WikiLeaks



Copyright 2010 by Gamma Group International, UK

Date 2011-07-18

Release information

|Version |Date |Author |Remarks |

|1.0 |2010-05-03 |MJM |Initial version |

|1.1 |2010-05-31 |LH |Updated to FinSpy 2.30 specifications. |

|1.2 |2010-05-28 |HT |New format |

|1.3 |2010-08-03 |AH |Updated to FinSpy 2.40 specifications. |

|1.4 |2010-10-22 |LH |Updated to FinSpy 2.50 specifications. |

|1.5 |2011-01-18 |LH |Updated to FinSpy 2.60 specification. |

|1.6 |2011-02-23 |LH |Moved the Mac OS X feature from the planned to the supported section. |

|1.7 |2011-07-01 |LH |Updated to FinSpy 3.0 specifications. |

|1.8 |2011-07-18 |TM |Review |

Table of Content

1 Overview

1.1 Terminology

2 Capabilities

2.1 Target System

2.1.1 Installer

2.1.2 Framework

2.1.3 Data Collectors

2.1.4 Infection Limit

2.1.5 Auto-Removal

2.2 Headquarter

2.2.1 Target Creation

2.2.2 Target List

2.2.3 Target Control

2.2.4 Hiding the Location

2.2.5 Database

2.2.6 Evidence Protection

2.2.7 Administration

2.2.8 User Management

2.2.9 LEMF Interface

2.2.10 License System

3 Components

3.1 Agent Systems

3.2 Infrastructure

3.3 Documentation

4 Anti-Virus Testing

5 Updates & Support

Overview

FinSpy is designed to help Law Enforcement and Intelligence Agencies to remotely monitor computer systems and get full access to:

▪ Online Communication: Skype, Messengers, VoIP, E-Mail, Browsing and more

▪ Internet Activity: Discussion Boards, Blogs, File-Sharing and more

▪ Stored Data: Remote access to hard-disk, deleted files, crypto containers and more

▪ Surveillance Devices: Integrated webcams, microphones and more

▪ Location: Trace computer system and monitor locations

[pic]

This document describes the full capabilities, the included hardware and software, anti-virus testing, and the support and update system.

1 Terminology

|Name |Description |

|FinSpy Target |Software that is deployed on the Target System |

|FinSpy Master |System in Headquarter that manages all FinSpy Targets and receives their data |

|FinSpy Relay |Proxy that can be deployed around the world to hide the true location of the FinSpy Master server |

|FinSpy Agent |GUI software to: |

| |Create FinSpy Target Installers |

| |Access and configure installed FinSpy Targets |

| |Analyze gathered Data |

| |Export gathered Evidence (Data) |

| |Configure FinSpy Master and Proxy |

Capabilities

1 Target System

The following sections describe the features concerning the Target System.

1 Installer

The installer is the part of the FinSpy Target that deploys the actual software onto the Target System, ensures that it is loaded at every system boot and hides it from Anti-Virus software.

1 Supported Operating Systems

The FinSpy Target component currently supports the following Operating Systems:

▪ Microsoft Windows 2000 Clean / SP1 / SP2 / SP3 / SP4

▪ Microsoft Windows XP Clean / SP1 / SP2 / SP3

▪ Microsoft Windows Vista Clean / SP1 / SP2 / SP3 (32 Bit & 64 Bit)

▪ Microsoft Windows 7 (32 Bit & 64 Bit)

▪ Mac OS X 10.6.x

▪ Linux 2.6

The FinSpy Target can be installed on these Operating Systems from both Administrator and regular user accounts.

2 Permanent Installation

The FinSpy Target is installed covertly onto the Target System and will be run at every system boot. The exact installation technique depends on whether the software was deployed from a limited user or full administrator account.

If deployed in the Master Boot Record, the software is resistant to:

▪ Security software such as Deep Freeze, which removes all files created or installed during a session after logout

▪ Re-Installation of Operating System

▪ Regular Format of Hard-Disk and Re-Installation of Operating System

3 Permutation

To prevent a simple way of detecting whether FinSpy Target is deployed on a Target System, several permutation techniques are implemented that ensure:

▪ Random File-Names and Storage Locations

▪ Random Module Names

▪ Random Auto-Start Techniques

▪ Random Communication Techniques (depending on configuration)

4 Active Hiding

Gives the operator the option of using intrusive techniques to hide the infection's files and folders, registry entries and network connections.

5 Hide inside Files

For initial deployment, the FinSpy Target executable can be hidden inside various file-types:

▪ Executable: Hide inside other Software (.exe)

▪ Screensaver: Hide inside a Screensaver (.scr)

▪ Microsoft Office Word Document: Hide inside any Word 97-2003 file (.doc)

▪ Microsoft Office Excel Document: Hide inside any Excel 97-2003 file (.xls)

▪ Other Files: Hide inside any given file by converting it to an Executable with the original icon and behaviour

After the first run of such a prepared file, the FinSpy Target software is deployed on the Target System and removed from the original file, so that the file itself no longer carries any evidence of the infection.

2 Framework

The following sections describe the basic framework of the FinSpy Target software.

1 Modular System

The software is designed as a modular framework; therefore it consists of a small core application (approx. 150KB) and all features are implemented as separate modules.

[pic]

All modules can be:

a) Configured at creation time and included in the Installer package

b) Uploaded and Configured or Removed in a Live Session with the Target System

c) Updated separately during Live Sessions

2 Communication

The communication between Target System and Headquarter is based on reverse connections using standard ports and protocols.

FinSpy Target sends regular heart-beats in configurable intervals to the FinSpy Master.

[pic]

When a FinSpy Agent opens a live connection to a FinSpy Target, it does not actively connect to it but rather uses the connection that the Target System has already established, which bypasses common network- and host-based firewalls. FinSpy Target also randomly selects the Relay and Port for each connection it creates.
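From the defender's side, the heart-beat described above is what a network analyst looks for: connections from one host to the same destination that recur at a near-constant interval, regardless of the port used. The following Go program is an added example (not part of the original document and not Gamma's code) that reads constructed connection records, groups them by source and destination host, and flags pairs whose inter-arrival times have a low coefficient of variation. The log format, the thresholds and the sample addresses are this example's own assumptions.

```go
package main

import (
	"fmt"
	"math"
	"net"
	"sort"
	"strings"
	"time"
)

// Flow is one outbound connection: start time, source host, destination host.
// The port is dropped because the text says the Target picks ports at random.
type Flow struct {
	At       time.Time
	Src, Dst string
}

// Constructed sample log (not real FinSpy traffic): 10.0.0.5 contacts
// 203.0.113.7 about every five minutes on varying ports and browses
// 198.51.100.20 at irregular times. Format: "<RFC3339 time> <src> <dst:port>".
const sampleLog = `2011-07-18T08:00:00Z 10.0.0.5 203.0.113.7:443
2011-07-18T08:00:04Z 10.0.0.5 198.51.100.20:80
2011-07-18T08:00:05Z 10.0.0.5 198.51.100.20:80
2011-07-18T08:03:40Z 10.0.0.5 198.51.100.20:80
2011-07-18T08:05:02Z 10.0.0.5 203.0.113.7:80
2011-07-18T08:09:58Z 10.0.0.5 203.0.113.7:443
2011-07-18T08:15:01Z 10.0.0.5 203.0.113.7:8080
2011-07-18T08:17:12Z 10.0.0.5 198.51.100.20:443
2011-07-18T08:20:00Z 10.0.0.5 203.0.113.7:443
2011-07-18T08:31:00Z 10.0.0.5 198.51.100.20:80`

// ParseFlows reads the log format above and rejects malformed lines.
func ParseFlows(raw string) ([]Flow, error) {
	var flows []Flow
	for n, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("line %d: want 3 fields, got %d", n+1, len(f))
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		host, _, err := net.SplitHostPort(f[2])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		flows = append(flows, Flow{At: at, Src: f[1], Dst: host})
	}
	return flows, nil
}

// BeaconScores returns, for every "src->dst" pair seen at least minCount times,
// the coefficient of variation (stddev/mean) of its inter-arrival times. A fixed
// or lightly jittered heart-beat scores near 0; human traffic near or above 1.
func BeaconScores(flows []Flow, minCount int) map[string]float64 {
	byPair := map[string][]time.Time{}
	for _, f := range flows {
		byPair[f.Src+"->"+f.Dst] = append(byPair[f.Src+"->"+f.Dst], f.At)
	}
	scores := map[string]float64{}
	for pair, ts := range byPair {
		if len(ts) < minCount {
			continue
		}
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		gaps, sum := make([]float64, 0, len(ts)-1), 0.0
		for i := 1; i < len(ts); i++ {
			g := ts[i].Sub(ts[i-1]).Seconds()
			gaps, sum = append(gaps, g), sum+g
		}
		mean := sum / float64(len(gaps))
		if mean == 0 {
			continue // everything at the same instant: a burst, not a beacon
		}
		sq := 0.0
		for _, g := range gaps {
			sq += (g - mean) * (g - mean)
		}
		scores[pair] = math.Sqrt(sq/float64(len(gaps))) / mean
	}
	return scores
}

// FindBeacons lists pairs whose score is at or below maxCV, sorted by name.
func FindBeacons(flows []Flow, minCount int, maxCV float64) []string {
	var hits []string
	for pair, cv := range BeaconScores(flows, minCount) {
		if cv <= maxCV {
			hits = append(hits, pair)
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	flows, err := ParseFlows(sampleLog)
	if err != nil {
		panic(err)
	}
	for pair, cv := range BeaconScores(flows, 4) {
		fmt.Printf("%-28s cv=%.3f\n", pair, cv)
	}
	fmt.Println("beacon candidates:", FindBeacons(flows, 4, 0.1))
}
```

Grouping by host rather than host:port is deliberate, since the text says ports are chosen at random per connection. Rotation across several Relays dilutes per-destination periodicity, so in practice the next step is to group by source host and the set of rarely contacted destinations; a small jitter on the interval still scores low here because it is small relative to the interval itself.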

All communication between the Target System and the Headquarter is end-to-end encrypted using the following algorithms:

▪ RSA 2048-bit

▪ AES (Rijndael) 256-bit

▪ SHA 256-bit

On generation, each FinSpy Target is assigned its own dedicated RSA key-pair for the encryption, so that the compromise of one FinSpy Target does not affect the integrity of any other.

3 Data Encryption

All data that is recorded and temporarily stored on the Target System is fully encrypted before being written to disk, using the following algorithms:

▪ RSA 2048-bit

▪ AES (Rijndael) 256-bit

▪ SHA 256-bit

When encrypting the data, FinSpy Target uses the RSA public certificate of the Headquarter. It is therefore itself unable to decrypt the stored data; it can only send it back to the FinSpy Master.
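The scheme in the Communication and Data Encryption sections above (RSA-2048 for key transport, AES-256 for bulk data, SHA-256 as the hash) is standard hybrid encryption. The following Go program is an added example, not the original document's or Gamma's code, showing the property the text relies on: the Target side holds only the Headquarter's public key, so it can seal a record it can never reopen, and the Headquarter rejects any record that was altered on disk. The use of AES-GCM and OAEP, the record layout and the constructed Target UID and keylog line are this example's own assumptions; the page does not say how its SHA-256 is applied.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sealed is one encrypted record as it would sit on the Target's disk: the
// per-record AES-256 key wrapped to the Headquarter's RSA-2048 public key,
// plus the AES-GCM nonce and ciphertext. Names are this example's own.
type Sealed struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the Target side. It needs only hqPub: a fresh random AES-256 key
// encrypts the record and RSA-OAEP (SHA-256) wraps that key. The label (the
// Target UID) is bound into both the OAEP wrap and the GCM tag, so a record
// cannot be silently re-attributed to another Target.
func Seal(hqPub *rsa.PublicKey, plaintext, label []byte) (*Sealed, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, hqPub, key, label)
	if err != nil {
		return nil, err
	}
	return &Sealed{WrappedKey: wrapped, Nonce: nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, label)}, nil
}

// Open is the Headquarter side: unwrap the AES key with the private key and
// decrypt. Any modified byte in the record fails GCM authentication.
func Open(hqPriv *rsa.PrivateKey, s *Sealed, label []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, hqPriv, s.WrappedKey, label)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.Ciphertext, label)
}

// Roundtrip generates the Headquarter key pair, seals a constructed record the
// way a Target would, reopens it at the Headquarter and checks that a tampered
// copy is refused. It returns the recovered text and whether the copy was refused.
func Roundtrip() (string, bool, error) {
	hq, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, err
	}
	uid := []byte("target-uid-0001") // constructed Target UID
	rec, err := Seal(&hq.PublicKey, []byte("keylog 08:00 notepad.exe: hello"), uid)
	if err != nil {
		return "", false, err
	}
	got, err := Open(hq, rec, uid)
	if err != nil {
		return "", false, err
	}
	bad := *rec
	bad.Ciphertext = append([]byte(nil), rec.Ciphertext...)
	bad.Ciphertext[0] ^= 0x01 // flip one bit of the stored record
	_, tamperErr := Open(hq, &bad, uid)
	return string(got), tamperErr != nil, nil
}

func main() {
	got, rejected, err := Roundtrip()
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered at HQ: %q\ntampered copy rejected: %v\n", got, rejected)
}
```

The point for an analyst examining a seized Target System is the same one the text makes: the on-disk recordings are useless without the Headquarter's private key, so recovery of evidence has to come from the Master side or from the plaintext while it is still in the Target process's memory.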

4 Time-Based Events

Several modules can be configured to activate their functionality through Time-Based Events (TBE) which are configured with the following values:

▪ Start Event Date: The date when the recording should start

▪ Event Time: The time when the recording should start

▪ Time Zone: The time zone to be used for the scheduled tasks:

o Local: The local time on the FinSpy Master server

o UTC: Coordinated Universal Time

o Target: Local time on the Target System

▪ Interval: The repetition of the task:

o Once: Do not repeat the recording

o Daily: Repeat the configured task on a daily basis

o Weekly: Repeat the configured task on a weekly basis

o Monthly: Repeat the configured task on a monthly basis

▪ Duration: Duration of the recording

Configuration Dialog

[pic]

The following modules can be used in time-based events:

▪ Microphone Recording

▪ Screen Recording

▪ Webcam Recording

Example of scheduled Events

[pic]

5 Application-Based Events

Application-Based Events (ABE) is a feature that allows FinSpy Target to react to applications that are running on the Target System. It offers three options:

▪ Disabled: Do not use Application-Based Events

▪ Active for Event: The module will be activated whenever the application is running

▪ Inactive for Event: The module will be de-activated whenever the application is running

ABE Example

[pic]

Active for Event can, for example, be used to avoid any network and system activity unless a certain process is running, e.g. no data is sent unless skype.exe, bittorrent.exe etc. are running.

Using this technique, the traffic created by FinSpy Target is effectively hidden inside the network traffic created by other running applications.

Inactive for Event can be used effectively for Anti-Forensics: for example, FinSpy Target can be configured to suspend all communication and activity as soon as certain software is running, such as network analyzers (e.g. Wireshark) or debuggers (e.g. IDA Pro). Because the trigger keys on which applications are running on the Target System, an analyst who captures traffic on a separate host or a network tap, rather than on the Target System itself, avoids tripping it.

3 Data Collectors

The following chapters outline the basic functionalities of the data collection modules.

1 Keylogger

The Keylogger module is designed to capture everything that is typed on the Target System’s keyboard and therefore capture information like passwords, e-mails, chats and more.

The Keylogger can be used in 2 different modes:

▪ Permanent Background Recording: Record the keystrokes permanently in the background and transmit the recorded data in configured intervals

▪ Live Session: Display all typed characters in real-time while the Target System is online

Additional to the Keystrokes, the following information is recorded:

▪ Target Window: The Window where the data has been sent

▪ Time: Timestamp of Event

Using this meta-information, it is possible to apply filters to the recorded data and easily separate it according to where the keys have been sent to.

Functional keys like Backspace, Space and Return are recorded in raw-format and can be displayed in raw format or interpreted by the viewer application.

Example Keylogger Recording

The Keylogger module has full Unicode and IME (Input Method Editor) support.

Through the implemented Application-Based Events, the Keylogger module is able to filter the recorded data inputs through the following configuration options:

▪ Process Name: Ignore all or only record keystrokes that are being sent to a certain process (e.g. Offline Games)

▪ Window Title: Ignore all or only record keystrokes that are being sent to an application with a certain window title (e.g. only record the keystrokes for specific websites instead of all keys that are being sent to the Web-browser)

2 File Access

The File Access module is designed to enable the Operator to remotely access files located on the Target System's hard-disk or on any attached storage device (e.g. USB stick or external hard-disk).

The File Access module can be used in the following mode:

▪ Live Session: Provide full access to all existing drives while the Target System is online

The File Access module displays all files including the following meta-information:

▪ Location: Location where the file is saved

▪ Filename: The original name of the file

▪ Size: Size of the file in KB

▪ Created: Date and Time when the file was created

▪ Last-Accessed: Date and Time when the file was last accessed

▪ Last-Modified: Date and Time when the file was last modified

▪ Attributes: File Attributes (e.g. Hidden or System)

When a file is downloaded from the Target System, this information is recorded as part of its meta-information. Downloading multiple files and recursive folders is supported.

Files can also be uploaded; the source file and the target destination must be specified.

Example File Access

[pic]

The module also contains a Search functionality which enables the Operator to search selected drives and folders using the standard Windows file-search wildcard patterns (not regular expressions), e.g. “*.doc”.

3 Screen

The Screen module is designed to capture the content of the Screen on the Target System as it is displayed on the Target’s monitor.

The Screen module can be used in 3 different modes:

▪ Scheduled Background Recording: Record the Screen in the background according to the scheduled recording times and durations

▪ Live Session: Display the Screen in real-time while the Target System is online

▪ Application-Based Events Recording: Record either the full screen or only the window (depending on the configuration) whenever a specified application or window title has the focus

Example Screen Recording

[pic]

The following options can be configured for the Screen module:

▪ Video Quality: Compression of captured image (Best, High, Normal, Low)

▪ Image Size: Resolution of recorded image (100%, 80%, 50%, 25%)

▪ Mode: Record images in colour or black/white

▪ Frequency: Interval in which images are recorded (every 2 seconds up to every 1 hour)

▪ Automatic Recording: Disabled, record only the focused window if it is in the list described below, or record the full screen if the focused window is in the list described below.

▪ Application Category: The application names and/or window titles for which the automatic recording should be triggered.

Example Screen Configuration

[pic]

The size per image is between 4 KB and 291 KB, depending on the configured settings.

The recorded images are compiled into an OGV (Theora) video file.

4 Webcam

The Webcam module is designed to capture images from the Webcam on the Target System.

The Webcam module can be used in 2 different modes:

▪ Scheduled Background Recording: Record the Webcam in the background according to the scheduled recording times and durations

▪ Live Session: Display the Webcam in real-time while the Target System is online

Example Webcam Recording

[pic]

The following options can be configured for the Webcam module:

▪ Video Quality: Compression of captured image (Best, High, Normal, Low)

▪ Image Size: Resolution of recorded image (100%, 80%, 50%, 25%)

▪ Mode: Record images in colour or black/white

▪ Frequency: Interval in which images are recorded (every 2 seconds up to every 1 hour)

Example Webcam Configuration

[pic]

The size per image is between 3 KB and 233 KB, depending on the configured settings.

The recorded images are compiled into an OGV (Theora) video file.

5 Microphone

The Microphone module is designed to capture the audio signal from the Microphone on the Target System.

The Microphone module can be used in 2 different modes:

▪ Scheduled Background Recording: Record the Microphone in the background according to the scheduled recording times and durations

▪ Live Session: Play the audio signal from the Microphone in real-time while the Target System is online

The following options can be configured for the Microphone module:

▪ Sound Quality: Configure the audio quality (Best, High, Normal, Phone, Low)

Example Microphone Configuration

[pic]

The size of the audio recordings depends on the configuration. 1 minute of recording is usually between 70KB and 200KB. The audio is recorded in OGG (Ogg Vorbis) format.

6 Command Shell

The Command Shell module is designed to enable the Operator to remotely access the Operating System's command shell.

The Command Shell module can be used in the following mode:

▪ Live Session: Provide full access to the command shell while the Target System is online

Example Command Shell Session

[pic]

The executed commands and the outputs of the command shell are recorded as log files in the FinSpy database.

7 Skype

The Skype module is designed to capture all communication that is done through Skype on the Target System.

The Skype module is used in the following mode:

▪ Permanent Background Recording: Whenever a configured Skype event occurs, it is immediately recorded in the background

The following features are included in the module:

▪ Phone Calls: Record all incoming and outgoing Skype calls including meta-information

▪ Text Messaging: Record all incoming and outgoing Skype chats including meta-information

▪ File Transfers: Intercept all incoming and outgoing files that are transferred through Skype

▪ Contact List: Retrieve the Skype contact list on first start and whenever it changes

Example Recorded Data

[pic]

The following options can be configured for the Skype module:

▪ Recording Mode: Configure what data to intercept (Calls, Chats, Transferred Files, Contact List)

▪ Sound Quality: Audio quality of intercepted Skype calls (Best, High, Normal, Phone, Low)

▪ File Options: Record all transferred files or limit recording to certain file-types (e.g. Office and PGP files)

Example Skype Configuration

[pic]

The following data files are created by the Skype Module:

▪ Skype Calls: The calls are recorded in OGG (Ogg Vorbis) files. The audio is separated over 2 channels (Stereo) with the Target System on the left channel and the other call-participants on the right channel

▪ Skype Chats: The conversations are recorded into log files

▪ Skype Files: The transferred files are stored in raw format including the meta-information

▪ Skype Contact List: The retrieved contact list is stored in a CSV file

8 Changed Files

The Changed Files module is designed to record all files that are changed on the Target System, including copied, moved and newly created files.

The Changed Files module can be used in the following mode:

▪ Permanent Background Recording: Whenever a file is changed on the disk a copy of it is made.

The main feature of this module is the filtering of which files are recorded, which works on three levels:

▪ Locations: The location(s) where the software watches for changes, either the whole file system with all drives and folders or specific location(s) only.

▪ Exceptions: Subfolders of the watched locations above that are excluded from watching.

▪ File Types: The file types that are taken into consideration and recorded.

[pic]

9 Deleted Files

The Deleted Files module is designed to make a recording of all the files deleted from the system no matter if they are sent to Recycle Bin or completely deleted (using Shift+Delete).

The Deleted Files module can be used in the following mode:

▪ Permanent Background Recording: Whenever a file is deleted a copy of it is made.

The main feature of this module is the filtering of which files are recorded, which works on three levels:

▪ Locations: The location(s) where the software watches for deletion requests, either the whole file system with all drives and folders or specific location(s) only.

▪ Exceptions: Subfolders of the watched locations above that are excluded from watching.

▪ File Types: The file types that are taken into consideration and recorded.

[pic]

10 Forensics Module

The Forensics Module is designed to execute predefined binaries on the Target System. These applications allow the FinSpy Agent to retrieve data stored on the Target System.

[pic]

The specified application is uploaded to the Target System and then executed. It remains hidden on the Target System until it is deleted manually.

The following categories exist:

▪ System

▪ Network

▪ Passwords

▪ Internet

11 Printer Module

The Printer Module captures and records the documents that are sent to the printer. The captured print jobs are encoded as PDF documents.

12 VoIP Module

The VoIP module provides a generic method of capturing the incoming and outgoing audio streams of VoIP applications. The operator can enable or disable recording for application groups as well as for individual applications.

Besides capturing the audio streams, the module also takes a screenshot of the monitored application to provide additional information about the conversation participants.

[pic]

14 Accessed Files Module

Records all accessed documents that meet the conditions of the filters configured in the module configuration:

▪ Locations: The location(s) where the software watches for accessed files, either the whole file system with all drives and folders or specific location(s) only.

▪ Exceptions: Subfolders of the watched locations above that are excluded from watching.

▪ File Types: The file types that are taken into consideration and recorded.

[pic]

By default, Windows 7 and Windows Vista open pictures with Windows Explorer, which may access more picture files than the one opened if the folder contains several. For this reason, recording of picture files opened through Windows Explorer is disabled by default. The operator can enable it with the option "Record image files accessed by explorer.exe".
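The three-level filter shared by the Changed Files, Deleted Files and Accessed Files modules, together with the explorer.exe picture exception from the paragraph above, as an added example in Go (not the original document's or Gamma's code). The field names, the path normalisation, the image-extension list and all sample paths and process names are this example's own assumptions; it shows how the three levels combine and where the edge cases are (a sibling folder whose name merely starts with a watched root, case-insensitive Windows paths, an exception nested under a root).

```go
package main

import (
	"fmt"
	"strings"
)

// Filter is the three-level recording filter: watched roots, excluded
// subfolders of those roots, and the file types worth recording.
type Filter struct {
	Roots      []string // watched locations; empty means every drive and folder
	Exceptions []string // subfolders of Roots that are not watched
	Extensions []string // e.g. ".doc"; empty means every file type
	// Accessed Files only: Explorer touches neighbouring pictures when one is
	// opened, so image reads by explorer.exe are skipped unless enabled.
	RecordExplorerImages bool
}

var imageExts = map[string]bool{".jpg": true, ".jpeg": true, ".png": true, ".gif": true, ".bmp": true}

// norm makes Windows paths comparable: lower-case, backslashes, no trailing slash.
func norm(p string) string {
	p = strings.ToLower(strings.ReplaceAll(p, "/", `\`))
	return strings.TrimRight(p, `\`)
}

// under reports whether path is dir itself or lies below it, by whole path
// components, so C:\Docs.old is not under C:\Docs.
func under(path, dir string) bool {
	path, dir = norm(path), norm(dir)
	return path == dir || strings.HasPrefix(path, dir+`\`)
}

// ext returns the lower-cased extension of the last path component.
func ext(p string) string {
	base := norm(p)
	base = base[strings.LastIndex(base, `\`)+1:]
	if i := strings.LastIndex(base, "."); i >= 0 {
		return base[i:]
	}
	return ""
}

// ShouldRecord decides whether a file event at path, raised by the named
// process, passes all three filter levels plus the Explorer exception.
func (f Filter) ShouldRecord(path, process string) bool {
	if len(f.Roots) > 0 {
		watched := false
		for _, r := range f.Roots {
			if under(path, r) {
				watched = true
				break
			}
		}
		if !watched {
			return false
		}
	}
	for _, e := range f.Exceptions {
		if under(path, e) {
			return false
		}
	}
	e := ext(path)
	if len(f.Extensions) > 0 {
		selected := false
		for _, want := range f.Extensions {
			if e == strings.ToLower(want) {
				selected = true
				break
			}
		}
		if !selected {
			return false
		}
	}
	if imageExts[e] && strings.EqualFold(process, "explorer.exe") && !f.RecordExplorerImages {
		return false
	}
	return true
}

// Event is a constructed file event: the path and the process that caused it.
type Event struct{ Path, Process string }

// SampleFilter and SampleEvents are constructed for the demonstration.
var SampleFilter = Filter{
	Roots:      []string{`C:\Users\bob\Documents`, `D:\`},
	Exceptions: []string{`C:\Users\bob\Documents\Temp`},
	Extensions: []string{".doc", ".xls", ".pgp", ".jpg"},
}

var SampleEvents = []Event{
	{`C:\Users\bob\Documents\plan.doc`, "winword.exe"},      // recorded
	{`C:\Users\bob\Documents\Temp\plan.doc`, "winword.exe"}, // exception folder
	{`C:\Users\bob\Documents\notes.txt`, "notepad.exe"},     // type not selected
	{`C:\Users\bob\Desktop\plan.doc`, "winword.exe"},        // outside the roots
	{`D:\backup\KEYS.PGP`, "gpg.exe"},                       // recorded, case-insensitive
	{`C:\Users\bob\Documents.old\plan.doc`, "winword.exe"},  // sibling folder, not under a root
	{`D:\photos\a.jpg`, "explorer.exe"},                     // skipped: Explorer image read
	{`D:\photos\a.jpg`, "mspaint.exe"},                      // recorded
}

// Decide runs the filter over the events and maps "path|process" to the decision.
func Decide(f Filter, events []Event) map[string]bool {
	out := map[string]bool{}
	for _, ev := range events {
		out[ev.Path+"|"+ev.Process] = f.ShouldRecord(ev.Path, ev.Process)
	}
	return out
}

func main() {
	for _, ev := range SampleEvents {
		fmt.Printf("%-42s %-12s %v\n", ev.Path, ev.Process, SampleFilter.ShouldRecord(ev.Path, ev.Process))
	}
}
```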

4 Infection Limit

In order to prevent accidental infection of non-Target Systems (e.g. when the Target forwards an infected Office document to other contacts before opening it), a maximum number of infections can be specified.

Example Infection Limit

[pic]

When the number of infections with this specific FinSpy Target executable has been reached, all further systems will not get infected when running the application.

5 Auto-Removal

The FinSpy Target can remove itself and delete all its data from the Target System at a configured date and time. This is often required by the legal system in countries where Target Systems may only be monitored for the period specified in a warrant.

Example Auto-Removal Configuration

[pic]

2 Headquarter

The following sections describe the features concerning the Headquarter systems.

1 Target Creation

For each Target System, a new FinSpy Target can be easily generated and customized through the FinSpy Agent software which includes configuration of:

▪ Infection Name: Assign a custom name to the Executable. Additional to this, a unique ID for the FinSpy Target executable will be created and each infected Target System will be assigned a separate unique ID in case the Executable is used to infect multiple Target Systems

▪ Configure Network Communication: Configure up to 50 FinSpy Relay proxies and up to 20 TCP ports that are used for the communication between Target System and Headquarter

▪ Configure Auto-Removal: Configure a fixed date when the FinSpy Target should self-destruct and remove itself automatically from the Target System (online or offline)

Note: This value can be changed in live connections

▪ Configure Application-Based Events: Select which applications should start or stop the data transmission

▪ Select Modules: Select which Modules to include and configure Module-specific options

▪ Prepare Infection: Apply infection techniques (e.g. infect Microsoft Office Document)

FinSpy Target Creation

[pic]

2 Target List

The FinSpy Agent software displays an overview of all infected Target Systems in 3 sections:

▪ Online: Target System is online and can be accessed

▪ Offline: Target System is offline, only recorded data can be accessed

▪ Archived: Target System is no longer infected but recorded data can still be accessed

Example Target List

[pic]

The following information is displayed for each Target System:

▪ Name: Name of FinSpy Target

▪ UID: Unique ID of Target System

▪ Data on Master: New data is available on the FinSpy Master

▪ Data on Target: New data has been recorded on the Target System

▪ Computer: System name of Target System

▪ User: Username of the user who executed the FinSpy Target

▪ Install Mode: Mode in which the Target was installed

▪ Country: Country where the Target System is located

▪ City: City where the Target System is located

▪ Global IP: External IP address of Target System

▪ Local IP: Local IP address of Target System (e.g. LAN address)

▪ OS: Installed Operating System

▪ OS Details: Patch level of the Operating System and Architecture

▪ Target Time: Current time on Target System

▪ Time Zone: Time Zone setting on Target System

▪ Alarm: Configured Alarms

▪ Version: Current version of installed FinSpy Target

▪ License: License String of the Target

3 Target Control

After the FinSpy Target software has been deployed on a Target System, it can be controlled and configured from the Headquarter through the FinSpy Agent user interface.

Example Target Control Selection

[pic]

1 Analyse Data

All data which has been acquired from Target Systems can be analyzed and classified in the user interface.

Example Data Analysis

[pic]

The following information is displayed for each recorded file:

▪ Name: Target Name

▪ UID: Target unique ID

▪ Recorder Module: Which module created this file

▪ Module Configuration: Quality Settings, etc.

▪ Download Time Master: Local time on Master when the file was downloaded

▪ Download Time Target: Local time on Target when the file was downloaded

▪ Size: Size of File

▪ Comments: Individual Comments which have been added by the Operators

▪ Importance Level: Classification of importance that has been set by the Operators

The other Meta information depends on the type of module, for example:

▪ Skype: Logged in User, Chat/Call Partner(s), Duration of Call, etc.

▪ Downloaded Files: Opened/Edited/Created headers, original Location, etc.

Example Comments

[pic]

To give a better visualization of the recorded evidence, internal viewers were implemented that display the data in an intuitive format:

▪ Key Logger Recordings Viewer

[pic]

▪ Forensics Tool Viewer

[pic]

▪ Audio Recording Viewer

[pic]

2 Download Schedule

In order to transmit the recorded data from the Target System to the Headquarter, different techniques are implemented:

▪ Event-Based: Transmit data when a certain event occurs, for example: The screensaver is running, the screen is locked or new data has been recorded

Example Event-Based

[pic]

▪ Time-Based: Transmit data at configured dates/times. This data transmission can be configured to be repeated daily, weekly or monthly

Example Time-Based

[pic]

3 Download Now

Selective download capability is provided, and the user can select the recordings which should be downloaded and manually trigger the download.

[pic]

This feature lets the operator define the order in which recorded data is downloaded and delete recordings of no interest directly on the Target System, without the overhead of first downloading the unwanted data.

4 Live Sessions

Live Sessions can be established with Target Systems that are currently online. Using Live Sessions, it is possible to get real-time access to the modules like Microphone, Screen, Webcam and File-System.

The chapter “Data Collectors” covers all modules in detail.

Example Live-Session Modules

[pic]

All data that is streamed during the Live Sessions is in parallel recorded in the central database for later analysis.

5 Configuration

The Target Systems can be easily configured through the user interface. This includes:

▪ Main Options: Configure the name of the FinSpy Target, network communication options, Application-Based Events and more.

▪ Modules: Add and remove modules or temporarily disable them. Configure all module-specific options (e.g. quality settings)

Example Configuration Dialog

[pic]

Licensed Targets that are offline can also be configured by the Agent; the Master uploads the configuration to the Target as soon as it comes online.

6 Alert Settings

Individual alert events can be configured for each Target System (online or offline):

▪ Target Online: A message is sent when the Target System appears online

▪ Data Available: A message is sent when the Target System has recorded new data

▪ Data Downloaded: A message is sent when new data has been retrieved by the FinSpy Master server

Alert Configuration Example

[pic]

When an alert occurs, a notification E-Mail is sent to the configured E-Mail address.

The content of the E-Mail contains short information about:

▪ Target System

▪ Type of Alert

The generated E-Mail is kept short so that it can be combined with an E-Mail-to-SMS gateway that forwards it directly to a configured mobile phone.

7 Remove Infection

When the monitoring of a specific Target System is no longer required, the FinSpy Target software can be remotely removed from it.

This feature removes all files related to the FinSpy Target component and all temporary-stored data from the Target System.

8 Remove Data

In case the data which has been recorded from a specific Target System is no longer required, it can be locally deleted from the Headquarter servers.

9 Update

When a new version is available, the button becomes enabled and the user can choose to update the FinSpy Target installed on the Target System. This can also be done automatically by setting the appropriate flags on the FinSpy Master.

4 Hiding the Location

When analyzing a Target System on which FinSpy Target is installed without paranoid Application-Based Event settings, forensic professionals will be able to detect the outgoing traffic created by the FinSpy Target software. To prevent them from determining the location and country of the Headquarter, FinSpy Relay was developed, which enables the operator to set up anonymous proxies around the world.

The FinSpy Relay software currently supports the following Operating Systems:

▪ Debian / Ubuntu Linux: min 256 MB RAM, recommended 512 MB

▪ Microsoft Windows Server 2003/2008: min 512 MB RAM, recommended 1 GB

Example Setup

[pic]

As FinSpy Relays are usually set up on Virtual Private Servers (VPS) in several different countries and continents, it is practically impossible to trace the connection back to the Headquarter or even to the country where the FinSpy Master is located.

5 Database

The central database of the FinSpy system is part of the FinSpy Master component.

All data is strictly separated on a per-target basis so that it can be easily analyzed, exported or removed.

Database Structure

[pic]

For each file that is received from a FinSpy Target, 2 files are created:

▪ Data File: Containing the actual data of the file (e.g. Skype Call)

▪ Meta File: Containing all Meta-Information about the Data file

The Meta File content usually contains this generic information (depending on the type of file):

▪ Recorder Module: Which module created this file

▪ Module Configuration: Quality Settings, etc.

▪ Download Time Master: Local time on the Master when the file was downloaded

▪ Download Time Target: Local time on the Target when the file was downloaded

The other Meta information depends on the type of module, for example:

▪ Skype: Logged in User, Chat/Call Partner(s), Duration of Call, etc.

▪ Downloaded Files: Opened/Edited/Created headers, original Location, etc.

See the individual module sections for a detailed list.

6 Evidence Protection

Most countries' legal systems require proof of:

▪ Configuration: How was the deployed FinSpy Target initially configured, what configuration has been done after the deployment and what modules have been used

▪ Action Log: What features were used by which Operator at given dates and times

▪ Acquired Data: Ensure the integrity, prevent tampering of data

The Evidence Protection that is implemented in FinSpy uses the following algorithms and formats for signing:

▪ PKCS#12 / X.509 certificates (RSA 2048-bit)

▪ S/MIME (detached) signatures

Note: It is possible to import a custom PKCS#12 into the FinSpy Master and use this custom certificate for all signing operations.

Example Evidence Protection Configuration

[pic]

1 Action Log

The Action Log feature enables full logging on the FinSpy Master server of all activity that is related to the selected Target System:

▪ Date: Timestamp of activity in UTC.

▪ User: Name of the Operator that performed the activity. In case of automated tasks, FinSpy Master is named.

▪ UserUID: The unique ID that is associated with the account of the Operator.

▪ AgentUID: The unique ID that is associated with the Agent system.

▪ Module: The data collection module used within the action. If the event does not relate to any specific module, this field is left blank.

▪ Event Description: Brief description of the event.

Example Action Log

[pic]

2 Target History

Provides information about the target location (City, Country), the public IP address and the online and offline timestamps.

Example History Log

[pic]

3 Data Signing

Before importing data from Target Systems into the database, it is signed with the dedicated data signing certificate to ensure the integrity of the recorded data.

If the data is modified within the database, the signature verification fails and therefore alerts the Operator to tampered evidence.

Example Data Verification

[pic]

4 Evidence Verification Tool

To present the case-related evidence in court, a stand-alone Evidence Verification Tool is provided.

After all related data has been exported from the FinSpy Agent system, it can be loaded into the external tool, which automatically verifies the signatures of:

▪ Action Log: Tab-separated Log-File

▪ Data: Each file has its own signature which is verified in order to check for modifications

Example Evidence Verification Tool

[pic]
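The per-file detached signing and tamper check described in the Data Signing and Evidence Verification Tool sections, as an added example in Go that is not part of the original specification or of Gamma's software. It assumes a self-signed RSA-2048 X.509 certificate generated at run time in place of an imported PKCS#12 file, and a raw PKCS#1 v1.5 signature over SHA-256 in place of the product's S/MIME wrapping; the file names and contents in the test are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"math/big"
	"time"
)

// NewSigningCert generates an RSA-2048 key and a self-signed X.509 certificate,
// a hypothetical stand-in for the PKCS#12 certificate a deployment would import.
func NewSigningCert() (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// SignDetached signs SHA-256(data) with RSA PKCS#1 v1.5; the data file stays untouched and the signature is stored beside it.
func SignDetached(key *rsa.PrivateKey, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// VerifyEvidence checks each exported file (action log, data and meta files) against its
// detached signature and returns the names of files that fail: modified content or no signature.
func VerifyEvidence(cert *x509.Certificate, files, sigs map[string][]byte) []string {
	var failed []string
	for name, data := range files {
		sig, ok := sigs[name]
		if !ok || cert.CheckSignature(x509.SHA256WithRSA, data, sig) != nil {
			failed = append(failed, name)
		}
	}
	return failed
}
```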

7 Administration

The FinSpy Master can be administered from the FinSpy Agent: changing the FinSpy Master configuration, viewing log files, or displaying who is currently using the system.

[pic]

|Name |Description |

|User Management |Add/Remove users and configure the users' rights. |

|Agent Configuration |Specify where all exported Data will be saved. |

|Network |Configuration of the Internal and External Network Interfaces. |

|Relay Network Configuration |Configuration of connection details for the FinSpy Targets. |

|Email Notification |Configuration of the Email server, user and password for Email notification. |

|Updates |Configuration of the FinSpy Master and FinSpy Target Updates. |

|Evidence Protection |Configuration of the Evidence Protection certificates, logging activity and functionality. |

|LEMF Interface |LEMF database configuration. |

8 User Management

User Management provides the capability to add, remove and configure access of users to the FinSpy system.

[pic]

Three user groups are provided: System Administrators, Administrators and Regular Users. The System Administrators have full access to the system configuration as well as to all the targets and collected evidence. The Administrators have unrestricted access to Targets and collected evidence but no rights to configure the FinSpy system. The Regular Users have access only to the targets assigned to them. Further, these rights can be configured as shown below.

[pic]

9 LEMF Interface

A data submission module is part of the FinSpy Master that is able to transmit all recorded data and the corresponding meta-information to a Law Enforcement Monitoring Functionality (LEMF, e.g. a traditional IP monitoring system).

The FinSpy Master server is connected to the LEMF through a dedicated network interface and a unidirectional Ethernet cable, so that the security of the database is not compromised.

[pic]

The exact protocol specifications are provided on request so the data acquired by the FinSpy system can be integrated into any existing central storage systems.

10 License System

FinSpy comes with a built-in license system that restricts the number of:

▪ FinSpy Agents: Only the specified number of FinSpy Agent systems can be connected to the FinSpy Master in parallel

▪ FinSpy Targets: Each Target System gets a license ID assigned. If more Targets are infected than licenses are available, the surplus Targets are temporarily disabled until an active Target is de-infected.

Components

1 Agent Systems

|Component |Details |

|FinSpy Agent |Model: Lenovo ThinkPad SL510 4319 |

|[pic] |CPU: Intel Core 2 Duo 2.1 GHz T6570 |

|[pic] |RAM: 4 GB |

| |Hard-Disk: 320 GB |

| |Optical Drive: DVD-Writer - HL-DT-ST DVDRAM GSA-T50N |

| |Network: Gigabit Ethernet and WLAN : 802.11 a/b/g/n Intel WiFi 1000 BGN |

| |OS: Windows 7 Pro (64-bit) |

| |Display: 15.6" Widescreen TFT 1920 x 1080 |

| |Additional Software: |

| |Microsoft Office Professional Plus 2007 |

| |FinSpy Agent |

|Head-Set |Model: Logitech ClearChat Comfort USB Headset |

|[pic] |Frequency Response: |

| |Headset: 20 Hz–20 kHz |

| |Microphone: 100 Hz–10 kHz |

| |Input sensitivity: -62 dBV/µbar, -42 dBV/Pa +/- 3 dB |

|USB Hard-Disk |Model: Freecom Mobile Drive Classic 2 - 2.5" |

|[pic] |Size: 500GB |

| |Power: Bus-powered, no AC adapter needed |

|CD-R / DVD-R |Sony 16x DVD-R Media - 4.7GB - 100 Pack |

|[pic] [pic] |Sony 32x CD-R Media - 700MB - 100 Pack |

|1 Evidence Protection CD |Evidence Protection – Stand-alone Verification Tool |

|[pic] | |

2 Infrastructure

|Component |Details |

|1 FinSpy Master |Model: Fujitsu PY RX300S5 6X3.5 |

|[pic] |CPU: Intel® Xeon® E5504 4C/4T 2.00 GHz 4 MB |

| |RAM: 4GB DDR3-1066 PC3-8500 rg d ECC 1 MODUL |

| |Hard-Disk: |

| |2x Fujitsu HD SATA 3G 250GB 7.2K HOT PLUG 3.5" BC |

| |4x Fujitsu HD SATA 3G 750GB 7.2K HOT PLUG 3.5" BC |

| |RAID: 5/6 SAS based on LSI MegaRAID 256MB |

| |Network: 3x Fujitsu Eth Ctrl 1x1Gbit PCIe CT Desktop Cu lp |

| |Power: Fujitsu Power Supply Module 800W (hot plug) Plus Spare Fitted |

| |OS: Debian |

| |Additional Software: |

| |FinSpy Master |

| |FinSpy Proxy |

|1 Spare FinSpy Master |See FinSpy Master |

|[pic] | |

|1 Console |Model: Avocent 17" Single Rail ps2 LCD Rack Console |

|[pic] |KVM: Built-in 8 Port KVM Switch |

| |Cables: 8 connector cables |

| |Resolution: 1280 x 1024 Pixels SXGA |

| |Monitor: 17in |

|10 Network Cables |Belkin RJ45 CAT-5e Snagless Molded Patch Cable Grey 10m (32.8 ft) |

|[pic] |Belkin RJ45 CAT-5e Snagless Molded Patch Cable Grey 5m (16.4ft.) |

|1 Switch |Model: HP ProCurve Switch 2124 |

|[pic] |Ports: 24 auto-sensing 10/100 ports (IEEE 802.3 Type 10Base-T, IEEE 802.3u Type 100Base-TX) |

| |Media Type: Auto-MDIX; Duplex: half or full |

| |Performance: |

| |Latency: < 8.5 µs (LIFO) |

| |Switching capacity: 2.6 Gbps |

| |MAC address table size: 4,096 entries |

|1 UPS |Model: APC Smart-UPS 1000VA |

|[pic] |Output Power Capacity: 640 Watts / 1000 VA |

| |Max Configurable Power: 640 Watts / 1000 VA |

| |Typical recharge time: 2 hour(s) |

| |Audible Alarm: |

| |Alarm when on battery |

| |Distinctive low battery alarm |

| |Configurable delays |

|1 SurgeArrest |APC Surge Arrest Surge Protector 78,000A |

|[pic] | |

|1 Ruggedized Box |Model: RACK-TRANSPORT-30-6 |

|[pic] |6U 30" Deep Shock Isolated Transport Case |

| |Generic Caster Kit for Shock Isolated Transport Case |

|1 FinSpy Relay |Debian Installer (2.6 Kernel) |

|[pic] |Windows Installer (XP, 2003, 2008, Vista, 7) |

3 Documentation

|Component |Details |

|Documentation |FinSpy User Manual |

|[pic] |FinSpy Specifications |

Anti-Virus Testing

FinSpy utilizes various techniques to bypass most known Anti-Virus and Anti-Spyware tools. If a product cannot be bypassed, the agent will be faced with one of the following scenarios:

• The product displays pop-ups warning about suspicious activities and/or programs which can be accepted or rejected by the agent

Because these products are updated regularly, their behavior cannot be specified exactly. Regular tests are conducted by Gamma Quality Assurance, where all FinFisher products are checked against the latest versions of these security products; if a new detection is discovered, new techniques for bypassing it are researched.

Current Antivirus systems in our quality assurance environment:

|Kaspersky Internet Security |Comodo Internet Security Pro |

|Norton Internet Security |ESET Smart Security |

|F-Secure Internet Security |avast! Professional Edition |

|Panda Internet Security |AVG Internet Security |

|ZoneAlarm Internet Security Suite |BitDefender Internet Security |

|Bullguard Internet Security |CA Internet Security Suite Plus |

|McAfee Internet Security |Trend Micro Internet Security PRO |

|ClamAV |Sophos Security Suite |

|VIPRE® Antivirus + Antispyware |F-PROT Antivirus Version |

|G DATA Internet Security |Ikarus |

|Mamutu |NORMAN SECURITY SUITE |

|Outpost Security Suite Pro |RISING Internet Security |

|Spybot Search & Destroy |Spyware Doctor |

|Steganos Internet Security |Trustport PC Security |

|VirusBuster Internet Security Suite |Windows Defender |

|Quick Heal Total Security |K7 TotalSecurity |

|Ad-Aware PRO |Ashampoo AntiSpyware |

|a-squared Anti-Malware |Avira Premium Security Suite |

|Dr.Web Security Space |Security Essentials |

Updates & Support

The software has a built-in update feature that pulls updates automatically from the Gamma Update server at configured time intervals. If the system is not connected to the Internet, download locations are provided on request so the updates can be downloaded manually from other systems.

Every update is done through a secure encrypted link to ensure the integrity of the transferred update files.

The number of updates per year depends on the changes in the IT Intrusion field and the requirement for bug-fixes and new features. At least two major feature updates are provided per year per product.

In addition to the updates, all customers have access to an after-sales website that gives the customers the following capabilities:

• Download product information (Latest user manuals, specifications, training slides)

• Access change-log and roadmap for products

• Report bugs and submit feature requests

• Inspect frequently asked questions (FAQ)

Furthermore, support is provided via telephone and E-Mail.


FINFISHER: FinSpy 3.10

Product Specifications
