Hacking Team RCS 9 Analyst’s Guide
Oct. 30, 2014
]HackingTeam[
RCS 9
The hacking suite for governmental interception
Analyst's Guide
Information ownership
COPYRIGHT 2013, HT S.r.l.
All rights reserved in all countries.
No part of this manual can be translated into other languages and/or
adapted and/or reproduced in other formats and/or mechanically,
electronically processed or photocopied, recorded or otherwise
without prior written authorization from HackingTeam.
All corporations and product names may be legal or registered
trademarks, property of their respective owners. Specifically Internet
Explorer™ is a Microsoft Corporation registered trademark.
Albeit text and images being selected with the utmost care,
HackingTeam reserves the right to change and/or update the
information hereto to correct typos and/or errors without any prior
notice or additional liability.
Any reference to names, data and addresses of companies not in the
HackingTeam is purely coincidental and, unless otherwise indicated,
included as examples to better clarify product use.
NOTE: requests for additional copies of this manual or product
technical information should be addressed to:
HT S.r.l.
via della Moscova, 13
20121 Milano (MI)
Italy
Tel.: 39 02 29 060 603
Fax: 39 02 63 118 946
e-mail: info@hackingteam.com
Contents
Glossary
Guide introduction
New guide features
Supplied documentation
Print concepts for notes
Print concepts for format
Product and guide addressees
Software author identification data
RCS (Remote Control System)
Differences between RCS 80 and RCS 16 versions
Glossary
RCS Console for the Analyst
Starting the RCS Console
What the login page looks like
Open RCS Console
Homepage description
Introduction
What it looks like
Shared interface elements and actions
What the RCS Console looks like
Actions always available on the interface
Change interface language or password
Converting the RCS Console date-time to the actual time zone
Table actions
Analyst's procedures
Introduction
Procedures
To retrieve important evidence and be alerted
Analyzing, selecting and exporting evidence
To process information obtained on people and places involved in the investigation
Operation and target
What you should know about operations
What is an operation
What you should know about targets
What is a target
Operation management
Purpose
What the function looks like
Analyst's Guide ver.1.4 SEP-2013 RCS 9 2013 © HT S.r.l.
To learn more
Viewing operation targets
Operation data
Operation page
Purpose
What the function looks like
To learn more
Operation page data
Targets
Target page
Purpose
What the function looks like
To learn more
Exporting target evidence
Target page data
Icon view
Table view
Agents
Agent page
Purpose
What the function looks like
To learn more
Agent event log data
Command page
Purpose
What the function looks like
To learn more
Agent log data
Evidence analysis
What you should know about evidence
Analysis process
Evidence accumulated in the device
Filtering evidence
Translating evidence
Delete evidence
.tgz file description with exported evidence
Evidence analysis (Evidence)
Purpose
What the function looks like
To learn more
Preparing evidence for analysis and export, tagging by relevance
Preparing evidence for analysis and export, tagging for the report
Preparing evidence for analysis and export adding personal notes
Analyzing evidence
Viewing counters divided by type
Exporting displayed evidence
Evidence data
Evidence details
Purpose
What the function looks like
To learn more
Image type evidence actions
Audio type evidence actions
Evidence export data
List of types of evidence
Exploring and retrieving evidence from online devices
What you should know about retrieving evidence
Description
File System components
Retrieve evidence from devices (File System)
Purpose
What the function looks like
To learn more
Exploring file system content and downloading files
Intelligence
What you should know about intelligence
Intelligence section license
What you should know about entities
Introduction
People involved in the investigation: Target entities and Person entities
The places involved in an investigation: Position entity and Virtual entity
Managing entities
Target entity
Person entity
Position entity
Virtual entity
What you should know about links
Introduction
Know links
Peer links
Managing Peer and Know links
Identity links
Managing Identity links
Link time value
What you should know about how intelligence works
Introduction
Intelligence process
Automatic Know link creation criteria
Automatic Peer link creation criteria with Target and Person entities
Automatic Peer link creation criteria with Position entities
Automatic Peer link creation criteria with Virtual entities
Automatic Identity link creation criteria with Target and Person entities
Intelligence operation management
Purpose
What the function looks like
To learn more
Viewing operation entities
Entity management: icon and table views
Purpose
What the function looks like
To learn more
Viewing entity details
Entity management: link view
Purpose
What the function looks like
To learn more
Viewing entity details
Merging two entities
Creating a link between two entities
Dynamically displaying evidence on links between entities
Entity management: Position view
Purpose
What the function looks like
To learn more
Viewing entity details
Creating a link between two entities
Dynamically displaying target movements
Target entity details
Purpose
What the function looks like
Analyst's Guide ver.1.4 SEP-2013 - RCS 9 - 2013 © HT S.r.l. - pag. iv
To learn more
Adding the target photo
Adding target identification data
Viewing frequently contacted people
Viewing most frequently visited websites
Connecting the Target entity with a frequently contacted person
Connecting the target to a frequently visited website
View the last acquired position
Viewing frequently visited places
Adding a Position entity visited by the target
Target entity details
Most contacted people table
Most visited websites table
Person entity details
Purpose
What the function looks like
To learn more
Adding a person's picture
Adding a person's identification data
Adding a Position entity visited by the entity
Position entity details
Purpose
What the function looks like
To learn more
Adding a picture of the site
Virtual entity details
Purpose
What the function looks like
To learn more
Adding an image of the web address
Adding web addresses to the entity
Monitoring the target's activities from the Dashboard
What you should know about the Dashboard
Dashboard components
Evidence alert process
Monitoring evidence (Dashboard)
Purpose
What the function looks like
To learn more
Adding an element to the Dashboard
Viewing evidence indicated in the Dashboard
Alert
What you should know about alerts
What are alerts
Alert rules
Alert rule application field
Alert process
Alerting
Purpose
What the function looks like
To learn more
Adding a rule to be alerted
Editing an alert rule
Adding a rule to automatically tag certain evidence or certain intelligence links between entities
Viewing events matching the logged alert
Alert data
Alert rule data
Log data
Glossary
The terms and their definitions used in this manual are provided below.
A
Accounting
Console section that manages RCS access.
acquisition sequence
Group of complex events, actions and acquisition modules that make up the advanced agent configuration.
Administrator
The person who enables user access to the system, creates work groups and defines operations, targets and the type of data to be collected.
Agent
Software probes installed on devices to monitor. They are designed to collect evidence and communicate it to the Collector.
alert rules
Rules that create alerts when new evidence is stored or agents communicate back for the first time.
Alerting
Console section that manages new evidence alerts.
alerting group
Group of users who receive notifications via mail whenever a system alarm is triggered (for example, when the database exceeds available free space limits). Normally this group is not linked to an operation.
Analyst
Person in charge of analyzing the data collected during operations.
Anonymizer
(optional) Protects the server against external attacks and permits anonymity during investigations. Transfers agent data to Collectors.
RCS 9 - Glossary
Audit
Console section that reports all users' and system actions. Used to monitor abuse of RCS.
back end
Environment designed to and save collected information. In distributed architecture, it includes Master Node and Shard databases.
BRAS
(Broadband Remote Access Server) routes traffic to/from DSLAM to the ISP network and provides authentication to the ISP subscribers.
BSSID
(Basic Service Set IDentifier) Access Point and its client identifier.
Collector
Receives data sent by agents directly or through the Anonymizer chain.
console
Computer on which the RCS Console is installed. It directly accesses the RCS Server or Master Node.
Dashboard
Console section used by the Analyst. Used to have a quick overview of the status of the most important operations, targets and agents.
DSLAM
(Digital Subscriber Line Access Multiplexer) network device, often located in the telephone exchanges of the telecommunications operators. It connects multiple customer digital subscriber line interfaces to a high-speed digital communications channel using multiplexing techniques.
entity
Group of intelligence information linked to the target and people and places involved in the investigation.
ESSID
(Extended Service Set IDentifier) Known as SSID, identifies the network.
evidence
Collected data evidence. The format depends on the type of evidence image}.
evidence alerts
Alerts, usually in the form of emails, sent to when new evidence matches the set rule.
factory
A template for agent configuration and compiling.
front end
Environment designed to communicate with agents to collect information and set their configurations. In distributed architecture, it includes the Collector and Network Controller.
injection rules
Settings that define how to identify HTTP traffic, what resource should be injected and what method is to be used for the injection.
Monitor
Console section that monitors components and license status.
Network Controller
Component that checks Network Injector and Anonymizer status and sends them new configurations and software updates.
Network Injector
Hardware component that monitors the target's network traffic and injects an agent into selected Web resources. It comes in two versions, Appliance or Tactical: the former is for deployment at the ISP, the latter for use on the field.
Network Injector Appliance
Rackable version of the Network Injector, for installation at ISP. See: Tactical Network Injector.
O
operation
Investigation aimed at one or more targets, whose devices will be recipients for agents.
RCS
(Remote Control System) the product documented hereto.
RCS Console
Software designed to interact with the RCS Server.
RCS Server
One or more computers, based on the installation architecture, where essential RCS components are installed: Shard databases, Network Controllers and Collector.
SSH
(Secure SHell) a network protocol for secure data communication, remote shell services or command execution.
System
Console section that manages the system.
System administrator
The person who installs the servers and consoles, updates software and restores data in case of faults.
Tactical Network Injector
The portable version of Network Injector, for tactical use. See: Network Injector Appliance.
TAP
(Test Access Port) a hardware device installed in a network that passively monitors the transmitted data flow.
target
The physical person under investigation.
Technician
The person assigned by the Administrator to create and manage agents.
VPS
(Virtual Private Server) a remote server where the Anonymizer is installed. Commonly available for rent.
WPA
(Wi-Fi Protected Access) WiFi network protection.
WPA 2
(Wi-Fi Protected Access) WiFi network protection.
Guide introduction
Presentation
Manual goals
This manual is a guide for the Analyst on how to use the RCS Console to:
• monitor the target
• explore target devices
• analyze and export evidence
Information on how to consult the manual is provided below.
Content
This section includes the following topics:
New guide features
Supplied documentation
Print concepts for notes
Print concepts for format
Product and guide addressees
Software author identification data
RC5 9 - New guide features
New guide features
List of release notes and updates to this online help.
Release date | Code | Software version | Description
30 September 2013 | Analyst's Guide 1.4 SEP-2013 | 9 | Updated documentation in the Intelligence section, see "Intelligence" on page 52. Updated the Analyst's procedures, see "Analyst's procedures" on page 15. Updated alert rule documentation, see "Alert" on page 33. Updated documentation due to improvements to the user interface. Improved the contents.
3 July 2013 | Analyst's Guide | 8.4 | No documentation update.
15 March 2013 | Analyst's Guide 1.3 2013 | 8.3 | Added the Intelligence section, see "Intelligence" on page 52. Added content export from all file type evidence formats. See "Evidence details" on page 43. A user license can be purchased to view evidence content in the interface language. See "Evidence analysis (Evidence)" on page 36 and see "Evidence details" on page 43.
15 October 2012 | Analyst's Guide 1.2 OCT-2012 | 8.2 | Added filter settings saving on evidence and simplified the Info filter on evidence. Added delete evidence. See "Evidence analysis (Evidence)" on page 36. If installed, the texts extracted from a screenshot type evidence can be viewed. See "Evidence details" on page 43.
30 June 2012 | Analyst's Guide 1.1 JUN-2012 | 8.1 | Different folder retrieve from disk. See "Retrieve evidence from devices (File System)" on page 49.
16 April 2012 | Analyst's Guide 1.0 APR-2012 | 8.0 | First publication
Supplied documentation
The following manuals are supplied with RCS software:
Manual | Addressees | Code | Distribution format
System Administrator's Guide | System administrator | System Administrator's Guide 1.4 SEP-2013 |
Administrator's Guide | Administrators | Administrator's Guide 1.4 SEP-2013 | PDF
Technician's Guide | Technicians | Technician's Guide 1.5 SEP-2013 | PDF
Analyst's Guide (this manual) | | Analyst's Guide 1.4 SEP-2013 | PDF
Print concepts for notes
Notes foreseen in this document are listed below (Microsoft Manual of Style):
WARNING: indicates a risky situation which, if not avoided, could cause user injury or equipment damages.
CAUTION: indicates a risky situation which, if not avoided, can cause data to be lost.
IMPORTANT: offers the indications required to complete the task. While notes can be neglected and do not influence task completion, important indications should not be neglected.
NOTE: neutral and positive information that emphasizes or adds information to the main text. They provide information that can only be applied in special cases.
Tip: suggestion for the application of techniques and procedures described in the text according to special needs. It may suggest an alternative method and is not essential to text comprehension.
Service call: the operation may only be completed with the help of technical
Print concepts for format
A key to print concepts is provided below:
Example | Style | Description
See "User data" | italic | indicates a chapter, section, sub-section, paragraph, table or illustration heading in this manual or other publication of reference.
 | | indicates text that must be specified by the user according to a certain syntax. In the example is a date and could be "1407i2011".
Select one of the listed servers | | indicates the object specified in the text that appears in the adjacent image.
Click Add. Select the File menu, Save data. | bold | indicates text on the operator interface, a graphic element (table, tab) or screen (button, display).
Press ENTER | UPPER CASE | indicates the name of keyboard keys.
See: Network Injector Appliance. | - | suggests you compare the definition of a word in the glossary or content with another word or content.
Product and guide addressees
Following is the list of professionals that interact with RCS.
Addressee | Activity |
System administrator | Follows the HackingTeam's instructions provided during the contract phase. Installs and updates RCS servers, Network Injectors and RCS Consoles. Schedules and manages backups. Restores backups if servers are replaced. WARNING: the system administrator must have the required necessary skills. The HackingTeam is not liable for equipment malfunctions or damages due to unprofessional installation. | Expert network technician
Administrator | Creates authorized accounts and groups. Creates operations and target. Monitors system and license status. | Investigation manager
Technician | Creates and sets up agents. Sets Network Injector rules | Tapping specialist technician
Analyst | Analyzes and exports evidence. | Operative
Software author identification data
HT S.r.l.
via della Moscova, 13
20121 Milano
Italy
Tel.: 39 02 29 060 603
Fax: 39 02 63 118 946
e-mail: info@hackingteam.com
RCS (Remote Control System)
Presentation
Introduction
RCS (Remote Control System) is a solution that supports investigations by actively and passively
tapping data and information from the devices targeted by the investigations. In fact, RCS
anonymously creates, sets and installs software agents that collect data and information, sending
the results to the central database to be and saved.
Content
This section includes the following topics:
Differences between RCS 8.0 and RCS 7.6 versions
Differences between RCS 8.0 and RCS 7.6 versions
Differences with the RCS 7.6 version are described below
Glossary
RCS v. 7.6 | RCS 8.0 and higher
Activity | Operation
Agent | Module
Anonymizer chain | Anonymizing chain
Backdoor | Agent
Backdoor Class | Factory
Collection Node | Collector
Injection Proxy Appliance | Network Injector Appliance
Log Repository | Master Node and additional Shard
Mobile Collection Node | Collector
 | Anonymizer
RCS Console for the Analyst
Presentation
The Analyst's role
The role of the Analyst is to:
- select and analyze evidence
- retrieve evidence from a device
- export evidence for the authorities
- organize device and other evidence in your possession to formulate solutions for the investigation
Analyst enabled functions
To complete his/her activities, the Analyst has access to the following functions:
- Operation
- Intelligence
- Dashboard
- Alerting
Content
This section includes the following topics:
Starting the RCS Console
Homepage description
Shared interface elements and actions
Analyst's procedures
Starting the RCS Console
When started, RCS Console asks you to enter your credentials previously set by the Administrator.
What the login page looks like
This is what the login page looks like:
[Figure: RCS Console login page]
Area Description
1 Title bar with command buttons:
- Close RCS Console.
- Expand window button.
- Shrink window button.
2 Login dialog window.
Open RCS Console
To open RCS Console functions:
Step Action
1 In Username and Password, enter the credentials as assigned by the Administrator.
2 In Server, enter the name of the machine or server address to connect to.
3 Click [icon]: the homepage appears with the menus enabled according to your account privileges. See "Homepage description" below.
Homepage description
To view the homepage: click [icon]
Introduction
The homepage is displayed when the RCS Console is started, and is the same for all users. Enabled
menus depend on the privileges assigned to the account.
What it looks like
This is what the homepage looks like, with recently opened items saved. For details on shared
elements and actions:
[Figure: RCS Console homepage]
Area Description
1 Title bar with command buttons.
2 RCS menu with functions enabled for the user.
3 Search box to search operations, targets, agents and entities, by name or description.
4 Links to the last five elements opened (operation in the Operations section, operation
in the Intelligence section, target, agent and entity).
Wizard buttons.
Logged in user with possibility of changing the language and password.
Download area with ability to view progress during export or compiling.
Current date and time with possibility of changing the time zone.
Shared interface elements and actions
Each program page uses shared elements and allows similar actions to be run.
For easier manual comprehension, elements and actions shared by some functions are described
in this chapter.
What the RCS Console looks like
This is what a typical RCS Console page looks like. A target page is displayed in this example:
[Figure: typical RCS Console page, showing a target page]
Area Description
1 Title bar with command buttons:
- Logout from RCS.
- Page refresh button.
- Expand window button.
- Shrink window button.
2 Return to homepage button.
RCS menu with functions enabled for the user.
3 Operation scroll bar. Descriptions are provided below:
- Back to higher level.
- Show the operation page (Operations section).
- Show the target page.
- Show the factory page.
- Show the agent page.
- Show the operation page (Intelligence section).
- Show the entity page.
4 Buttons to display all elements regardless of their group membership. Descriptions
are provided below:
- Show all operations.
- Show all targets.
- Show all agents.
- Show all entities.
5 Window toolbar.
Area Description
6 Search buttons and box:
- Search box. Enter part of the name to display a list of elements that contain the entered letters.
- Display elements in a table.
- Display elements as icons.
7 Logged in user with possibility of changing the language and password.
8 Download area with ability to view progress during export or compiling. Files are
downloaded to the desktop in RCS Download folder.
- top bar: percent generation on server
- bottom bar: percent download from server to RCS Console.
9 Current date and time with possibility of changing the time zone.
Actions always available on the interface
Change interface language or password
To change the interface language or password:
Step Action
1 Click [icon] to display a dialog window with the user's data.
2 Change the language or password and click Save to confirm and exit.
Converting the RCS Console date-time to the actual time zone
To convert all dates-times to the actual time zone:
Step Action
1 Click [icon] to display a dialog window with the current date-time:
UTC time: Greenwich mean time (GMT)
Local Time: date-time where the RCS server is installed
Console time: date-time of the console used and which can be converted.
2 Change the time zone and click Save to confirm and exit: all displayed dates-times
are converted as requested.
Table actions
The RCS Console displays various data in tables. Tables let you:
- sort data by column in increasing/decreasing order
- filter data by column
Action | Description
Sort by column | Click on the column heading to sort that column in increasing or decreasing order.
Filter a text | Enter part of the text you are searching for: only elements that contain the entered text appear. [Figure: Info column filter] The example shows elements with descriptions like: "myboss", "bossanova"
Filter based on an option | Select an option: the elements that match the selected option appear. [Figure: Acquired filter with options Last 24 Hours, Last Week, From/To]
Filter based on several options | Select one or more options: the elements that match all selected options appear. [Figure: filter with options Untagged, Low, High, Critical]
Change the column size | Select the edge of the column and drag it.
Analyst's procedures
Introduction
The goal of the Analyst is to provide valid evidence for the investigation in progress. Evidence is:
- directly retrieved from the device through physical access
- received from the installed agent
To do this, the Analyst can perform the following procedures:
Procedures
To retrieve important evidence and be alerted
To select and retrieve important evidence:
Step Action
1 In the File System section, during remote tapping, explore the device hard disks
searching for files to be downloaded. See "Retrieve evidence from devices (File
System)" on page 49
2 In the Dashboard section, add the operation, targets and agents to be monitored to
the dashboard.
See "Monitoring evidence (Dashboard)" on page 85
3 In the Alerting section, set rules to be alerted when evidence of special interest
arrives and to tag evidence according to relevance. See "Alert" on page 88.
Analyzing, selecting and exporting evidence
To analyze, select and export evidence:
Step Action
1 In the Evidence section, analyze evidence and tag them according to relevance and
whether or not they are to be exported.
See "Evidence analysis (Evidence)" on page 36.
For evidence of special interest, move on to detailed analysis.
See "Evidence details" on page 43
In the Evidence section, export useful evidence.
See "Evidence analysis (Evidence)" on page 36.
In the File System section, export the hard disk structure
See "Retrieve evidence from devices (File System)" on page 49
To process information obtained on people and places involved in the investigation
To process information obtained on people and places involved in the investigation:
Step Action
1 In the Intelligence section, view and manage entities in an operation.
See "Entity management: icon and table views" on page 60, "Entity management:
link view" on page 62, "Entity management: Position view"
Viewing or editing entity details. See "Target entity details",
"Person entity details", "Position entity details" on page 79, "Virtual
entity details" on page 81. See "Evidence details" on page 43
In the Alerting section, build rules to be alerted when the system automatically
creates new entities and new links and to tag links according to their relevance.
See "Alerting" on page 90
Operation and target
Presentation
Introduction
Managing operations sets the targets to be tapped.
Content
This section includes the following topics:
What you should know about operations
What you should know about targets
Operation management
Operation data
Operation page
Operation page data
What you should know about operations
What is an operation
An operation is an investigation to be conducted. An operation contains one or more targets,
meaning the physical individuals to be tapped. The Technician assigns one or more agents,
desktop or mobile, to the target. Thus the agent can be installed on a computer or mobile phone.
What you should know about targets
What is a target
A target is the physical person to be investigated. The Technician assigns one or more agents,
desktop or mobile, to the target. Thus the agent can be installed on a computer or mobile phone.
Operation management
To manage operations: Operations section
Purpose
This function lets you:
- add the operation to the elements to be monitored
NOTE: the function is only enabled if the user has Operation management authorization.
What the function looks like
This is what the page looks like:
[Figure: Operations section page]
Area Description
1 RCS menu.
2 Scroll bar.
3 Window toolbar.
Descriptions are provided below:
- Add the operation to the dashboard.
4 List of created operations:
- Open operation. If targets were set and agents correctly installed, collected
evidence is received.
- Closed operation. All targets are closed and agents uninstalled. All its targets
and evidence can still be viewed.
5 Selected operation data.
6 RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 11.
For a description of the data in this window see "Operation data" on the facing page.
For more information on operations see "What you should know about operations" on previous
page.
Viewing operation targets
To view operation targets:
Step Action
1 Double-click an operation: the target management page opens.
See "Operation page" below.
Operation data
Selected operation data is described below:
Data Description
Name Operation name.
Description User's description.
Contact Descriptive field used to define, for example, the name of a contact person (Judge,
Attorney, etc.).
Status Operation status and close command:
OPEN: the operation is open. If targets were set and agents correctly installed,
RCS receives the collected evidence.
CLOSED: the operation is closed and cannot be re-opened. Agents no longer send
data but evidence already received can still be viewed.
Groups Groups that can see the operation.
Operation page
To view an operation: Operations section, double-click an operation
Purpose
This function lets you:
• add the target to the elements to be monitored
What the function looks like
This is what the page looks like:
Area Description
1 RCS menu.
2 Scroll bar.
3 Window toolbar. Descriptions are provided below:
Icon Function
Add the target to the dashboard.
Open the target entity page in intelligence.
4 Target list:
Open target
Closed target
5 Selected target data.
6 RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 11.
For more information on operations see "What you should know about operations" on page 18.
For a description of the data in this window see "Operation page data" below.
Operation page data
Selected target data is described below:
Data Description
Name Target name.
Description User's description.
Status Defines the target's status:
Open. If the Technician correctly installs agents, RCS receives the collected
evidence.
Closed, it can no longer be opened.
Targets
Presentation
Introduction
A target is a physical person to be monitored. Several agents can be used, one for each device
owned by the target.
Content
This section includes the following topics:
Target page
Target page data
Target page
To open a target: Operations section, double-click an operation, double-click a target
Purpose
This function lets you:
• export target evidence
• open an installed agent
• open agent evidence
• explore the agent device
What the function looks like
This is what the page looks like:
Area Description
1 RCS menu.
2 Scroll bar.
3 Window toolbar. Descriptions are provided below:
key displays elements in a list with their data.
Icon Function
Adding the agent to the dashboard.
Adding the agent to alerts: an alert is generated at each
Export target evidence in .tgz format.
NOTE: the function is only enabled if the user has Evidence export authorization.
Open the target entity page in intelligence.
4 Icons/list of created factories and installed agents.
agent in demo mode.
scout agent awaiting verification.
5 Selected factory or agent data.
6 RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 11.
For a description of the data in this window see "Target page data" on next page.
Exporting target evidence
To export evidence:
Step Action
1 Click Export Evidence: the export window opens.
2 Click Ok: evidence is saved in the specified folder.
Target page data
To view page data: Operations section, double-click an operation, double-click a target,
click Icon view or Table view
Page elements can be viewed as icons or a table.
Icon view
Icons are described below:
Data Description
Desktop agent types, in Open status, for operating systems:
• OS
• Windows
Mobile agent types, in Open status, for operating systems:
• Android
• BlackBerry
• Symbian
• Windows Mobile
NOTE: icons are light grey for CLOSED agents. This is the icon for a mobile agent for
Android in Closed status.
NOTE: the scout agent displays a compass next to the device icon. This icon is a Windows
desktop scout agent.
Table view
Data is described below:
Data Description
Name Factory or agent name.
Description Factory or agent description.
Status Open: the agent is still active on the device and can continue to send data.
Closed: the agent is no longer active.
NOTE: a closed agent cannot be reopened. Data in RCS can still be viewed.
Type Desktop or mobile type.
Platform (agent only) Operating system on which the agent is installed.
Version (agent only) Agent version. A new version is created when a new configuration is
created.
Last (agent only) Date and time of the last agent
Ident (agent only) Univocal agent identification.
Instance (agent only) Univocal identification of the device where the agent is installed.
Agents
Presentation
Introduction
Agents acquire data from the device on which they are installed and send it to the RCS Collectors.
Their configuration and software can be updated and they can transfer files unnoticed to the
target.
Content
This section includes the following topics:
Agent page
Agent event log data
Command page
Agent log data
Agent page
To manage agents: Operations section, double-click an operation, double-click a target, double-click an agent
Purpose
This function lets you:
• check agent activities via the event log
• view evidence collected by the agent
• explore the file system and transfer files from the device where the agent is installed
What the function looks like
This is what the page looks like:
Area Description
1 RCS menu.
2 Scroll bar.
3 Window toolbar.
Icon Description
Export agent evidence.
NOTE: the function is only enabled if the user has Evidence export authorization.
Adding the agent to the dashboard.
Adding the agent to alerts: an alert is generated at each
4 Possible actions on the agent. Descriptions are provided below:
Icon Description
Show the list of evidence collected by the agent. See "Evidence analysis (Evidence)" on page 36.
Show the device file system. See "Retrieve evidence from devices (File System)" on page 49.
Show the agent event log (info). See "Agent event log data" below.
Show the results of commands run on the device using Execute actions. See "Command page" on next page.
Show the agent log. See "Agent log data" on page 32.
5 Agent details.
6 RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 11.
Agent event log data
Descriptions are provided below:
Field Description
Acquired Date-time of the event acquired on the device.
It can be filtered. Last 24 hours is set by default.
Received Date-time of the event logged in RCS.
It can be filtered. Last 24 hours is set by default.
Content Status information sent by the agent.
Command page
To manage command results: Operations section, double-click an operation, double-click a target, double-click an agent,
double-click Commands
Purpose
This function lets you:
• check the results of commands run with the Execute action set on the agent
• check executable file results run during file transfer to/from the agent
What the function looks like
This is what the page looks like:
Area Description
1 RCS menu.
2 Scroll bar.
3 Window toolbar.
Descriptions are provided below:
Icon Description
Export the selected command to a .txt file.
Delete the selected commands.
NOTE: the function requires a user license and is only enabled if the user has
Evidence deletion authorization.
Show selected command details.
5 Command list based on set filters.
5 RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 11.
Agent log data
Descriptions are provided below:
Field Description
Acquired date-time.
It can be filtered. Last 24 hours is set by default.
IP IP address used for
Address Site where connection was established.
Evidence analysis
Presentation
Introduction
Evidence analysis on the list or detailed level, select evidence to be exported to the authorities.
Content
This section includes the following topics:
What you should know about evidence
Evidence analysis (Evidence)
Evidence data
Evidence details
Evidence export data
List of types of evidence
What you should know about evidence
Analysis process
The analysis process is described below:
Phase Description
1 As the system collects evidence from the agent, it displays and updates the total
counter.
2 The Analyst views all evidence and tags it for easy table consultation and
subsequent export.
3 The Analyst analyzes incoming evidence details.
4 At the end of the investigation or upon request, the Analyst exports evidence to a
file that can be viewed in a browser.
Evidence accumulated in the device.
Evidence is sent by the agent to the Collector in order of creation. If a device rarely
or has a limited bandwidth, evidence probably accumulates on the device and it will take a long
time before the most recent data is received.
The same may happen if large-sized evidence is in queue: the most recent evidence can only be
sent after having sent this evidence.
For this reason, we suggest you delete older evidence and/or evidence that exceeds a certain size.
Evidence is deleted at the next
See "Agent page" on page 29.
Filtering evidence
Column heading filters can be used to limit the amount of evidence viewed.
See "Shared interface elements and actions" on page 11.
IMPORTANT: if no evidence is displayed, check the counter at the bottom right. If a
value like is displayed, this means that there is a filter set that prevents
evidence from being displayed.
The selected filters can be saved with a short description to be used later.
IMPORTANT: if private filters are set, they cannot be used by other users.
Translating evidence
The RCS Translate module is available upon special license to translate evidence. In fact, it
communicates with a third party translation software that returns text translated into the
interface language.
RCS Translate translates the following types of evidence:
• clipboard
• chat
• file
• keylog
• message
• screenshot
The translation is displayed in the page with the evidence list and the single piece of evidence
detail page.
Delete evidence
This function deletes one or more pieces of evidence no longer deemed useful. This function
depends on the type of license installed.
Filters can be used to select the evidence to be deleted (similar to selecting evidence to be
exported).
IMPORTANT: the filter only appears when the Delete and ALT keys are pressed
simultaneously.
.tgz file description with exported evidence
The exported .tgz file is a compressed file that can be opened with most compression programs
(WinZip, WinRar). Once unzipped, it looks like a folder with an HTML file.
To view the file:
Step Action
1 Open index.html with a browser: the homepage displays the list of days with
collected evidence statistics per hour.
2 Click on a day: the list of evidence appears, similar to the one displayed in the
Evidence function.
3 The following actions can be performed from this list:
• on images: click to view the full image
• on audio: click to run the mini player
• on downloadable files: click to download the file
Tip: there are style sheets in the Style folder for customizations (logos, etc.). These
style sheets can be copied to the server to be used on all reports generated by the RCS
Console.
Evidence analysis (Evidence)
To analyze evidence:
• Operations section, double-click an operation, double-click a target, click Evidence
• Operations section, double-click an operation, double-click a target, double-click an agent,
click Evidence
Purpose
This function lets you:
• prepare evidence for analysis, tag it by level of relevance, send it to a report or add
personal notes
• view evidence of interest by filtering the list
• translate evidence content into the interface language (optional)
• superficially analyze evidence from the list or entering in detail for more thorough
analysis
• export evidence
What the function looks like
This is what the page looks like:
Area Description
1 RCS menu.
2 Scroll bar.
3 Window toolbar. Descriptions are provided below:
Icon Description
Show selected evidence details. See "Evidence details" on page 43.
Show the total quantities by evidence type.
Export selected evidence to a .tgz file.
NOTE: the function is only enabled if the user has Evidence export authorization.
Delete selected evidence.
Tip: to delete a set of evidence according to certain criteria (data range)
simultaneously press ALT and this button: a window appears where you can set
evidence deletion criteria. For field descriptions see "Evidence export data"
on page 46; fields are similar.
NOTE: the function requires a user license and is only enabled if the user has
Evidence deletion authorization.
Apply a level of relevance to the selected evidence.
Apply a bookmark to the selected evidence.
Edit selected evidence notes.
Show evidence ID codes.
Saves currently selected filters or loads previously saved filter settings.
Clear all set filters.
View content in the interface language.
NOTE: this function requires a user license.
4 Evidence list based on set filters.
5 RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 11.
For a description of the data in this window see "Evidence data" on page 41.
For a description of exportable data see "Evidence export data" on page 46.
For more information on evidence see "What you should know about evidence" on page 34.
To view a list of evidence types see "List of types of evidence" on page 46.
Preparing evidence for analysis and export, tagging by relevance
To assign levels of relevance to evidence, helpful for display and export:
Step Action
1 Select one or more pieces of evidence.
2 • Drag Relevance to the required position
or
• Press the corresponding key combination.
3 Result: the single pieces of evidence are tagged with a symbol according to their level of relevance. Evidence can be filtered by this symbol and included/excluded from export.
Preparing evidence for analysis and export, tagging for the report
To include/exclude evidence in a report and filter for viewing:
Step Action
1 Select one or more pieces of evidence.
2 • Click Add Report
or
• press
3 Result: single pieces of evidence are bookmarked. Evidence can be filtered by this symbol and included/excluded from export.
Preparing evidence for analysis and export, adding personal notes
To add personal notes to one or more pieces of evidence:
Step Action
1 Select one or more pieces of evidence.
2 • Click Edit Note
or
• press
3 Result: the Notes field can be edited. If several pieces of evidence are selected, the entered text will be copied to all other Note fields.
Analyzing evidence
To quickly or thoroughly analyze evidence:
Step Action
1 Analyze the evidence preview. For example, a mini player can be run for audio files to understand whether the evidence is of interest.
2 Double-click evidence: evidence details appear. See "Evidence details" on page 43.
Viewing counters divided by type
To view the total amount of evidence divided by type:
Step Action
1 Click Show Summary: the evidence type symbols appear, each with its own counter.
2 Click Hide Summary to hide counters.
Exporting displayed evidence
To select some pieces of evidence and export them:
Step Action
1 First tag evidence by level of relevance and by whether it should be included in the report (Add report key).
2 Continue selections using the column heading filters on homogeneous groups of evidence (Included in report column).
3 Click Export Evidence: indicate which evidence is to be included/excluded. Evidence that meets the selected criteria and has the Included report field flagged is exported. See "Evidence export data" on page 46.
4 Click Save: a .tgz file is created and downloaded in folder RCS Download.
Evidence data
Evidence data is described below for both the agent and target:
Data Description
Acquired Date-time evidence was acquired.
It can be filtered. Last 24 hours is set by default.
Received Date-time evidence was logged in RCS.
It can be filtered. Last 24 hours is set by default.
Tip: this data is helpful when you suspect that the target device's date-time is not updated and thus the Acquired date-time is not valid.
Relevance Level of evidence relevance, automatically assigned by alert rules or manually assigned in this list. The level of relevance is set using:
• the Relevance command in the menu
• short-cut keys
Short-cut key list:
Icon Short-cut keys Description
Maximum relevance
Intermediate relevance
Normal relevance
Minimum relevance
No relevance
Type Type of evidence to be selected. See "List of types of evidence" on page 46.
Info Evidence information: text, images, video, audio and so on. Each piece of information is accompanied by various fields (field content, program).
It can be filtered by simply indicating the full search word or full field name and search word.
For example:
• "boss" searches for the word "boss" or "Boss" in all fields
• while "content:boss" searches for the word "boss" or "Boss" in content fields only.
Notes Notes entered by the Analyst using:
• Edit Note menu
• short-cut key
Report Bookmark that indicates that evidence may be included/excluded during export. The bookmark is set using:
• Add Report menu
• short-cut key
Agent (only for target evidence) Name of the agent that logged the evidence.
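The tip on the Acquired and Received fields above reflects a general forensic point: a timestamp taken from the monitored device's clock is untrusted, while the server-side receipt time is not. The following Python code is an added example, not part of the manual or the product; the row layout, thresholds, verdict labels and function names are assumptions. It flags records whose Acquired value cannot be right, derives a lower bound on how far the device clock ran ahead, and orders a timeline by Received for the flagged records.

```python
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample rows (not real data): (id, Acquired, Received), both in UTC.
SAMPLE_ROWS = [
    ("ev-001", "2013-09-10 08:00:05", "2013-09-10 08:02:11"),  # normal delivery delay
    ("ev-002", "2013-09-10 09:30:00", "2013-09-10 09:12:40"),  # acquired "after" receipt
    ("ev-003", "2013-09-10 10:05:00", "2013-09-10 09:41:00"),  # acquired "after" receipt
    ("ev-004", "2011-01-01 00:03:20", "2013-09-10 08:30:00"),  # clock reset to a default date
]


def _parse(ts):
    """Parse a 'YYYY-MM-DD HH:MM:SS' string as an aware UTC datetime."""
    return datetime.strptime(ts, FMT).replace(tzinfo=timezone.utc)


def assess(rows, tolerance=timedelta(seconds=30), max_lag=timedelta(days=30)):
    """Return {id: verdict} by comparing the device time with the server time.

    lag = Received - Acquired. A negative lag beyond `tolerance` is impossible
    with a correct device clock. A lag above `max_lag` means the clock was
    behind or the record sat on the device for a long time; it is flagged
    for review, not proven wrong.
    """
    verdicts = {}
    for ev_id, acquired, received in rows:
        lag = _parse(received) - _parse(acquired)
        if lag < -tolerance:
            verdicts[ev_id] = "acquired-after-received"
        elif lag > max_lag:
            verdicts[ev_id] = "implausibly-old"
        else:
            verdicts[ev_id] = "plausible"
    return verdicts


def min_clock_lead(rows):
    """Lower bound on how far the device clock ran ahead of the server.

    A record cannot be received before it exists, so the largest positive
    (Acquired - Received) is the minimum the clock must have been ahead.
    The real offset may be larger because delivery delay is unknown.
    """
    leads = [_parse(a) - _parse(r) for _, a, r in rows]
    return max(max(leads, default=timedelta(0)), timedelta(0))


def timeline(rows):
    """Return ids ordered by Acquired when plausible, otherwise by Received."""
    verdicts = assess(rows)

    def effective_time(row):
        ev_id, acquired, received = row
        return _parse(acquired) if verdicts[ev_id] == "plausible" else _parse(received)

    return [row[0] for row in sorted(rows, key=effective_time)]


if __name__ == "__main__":
    for ev_id, verdict in assess(SAMPLE_ROWS).items():
        print(ev_id, verdict)
    print("device clock ahead by at least", min_clock_lead(SAMPLE_ROWS))
    print("timeline:", timeline(SAMPLE_ROWS))
```

Sorting the same rows on Acquired alone would put ev-004 first, two years before everything else, which is why the fallback to Received matters for flagged records.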
Evidence details
To view evidence details:
• Operations section, double-click an operation, double-click a target, click Evidence, double-click a piece of evidence
• Operations section, double-click an operation, double-click a target, double-click an agent, click Evidence, double-click a piece of evidence
Purpose
This function lets you analyze single evidence details. The interface changes according to the type
of evidence - text, audio, image or map.
NOTE: the function is only enabled if the user has Evidence editing authorization.
What the function looks like
This is what audio evidence details look like:
[Screenshot of audio evidence details]
Area Description
1 RCS menu.
2 Scroll bar.
3 Evidence action keys.
Icon Description
Closes the details and returns to the evidence list. See "Evidence analysis (Evidence)" on page 36.
Show the total quantities by evidence type.
Exports evidence to a .tgz file.
Deletes evidence.
NOTE: the function requires a user license and is only enabled if the user has Evidence deletion authorization.
Applies a level of relevance.
Applies a bookmark.
Edits the notes.
Displays the ID code.
Saves currently selected filters or loads previously saved filter settings.
Clear all set filters.
View content in the interface language.
NOTE: this function requires a user license.
4 Evidence details. Analysis keys appear according to the type of evidence (audio, image, video).
5 Evidence detail data.
5 RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 11.
For more information on evidence see "What you should know about evidence" on page 34.
For a description of the data in this window see "Evidence data" on page 41.
Image type evidence actions
Actions that can be run on image evidence are described below:
Icon Description
(screenshot and file type evidence only) Shows the extracted text.
NOTE: if the unavailable" message appears, this means that the document has not yet been converted and indexed. If the button is not displayed, this means that this function was not installed. Contact your system administrator.
(screenshot type evidence only) Return to image view.
Full screen view.
1:1 Actual image size view.
Expand and shrink image.
Rotate image.
Anti alias Reduces the image scaling effect.
The image becomes the intelligence entity default image (if the intelligence module is installed).
Audio type evidence actions
Actions that can be run on audio evidence are described below:
Icon Description
Volume adjustment.
Start, pause and stop audio.
Volume balance on local (target) and remote source (speaker).
Evidence export data
Data required to export evidence is described below.
IMPORTANT: only evidence that meets the specified criteria will be exported!
Data Description
From, To Time range for the evidence to be exported.
Acquired It considers the date as the evidence acquisition date on the target device.
Received It considers the date as the evidence receipt date.
Relevance Level of relevance for the evidence to be exported.
Type Types of evidence to be exported.
NOTE: when no type of evidence is selected, RCS automatically exports all types.
Report If selected, only evidence with the Report field selected will be exported. Notes can be included or excluded from the export.
Report Name Exported file name. By default, RCS names the file as follows:
Evidence exported from page   File name
Target   target name - agent name - Evidence Export.tgz
Agent   agent name - Evidence Export.tgz
List of types of evidence
Available types of evidence are described below:
Module   File type   Description
Accessed files   text   (desktop only) documents or images opened by the target.
Addressbook   text   contacts.
Application   text   applications used.
Calendar   text   calendar.
Call   audio   calls (phone, Skype,
Camera   image   webcam images.
Chat   text   chat.
Clipboard   text   information copied to the clipboard.
Device   text   system information.
File   text   files opened by target.
File system   text   hard disk that can be explored in the File System function. See "Retrieve evidence from devices (File System)" on page 49.
   text   information provided by the agent and defined in settings.
Keylog   text   keys pressed on the keyboard.
Messages   text   e-mail.
Mic   audio   audio.
Mouse   image   mouse click.
Password   text   password.
Position   image   target's geographic position.
Print   image   printed pages.
Screenshot   image   images on the target's screen.
URL   text   visited websites.
7
Exploring and retrieving evidence from online devices
Presentation
Introduction
Gradual device exploration lets you find and download evidence of interest.
Content
This section includes the following topics:
What you should know about retrieving evidence
Retrieve evidence from devices (File System)
What you should know about retrieving evidence
Description
The function shows the Filesystem tree structure of the device where the agent is installed (or several devices if exploring a target Filesystem).
The Filesystem tree structure can be gradually explored, first reading the first level structure (Retrieve default command) and then exploring folders, followed by reading or re-reading the selected folder (Retrieve subtree command).
Once the concerned file is found, it can be downloaded and saved as file evidence (Download command).
NOTE: a folder is read or a file is downloaded after
File System components
The structure of each device shows the folders to be explored and those explored:
Example Description
Device root.
Folder not yet explored.
Explored folder.
Retrieve evidence from devices (File System)
To manage the device File System:
• Operations section, double-click an operation, double-click a target, click File System
• Operations section, double-click an operation, double-click a target, double-click an agent, click File System
Purpose
This function lets you:
• explore the Filesystem tree structure of the device where the agent is installed (or several devices if exploring a target Filesystem)
• select the file to be added to the agent's download queue
• export the explored structure (file system)
NOTE: the function is only enabled if the user has File system browsing on agent authorization.
What the function looks like
This is what the page looks like:
[Screenshot of the File System page]
Area Description
1 RCS menu.
2 Scroll bar.
3 Window toolbar. Descriptions are provided below:
Icon Description
Export the complete structure to a .tgz file.
Download the selected file to File type evidence.
Explore the selected folder content.
Request the first level disk structure.
View the list of currently suspended Filesystem requests awaiting next synchronization.
4 Device hard disk structure.
5 RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 11.
For more information on exploring the file system see "What you should know about retrieving evidence" on page 49.
Exploring file system content and downloading files
To explore content and download content of interest:
Step Action
1 Select a folder.
2 • Click Retrieve and set the level of depth of sub-folders
• Click Save: the structure of the sub-folders up to the required level will be returned at the next
Tip: request a few levels at a time, proceed gradually.
3 Repeat steps 1-2 on the sub-folders to be explored.
4 After identifying the file of interest, select it and click Download: the file will be downloaded as File type evidence at the next
Intelligence
Presentation
Introduction
The section lets you represent interactions between targets at a high level, matching evidence received by agents with other information already possessed.
Content
This section includes the following topics:
What you should know about intelligence
Intelligence operation management
Entity management: icon and table views
Entity management: link view
Entity management: Position view
Target entity details
Target entity details
Person entity details
Position entity details
Virtual entity details
What you should know about intelligence
Presentation
Introduction
The Analyst processes the investigation information in his/her possession in the Intelligence section.
The people under investigation, other people and places involved in the investigation are
represented by entities. The relations between people and between people and places are
represented as links between entities.
The system creates new entities and new links between entities based on the evidence received
from target devices. The analyst interprets and organizes this information, adding, editing or
deleting entities according to the evolution of the investigation.
Intelligence section license
Intelligence functions are sold under license.
Without a user license the analyst can only use the Intelligence section to view and add details on
targets in the operation; the system does not process information based on collected evidence.
The only entities included are the Targets and they can only be viewed as icons or in tables, see "Entity management: icon and table views" on page 60.
To learn more
See "What you should know about entities" below.
See "What you should know about links" on page 55.
See "What you should know about how intelligence works" on page 56.
What you should know about entities
Introduction
The entity represents a person or place involved in an investigation.
Each entity is defined by detailed information that allows the system to identify relations between entities.
People involved in the investigation: Target entities and Person entities
The system defines two types of entities to represent the people involved in an investigation:
• Target type, for the people being tapped
• Person type, for the people not being tapped
The places involved in an investigation: Position entity and Virtual entity
The system defines two types of entities to represent the places involved in an investigation:
• Position type, physical sites
• Virtual type, virtual sites like web pages
Managing entities
The analyst manages entities so they represent the evolution of the investigation, thus:
• adds entities to monitor other people and places deemed of interest
• adds details to the entities to provide new data to the system to identify relations
between entities
• eliminates entities when the people or places are deemed insignificant to the investigation
Target entity
The Target entity is automatically created when the target is created in the Operations section.
The name and description are the same ones assigned in the Operations section.
NOTE: Target entities cannot be eliminated from the Intelligence section. To eliminate
them, targets must be eliminated from the Operations section.
NOTE: the Target name and description can be changed without any impact on the
Operations section.
The system adds Target entity details with information gathered from evidence (photos, most
frequently contacted people). The analyst can add other information in his/her possession. See
"Target entity details" on page 71.
Person entity
The Person entity can be manually created by the analyst or automatically by the system.
The Person entity is defined by IDs s/he uses to communicate, by phone or internet (phone
number, Skype contact).
NOTE: the more information in the entity detail sheet, the higher the probability the
system identifies links between that entity and other entities.
See "Person entity details" on page 77.
Position entity
The Position entity can be manually created by the analyst or automatically by the system.
The Position entity is defined by the geographic coordinates (latitude and longitude) or address of
the site that it represents and a range of precision.
NOTE: the range of precision must be suited to the type of place (50-100m for a
building, much more for a park).
See "Position entity details" on page 79.
Virtual entity
The Virtual entity must be manually created by the Analyst.
The Virtual entity is defined by one or more URL addresses for the web page it represents.
See "Virtual entity details" on page 81.
What you should know about links
Introduction
A link is a relationship between entities. There can be only one link between two entities.
There are three types of links:
• Know
• Peer
• Identity
Know links
Know links represent a know type relationship. Two entities have a Know link when at least one of
the two has the other in his/her address book.
A Know link can be directional or bi-directional.
Peer links
Peer links indicate that there was a contact between the two entities.
Two entities that represent people have a Peer link when there was a direct communication
between the two entities (phone call, chat). The relationship can be directional or
bi-directional.
An entity that represents a person and one that represents a place have a Peer link when the
person was in that place (physical or on the web). The relationship is only directional: from the
entity that represents a person to the one that represents a place.
Peer links represent a stronger relationship than Know links, thus they replace any Know link
between the entities.
Managing Peer and Know links
The analyst manages links so they represent the evolution of the investigation, thus:
• adds or edits links between two entities when in possession of information that proves a
relationship between the two
• assigns a level of relevance to links to represent the relationship's relevance in the
investigation
• deletes links when in possession of information that proves the lack of relations or that the
relationship is insignificant to the investigation.
Identity links
Identity links represent a suggestion of an identity relationship between two entities that
represent people. This type of link is automatically created by the system when the two entities
share at least one identification (phone number).
Identity links do not have directions.
Managing Identity links
The analyst must decide the reason for identity links and how to act accordingly:
• if they are the same person, the two entities must be merged;
• if they are two different people that used the same identification, the shared identification
must be deleted from one of the entities and the link eliminated.
Link time value
Links are the result of an automatic or manual process completed at a certain time. However, the
time the link is created, meaning when the first relationship was formed between entities, is only
logged for Peer links automatically created by the system.
This way, an analysis period can be selected to see when certain relationships were created.
For the other links, once they are created (automatically or manually) they are considered as
created at the beginning by the system.
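The link rules in this section (one link per pair, Peer replacing Know, person-to-place direction, Identity suggestions from a shared identification, and the merge-or-delete decision with a Target surviving a merge) can be modelled in a short data structure, which shows how much relationship structure address-book and contact metadata alone expose. This is an added sketch, not code from RCS or from the guide; the class and function names, the sample entities and identifications, the restriction of Know links to people and the re-pointing of links on merge are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime
from itertools import combinations
from typing import Optional

PEOPLE = {"Target", "Person"}        # entity types that represent people
PLACES = {"Position", "Virtual"}     # entity types that represent places
STRENGTH = {"Know": 1, "Peer": 2}    # Peer is stronger and replaces Know

@dataclass
class Entity:
    name: str
    kind: str
    identifiers: set = field(default_factory=set)

@dataclass
class Link:
    kind: str                                      # "Know" or "Peer"
    directions: set = field(default_factory=set)   # {(source, destination), ...}
    first_seen: Optional[datetime] = None          # kept for Peer links only

class LinkGraph:
    def __init__(self):
        self.entities = {}
        self.links = {}   # frozenset({a, b}) -> Link, so a pair holds one link

    def add_entity(self, name, kind, identifiers=()):
        if kind not in PEOPLE | PLACES:
            raise ValueError(f"unknown entity type: {kind}")
        self.entities[name] = Entity(name, kind, set(identifiers))

    def observe(self, kind, src, dst, when=None):
        """Apply one piece of Know or Peer evidence pointing from src to dst."""
        a, b = self.entities[src], self.entities[dst]
        if src == dst or a.kind in PLACES:
            raise ValueError("a link starts at a person and ends at another entity")
        if kind == "Know" and b.kind in PLACES:
            # Assumption: Know links join people only (defined via address books).
            raise ValueError("Know links join people only")
        key = frozenset((src, dst))
        link = self.links.get(key)
        if link is None or STRENGTH[kind] > STRENGTH[link.kind]:
            link = self.links[key] = Link(kind)   # new link, or Peer replacing Know
        elif STRENGTH[kind] < STRENGTH[link.kind]:
            return link                           # Know never downgrades a Peer link
        link.directions.add((src, dst))           # a second direction makes it bi-directional
        if kind == "Peer" and when is not None:
            link.first_seen = min(when, link.first_seen or when)
        return link

    def identity_suggestions(self):
        """Undirected pairs of people that share at least one identification."""
        people = sorted(n for n, e in self.entities.items() if e.kind in PEOPLE)
        pairs = {}
        for x, y in combinations(people, 2):
            shared = self.entities[x].identifiers & self.entities[y].identifiers
            if shared:
                pairs[(x, y)] = shared
        return pairs

    def resolve_identity(self, first, second, same_person):
        """Analyst decision: merge the pair, or strip the shared identification."""
        a, b = self.entities[first], self.entities[second]
        if not same_person:
            b.identifiers -= a.identifiers        # delete it from one of the two
            return a
        if a.kind == b.kind == "Target" or PLACES & {a.kind, b.kind}:
            raise ValueError("only Target+Person or Person+Person can be merged")
        keep, drop = (b, a) if b.kind == "Target" else (a, b)   # a Target survives
        keep.identifiers |= drop.identifiers
        del self.entities[drop.name]
        # Assumption: the dropped entity's links are re-pointed at the survivor.
        for key in [k for k in self.links if drop.name in k]:
            old = self.links.pop(key)
            for s, d in old.directions:
                s, d = (keep.name if n == drop.name else n for n in (s, d))
                if s != d:
                    self.observe(old.kind, s, d, old.first_seen)
        return keep

def build_sample():
    """Constructed sample data; names, identifications and times are invented."""
    g = LinkGraph()
    g.add_entity("John", "Target", {"ID-0001"})
    g.add_entity("Paul", "Person", {"ID-0002"})
    g.add_entity("Unknown caller", "Person", {"ID-0002"})
    g.add_entity("Office", "Position")
    g.observe("Know", "John", "Paul")                               # address book entry
    g.observe("Peer", "John", "Paul", datetime(2013, 9, 2, 10, 0))  # replaces the Know link
    g.observe("Peer", "Paul", "John", datetime(2013, 9, 1, 9, 0))   # now bi-directional
    g.observe("Know", "Paul", "John")                               # ignored: Peer is stronger
    g.observe("Peer", "John", "Office", datetime(2013, 9, 3, 8, 0))
    g.observe("Peer", "John", "Unknown caller", datetime(2013, 9, 4, 8, 0))
    return g
```

Merging "Paul" and "Unknown caller" in the sample collapses three links into two, because the caller's Peer link folds into the existing John and Paul pair.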
What you should know about how intelligence works
Introduction
Intelligence supports the analyst in processing the investigation evidence and data.
Intelligence process
Phase Description
1 The system creates an operation in the Intelligence section when an operation is
opened in the Operations section.
2 The system creates a Target entity when a target is created in the Operations section.
3 The system, based on the evidence collected from target devices, creates links with
target entities and creates new entities.
4 The analyst adds entities to represent people, places and web pages deemed of
interest for the investigation and adds details.
5 The system continues to update entities and their links based on new evidence and
information added by the analyst.
6 The analyst interprets and manages entities and their links to propose solutions for
the investigation.
NOTE: the analyst can set an alert rule to be alerted when the system
creates an entity or link. See "Alerting" on page 90.
Automatic Know link creation criteria
If the evidence indicates: targets John and Paul have identification 00321456? in their address book
The system creates:
• a Person entity with identification 00321456?
• a directional Know link from John to the Person entity
• a directional Know link from John to the Person entity
If the evidence indicates: target John has identification 00321456? for Target/Person entity Paul in his address book
The system creates:
• a directional Know link from John to Paul
Automatic Peer link creation criteria with Target and Person entities
If the evidence indicates: targets John and Paul communicated with identification 00321456?
The system creates:
• a Person entity with identification 00321456?
• a directional Peer link from John to the Person entity
• a directional Peer link from Paul to the Person entity
If the evidence indicates: target John communicated with Target/Person entity Paul
The system creates:
• a directional Peer link from John to Paul
If the evidence indicates: target John often communicates with identification 00321456?
The system creates:
• a Person entity with identification 003214567i
• a directional Peer link from John to the Person entity
Automatic Peer link creation criteria with Position entities
If the evidence indicates: targets John and Paul were in Times Square at the same time
The system creates:
• a Position entity with the geographic coordinates for Times Square
• a directional Peer link from John to the Position entity
• a directional Peer link from Paul to the Position entity
If the evidence indicates: target John was in the place associated with John's office Position entity
The system creates:
• a directional Peer link from John to John's office entity
If the evidence indicates: target John is often in Times Square
The system creates:
• a Position entity with the geographic coordinates for Times Square
• a directional Peer link from John to the Position entity
NOTE: for the system, a target visited a place if they were there for at least 15 minutes.
Two targets visited the same place at the same time if they were there at the same time
for at least 15 minutes.
Automatic Peer link creation criteria with Virtual entities
If the evidence indicates: target John visited URL linked to the Virtual entity Secret places website
The system creates:
• a directional Peer link from John to Secret places website
Automatic Identity link creation criteria with Target and Person entities
If the system detects: Target/Person entity John has 003214567i in his identification data and Target/Person entity Paul has 00321456? in his
The system creates:
• an Identity link between John and Paul
Intelligence operation management
To manage intelligence operations: Intelligence section
Purpose
This function lets you:
• View intelligence operations
What the function looks like
This is what the page looks like:
[Screenshot: Intelligence operation management page]
Area Description
1 RCS menu.
2 Operation list:
• Open operation.
• All operations. Shows entities in all operations.
3 Selected operation data.
4 RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 11.
Viewing operation entities
To view operation entities:
Step Action
1 Double-click an operation; the entity management page opens. See "Entity
management: link View" on page 62.
Entity management: icon and table views
To manage entities: Intelligence section, double-click an operation and click Icon View or Table View
Purpose
This function lets you:
• view operation entities
• manage operation entities
• open the target page linked to the Target entity
NOTE: the only entities viewed and managed without a user license are Target entities.
NOTE: the function is only enabled if the user has Entity management authorization.
What the function looks like
This is what the page looks like:
[Screenshot: entity management page, icon and table views]
Area Description
1 RCS menu.
2 Scroll bar.
3 Window toolbar. Descriptions are provided below:
Function
• Creates a new entity
• Edits an entity
• Deletes an entity
• Exports entity data in . format
• Opens the target page linked to the entity. See "Target page" on page 24.
4 View and search box buttons:
Object Description
• Search box. Enter part of the name or description to
display a list of entities that contain the entered letters.
• Displays the entities in a table.
• Displays entities as icons.
• Displays Target and Position entities and their links on a
map. See "Entity management: Position View" on page 67.
• Displays entities and their links in a graph. See "Entity
management: link View" below.
5 Entity list.
6 Selected entity data.
7 RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 11.
To learn more on intelligence see "What you should know about intelligence" on page 53 and
"What you should know about entities" on page 53.
Viewing entity details
To view entity details:
Step Action
1 Double-click an entity: the detail page opens.
• "Target entity details" on page 71.
• "Person entity details" on page 77.
• "Position entity details" on page 79.
• "Virtual entity details" on page 81.
Entity management: link View
To manage entities: Intelligence section, double-click an operation, click Link View
Purpose
This function lets you:
• display operation entities and their links on a graph
• manage entities
• manage entity links
• open the target page linked to the Target entity
• open evidence associated with a link
• dynamically view evidence associated with entity links
NOTE: this function requires a user license. Without a license, the default operation entity
view is the icon view, see "Entity management: icon and table views" on page 60.
NOTE: the function is only enabled if the user has Entity management authorization.
What the function looks like
This is what the page looks like:
[Screenshot: entity management page, link view]
Area Description
1 RCS menu.
2 Scroll bar.
3 Window toolbar. Descriptions are provided below:
Function
• Creates a new entity
• Edits an entity
• Deletes an entity
• Exports entity data in . format
• Merges two entities
• Opens the target page linked to the entity. See "Target page" on page 24.
• Opens the evidence associated with the selected link. See "Evidence
analysis (Evidence)" on page 36.
• Creates a link
• Edits a link
• Deletes a link
• Applies a level of relevance to a link
• Exports the entity graph in .graphml format.
4 View and search box buttons:
Object Description
• Search box. Enter part of the name or description to
display a list of entities that contain the entered letters.
• Displays the entities in a table. See "Entity
management: icon and table views" on page 60.
• Displays entities as icons. See "Entity management: icon
and table views" on page 60.
• Displays Target and Position entities and their links on a
map. See "Entity management: Position View" on page 67.
• Displays entities and their links in a graph.
5 Filter area.
6 Entity graph and links based on set filters.
NOTE: the Know, Identity and manually created links are always
displayed regardless of the selected period.
NOTE: the entity with the most links is placed at the center of the graph.
7 Selected entity data.
8 Command that dynamically displays the quantity, direction and frequency of
evidence that define the links between the entities displayed in the graph based
on the set filters.
9 RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 11.
To learn more on intelligence see "What you should know about intelligence" on page 53 and
"What you should know about entities" on page 53.
Viewing entity details
To view entity details:
Step Action
1 Double-click an entity: the detail page opens.
• "Target entity details" on page 71.
• "Person entity details" on page 77.
• "Position entity details" on page 79.
• "Virtual entity details" on page 81.
Merging two entities in one
To merge two entities in one:
Step Action
1 Select the two entities holding down the key on the keyboard.
NOTE: only a Target entity can be merged with a Person entity or two
Person entities.
2 Click Merge.
Result: an entity with the name and description of the first entity is displayed in
the graph with the details on both.
NOTE: if a Target entity is merged with a Person entity, the Target entity
remains with the Person entity details.
Creating a link between two entities
To create a link between two entities:
Step Action
1 Select the two entities holding down the key on the keyboard.
2 Select the direction, type and level of relevance of the link and click Save.
Result: the link is displayed in the graph.
Dynamically displaying evidence on links between entities
To dynamically display evidence on links between entities:
Step Action
1 Make sure the entities displayed on the graph and
the selected time period are those required.
Use the filters to set preferences.
2 Click Play to display.
Result: red balls slide along links to represent
collected evidence.
NOTE: the direction in which the ball slides
indicates the direction of the evidence
(e.g. the red ball slides from the John entity to the
Paul entity if John sent an email to Paul).
NOTE: the number of balls indicates the
quantity of evidence: one ball indicates that
at least 10 pieces of evidence were
collected, two balls between 10 and 50
pieces, three balls if more than 50 pieces of
evidence were collected.
NOTE: if the link was created on that day,
that day is displayed on the map.
3 Click Stop to stop the display.
Entity management: Position view
To manage entities: Intelligence section, double-click an operation, click Position View
Purpose
This function lets you:
• display Target entities and Position entities for an operation and their links on a map
• manage Target and Position entities
• manage links between Target and Position entities
• open the target page linked to the Target entity
• open evidence associated with a link
• dynamically display Target entity movements
NOTE: the function requires a user license and is only enabled if the user has Entity
management authorization.
What the function looks like
This is what the page looks like:
Area Description
1 RCS menu.
2 Scroll bar.
3 Window toolbar. Descriptions are provided below:
Icon Function
Creates a new entity
Edits an entity
Deletes an entity
Exports entity data in - format
Opens the target page linked to the entity. See "Target page" on page 24.
Opens the evidence associated with the selected link. See "Evidence
analysis (Evidence)" on page 36.
Creates a link
Deletes a link
Applies a level of relevance to a link
4 View and search box buttons:
Object Description
Search box. Enter part of the name or description to
display a list of entities that contain the entered letters.
Displays the entities in a table. See "Entity
management: icon and table views" on page 60.
Displays entities as icons. See "Entity management: icon
and table views" on page 60.
Displays Target and Position entities and their links on a
map.
Displays entities and their links in a graph. See "Entity
management: link view" on page 62.
5 Filter area
6 Entity map and links based on set filters
NOTE: the target entity is positioned in the last position acquired in the
selected period.
NOTE: manually created links are always displayed regardless of the
selected period.
7 Selected entity data.
8 Command to display Target entity movements based on set filters.
9 RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 11.
To learn more on intelligence see "What you should know about intelligence" on page 53; see
"What you should know about entities" on page 53.
Viewing entity details
To view entity details:
Step Action
1 Double-click an entity: the detail page opens.
• "Target entity details" on next page.
• "Person entity details" on page 77.
• "Position entity details" on page 79.
Creating a link between two entities
To create a link between two entities:
Step Action
1 Select a Target entity and Position entity holding down the key on the
keyboard.
2 Select the level of relevance and click Save.
Result: the link is displayed in the graph
Dynamically displaying target movements
To manage dynamically displayed target movements:
Step Action
1 Make sure the entities displayed on the graph and the
selected time period are those required.
Use the filters to set preferences.
2 Click Play to display.
Result: the Target entities displayed on the map move
according to the movements logged in evidence.
NOTE: if there is no evidence on the target
position in the selected period, the Target entity
remains on the last position acquired but its
icon slowly fades until it disappears or appears
in the next logged position.
3 Click Stop to stop the display.
Target entity details
To view entity details: Intelligence section, double-click an operation, double-click a Target entity
Purpose
This function lets you:
• view detailed information on the Target entity processed by the system
• add detailed information on the Target entity
• create new entities connected to the Target entity
NOTE: some details and some actions are only enabled with the user license.
NOTE: the function is only enabled if the user has Entity management authorization.
What the function looks like
This is what the page looks like:
Area Description
1 RCS menu.
2 Scroll bar.
3 Window toolbar. Descriptions are provided below:
Icon Function
Edit entity data.
Exports entity data in . format
Opens the target page linked to the entity. See "Target page" on page 24.
4 Photo of the target linked to the entity. It is the first image captured by the webcam
by default.
5 List of target identification data identified by evidence or manually added.
6 Table with the most frequently contacted people and most frequently visited
websites based on the selected period.
Double-click to open the page of evidence for that data.
7 Search period.
8 Map indicating:
• last position acquired from the target,
• places most frequently visited in the selected period,
• manually entered places visited by the target.
9 RCS status bar
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 11.
To learn more on intelligence see "What you should know about intelligence" on page 53; see
"What you should know about entities" on page 53.
Adding the target photo
To add the photos:
Step Action
1 • Click and select a photo
or
• in the Evidence page, open webcam type evidence details and select
an image
Result: the selected image becomes the default image.
Adding target identification data
To add identification data:
Step Action
1 Click and enter data.
NOTE: the Account field is the target's true identity;
the Name field is an
optional name to be linked to the identification data
(e.g. John).
Result: the identification data is added to the list.
Viewing contacted people
To view frequently contacted people:
Step Action
1 Select the period of interest
2 In the text box next to Most contacted, enter the number
of people per type of communication means to be viewed.
3 Press Enter on the keyboard.
Result: the information on the people most frequently
contacted in the selected period appears in the table, see
"Target entity details" on page 76.
Viewing most frequently visited websites
To view the most frequently visited websites:
Step Action
1 Select the period of interest
2 In the text box next to Most visited websites, enter the
number of websites to be viewed.
3 Press Enter on the keyboard.
Result: the information on the websites most frequently
visited in the selected period appears in the table, see
"Target entity details" on page 76.
Connecting the Target entity with a frequently contacted person
To connect the Target entity with a frequently contacted person:
Step Action
1 In the Most Contacted table, click Add as Entity in the
required row and enter data.
Result: a Person entity with the selected identification data
is added to the list of operation entities along with a Peer
link with the Target entity.
NOTE: the result is the same if a Person entity is
manually created with the table identification data
and a Peer link added between the Target and
created entity.
Connecting the target to a frequently visited website
To connect the target to a frequently visited website:
Step Action
1 In the Most visited websites table, click Add as Entity in
the required row and enter data.
Result: a Virtual entity with the selected URL is added to the
list of operation entities along with a Peer link with the
Target entity.
NOTE: the result is the same if a Virtual entity is
manually created with the table URL address and a
Peer link added between the Target and created
entity.
View the last acquired position
To view the target's last position on the map:
Step Action
1 Select the Last position combo box.
Result: a blue flag indicates the corresponding position.
Viewing frequently visited places
To view frequently visited places on the map:
Step Action
1 Select the Most visited places combo box.
Result: the most visited positions are displayed on the map with red flags.
Adding a Position entity visited by the target
To manually add a Position entity visited by the target:
Step Action
1 In the map, click and enter data.
Tip: add a significant Name and a Description that
help to identify the relationship between the target
and place.
Result: a Position entity with a Peer link with the Target
entity is added to the operation list of entities.
NOTE: the result is the same if a Position entity is
manually created and a Peer link added between the
Target and the created entity.
Target entity details
Most contacted people table
Following is a description of the data indicated in the table of people most frequently contacted by
the target:
Data Description
first column    communication method icon and the person's identification data.
second column   number of target contacts with the person in the selected period.
third column    percent of target communications with the person in the selected period.
                NOTE: calculations are based on the communication mean and considering
                the displayed contacts.
button to create a Person entity with that identification data and to create a Peer
link with the Target entity.
Most visited websites table
Following is a description of the data indicated in the most visited websites table:
Data Description
first column    visited website URL address.
second column   number of target visits to the website in the selected period.
third column    percent of target visits to the website in the selected period.
                NOTE: calculated considering the displayed websites.
button to create a Virtual entity with that URL address and to create a Peer link
with the Target entity.
Person entity details
To view entity details: Intelligence section, double-click an operation, double-click a Person entity
Purpose
This function lets you:
• view detailed information on the Person entity
• add detailed information on the Person entity
• create Position entities connected to the Person entity
NOTE: the function requires a user license and is only enabled if the user has Entity
management authorization.
What the function looks like
This is what the page looks like:
Area Description
1 RCS menu.
2 Scroll bar.
3 Window toolbar. Descriptions are provided
below:
Icon Function
Edit entity data.
Exports entity data in . format
4 Photos of the person linked to the entity.
5 List of identification data for people linked to
the entity.
6 Map indicating positions connected to the entity.
7 RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 11.
To learn more on intelligence see "What you should know about intelligence" on page 53; see
"What you should know about entities" on page 53.
Adding a person's picture
To add an image:
Step Action
1 Click and select a photo
Result: the selected image becomes the default image.
Adding a person's identification data
To add identification data:
Step Action
1 Click and enter data.
NOTE: the Account field is the person's actual
identity; the Name field
is an optional name to be linked to the identification
data (e.g. John).
Result: the identification data is added to the list.
Adding a Position entity visited by the entity
To manually add a Position entity visited by the entity:
Step Action
1 In the map, click and enter data.
Tip: add a significant Name and a Description that
help to identify the relationship between the person
and place.
Result: a Position entity with a Peer link with the Person
entity is added to the operation list of entities.
NOTE: the result is the same if a Position entity is
manually created and a Peer link added between the
Person entity and the created entity.
Position entity details
To view entity details: Intelligence section, double-click an operation, double-click a Position entity
Purpose
This function lets you:
• view detailed information on the Position entity
• add a photo of the place linked to the entity
NOTE: the function requires a user license and is only enabled if the user has Entity
management authorization.
What the function looks like
This is what the page looks like:
Area Description
1 RCS menu.
2 Scroll bar.
3 Window toolbar. Descriptions are provided below:
Icon Function
Edit entity data.
Exports entity data in . format
4 Photo of the place linked to the entity.
5 Map indicating the place linked to the entity.
6 RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 11.
To learn more on intelligence see "What you should know about intelligence" on page 53.
Adding a picture of the site
To add an image:
Step Action
1 Click and select an image.
Result: the selected image becomes the default image.
Virtual entity details
To view entity details: Intelligence section, double-click an operation, double-click a Virtual entity
Purpose
This function lets you:
• view detailed information on the Virtual entity
• add detailed information on the Virtual entity
NOTE: the function requires a user license and is only enabled if the user has Entity
management authorization.
What the function looks like
This is what the page looks like:
Areo Description
1 RES menu.
2 Scroll bar.
3 Window toolbar. Descriptions are provided below:
Icon Function
Edit entity data.
Exports entity data in . format
4 Image of the address content linked to the entity.
5 List of web addresses linked to the entity.
6 Map indicating the position of the web address automatically identified by the system via IP address.
7 RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 11.
To learn more on intelligence see "What you should know about intelligence" on page 53; see "What you should know about entities" on page 53.
Adding an image of the web address
To add images:
Step Action
1 Click and select an image.
Result: the selected image becomes the default image.
Adding web addresses to the entity
To add web addresses to the entity:
Step Action
1 Click and enter data.
Result: the address is added to the list.
8
Monitoring the target's activities from the Dashboard
Presentation
Introduction
The Dashboard helps you to monitor connected agent activities and the incoming evidence flow.
Content
This section includes the following topics:
What you should know about the Dashboard
Monitoring evidence (Dashboard)
What you should know about the Dashboard
Dashboard Components
The Dashboard is made up of one or more elements selected by the user from:
• operation
• target
• agent
Each element shows the total amount of evidence collected. Values are updated at each
• Red number: amount of evidence received at last
• Black number: amount of evidence received since login.
Example Description
Operation evidence: Operation targets and the amount of evidence per target appear.
Target evidence: The target's evidence and the amount of evidence per type appear.
Agent evidence: The agent's evidence and the amount of evidence per type appear.
NOTE: the lack of numbers indicates that evidence has not yet arrived since login.
To view the complete list of evidence types see "List of types of evidence" on page 46.
Evidence alert process
The evidence alert process is described below:
Phase Description
1 The Analyst adds the operation, target or agent elements whose evidence is to be monitored to the Dashboard.
2 The system updates counters the next time agents are if evidence is received.
3 The Analyst checks the most recent evidence, those indicated by the red number. To view details, click on the corresponding icon.
4 The system resets numbers when the user exits the current session.
Monitoring evidence (Dashboard)
To monitor received evidence: Dashboard section
Purpose
The Dashboard lets you monitor certain operations, targets or agents and view incoming
evidence. Settings are fully customizable. For example, a Dashboard can be set to only monitor
some target devices.
What the function looks like
This is what the page looks like:
[Screenshot of the Dashboard page]
Area Description
1 RCS menu.
2 Window toolbar. Descriptions are provided below:
Icon Description
Add a new element to be monitored.
Shrink or expand all Dashboard element windows.
3 Keys used to shrink or delete elements from the dashboard.
4 Dashboard element name and description.
5 Last element date.
In progress: in progress.
Idle: not in progress
6 Evidence recently acquired in an operation, target or agent.
7 RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 11.
For more information on the Dashboard see "What you should know about the Dashboard" on page 84.
Adding an element to the Dashboard
To add a new element to the Dashboard:
Step Action
1 Click Add to Dashboard: a window opens to search for elements to be added.
2 Enter part of the element name or description to be added: the list of elements that match the search appears.
3 • Select the element from the list: the element is automatically added to the Dashboard and the search window is left open for a new search.
• Repeat steps 2 and 3 until all required elements are added.
5 After adding elements, click to close the search window and return to the Dashboard.
Viewing evidence indicated in the Dashboard
To view Dashboard evidence:
NOTE: click a target or operation to open the selected object's work area where the Analyst can view the required agents.
Step Action
1 For the operation element:
• double-click the target to open the target page. See "Target page" on page 24.
For the target element:
• double-click the agent: the agent page opens. See "Agent page" on page 29.
For the agent element:
• double-click the evidence type: the evidence page appears. See "Evidence analysis (Evidence)" on page 36.
Alert
Presentation
Introduction
Alerts signal when evidence is received, agents are or entities are automatically created or connected by the system. Furthermore, they let you automatically tag evidence and links for analyses and export.
Content
This section includes the following topics:
What you should know about alerts
Alerting
Alert data
What you should know about alerts
What are alerts
During the investigation phase, being "alerted" on special events that concern the target in real-time via e-mail or notification on RCS Console can be helpful.
Alerts can be received when:
• new evidence arrives
• the agent
• entities are automatically created and connected (intelligence)
For example, if awaiting evidence from a target for a long time, an alert rule can be created to send an e-mail and record a log for each piece of evidence received. This way, users are immediately notified when the target resumes activities. The rule can be disabled later and evidence can still be viewed as it arrives.
Or, if intelligence is used, it could be helpful to be "alerted" when a link is created with a certain entity or a new entity is created in the operation.
Alert rules
Alert rules set which events generate alerts. They can also be used to automatically assign levels of relevance to evidence or intelligence links which can be used in the analysis phase.
Alert rule application field
Rules that alert the arrival of evidence can be created on the following levels:
• Operation: all evidence for all operation targets
• Target: all evidence for all target agents
• Agent: all agent evidence
Rules that alert the automatic creation of an intelligence entity can be created on the following levels:
• Operation: alerts when an entity is created for that operation
Rules that alert the automatic creation of an intelligence link can be created on the following levels:
• Operation: alerts when a link is created for any entity in the operation
• Entity: alerts when a link is created for that entity
6? NOTE: each user will be alerted according to the? SET
Alert process
The alert process is described below:
NOTE: sending an e-mail is optional.
Phase Description
1 The Analyst creates rules to be alerted of the arrival of certain evidence, agent or the automatic creation of intelligence entities or links. Rules log the alerts, notify them on the RCS Console and send them via e-mail (optional).
2 The system taps the incoming evidence or analyzes the element it is creating and compares it with the alert rules.
If the
• corresponds to an alert rule: The system saves the evidence as evidence or adds the entity or link to the operation, generating an alert that automatically applies the selected level of relevance. An e-mail notification can be sent by the system as an option.
• does not correspond to an alert rule: The system saves the evidence as evidence or adds the entity or link to the operation without generating an alert.
3 The Analyst receives an alert e-mail (if set by the alert rule) and checks the alert log. From an alert, directly open the evidence that generated it or the created entity or the link view.
4 After checking, the Analyst deletes the alert logs.
To receive alerts from the target: Alerting section
Purpose
This function lets you:
• receive alerts when a certain type of evidence is tapped, when the target device synchronizes with RCS or when intelligence automatically creates entities or entity links.
• automatically tag evidence or intelligence link by relevance, to facilitate later analysis.
• monitor all logged alerts and directly open the event that generated them.
What the function looks like
This is what the page looks like:
[Screenshot of the Alerting page]
Area Description
1 RCS menu.
Alerting indicates the amount of alerts received. The counter is automatically reset after two weeks or when notifications are deleted.
2 Alert rule toolbar.
Descriptions are provided below:
Icon Description
Create a new alert rule.
NOTE: the function is only enabled if the user has Alerts creation authorization.
Edit the selected alert rule.
Delete the selected alert rule.
CAUTION: all generated notifications are deleted.
3 Alert log toolbar. Descriptions are provided below:
Icon Description
Delete the selected alert log.
Delete all alert logs.
4 RCS menu.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 11.
For a description of the data in this window see "Alert data" on next page.
For more information on alerts see "What you should know about alerts" on page 89.
Adding a rule to be alerted
A rule must be set in order for you to be alerted:
Step Action
1 Click New Alert: data entry fields appear.
2 • Enter the required data indicating the alert method in Type.
• Select the Enabled box to apply the rule.
3 Click Save: the new alert rule appears in the main work area. An alert is sent as soon as the system logs an event that matches the rule.
Editing an alert rule
To edit an alert rule:
Step Action
1 Select the alert rule to be edited.
Click Edit: the data to be edited appears.
2 • Edit data.
• Select the Enabled box to immediately apply the rule.
3 Click Save: the new alert rule appears in the main work area. An alert is sent as soon as the system logs an event that matches the rule.
Adding a rule to automatically tag certain evidence or certain intelligence links between entities
To automatically tag certain evidence or certain link without logging or sending alerts:
Step Action
1 Click New Alert: data entry fields appear.
2 • Set criteria to select evidence or links.
• In Type select None.
• In Relevance set the relevance level.
• Select the Enabled box to apply the rule.
3 Click Save: the new alert rule appears in the main work area. As soon as the system receives evidence matching this rule, the evidence is tagged.
Viewing events matching the logged alert
To view evidence matching an alert:
Step Action
1 Select the alert rule with at least one log (Logs column): all logged alerts appear in the list.
2 Double-click on the row in the logged alert list.
Result: it directly opens:
• the list of evidence that generated the alert (Evidence event)
• entity details (Entity event)
• link view (Link event)
Alert data
Alert rule data
Alert rule data is described below:
Data Description
Logs (only in a table) Amount of notifications received matching the rule.
Enabled Enables or disables the alert rule.
Event Type of event that triggers the alert:
• Evidence: triggers the rule when evidence that meets the criteria below arrives.
• Sync: triggers the rule when the agent indicated below runs synchronization.
• Instance: triggers the rule when the agent created (instanced) by the factory indicated below runs the first
• Entity: triggers the rule when the system automatically creates a new intelligence entity in the indicated operation.
• Link: triggers the rule when the system automatically creates a link between intelligence entities in an operation or with the indicated entity.
Path Operation, target, entity, agent and factory to be monitored. Thus it indicates the rule application field.
For example, for Evidence event, if an operation is selected, all operation evidence is monitored. If an agent is selected, that agent's evidence is monitored.
Evidence (only Evidence type events) Type of evidence that generates alerts.
Tip: indicates all types of evidence.
For a description of all types see "List of types of evidence" on page 46.
(only Evidence type events) Keyword that the evidence must contain to trigger the alert.
For example, keyword "password" creates an alert when the evidence (audio, document) contains the word "password".
Tag (only Evidence or Link type events) Automatically tags evidence or the link with different levels of relevance to facilitate analysis:
Icon Description
Maximum relevance.
Intermediate relevance.
Normal relevance.
Minimum relevance.
No relevance.
Type Type of alert to be received when evidence arrives:
• Log: alert logged and notified on the RCS Console.
• Mail: e-mail and alert logged.
• None: no logged alert nor e-mail. Useful to automatically tag evidence by relevance (Tag).
Suppression time (only Mail type alerts) Latency time for sending identical alert e-mails. Used to avoid identical e-mails after the first. For example, if the target has not communicated its evidence for a while and e-mail alert was selected, you may be bombarded with e-mails when the first evidence arrives. Set a 30-minute Suppression time to receive one e-mail every 30 minutes.
NOTE: this setting only limits e-mail delivery. Events are always logged.
Log data
Alert logs are described below:
Data Description
Date Alert time-date.
Path Range of action from which the alert was generated.
For example, if a target was selected in the rule Path, the name of the target and the name of the operation it belongs to will appear here.
Info Quantity and type of events that generated the alert.
]HackingTeam[
RCS 9 Analyst's Guide
Analyst's Guide 1.4 SEP-2013
COPYRIGHT 2013
info@hackingteam.com
HT S.r.l.
via della Moscova, 13
20121 Milano (MI)
Italy
tel.: +39 02 29 060 603
fax: +39 02 63 118 946