change the Importance Level, right click in the importance level column of an evidence entry and a popup with all the available importance levels is displayed.
Name | FinSpy Target Name
UID | Unique internal reference to the FinSpy Target
Size | Size of the data set in bytes
Acquired | The date when the data was recorded

Possible actions for the data entries can be shown and additional information is displayed.

Name | Description
--- | ---
Show | Opens the recorded data. In case of streaming data (video, sound) an external player is opened.
Delete | Deletes the data set from the FinSpy Master.
Export | The data is exported to the FinSpy Agent computer. A folder will open where the data is saved in and the downloaded file
Comments | Opens a window where comments to the data can be stored. Every change of the Importance Level is also logged as a comment. Comments which are once done for a specific data cannot be edited or deleted. The Comments are ordered by time in descending order, which means that the last introduced comment is displayed on top.

There is also the possibility to define the search by using filters. The following filters are available:

Name | Description
--- | ---
Start – End Date | From which date to which date should be searched
Module | Module by which the data was recorded (e.g. Webcam, Microphone, Keylogger, ...)
Advanced Options | In case a specific module is selected, additional filters can be applied depending on the module (e.g. All targets of a certain time zone)

Visualize Data

Visualize Data enables the FinSpy Agent to display recorded data in a graphical way. A typical overview will look like the following:

The type of visualization. It will give two different graphs.
It can be chosen between:

- Detailed view per day (default)
- Detailed view per hour

The recorded data on that day. Each data is displayed with the amount of recordings for each module per day.

The importance level can be set.

Detailed view per hour:

- The overview is divided by modules.
- Amount of recording per module is shown. Additionally the options “Change Importance”, “Export Record” and “Remove Record” can be selected.
- Meta-Information for each recording can be viewed if a recording is selected.

To navigate through date and time the mouse can be used, either via mouse-wheel (up/down) or by dragging the scrollbar.

Target History

Target History gives the possibility of displaying the last known locations of the FinSpy Target.

The mobile target history contains information about all the target heartbeats including the time stamp in UTC, the location information and the channel used to send the heartbeat information.

Configuration

To access the configuration of an infected FinSpy Target, the target needs to be selected and “Configuration” clicked.

A new window opens within the FinSpy Agent. The following image illustrates the layout of the FinSpy target configuration. This Workspace is divided in two parts.
The first part is on the left, which contains the modules and different configuration options, and the second is on the right, where module specific configuration options can be set.

Configuration Options:

- General

The following modules are available (table columns: Module Name, Module Icon, Available on the following OS):

Address Book Logging Messages Phone Call Logs Phone Call Interception Spy Calls SMS Messages Tracking Blackberry Messenger

Configuration – General

Infection Executable Information

This information is not changeable.

- Infection Unique ID: An internal ID of the FinSpy Target Installer
- Infection Name: Given name of the target
- Infection Owner: Internal user ID of the user who generated the FinSpy Target
- Max Infections: Maximum number of FinSpy Targets which can be infected by the device or application

Infection Self-removal

Computers which never go online may become infected by mistake and spread an infected application through an organization. To avoid keeping offline computers infected and still recording data, the FinSpy Target can remove itself.

- Scheduled Removal: Date on which the FinSpy Target removes itself from the infected computer
- Time Out Removal: Time after which the FinSpy Target removes itself from the infected computer, if communication with the FinSpy Master fails (even if there is a functional internet connection). This renewal will be disabled once the FinSpy Target contacts the FinSpy Master for the first time.

Target Settings

Behaviour and identification of the FinSpy Target.

- Mobile Target Name: FinSpy Mobile Trojan may infect different targets. To separate the FinSpy Targets the previous Target ID of the infected media can be changed

Time Based Heartbeat Options

Time Based Heartbeat options can be defined here. They define the regular intervals at which the heartbeat takes place.

- Heartbeat Interval: The FinSpy target will send “alive” packets in a defined interval to the FinSpy Master.
This is used to update the online/offline status of the FinSpy Target and control certain events.

Event Based Heartbeat Options

Event based Heartbeat options control the behaviour of a heartbeat when certain events occur on the mobile phone.

- SIM Card Changed
- MCC/MNC/CellID/LAC Changed
- Cellular Network Changed
- Incoming/Outgoing Phone Call
- Wifi Connection Available
- Data Link Available
- Network Services Activated
- Recorded Data Available
- Location Changed: 1 km to 250 km
- Low Battery (Battery level drops below 10%)
- Low Memory (Less than 10% storage space available)

Heartbeat Restrictions

This defines the communication channels which shall be used to send a heartbeat.

- Wifi
- 3G
- SMS

When the Roaming status becomes active and the exception “The device has Roaming status enabled” is checked, the phone will send a last heartbeat with the new roaming status and will stop the heart beating until the FinSpy Target is again in a non-roaming state.

Relay Network Settings

The settings of the network configuration between FinSpy Target and FinSpy Master are:

- Relay IP Address(es): Pre-configured with connected FinSpy Master. This must be the external IP or Hostname address of the FinSpy Master or of the FinSpy Relay. Several IP or hosts can be defined. The infected computer will connect to one of the configured addresses
- Relay Port(s): Pre-configured with settings retrieved by the FinSpy Master

Relay Cellular Configuration

This configuration contains the information about the Relays where the Mobile Targets make the TCP/IP connection as well as the phone numbers where the SMS Heartbeats are sent to.

There must be at least one phone number installed. Otherwise the initial heartbeat cannot be sent.
This initial heartbeat is mandatory as this is the only possibility for the FinSpy Infrastructure to determine the FinSpy Target Phone number.

The Phone numbers must be specified in the following format:

Syntax: +<CountryCode><PhoneNumber>
Example: +49170111111

Positioning Options

This section defines the positioning and locationing options.

Possible options are:

- Last Known Position
- Wifi Positioning System
- Cell Site Triangulation
- Active GPS Device

The order can be sorted with the arrow-up & arrow-down icons. It can also be configured that certain methods will be disabled.

Configuration – Tracking

The sdfsdfsdf

Configuration – Add & Remove Module

To add & remove modules it is not required to create a new FinSpy Target Package. This can be done through the Configuration dialog.

The modules will then immediately be removed from the FinSpy Target or immediately downloaded from the FinSpy Master to the FinSpy Target if added.

- Removing a module
- Adding a module

Emergency Configuration

The Emergency Configuration gives the possibility to remotely configure a mobile phone in case it is not actively coming online anymore or the FinSpy Master Phone number did change for any reason. In this case the configuration can be changed via pushing out an SMS to the target.

The Emergency Configuration is slightly different from the normal Configuration. No Modules can be added or changed. Furthermore the GUI is also slightly different as it will first of all give an overview of the infection.

If any setting is changed and “Save” is selected the SMS will be sent out to the target.

Live Session

Available live access depends on the installed modules on the target. To establish a live session expand a target and select “Live Session”.
All modules which are installed on the Target and furthermore allow a live session will be listed in a dialogue:

Name | Description
--- | ---
Spy Calls | Directly activates the Microphone of the target phone and allows listening to it

Each Live Session is opened in a new tab inside the FinSpy Agent. After closing the live sessions, the connection to the target computer can be ended by clicking “Disconnect” inside the expanded FinSpy Target of tab Target List. The following chapters describe live access of each module in more detail.

Live Session – Spy Calls

For a live-session of the FinSpy Target’s Display, Webcam or Microphone use the “Start” button inside the FinSpy Agent. The quality of the recording depends on the predefined configuration. To stop recording live images or microphone, move the mouse over the image and click the “Stop” button.

Evidence Protection

This feature helps protect the collected evidence by using digital signatures and by logging the actions taken to collect the evidence from a FinSpy Mobile Target.

To use the Evidence Protection, it can be selected via “Evidence Protection” on each FinSpy Mobile Target.

The Evidence Protection Tab contains the following sections:

Name | Description
--- | ---
Evidence | All the collected evidence is listed and the user can check if the signature is valid.
Mobile History | A history of the FinSpy Mobile Target activity can be shown.

Evidence Protection – Evidence

The digital signature can be checked by clicking in the “Check now” (1) field. Once a signature has been verified successfully, the field text will change to “Valid” (2). The signature can be checked for all the collected evidence at a time or by selecting all the entries (Ctrl+A). Exporting of all or certain evidence is possible (3). The folder where the evidence is exported will be opened in a Windows Explorer once the download is finished.
A progress dialog will monitor the download of the evidence since this could be a lengthy operation.

Evidence Protection – Target History

This gives an overview about historical information of a FinSpy Mobile Target such as:

Name | Description
--- | ---
Date | Timestamp with the FinSpy Master time represented in UTC.
Location Source | The method/device used to obtain the Target Location (in Polar Coordinates)
Basestation | Mobile Country Code/Mobile Network Code/Local Area Code/Cell ID
Coordinates | The Polar Coordinates of the Target Location. The position accuracy depends on the Location Source value.
Country | In which country was the Target
City | In which city was the Target

Remove Data

Purging of data removes all data for the selected FinSpy Target from the FinSpy Master database.

To initiate purging of recorded data, expand the respective FinSpy Target in the tab “Target List” and click on “Remove Data”.

Remove Infection

“Remove Infection” will irrevocably delete the Infection on the FinSpy Target and a further infection is not possible without a restart of the FinSpy Target computer.

Create Target

A Target is an executable file or Office Document which includes all modules with which a FinSpy Target can be monitored. Click “Create Target” on the left navigation pane of the FinSpy Agent. This will open the Target Creation Wizard.

Within the wizard, to navigate between the dialogs for configuration, the “Next” or “Previous” buttons can be used, or the items on the left navigation pane can be clicked.

The wizard consists of the following dialogs:

Name | Description
--- | ---
General | Name and heartbeat of FinSpy Installer
Network Options | Settings retrieved by the FinSpy Master.
Heartbeat Options | Criteria when the infection removes itself from the FinSpy Target.
Self-Removal | Options to define the removal of the FinSpy Trojan.
Select Modules | Defining which modules should be integrated with their settings.
Target Options | Advanced configuration of the behaviour of the FinSpy Trojan on the FinSpy Target
User Permissions | Assigning users to the FinSpy Trojan
Summary | Infection Summary

General

General settings configure the behaviour and identification of a FinSpy Installer Package. Some parameters are changeable after infection of a FinSpy Target.

The Operating System of the Target has to be chosen. This will result in a different FinSpy Trojan with different modules.

The following Mobile Operating Systems are currently supported:

Mobile Operating System | Version
--- | ---
Android | 2.x
Blackberry | 4.6, 5.x, 6.x, 7.x
Windows Mobile | 6.1, 6.5

Network Configuration

These settings are explained in chapter: Relay Network Settings & Relay Cellular Configuration.

Heartbeat Options

These settings are explained in chapter: Time Based Heartbeat Configuration, Event Based Heartbeat Configuration & Heartbeat Restrictions.

Self-Removal

“Infection Limit” defines the maximum number of infections per Trojan. If “Max Infections” is set to “3”, then only the first 3 Trojans heart beating to the FinSpy Master will be accepted. “Infection Self-Removal” is explained in chapter: Infection Self-removal.

Select Modules

Check the boxes of respective necessary modules.

For detailed description how to configure each Module see the following chapters:

- Configuration – Tracking

Target Options

Different Installer options can be defined.

For detailed description see the following chapter: Positioning Options

User Permissions

Each creation of a FinSpy Trojan allows assigning users to work with it. Multiple users can be chosen (1).
Furthermore it is possible to give special rights to each user like establishing a Live Session or configuring the FinSpy Target (2).

Summary

A Summary of the generated infection can be reviewed. Listed is the name of the infection, some configuration settings and all chosen modules.

Tools

Two configuration options meant for deployment of the Trojan can be found on the left side of the FinSpy Agent. Currently two possible in-built deployment methods are given.

Tools – Deployment SMS

To send an SMS to the Target the in-built Deployment SMS can be used.

The Deployment SMS basically consists of two parts:

- Target Mobile Number
- Text

The Target Mobile Number must be in the format which contains the country code and the regular phone number.

The Target Mobile phone might display the message like this:

The Text cannot be more than 140 Characters as this is a protocol limitation of SMS and should contain a link to the uploaded FinSpy Mobile Trojan. The Trojan must be uploaded to some web space where the Target can download it from.

Tools – WAP Push

WAP Push SMS are so called Flash SMS or Class-0 SMS. These SMS directly flash onto the screen of the mobile phone and the Target doesn’t need to open the SMS application or similar.

Example:

Support

All customers have access to an after-sales website that gives the customers the following capabilities:

- Download product information (Latest user manuals, specifications, training slides)
- Access change-log and roadmap for products
- Report bugs and submit feature requests
- Inspect frequently asked questions (FAQ)

The after-sales website can be found at:

Password:

In order to avoid copyright disputes, this page is only a partial summary.
