Hacking Team RCS 9 Administrator’s Guide
Oct. 30, 2014
]HackingTeam[
RCS 9
The hacking suite for governmental interception
Administrator's Guide
Administrator's Guide - ver.1.4
Information ownership
COPYRIGHT 2013, HT S.r.l.
All rights reserved in all countries.
No part of this manual can be translated into other languages and/or adapted and/or reproduced in other formats and/or mechanically, electronically processed or photocopied, recorded or otherwise without prior written authorization from HackingTeam.
All corporations and product names may be legal or registered trademarks, property of their respective owners. Specifically Internet Explorer is a Microsoft Corporation registered trademark.
Albeit text and images being selected with the utmost care, HackingTeam reserves the right to change and/or update the information hereto to correct typos and/or errors without any prior notice or additional liability.
Any reference to names, data and addresses of companies not in the HackingTeam is purely coincidental and, unless otherwise indicated, included as examples to better clarify product use.
NOTE: requests for additional copies of this manual or product technical information should be addressed to:
HT S.r.l.
via della Moscova, 13
20121 Milano (MI)
Italy
Tel.: 39 02 29 060 603
Fax: 39 02 63 118 946
e-mail: info@hackingteam.com
Contents
Glossary
Guide introduction
New guide features
Supplied documentation
Print concepts for notes
Print concepts for format
Product and guide addressees
Software author identification data
RCS (Remote Control System)
Differences between RCS 8.0 and RCS 16 versions
Glossary
RCS Console for the Administrator
Starting the RCS Console
What the login page looks like
Open RCS Console
Homepage description
Introduction
What it looks like
Wizards in the homepage
Introduction
What it looks like
Shared interface elements and actions
What the RCS Console looks like
Actions always available on the interface
Change interface language or password
Converting the RCS Console date-time to the actual time zone
Table actions
Administrator's procedures
Introduction
Procedures
Preparing the RCS for use by other users
Opening an investigation
Closing an investigation
Monitoring the system
Managing RCS login
What you should know about users and groups
Introduction
Login privileges
Functions enabled by single role
User groups per operation
User groups for system alarm alerts
User management
Purpose
Next steps
What the function looks like
To learn more
Registering and enabling a user for RCS
Enabling/disabling a user
Immediately disconnecting a user
Editing user data
User data
Privilege data
Administrator authorizations
System administrator authorizations
Technician authorizations
Analyst authorizations
Group management
Purpose
What the function looks like
To learn more
Creating a group and linking users and operations
Editing group data and removing users and operations
Operation and target
What you should know about operations
What is an operation
Assigning the operation to a user group
What happens when a new operation is created
What happens when an operation is closed
What you should know about targets
What is a target
Administrator tasks
What happens when a target is created
What happens when a target is closed
Opening and closing an operation
Operation management
Purpose
Next steps
What the function looks like
To learn more
Creating an operation
Editing operation data
Closing an operation
Deleting an operation
Operation data
Operation page
Purpose
What the function looks like
To learn more
Creating a target
Closing a target
Editing target data
Deleting a target
Operation page data
Monitoring users
What you should know about user monitoring (Audit)
What is user monitoring
How signaled actions are read
Selecting specific actions using filters
Exportable data
User monitoring (Audit)
Purpose
What you can
What the function looks like
To learn more
Selecting actions in a time range
Selecting actions based on proposed data
Removing one or more filters
Exporting displayed actions
User monitoring data (Audit)
System monitoring
System monitoring (Monitor)
Purpose
What the function looks like
To learn more
Define the alerting group or temporarily enable/disable it
System monitoring data (Monitor)
System component monitoring data
License monitoring data
Glossary
The terms and their definitions used in this manual are provided below.
A
Accounting
Console section that manages RCS access.
acquisition sequence
Group of complex events, actions and acquisition modules that make up the advanced agent configuration.
Administrator
The person who enables user access to the system, creates work groups and defines operations, targets and the type of data to be collected.
Agent
Software probes installed on devices to monitor. They are designed to collect evidence and communicate it to the Collector.
alert rules
Rules that create alerts when new evidence is stored or agents communicate back for the first time.
Alerting
Console section that manages new evidence alerts.
alerting group
Group of users who receive notifications via mail whenever a system alarm is triggered (for example, when the database exceeds available free space limits). Normally this group is not linked to an operation.
Analyst
Person in charge of analyzing the data collected during operations.
Anonymizer
(optional) Protects the server against external attacks and permits anonymity during investigations. Transfers agent data to Collectors.
Audit
Console section that reports all users' and system actions. Used to monitor abuse of RCS.
back end
Environment designed to and save collected information. In distributed architecture, it includes Master Node and Shard databases.
BRAS
(Broadband Remote Access Server) routes traffic to/from DSLAM to the ISP network and provides authentication to the ISP subscribers.
BSSID
(Basic Service Set IDentifier) Access Point and its client identifier.
Collector
Receives data sent by agents directly or through the Anonymizer chain.
console
Computer on which the RCS Console is installed. It directly accesses the RCS Server or Master Node.
Dashboard
Console section used by the Analyst. Used to have a quick overview of the status of the most important operations, targets and agents.
DSLAM
(Digital Subscriber Line Access Multiplexer) network device, often located in the telephone exchanges of the telecommunications operators. It connects multiple customer digital subscriber line interfaces to a high-speed digital communications channel using multiplexing techniques.
entity
Group of intelligence information linked to the target and people and places involved in the investigation.
ESSID
(Extended Service Set IDentifier) Known as SSID, identifies the network.
evidence
Collected data evidence. The format depends on the type of evidence (image).
evidence alerts
Alerts, usually in the form of emails, sent to when new evidence matches the set rule.
factory
A template for agent configuration and compiling.
front end
Environment designed to communicate with agents to collect information and set their configurations. In distributed architecture, it includes the Collector and Network Controller.
injection rules
Settings that define how to identify HTTP traffic, what resource should be injected and what method is to be used for the injection.
Monitor
Console section that monitors components and license status.
Network Controller
Component that checks Network Injector and Anonymizer status and sends them new configurations and software updates.
Network Injector
Hardware component that monitors the target's network traffic and injects an agent into selected Web resources. It comes in two versions, Appliance or Tactical: the former is for deployment at the ISP, the latter for use on the field.
Network Injector Appliance
Rackable version of the Network Injector, for installation at ISP. See: Tactical Network Injector.
O
operation
Investigation aimed at one or more targets, whose devices will be recipients for agents.
RCS
(Remote Control System) the product documented hereto.
RCS Console
Software designed to interact with the RCS Server.
RCS Server
One or more computers, based on the installation architecture, where essential RCS components are installed: Shard databases, Network Controllers and Collector.
SSH
(Secure Shell) a network protocol for secure data communication, remote shell services or command execution.
G) - Glossary
System
Console section that manages the system.
System administrator
The person who installs the servers and consoles, updates software and restores
data in case of faults.
Tactical Network Injector
The portable version of Network Injector, for tactical use. See: Network Injector
Appliance.
TAP
(Test Access Port) a hardware device installed in a network that passively monitors
the transmitted data flow.
target
The physical person under investigation.
Technician
The person assigned by the Administrator to create and manage agents.
VPS
(Virtual Private Server) a remote server where the Anonymizer is installed.
Commonly available for rent.
WPA
(WiFi Protected Access) WiFi network protection.
WPA 2
(WiFi Protected Access) WiFi network protection.
Guide introduction
Presentation
Manual goals
This manual is a guide for the Administrator on how to use the RCS Console to:
• create users and workgroups
• open and close investigations
• monitor RCS users
• monitor the system
Information on how to consult the manual is provided below.
Content
This section includes the following topics:
New guide features
Supplied documentation
Print concepts for notes
Print concepts for format
Product and guide addressees
Software author identification data
New guide features
List of release notes and updates to this online help.
Release date | Code | Software version | Description
30 September 2013 | Administrator's Guide 1.4 SEP-2013 | 9 | Updated documentation due to improvements to the user interface. Improved the contents.
3 July 2013 | Administrator's Guide | 8.4 | No documentation update.
15 March 2013 | Administrator's Guide 1.3 MAR-2013 | 8.3 | Added user authorization management. See "Privilege data" on page 25.
15 October 2012 | Administrator's Guide 1.2 OCT-2012 | 8.2 | Added description of wizards in the homepage. See "Wizards in the homepage" on page 11.
30 June 2012 | Administrator's Guide 1.1 JUN 2012 | 8.1 | Close operation and target button. See "Operation management" on page 31. Load license button. See "System monitoring (Monitor)" on page 46.
16 April 2012 | Administrator's Guide 1.0 APR-2012 | 8.0 | First publication
Supplied documentation
The following manuals are supplied with RCS software:
Manual | Addressees | Code | Distribution format
System Administrator's Guide | System administrator | System Administrator's Guide 1.4 SEP-2013 |
Administrator's Guide (this manual) | Administrators | Administrator's Guide 1.4 | PDF
Technician's Guide | Technicians | Technician's Guide 1.5 SEP-2013 | PDF
Analyst's Guide | | Analyst's Guide 1.4 SEP-2013 | PDF
Print concepts for notes
Notes foreseen in this document are listed below (Microsoft Manual of Style):
WARNING: indicates a risky situation which, if not avoided, could cause user injury or
equipment damages.
CAUTION: indicates a risky situation which, if not avoided, can cause data to be lost.
IMPORTANT: offers the indications required to complete the task. While notes can be
neglected and do not influence task completion, important indications should not be
neglected.
NOTE: neutral and positive information that emphasize or add information to the main
text. They provide information that can only be applied in special cases.
Tip: suggestion for the application of techniques and procedures described in the text
according to special needs. It may suggest an alternative method and is not essential to
text comprehension.
Service call: the operation may only be completed with the help of technical service.
Print concepts for format
A key to print concepts is provided below:
Example | Style | Description
See "User data" | italic | this indicates a chapter, section, sub-section, paragraph, table or illustration heading in this manual or other publication of reference.
 | | indicates text that must be specified by the user according to a certain syntax. In the example is a date and could be "1402011".
Select one of the listed servers | | indicates the object specified in the text that appears in the adjacent image.
Click Add. Select the File menu, Save data. | bold | indicates text on the operator interface, a graphic element (table, tab) or screen button (display).
Press ENTER | UPPER CASE | indicates the name of keyboard keys.
See: Network Injector Appliance. | - | suggests you compare the definition of a word in the glossary or content with another word or content.
Product and guide addressees
Following is the list of professionals that interact with RCS.
Addressee | Activity |
System administrator | Follows the HackingTeam's instructions provided during the contract phase. Installs and updates RCS servers, Network Injectors and RCS Consoles. Schedules and manages backups. Restores backups if servers are replaced. WARNING: the system administrator must have the required necessary skills. The HackingTeam is not liable for equipment malfunctions or damages due to unprofessional installation. | Expert network technician
Administrator | Creates authorized accounts and groups. Creates operations and target. Monitors system and license status. | Investigation manager
Technician | Creates and sets up agents. Sets Network Injector rules | Tapping specialist technician
Analyst | Analyzes and exports evidence. | Operative
Software author identification data
HT S.r.l.
via della Moscova, 13
20121 Milano (MI)
Italy
Tel.: 39 02 29 060 603
Fax: 39 02 63 118 946
e-mail: info@hackingteam.com
RCS (Remote Control System)
Presentation
Introduction
RCS (Remote Control System) is a solution that supports investigations by actively and passively
tapping data and information from the devices targeted by the investigations. In fact, RCS
anonymously creates, sets and installs software agents that collect data and information, sending
the results to the central database to be and saved.
Content
This section includes the following topics:
Differences between RCS 8.0 and RCS 7.6 versions
Differences between RCS 8.0 and RCS 7.6 versions
Differences with the RCS 7.6 version are described below
Glossary
RCS v. 7.6 | RCS 8.0 and higher
Activity | Operation
Agent | Module
Anonymizer chain | Anonymizing chain
Backdoor | Agent
Backdoor Class | Factory
Collection Node | Collector
Injection Proxy Appliance | Network Injector Appliance
Log Repository | Master Node and additional Shard
Mobile Collection Node | Collector
 | Anonymizer
RCS Console for the Administrator
Presentation
The Administrator's role
The Administrator's role is:
• to manage system access by assigning users the various roles foreseen by the application
• to create and close investigations
• to define the involved targets
• to inform the Technician user of the types of evidence to be tapped
• to monitor actions run by users
• to monitor licenses available for RCS components
Functions enabled for the Administrator
To complete his/her activities, the Administrator has access to the following functions:
• Accounting
• Operation
• Audit
• Monitor
Content
This section includes the following topics:
Starting the RCS Console
Homepage description
Wizards in the homepage
Shared interface elements and actions
Administrator's procedures
Starting the RCS Console
When started, RCS Console asks you to enter your credentials previously set by the Administrator.
What the login page looks like
This is what the login page looks like:
[Figure: RCS Console login page]
Area Description
1 Title bar with command buttons:
  • Close RCS Console.
  • Expand window button.
  • Shrink window button.
2 Login dialog window.
Open RCS Console
To open RCS Console functions:
Step Action
1 In Username and Password, enter the credentials as assigned by the Administrator.
2 In Server, enter the name of the machine or server address to connect to.
3 Click [icon]: the homepage appears with the menus enabled according to your account
privileges. See "Homepage description" below.
Homepage description
To view the homepage: click [icon]
Introduction
The homepage is displayed when the RCS Console is started, and is the same for all users. Enabled
menus depend on the privileges assigned to the account.
What it looks like
This is what the homepage looks like, with recently opened items saved. For details on shared
elements and actions:
[Figure: RCS Console homepage]
Area Description
1 Title bar with command buttons.
2 RCS menu with functions enabled for the user.
3 Search box to search operations, targets, agents and entities, by name or description.
4 Links to the last five elements opened (operation in the Operations section, operation
in the Intelligence section, target, agent and entity).
5 Wizard buttons.
6 Logged in user with possibility of changing the language and password.
7 Download area with ability to view progress during export or compiling.
8 Current date and time with possibility of changing the time zone.
Wizards in the homepage
To view the homepage: click [icon]
Introduction
For users with certain privileges, RCS Console displays buttons that run wizards.
What it looks like
This is how the homepage is displayed with enabled wizards:
[Figure: RCS Console homepage with enabled wizards]
Button Function
[icon] Open the wizard to quickly create an agent.
[icon] Open the wizard to quickly save operation and target data.
NOTE: the button is only enabled for users with Administrator and Technician
privileges.
NOTE: the button is only enabled for users with Administrator and System
Administrator privileges.
Shared interface elements and actions
Each program page uses shared elements and allows similar actions to be run.
For easier manual comprehension, elements and actions shared by some functions are described
in this chapter.
What the RCS Console looks like
This is what a typical RCS Console page looks like. A target page is displayed in this example:
[Figure: RCS Console target page]
Area Description
1 Title bar with command buttons:
  • Logout from RCS.
  • Page refresh button.
  • Expand window button.
  • Shrink window button.
2 Return to homepage button.
  RCS menu with functions enabled for the user.
3 Operation scroll bar. Descriptions are provided below:
  Icon Description
  • Back to higher level.
  • Show the operation page (Operations section).
  • Show the target page.
  • Show the factory page.
  • Show the agent page.
  • Show the operation page (Intelligence section).
  • Show the entity page.
4 Buttons to display all elements regardless of their group membership. Descriptions
  are provided below:
  Icon Description
  • Show all operations.
  • Show all targets.
  • Show all agents.
  • Show all entities.
5 Window toolbar.
6 Search buttons and box:
  Object Description
  • Search box. Enter part of the name to display a list of
    elements that contain the entered letters.
  • Display elements in a table.
  • Display elements as icons.
7 Logged in user with possibility of changing the language and password.
8 Download area with ability to view progress during export or compiling. Files are
  downloaded to the desktop in RCS Download folder.
  • top bar: percent generation on server
  • bottom bar: percent download from server to RCS Console.
9 Current date and time with possibility of changing the time zone.
Actions always available on the interface
Change interface language or password
To change the interface language or password:
Step Action
1 Click to display a dialog window with the user's data.
2 Change the language or password and click Save to confirm and exit.
Converting the RCS Console date-time to the actual time zone
To convert all dates-times to the actual time zone:
Step Action
1 Click to display a dialog window with the current date-time:
  UTC time: Greenwich mean time (GMT)
  Local Time: date-time where the RCS server is installed
  Console time: date-time of the console used and which can be converted.
2 Change the time zone and click Save to confirm and exit: all displayed dates-times
  are converted as requested.
Table actions
The RCS Console displays various data in tables. Tables let you:
• sort data by column in increasing/decreasing order
• filter data by column
Action | Description
Sort by column | Click on the column heading to sort that column in increasing or decreasing order.
Filter a text | Enter part of the text you are searching for: only elements that contain the entered text appear. The example shows elements with descriptions like: "myboss", "bossanova"
Filter based on an option | Select an option: the elements that match the selected option appear.
Filter based on several options | Select one or more options: the elements that match all selected options appear.
Change the column size | Select the edge of the column and drag it.
Administrator's procedures
Introduction
Procedures typically performed by the Administrator are indicated below with references to their
pertinent chapters.
Procedures
Preparing the RCS for use by other users
Following are the procedures typically performed to prepare RCS for use by others:
Step Action
1 In the Accounting section, Users, set the people who will have access to RCS.
  See "User management" on page 20
2 In the Accounting section, Groups, create the user group (usually composed of
  system administrators and not linked to any operation) that will receive the system
  alarm e-mail notifications
  See "Group management" on page 26
3 In the Monitor section, select the group that will receive the system alarm e-mail
  notifications.
  See "System monitoring (Monitor)" on page 46
Opening an investigation
Procedures typically performed to open an investigation are indicated below:
Step Action
1 In the Accounting section, Users, set the people who will belong to the investigation
  team and their roles.
  See "User management" on page 20
2 In the Accounting section, Groups, set the team enabled to view investigation data
  and receive system alarms.
  See "Group management" on page 26
3 In the Operations section, open the investigation and link one or more groups.
  See "Operation management" on page 31 and "Operation page" on page 35
4 Inform the RCS Technician of the … of evidence to be …
5 In the Audit section, monitor system access by the team and check their actions.
  See "User monitoring (Audit)" on page 41
Closing an investigation
The typical procedure performed to close an investigation is indicated below:
Step Action
1 In the Operations section, close the investigation.
  See "Operation management"
2 If necessary, ask the System administrator to save evidence in a Backup file.
Monitoring the system
The typical procedures performed to monitor RCS use are indicated below:
Step Action
1 In the Monitor section, monitor system messages and licenses used.
  See "System monitoring (Monitor)" on page 46
2 In the Audit section, monitor actions performed by Technicians, and other
  Administrators.
  See "User monitoring (Audit)" on page 41
Managing RCS login
Presentation
Introduction
Managing users and groups is essential to guarantee data confidentiality and security.
Content
This section includes the following topics:
What you should know about users and groups
User management
User data
Privilege data
Group management
What you should know about users and groups
Introduction
To guarantee maximum data confidentiality and security, RCS provides the Administrator the
opportunity of assigning login privileges to each user and grouping users in workgroups for
specific operations. The structure adapts to both situations where tasks are [...]ented and
situations where all tasks are performed by a few people.
By managing users, the Administrator can also quickly disconnect a suspected user and
temporarily disable his/her RCS login.
Login privileges
RCS was designed to guarantee maximum server and collected data security. To achieve this goal,
four distinct roles were defined that usually refer to the professionals who can login to the system:
- System administrator: exclusively in charge of hardware and software installation and backups
- Administrator: in charge of all system login, investigations and investigation goals
- Technician: in charge of setting up and installing tapping agents
- Analyst: in charge of data analysis
Tip: several roles can be assigned to the same user; for example, an Administrator can
also have Technician privileges.
Functions enabled by single role
Following is the list of RCS functions reserved to users in a specific role:
Role Enabled functions
System administrator: System, Monitor
Administrator: Operation, Audit, Monitor
Technician: Operation, System
Analyst: Operation, Intelligence, Dashboard, Alerting
User groups per operation
Groups allow users to be grouped to assign them specific operations. This way, several operations
can be managed simultaneously, guaranteeing maximum data confidentiality amongst
workgroups.
See "Operation management" on page 31
IMPORTANT: operation assignments to a workgroup will be effective the next time
the user in that group logs in.
User groups for system alarm alerts
A group of users exclusively intended to receive an e-mail in the event of system alarm can be
created.
This way, fast System administrator intervention can be guaranteed in the event of serious faults.
See "System monitoring (Monitor)" on page 46
User management
To manage users: Accounting section, Users
Purpose
This function lets you:
- register a user and allow him/her access to certain RCS functions. Once registered, the user can login and view functions based on assigned roles
- temporarily disable user login, for example, in the event of prolonged absence
- immediately disconnect the user from RCS, for example, in the event of alleged illegal access to RCS
- monitor the date-time and IP address of the user's last connection to RCS and other pertinent data
Tip: to block a user and prevent any access to RCS, we suggest you immediately disconnect
him/her (if connected) and disable him/her.
NOTE: the function is only enabled if the user has User and group management
authorization.
Next steps
Several users can be linked to a workgroup, to assign them specific operations or send system
alarms. See "Group management" on page 26.
What the function looks like
This is what the page looks like:
[Screenshot: Accounting section, Users page]
Area Description
1 RCS menu.
2 Accounting menu.
3 Window toolbar. Descriptions are provided below:
Icon Description
- Add a user.
- Edit the selected user.
- Delete the selected user.
- Disconnect the selected user.
4 Main work area with list of registered users:
- Registered user currently logged into RCS.
- Registered user but not currently logged into RCS.
- Registered user but not enabled to login. The user cannot have access to RCS.
5 Selected user data.
6 RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 12.
For a description of the data in this window see "User data" on page 24.
For more information on users and groups see "What you should know about users and groups"
on page 19.
Registering and enabling a user for RCS
To register a new user:
Step Action
1 Click New user: data entry fields appear.
2 Enter the required data and make sure the Enabled box is selected if you want the
user to login to RCS.
3 Click Save: the new user appears with its icon in the main work area.
Enabling/Disabling a user
To enable or disable a user to login to RCS:
Step Action
1 Double-click a user: his/her data appear.
2 Click Enabled to enable or disable.
3 Click Save: the new user appears in the main work area with the icon for an enabled or a disabled user.
IMPORTANT: if the user is logged in, she/he will continue to work but the
next login will be denied. To immediately disconnect a user see
"Immediately disconnecting a user" below.
Immediately disconnecting a user
To immediately disconnect a logged in user:
Step Action
1 Click on a user and click Disconnect user: the user appears with the corresponding icon in the
main work area.
If the user is logged in, she/he will immediately be
disconnected. The next login will be permitted unless the user is disabled.
To disable the user see "Enabling/Disabling a user" above.
Editing user data
To edit user data:
Step Action
1 Double-click a user: his/her data appear.
2 Edit data and click Save: data is considered from the next login or next alert
messages.
User data
Selected user data is described below:
Data Description
Enabled: Select to enable user login to RCS. Do not select to leave the user registered but deny login to RCS.
Name: Name used to login to RCS.
Description: User's description.
Contact: User's e-mail.
IMPORTANT: if the user has Analyst privileges, evidence alerts will be
sent to this address. The e-mail cannot be changed by the user.
Password: User's password. The user can change it later from the status bar.
Rules: Privileges assigned to the user:
- System administrator
- Administrator
- Technician
- Analyst
For a detailed description of privileges see "Privilege data" on next page
Advanced permissions: Opens the window to assign authorizations for each privilege.
For a detailed description of authorizations see "Privilege data" on next page
Language: RCS Console interface language. The user can change it later from the status bar.
Console Timezone: Time zone used by the RCS Console to display time.
Groups: User's groups. The user can only see the operations assigned to the group.
Privilege data
Administrator authorizations
Following is a description of the authorizations assigned to Administrators:
Data Description
User and group management: Enables the Accounting section.
NOTE: users with this authorization can naturally
change their own and others' authorizations.
Operations management: Enables Operations management.
Target management: Enables target management.
System auditing: Enables the Audit section.
License modification: Allows the license to be updated.
System administrator authorizations
Following is a description of the authorizations assigned to System Administrators:
Data Description
Frontend management: Enables the System, Frontend section.
Backend management: Enables the System, Backend section.
System Backup & Restore: Enables the System, Backup section.
Injector management: Enables the System, Network Injector section.
Connectors management: Enables the Connectors section.
Technician authorizations
Following is a description of the authorizations assigned to Technicians:
Data Description
Factory creation: Allows factories to be created and set.
Installation vector creation: Allows installation vectors to be compiled.
Agent configuration: Allows agent configurations to be edited.
Command execution on agents: Allows commands to be run on agents.
Upload files to agent: Allows files to be sent to agent.
Import evidence: Allows evidence to be imported.
Injector rules management: Allows rules to be added for Network Injectors.
Analyst authorizations
Following is a description of the authorizations assigned to Analysts:
Data Description
Alerts creation: Allows alert rules to be created.
File system browsing [...] agents: Allows the agent's file system to be browsed.
Evidence editing: Allows priorities to be assigned to evidence and notes added.
Evidence deletion: Allows evidence to be deleted.
NOTE: this authorization is never enabled by
default since it requires a user license.
Evidence export: Allows evidence to be exported.
Entity management: Allows intelligence entities to be managed.
Group management
To manage groups: Accounting section, Groups
Purpose
This function lets you:
- organize users in work groups to assign specific operations
- create an alerting group to receive system alarm e-mails
Tip: to more simply and quickly group and manage users intended to receive RCS alarms,
create an "alerting" group without linking it to an operation but containing all the users to
be alerted in the event of alarm. See "User management" on page 20
NOTE: the function is only enabled if the user has User and group management
authorization.
What the function looks like
This is what the page looks like:
[Screenshot: Accounting section, Groups page]
Area Description
1 RCS menu.
2 Accounting menu.
3 Window toolbar. Descriptions are provided below:
Icon Description
- Add a group.
- Edit the selected group.
- Delete the selected group.
4 Group list.
5 Users and operation assigned to the selected group.
6 RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 12.
For more information on groups and users see "What you should know about users and groups".
Creating a group and linking users and operations
To create a new group:
Step Action
1 Click New group: enter a name to be assigned to the group.
2 Enter the required data and click Save: the new group is displayed in the main work
area.
3 In the Users in this Group table, click the icon to add users to the group.
4 In the Operations in this Group table, click the icon to add operations to the group:
the next time group users login, they will see the added operation.
IMPORTANT: if an operation is linked to a user who is logged in,
the user will only be able to view the operation the next time she/he logs
in.
Editing group data and removing users and operations
To edit group data:
Step Action
1 Double-click a group.
2 Edit the name and click Save.
3 In the Users in this Group table, click the icon to remove users from the group.
4 In the Operations in this Group table, click the icon to remove operations from the
group: the next time group users login, they will no longer see the operations in the
list.
IMPORTANT: if an operation is removed from a user who is currently
logged in, the user will no longer view the operation the next time she/he
logs in.
Operation and target
Presentation
Introduction
Managing operations sets the targets to be tapped.
Content
This section includes the following topics:
What you should know about operations
What you should know about targets
Operation management
Operation data
Operation page
Operation page data
What you should know about operations
What is an operation
An operation is an investigation to be conducted. An operation contains one or more targets
meaning the physical individuals to be tapped. The Technician assigns one or more agents,
desktop or mobile, to the target. Thus the agent can be installed on a computer or mobile phone.
Assigning the operation to a user group
To guarantee maximum data confidentiality, we recommend you only link an operation to the RCS
users assigned to the investigation. Users not linked to the operation will not see any operation
data or collected evidence. For this reason, the person who creates the operation must be part of
at least one of the groups linked to the operation when created.
What happens when a new operation is created
When an operation is created it is already declared open; thus operation targets can be created
and the Technician can generate and install agents. When the operation is open, agents begin to
collect data and send it to RCS.
What happens when an operation is closed
The operation must be closed when the investigation is closed, and it is certain that all agents
have already transmitted all the collected evidence to the Backend.
Closing the operation automatically closes the targets and agents. When an agent is closed,
uninstallation occurs at the first [...], leaving the device clean.
A closed operation cannot be re-opened. Only the operation data and collected evidence are left
in the database.
CAUTION: for infrequent [...], for example, every four days, wait for the last
planned [...] before closing the operation.
What you should know about targets
What is a target
A target is the physical person to be investigated. The Technician assigns one or more agents,
desktop or mobile, to the target. Thus the agent can be installed on a computer or mobile phone.
Administrator tasks
The Administrator manages targets on the general organizational level; the Technician sets and
works on targets according to the Administrator's instructions.
The Administrator is in charge of:
. creating a new target within an operation
instruct the Technician on activation schedules and the types of evidence to be collected
through a certain target's agents, based on the instructions received from legal authorities
monitoring correct instruction application through Audits
. closing a target
What happens when a target is created
When a target is created it is already declared open and thus the Technician can be asked to
generate and install agents.
What happens when a target is closed
A target can be closed, for example, when closing investigations for that target.
Closing a target automatically closes its agents. When an agent is closed, uninstallation occurs at
the ?rst leaving the device clean.
A closed target cannot be re-opened. Only the target data and those sent by agents are left in the
database.
When a target is closed, all linked agents are automatically uninstalled. Only
close a target when certain to have all the required data.
For infrequent, for example, every four days, wait for the last
planned before closing the target.
Tip: only close the target when you are sure that agents have downloaded all the required
information.
Opening and closing an operation
When an operation is closed, all of its targets are irreversibly closed and all their agents are
uninstalled. See "What you should know about operations" on previous page.
Operation management
To manage operations: Operations section
Purpose
This function lets you:
• create a new operation
• assign the operation to a user group
NOTE: the function is only enabled if the user has Operation management authorization.
Next steps
One or more targets must be linked to the operation. See "Operation page" on page 35 .
What the function looks like
This is what the page looks like:
Area Description
1 RCS menu.
2 Scroll bar.
3 Window toolbar.
Descriptions are provided below:
Icon Description
Add an operation.
Edit the selected operation.
Delete the selected operation.
Close the operation.
4 List of created operations:
Open operation. If targets were set and agents correctly installed, collected
evidence is received.
Closed operation. All targets are closed and agents uninstalled. All its targets
and evidence can still be viewed.
5 Selected operation data.
6 RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 12.
For a description of the data in this window see "Operation data" on page 35.
For more information on operations see "What you should know about operations" on page 30.
Creating an operation
To create a new operation:
Step Action
1 Click New Operation: data entry fields appear.
2 Select the group (or groups) to be assigned to the operation.
NOTE: the user who is creating the operation must belong to at least one of
the linked groups.
3 Enter the required data and click Save: the new operation appears in the main work
area in Open status.
Editing operation data
To edit operation data:
Step Action
1 Select an operation and click Edit: its data appears.
2 Edit data and click Save.
Closing an operation
To close an operation and begin uninstalling agents on all targets:
Step Action
1 Select an operation and click Close.
2 Confirm close: all targets are closed and agent uninstall is requested. Data is left
available on the database.
CAUTION: closing an operation is irreversible. See "What you should know
about operations" on page 30.
Deleting an operation
To delete an operation:
Step Action
1 Select an operation and click Delete.
2 Confirm the action by clicking OK: operation data, targets, agents and all evidence are
deleted from databases.
Deleting an action is irreversible and data linked to that operation is lost.
Operation data
Selected operation data is described below:
Data Description
Name Operation name.
Description User's description
Contact Descriptive field used to define, for example, the name of a contact person (Judge,
Attorney, etc.).
Status Operation status and close command:
OPEN: the operation is open. If targets were set and agents correctly installed, the
RCS receives the collected evidence.
CLOSED: the operation is closed and cannot be re-opened. Agents no longer send
data but evidence already received can still be viewed.
CAUTION: closing an operation is irreversible. See "What you should know
about operations" on page 30.
Groups Groups that can see the operation.
See "Group management" on page 26
Operation page
To view an operation: Operation section, double-click an operation
Purpose
This function lets you:
• create one or more targets to be monitored during an operation
• manage target activation/deactivation.
What the function looks like
This is what the page looks like:
Area Description
1 RCS menu.
2 Scroll bar.
3 Window toolbar. Descriptions are provided below:
Icon Function
Add a target.
NOTE: the function is only enabled if the user has Target management authorization.
Edit the selected target.
Delete the selected target.
Close the target.
Move the target to another operation.
4 Target list:
Open target
Closed target
5 Selected target data.
6 RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 12.
For more information on operations see "What you should know about operations" on page 30.
For a description of the data in this window see "Operation page data" on next page.
Creating a target
To create a new target:
Step Action
1 Click New Target: data entry fields appear.
2 Enter the required data and click Save: the new target appears in the main work area
in Open status, meaning it is ready to be used by a Technician.
Closing a target
To close a target and begin uninstalling its agents:
Step Action
1 Select a target and click Close.
2 Confirm close: the target is closed and agent uninstallation is automatically launched.
Data is left available on the database.
CAUTION: closing a target is irreversible. See "What you should know about
targets" on page 30.
Editing target data
To edit target data:
Step Action
1 Select a target and click Edit: its data appears.
2 Edit data and click Save.
Deleting a target
To delete a target:
Step Action
1 Select a target and click Delete.
2 Confirm the action by clicking OK: target data, its agents and all evidence is deleted
from databases.
CAUTION: deleting a target is irreversible and data linked to that target will be lost.
Operation page data
Selected target data is described below:
Data Description
Name Target name.
Description User's description
Status Defines the target's status:
Open. If the Technician correctly installs agents, RCS receives the collected
evidence.
Closed, it can no longer be opened.
Monitoring users
Presentation
Introduction
Monitoring RCS users guarantees correct investigations and the observance of rules and
indications issued by any authority that requested the investigations.
Content
This section includes the following topics:
What you should know about user monitoring (Audit)
User monitoring (Audit)
User monitoring data (Audit)
What you should know about user monitoring (Audit)
What is user monitoring
The Audit is a list of actions taken by all Administrator, Technician and Analyst users in RCS. Its
purpose is to guarantee correct investigations and the observance of rules and indications issued
by any authority that requested the investigations.
This way, the Administrator can monitor system access by enabled users and trace special actions
over time such as, for example, target creation.
How signaled actions are read
The Audit records all actions run on the system by each single user in a table.
Four pieces of information are always included in each action:
• action date-time,
• user that performed the action,
• action type,
• description of the action
The other fields are only populated according to the type of action. For example, if a user logs into
the system, the Audit records the user's name in Actor and the "login" action type in Action.
If a Technician creates agents, an action appears in the list for each agent with the name of the
user, the "target.create" type of action, the operation name, target name and agent's name.
NOTE: audit records are not localized and only available in English.
Selecting specific actions using filters
The function normally displays actions performed in the last 24 hours. The filter on the Date
column is thus the only filter that is always set by default but can be changed as needed. For this
reason, the corresponding combo box is always selected.
A filter can be set for all other columns to refine the search. If the combo box next to the heading
is selected, the filter on that column is active.
Each heading thus allows you to select which data should be displayed.
Only the Description column lets you enter part of the text to be searched, for example, if "log" is
entered, all actions whose descriptions contain the text "log" will be displayed. For example:
"User logged in"
"Log file created"
Exportable data
RCS lets you export recorded actions for Administrators, Technicians and Analysts. The file will be
downloaded to the RCS Download folder on the desktop.
User monitoring (Audit)
To monitor users: Audit section
Purpose
This function lets you monitor Administrator, Technician and Analyst actions in RCS. For example,
you can monitor correct operation progress, target activation/deactivation schedules and the
Technician's correct application of the types of agents authorized for a specific operation.
What you can do
You can select only the actions run in a certain period and apply filters to search, for example, for
detailed information on specific operations or users. If needed, actions can always be
exported to CSV format files.
IMPORTANT: if the page is kept open, it must be refreshed to view the most recent
actions. See "Homepage description" on page 10.
NOTE: the function is only enabled if the user has System auditing authorization.
What the function looks like
This is what the page looks like:
Area Description
1 RCS menu.
2 Window toolbar. Descriptions are provided below:
Icon Description
Export displayed actions to a CSV
format file (can be imported in Excel).
Remove all filters applied to table
data.
3 List of actions run by RCS users.
4 RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 12.
For a description of the data in this window see "User monitoring data (Audit)".
For more information on the audit see "What you should know about user monitoring (Audit)" on
page 40.
Selecting actions in a time range
To only view actions in a certain time range:
Step Action
1 Click on the Date column heading.
2 Click on the required time range.
NOTE: the date filter is always on, set on actions in the last 24 hours. Only the criteria can
be changed.
Selecting actions based on proposed data
To increase result accuracy:
Step Action
1 Click on one or more column headings: a search field appears where you can enter
data.
2 Enter the word to be searched and press Enter. Information in the column will be
filtered and ordered according to the entered search word.
Removing one or more filters
To remove a filter and display all data:
If you want to remove
a single filter: unselect the combo box in the column heading.
all filters simultaneously 5 le
NOTE: the date filter is always on, set on actions in the last 24 hours. Only the time criteria
can be changed.
Exporting displayed actions
To export displayed actions:
Step Action
1 Click Export: data entry fields appear.
2 Enter the name of the file to be exported and click OK: a
progress bar indicates operation progress. To check progress,
click on the bar.
User monitoring data (Audit)
Audit table columns are described below:
Column Description
Date Action date-time.
Actor Name of the logged in user that caused the action.
Action Type of action run by the logged in user. The action is displayed as
individual.action. For example "user.update" means that a user was updated. This
makes selecting the same types of actions easier.
User User concerned by the action, for example, created by an Administrator. It should
not be confused with the name in Actor which is the user who caused the action.
Group Group concerned by the action, for example, the group linked to an operation.
Operation Operation concerned by the action, for example, the operation closed by an
Administrator.
Target Target concerned by the action, for example, the target closed by an
Administrator.
Agent Agent concerned by the action, for example, agent created by a Technician.
Description Brief description of the action.
NOTE: all actions are displayed in English.
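The column layout and filter rules described in this Audit section, applied to a constructed export so a reviewer can reproduce the same selection outside the console. This is an added example, not code from the guide or from the product; the CSV header row, the timestamp format, exact matching on columns other than Description, and every sample value are assumptions.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Column names come from the Audit table above. That the CSV export carries
# them as a header row, and this timestamp format, are assumptions.
COLUMNS = ["Date", "Actor", "Action", "User", "Group",
           "Operation", "Target", "Agent", "Description"]
EXACT_COLUMNS = set(COLUMNS) - {"Date", "Description"}
DATE_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample export: every name, time and description is made up.
# "placeholder.action" stands in for an action type the guide does not name.
SAMPLE_CSV = """\
Date,Actor,Action,User,Group,Operation,Target,Agent,Description
2013-09-02 08:01:10,admin1,login,,,,,,User logged in
2013-09-02 08:05:42,admin1,user.update,tech1,,,,,Updated user tech1
2013-09-02 09:30:00,tech1,login,,,,,,User logged in
2013-09-02 09:41:17,tech1,target.create,,,op-alpha,target-01,agent-01,Created agent
2013-09-02 09:43:02,tech1,target.create,,,op-alpha,target-01,agent-02,Created agent
2013-08-30 17:12:55,analyst1,login,,,,,,User logged in
2013-09-02 10:00:00,admin1,placeholder.action,,,,,,Log file created
"""


def load_audit(text):
    """Parse an exported audit CSV into dicts with a parsed 'Date' value."""
    reader = csv.DictReader(io.StringIO(text))
    missing = set(COLUMNS) - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export is missing columns: {sorted(missing)}")
    records = []
    for row in reader:
        row["Date"] = datetime.strptime(row["Date"], DATE_FORMAT)
        records.append(row)
    return records


def filter_audit(records, now, window=timedelta(hours=24),
                 description=None, **columns):
    """Select records the way the Audit page filters are described.

    The Date filter is always on (default: the last 24 hours). Description is
    a case-insensitive substring match, so "log" finds both "User logged in"
    and "Log file created". Other columns are compared exactly, which is an
    assumption of this example.
    """
    unknown = set(columns) - EXACT_COLUMNS
    if unknown:
        raise ValueError(f"not a filterable column: {sorted(unknown)}")
    selected = []
    for rec in records:
        if not (now - window <= rec["Date"] <= now):
            continue
        if (description is not None
                and description.lower() not in rec["Description"].lower()):
            continue
        if any(rec[col] != wanted for col, wanted in columns.items()):
            continue
        selected.append(rec)
    return selected


def actions_per_actor(records):
    """Count (Actor, Action) pairs, for a periodic review of who did what."""
    return Counter((rec["Actor"], rec["Action"]) for rec in records)


def acted_on_other_user(records):
    """Records where Actor (who caused the action) differs from User
    (the account the action was applied to)."""
    return [rec for rec in records
            if rec["User"] and rec["User"] != rec["Actor"]]


if __name__ == "__main__":
    audit = load_audit(SAMPLE_CSV)
    review_time = datetime(2013, 9, 2, 12, 0, 0)
    for rec in filter_audit(audit, review_time, description="log"):
        print(rec["Date"], rec["Actor"], rec["Action"], rec["Description"])
    for (actor, action), count in sorted(actions_per_actor(audit).items()):
        print(actor, action, count)
```
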
System monitoring
Presentation
Introduction
System monitoring guarantees constant control of component status and license usage.
Content
This section includes the following topics:
System monitoring (Monitor)
System monitoring data (Monitor)
System monitoring (Monitor)
To monitor the system: Monitor section
Purpose
This function lets you:
• monitor system status in both hardware and software terms
• monitor licenses used compared to those purchased
• define the alerting group and alert e-mail addressee in the event of system alarms
Service call: contact your HackingTeam Account Manager if additional licenses are
required.
What the function looks like
This is what the page looks like:
Area Description
1 RCS menu.
Monitor indicates the current number of system alarms triggered.
2 Window toolbar.
Descriptions are provided below:
Icon Description
Defines the alerting group.
NOTE: the function is only enabled if the user has
User and group management authorization.
Loads a new license file.
NOTE: the function is only enabled if the user has
License modification authorization.
3 List of RCS components and their status:
Alarm (generates an e-mail sent to the alerting group)
Component running
4 License status.
5 RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 12.
For a description of the data in this window see "System monitoring data (Monitor)" on next page.
Define the alerting group or temporarily enable/disable it
To select the alerting group:
Step Action
1 Click Set System Alert.
2     - To turn off e-mail notifications, select None.
      or
      - To turn on group e-mail notifications, select Select a group to be alerted via email and the alerting group from the drop down menu. Each time a system alarm is triggered, the selected group will receive an e-mail with its description.
3     Click 53%.
Tip: to more simply and quickly group and manage users intended to receive RCS alarms, create an "alerting" group without linking it to an operation but containing all the users to be alerted in the event of alarm. See "User management" on page 20.
System monitoring data (Monitor)
System component monitoring data
System monitoring data is described below:
Data          Description
Type / Name   Monitored component type and name:
              - Network Controller
              - Anonymizer
              - Database
              - Collector
Address       Component's IP address.
Last contact  Last date-time.
Status        Component status at last
              - Alarm: the component is not running, contact the alerting group for immediate service.
              - Warning: the component signals a risky situation, contact the system administrator for necessary checks.
              - Component running.
CPU           % CPU use by the single process.
CPU Total     % CPU use by server.
Disk Free     % free disk space.
License monitoring data
License monitoring data is described below. For restricted licenses, the format is "x/y", where x is the amount of licenses currently used by the system and y the maximum amount of licenses.
If all the licenses are in use, any new agents will be put in queue until a license is freed or new ones purchased.
Data                Description
License type        Type of license currently in use for agents.
                    - reusable: an agent's license can be reused after it is uninstalled.
                    - oneshot: an agent's license is only valid for one installation.
                    NOTE: the license can only be updated if the user has License modification authorization.
Users               Amount of users currently used by the system and maximum admitted quantity.
Agents              Amount of agents currently used by the system and maximum admitted quantity.
Desktop / Mobile    Amount of desktop and mobile agents currently used by the system and maximum admitted quantities respectively.
Distributed server  Amount of database currently used by the system and maximum admitted quantity.
Collectors          Amount of Collectors currently used by the system and maximum admitted quantity.
Anonymizers         Amount of Anonymizers currently used by the system and maximum admitted quantity.
]HackingTeam[
RCS 9 Administrator's Guide
Administrator's Guide 1.4 SEP-2013
COPYRIGHT 2013
info@hackingteam.com
HT S.r.l.
via della Moscova, 13
20121 Milano (MI)
Italy
tel.: 39 02 29 060 603
fax: +39 02 63 113 946