Hacking Team RCS 9 System Administrator’s Guide
Oct. 30, 2014
RCS 9
The hacking suite for governmental interception
System Administrator's Guide
System Administrator's Guide - ver.1.4
HT S.r.l.
Information ownership
COPYRIGHT 2013, HT S.r.l.
All rights reserved in all countries.
No part of this manual can be translated into other languages and/or
adapted and/or reproduced in other formats and/or mechanically,
electronically processed or photocopied, recorded or otherwise
without prior written authorization from HackingTeam.
All corporations and product names may be legal or registered
trademarks, property of their respective owners. Specifically Internet
Explorer is a Microsoft Corporation registered trademark.
Albeit text and images being selected with the utmost care,
HackingTeam reserves the right to change and/or update the
information hereto to correct typos and/or errors without any prior
notice or additional liability.
Any reference to names, data and addresses of companies not in the
HackingTeam is purely coincidental and, unless otherwise indicated,
included as examples to better clarify product use.
NOTE: requests for additional copies of this manual or product
technical information should be addressed to:
HT S.r.l.
via della Moscova, 13
20121 Milano (MI)
Italy
Tel.: 39 02 29 060 603
Fax: 39 02 63 118 946
e-mail: info@hackingteam.com
Contents
Glossary
Guide introduction
New guide features
Supplied documentation
Print concepts for notes
Print concepts for format
Product and guide addressees
Software author identification data
RCS (Remote Control System)
All-in-One architecture components
Introduction
All-in-One architecture layout
All-in-One RCS architecture components
Distributed architecture components
Introduction
Distributed architecture layout
Distributed architecture components
What you should know about RCS
Operations
Data flow and protection
Data logging continuity
Redirecting login to Collector
Digital certificates
Decoding data
Differences between RCS 8.0 and RCS 16 versions
Glossary
Installation introduction
Package content
Package content
Installation package content or web
USB key with user license
USB hardware keys
Minimum system requirements
Ports to be opened on the firewall
System administrator procedures
Introduction
Procedures
Install RCS and setup components
System Administrator's Guide ver.1.4 SEP-2013 - RCS 9 - 2013 © HT S.r.l.
Maintain and update the system
Monitoring the system
RCS installation
What you should know about RCS installation
Login privileges
Admin user and System administrator user
RCS server installation in All-in-One architecture
Introduction
Installation requirements
Installation sequence
Installation
Checking service start
Checking installation logs
Check IP addresses
Uninstall
RCS server installation in distributed architecture
Introduction
Installation requirements
Installation sequence
Master Node installation
Collector and Network Controller installation
Checking service start
Checking Collector redirecting
Checking installation logs
Check IP addresses
Uninstall
List of started RCS services
To learn more
RCS Console installation
Introduction
Requirements
Installation sequence
Adobe AIR installation
RCS Console installation
RCS Console uninstall
Creating the Administrator user
OCR module installation
Introduction
Installation requirements
OCR module operations
Space occupied by tagged text in the database
OCR module work load
of excessive load
OCR module installation
Checking correct OCR module operations
Uninstall
Files installed at the end of installation
Optional and additional component installation
Anonymizer installation and settings
Introduction
Installation requirement
Installation
Anonymizer data
Boot check
IP address check
Editing settings
Uninstall
What you should know about Network Injector Appliance
Introduction
Operations
See Appliance Control Center functions
Network connections
Standard connection layout
Connection layout as an intra-switch segment
Data sniffing via TAP, SPAN port
Network Injector Appliance installation
Introduction
Package content
Installation sequence
Rear panel description
Network connections
Operating system installation and settings
Changing the IP address
Uninstall
What you should know about Tactical Network Injector
Introduction
Tactical Control Center functions
Network connections
Standard connection layout
Access point emulation connection diagram
Tactical Control Center installation
Introduction
Package content
Installation sequence
Operating system installation and settings
Changing the IP address
Uninstall
First Network Injector with RCS server
Introduction
a Network Injector with RCS server
Checking Network Injector status
Introduction
Identifying when Network Injector is
Viewing Network Injector logs
Additional component installation in distributed architecture
Introduction
Additional component installation requirements
Installation sequence
Additional Shard database installation
Additional Collector installation
Checking service start
Checking Collector redirecting
Checking installation logs
Check IP addresses
Uninstall
Routine maintenance and software updates
What you should know about RCS maintenance
Receiving updates
Updating machine behavior
Routine maintenance procedures
Introduction
Check and delete log files
Checking available backup disk space
Linux operating system updates
RCS server update
Update requirements
Update methods
RCS server(s) update
RCS Console update
Update requirements
RCS Console update
Anonymizer update
Update requirements
Anonymizer update
Network Injector Appliance update
Introduction
Full Network Injector Appliance update
Partial update with infection in progress
Partial update without infection in progress
Tactical Network Injector update
Introduction
Full Tactical Network Injector update
Partial update
Editing Master Node and Collector settings
What you should know about settings
What you can edit
When to edit settings
Order used to edit settings
Mail server settings
Setup utilities
RCS utilities
Utility command syntax
Other options
Editing Master Node settings
Editing the Collector configuration
Settings check
Example of settings check output
Troubleshooting
Potential faults
Potential installation faults
Possible server problems
Potential backup problems
To learn more
System logs
Introduction
Log analysis utility
Log file example
RCS log files
Quick log display
Log file content
Component status check procedure
Introduction
Installed license check
Command
Master Node status check
Command
What to check
Checking Worker service status
What to check
Check agent status via Collector
Command
What to check
Network Injector start check
To learn more
Service restart procedures
Introduction
Restarting service
Purpose
Command
Restarting MongoDB service
Purpose
Command
Restarting Collector service
Purpose
Command
Restarting Worker service
Purpose
Command
Restarting Network Injector service
Purpose
Command
Restarting Anonymizer service
Purpose
Command
Hardware component service procedures
Introduction
Hardware key replacement
Master Node replacement
Shard replacement
Replacing the Collector/Network Controller
Replacing an Anonymizer
Replacing a Network Injector Appliance
Replacing a Tactical Injector Appliance
RCS Console for the System administrator
Starting the RCS Console
What the login page looks like
Open RCS Console
Homepage description
Introduction
What it looks like
Wizards in the homepage
Introduction
What it looks like
Archive Wizard
Shared interface elements and actions
What the RCS Console looks like
Actions always available on the interface
Change interface language or password
Converting the RCS Console date-time to the actual time zone
Table actions
Front end management
Function scope
What the function looks like
To learn more
Adding an Anonymizer to the configuration
Editing Anonymizer settings
File Manager data
Back end management
Function scope
What the function looks like
To learn more
Significant Shard database data
What you should know about backup
Management responsibilities
Backup methods
Metadata type backup
Full type backup
Operation type backup
Target type backup
Incremental backup
Backup restore for severe reasons
Backup data restore
Backup management
Function scope
What the function looks like
Significant backup process data
Connector management
Function scope
What the function looks like
To learn more
Significant connection rule data
Managing the Network Injector
Purpose
What you can
What the function looks like
To learn more
Updating Network Injector control software
Network Injector data
System monitoring (Monitor)
Purpose
What the function looks like
To learn more
Deleting a component to be monitored
System monitoring data (Monitor)
System component monitoring data
License monitoring data
List of diagrams
Figure 1: All-In-One RCS architecture: logical layout
Figure 1: Distributed RCS architecture: logical layout
Figure 1: Appliance: physical layout
Figure 2: Network Injector Appliance with TAP: physical layout
Figure 1: Tactical Network Injector: standard connection layout
Figure 2: Tactical Network Injector: access point emulation diagram
Glossary
The terms and their definitions used in this manual are provided below.
A
Accounting
Console section that manages RCS access.
acquisition sequence
Group of complex events, actions and acquisition modules that make up the
advanced agent configuration.
Administrator
The person who enables user access to the system, creates work groups and
defines operations, targets and the type of data to be collected.
Agent
Software probes installed on devices to monitor. They are designed to collect
evidence and communicate it to the Collector.
alert rules
Rules that create alerts when new evidence is stored or agents communicate back
for the first time.
Alerting
Console section that manages new evidence alerts.
alerting group
Group of users who receive notifications via mail whenever a system alarm is
triggered (for example, when the database exceeds available free space limits).
Normally this group is not linked to an operation.
Analyst
Person in charge of analyzing the data collected during operations.
Anonymizer
(optional) Protects the server against external attacks and permits anonymity during
investigations. Transfers agent data to Collectors.
Audit
Console section that reports all users' and system actions. Used to monitor abuse of
RCS.
back end
Environment designed to and save collected information. In distributed
architecture, it includes Master Node and Shard databases.
BRAS
(Broadband Remote Access Server) routes traffic to/from DSLAM to the ISP network
and provides authentication to the ISP subscribers.
BSSID
(Basic Service Set IDentifier) Access Point and its client identifier.
Collector
Receives data sent by agents directly or through the Anonymizer chain.
console
Computer on which the RCS Console is installed. It directly accesses the RCS
Server or Master Node.
Dashboard
Console section used by the Analyst. Used to have a quick overview of the status of
the most important operations, targets and agents.
DSLAM
(Digital Subscriber Line Access Multiplexer) network device, often located in the
telephone exchanges of the telecommunications operators. It connects multiple
customer digital subscriber line interfaces to a high-speed digital
communications channel using multiplexing techniques.
entity
Group of intelligence information linked to the target and people and places
involved in the investigation.
ESSID
(Extended Service Set IDentifier) Known as SSID, identifies the network.
evidence
Collected data evidence. The format depends on the type of evidence (image).
evidence alerts
Alerts, usually in the form of emails, sent to when new evidence matches
the set rule.
factory
A template for agent configuration and compiling.
front end
Environment designed to communicate with agents to collect information and set
their configurations. In distributed architecture, it includes the Collector and Network
Controller.
injection rules
Settings that define how to identify HTTP traffic, what resource should be injected
and what method is to be used for the injection.
Monitor
Console section that monitors components and license status.
Network Controller
Component that checks Network Injector and Anonymizer status and sends them
new configurations and software updates.
Network Injector
Hardware component that monitors the target's network traffic and injects an agent
into selected Web resources. It comes in two versions, Appliance or Tactical: the
former is for deployment at the ISP, the latter for use on the field.
Network Injector Appliance
Rackable version of the Network Injector, for installation at ISP. See: Tactical
Network Injector.
O
operation
Investigation aimed at one or more targets, whose devices will be recipients for
agents.
RCS
(Remote Control System) the product documented hereto.
RCS Console
Software designed to interact with the RCS Server.
RCS Server
One or more computers, based on the installation architecture, where essential RCS
components are installed: Shard databases, Network Controllers and Collector.
SSH
(Secure SHell) a network protocol for secure data communication, remote shell
services or command execution.
System
Console section that manages the system.
System administrator
The person who installs the servers and consoles, updates software and restores
data in case of faults.
Tactical Network Injector
The portable version of Network Injector, for tactical use. See: Network Injector
Appliance.
TAP
(Test Access Port) a hardware device installed in a network that passively monitors
the transmitted data flow.
target
The physical person under investigation.
Technician
The person assigned by the Administrator to create and manage agents.
VPS
(Virtual Private Server) a remote server where the Anonymizer is installed.
Commonly available for rent.
WPA
(Wi-Fi Protected Access) WiFi network protection.
WPA 2
(Wi-Fi Protected Access) WiFi network protection.
Guide introduction
Presentation
Manual goals
This manual is a guide for the System Administrator to:
- correctly install the RCS system and its components
- set up components using the administration console
- understand and resolve any system problems
Information on how to consult the manual is provided below.
Content
This section includes the following topics:
New guide features
Supplied documentation
Print concepts for notes
Print concepts for format
Product and guide addressees
Software author identification data
New guide features
List of release notes and updates to this online help.

| Release date | Code | Software version | Description |
|---|---|---|---|
| 30 September 2013 | System Administrator's Guide 1.4 SEP-2013 | 9 | Updated Network Injector installation, update and management documentation, see "Optional and additional component installation" on page 3?, "Routine maintenance and software updates" on page 62, "Managing the Network Injector" on page 105. Updated connector documentation, see "Connector management" on page 103. Updated documentation due to improvements to the user interface. |
| 3 July 2013 | System Administrator's Guide | 8.4 | No documentation update. |
| 15 March 2013 | System Administrator's Guide 1.3 MAR-2013 | 8.3 | Changed Tactical Network Injector update methods. See "Tactical Network Injector update" on page. Changed Network Injector Appliance update methods. See "Network Injector Appliance update" on page 65. Added description of third party software connection rules. See "Connector management" on page 103. The OCR module can index file type evidence content (all formats). See installation" on page 33. Added description of the RCS Translate module available with the purchase of a user license and can be installed with support service assistance. |
| Release date | Code | Software version | Description |
|---|---|---|---|
| 15 October 2012 | System Administrator's Guide 1.2 OCT-2012 | 8.2 | Added utility to restart Windows services, see "Service restart procedures" on page 30. Added BareTail for Windows, log code viewer. See "System logs" on page. Added incremental backup management and mandatory metadata backup job. See "What you should know about backup" on page 98. E-mail delivery authentication support for alerts. See "Editing Master Node settings" on page 22. Optional OCR module See module installation" on page 33. Added fast database management wizard. See "Wizards in the homepage" on page 83. Sale Tactical Control Center application on Tactical Network Injector. |
| 30 June 2012 | System Administrator's Guide 1.1 JUN-2012 | 8.1 | File Manager to delete file packets in the folder C:\RCS\Collector\public. See "Front end management" on page 94. |
| 16 April 2012 | System Administrator's Guide 1.0 APR-2012 | 8.0 | First publication |

Supplied documentation
The following manuals are supplied with RCS software:

| Manual | Addressees | Code | Distribution format |
|---|---|---|---|
| System Administrator's Guide (this manual) | System administrator | System Administrator's Guide 1.4 SEP-2013 | PDF |
| Administrator's Guide | Administrators | Administrator's Guide 1.4 SEP-2013 | PDF |
| Technician's Guide | Technicians | Technician's Guide 1.5 SEP-2013 | PDF |
| Manual | Addressees | Code | Distribution format |
|---|---|---|---|
| Analyst's Guide | Analysts | Analyst's Guide 1.4 SEP-2013 | PDF |

Print concepts for notes
Notes foreseen in this document are listed below (Microsoft Manual of Style):
WARNING: indicates a risky situation which, if not avoided, could cause user injury or
equipment damages.
CAUTION: indicates a risky situation which, if not avoided, can cause data to be lost.
IMPORTANT: offers the indications required to complete the task. While notes can be
neglected and do not influence task completion, important indications should not be
neglected.
NOTE: neutral and positive information that emphasize or add information to the main
text. They provide information that can only be applied in special cases.
Tip: suggestion for the application of techniques and procedures described in the text
according to special needs. It may suggest an alternative method and is not essential to
text comprehension.
Service call: the operation may only be completed with the help of technical service.
Print concepts for format
A key to print concepts is provided below:

| Example | Style | Description |
|---|---|---|
| See "User data" | italic | this indicates a chapter, section, sub-section, paragraph, table or illustration heading in this manual or other publication of reference. |
| | | indicates text that must be specified by the user according to a certain syntax. In the example is a date and could be "140?2011". |
| Select one of the listed servers | | indicates the object specified in the text that appears in the adjacent image. |
| Example | Style | Description |
|---|---|---|
| Click Add. Select the File menu, Save data. | bold | indicates text on the operator interface, a graphic element (table, tab) or screen button (display). |
| Press ENTER | UPPER CASE | indicates the name of keyboard keys. |
| See: Network Injector Appliance. | - | suggests you compare the definition of a word in the glossary or content with another word or content. |

Product and guide addressees
Following is the list of professionals that interact with RCS.

| Addressee | Activity | |
|---|---|---|
| System administrator | Follows the HackingTeam's instructions provided during the contract phase. Installs and updates RCS servers, Network Injectors and RCS Consoles. Schedules and manages backups. Restores backups if servers are replaced. WARNING: the system administrator must have the required necessary skills. The HackingTeam is not liable for equipment malfunctions or damages due to unprofessional installation. | Expert network technician |
| Administrator | Creates authorized accounts and groups. Creates operations and target. Monitors system and license status. | Investigation manager |
| Technician | Creates and sets up agents. Sets Network Injector rules | Tapping specialist technician |
| Analyst | Analyzes and exports evidence. | Operative |

Software author identification data
HT S.r.l.
via della Moscova, 13
20121 Milano (MI)
Italy
Tel.: 39 02 29 060 603
Fax: 39 02 63 118 946
e-mail: info@hackingteam.com
RCS (Remote Control System)
Presentation
Introduction
RCS (Remote Control System) is a solution that supports investigations by actively and passively
tapping data and information from the devices targeted by the investigations. In fact, RCS
anonymously creates, sets and installs software agents that collect data and information, sending
the results to the central database to be and saved.
Content
This section includes the following topics:
All-in-One architecture components
Distributed architecture components
What you should know about RCS
Differences between RCS 3.0 and RCS 15 versions
All-in-One architecture components
Introduction
RCS is installed at the operating center and proprietary authority's tapping rooms. It can come
with special devices (hardware and software) installed at remote organizations such as Internet
providers or remote servers. RCS can be installed in All-in-One or Distributed architecture.
All-In-One architecture layout
All-in-One architecture includes RCS installed on a single server. The logical architecture layout is
provided below:
[Figure 1: All-in-One RCS architecture: logical layout. Diagram labels: Target, Agent, Network Injector, Status, Settings, Chain, External Network, Internal Network, Network Controller, Collector, Master Node, RCS Console, RCS Server.]
All-in-One RCS architecture components
Architecture components are provided below:
| Component | Function | Installation |
|---|---|---|
| Agent | Software bugs tap and communicate the investigation target's data and information to an Anonymizer or, if not installed, directly to Collectors. | target devices; data sources |
| Anonymizing chain, Anonymizer | (optional) geographically distributed Anonymizer groups that guarantee Collector anonymity and redirect collected data to protect servers from remote attacks. It transfers agent data to servers. Several Anonymizers can be set up in a chain to increase the level of protection. Each chain leads to one Collector. | VPS (Virtual Private Server) |
| Collector | RCS server component that collects agent data either directly or through the Anonymizer chain. | RCS server |
| Firewall | Optional but highly recommended, it protects the trusted environment where data is processed and saved from the untrusted environment where data is collected. | RCS server |
| RCS console | Setup, monitoring and analysis console used by operating center workers. | RCS server; internal network |
| Master Node | Heart of the RCS server, it manages data flows, component status and includes the first Shard database. It includes the Worker service to decode data before saving it in the database. | RCS server |
| Network Controller | (optional) RCS server component, sends settings to Network Injector, Anonymizer chains and constantly acquires their status. | RCS server |
| Network Injector | (optional) Fixed hardware component (Appliance) or notebook (Tactical), it runs sniffing and injection operations on the target's HTTP connections. | Wired or Wireless LAN (homes, hotel) |
| Target | Investigation targets. Each device owned by the target is a data source and can be monitored by an agent. | |
System administratorstEiuicle ver.1.4 RC3 ECIIBEI HT S.r.l. - pag. 8
Distributed architecture components
Introduction
In special cases, RCS can also be installed in distributed architecture.
Distributed architecture layout
Software components are installed on several servers in distributed architecture. The architecture
layout is provided below:
[Figure: architecture diagram. Labels shown include Target 1 to Target 3 with their Agents, Network Injector, Anonymizer (Status, Settings, Chain), External Network, Internal Network, Untrusted, Network Controller, Collector, Master Node, RCS Console and RCS Server.]
Figure 1: Distributed RCS architecture: logical layout
Distributed architecture components
The components that differ in distributed architecture, compared to All-in-One architecture, are listed below:
| Component | Function | Installation |
|---|---|---|
| Collector | One per each Anonymizing Chain, it collects data communicated by the last Anonymizer in the chain. It requires … | one or more servers in front end environment |
| Network Controller | One per architecture, it is included in first Collector installation. | one server in front end environment |
| Shard | Additional RCS distributed database partitions. Shard is included in Master Node. It includes Worker service to decode data and enter it in the database. | one or more servers in back end environment |
What you should know about RCS
Operations
RCS system components must be suitably installed at both the operating center and, eventually, an
Internet service provider. Typically divided in front end environments for all data collection,
tapping and monitoring, and back end environment for data collection and backup.
Data flow and protection
The RCS server clearly separates activities in untrusted environment from those in trusted
environment. The barrier limit is provided by a resident firewall.
Tapping data is collected in untrusted environment, eventually redirected to protect the
addressee's identity (you) and sent to an information collector (Collector). Remote device status
and settings are checked by a specific component (Network Controller).
In trusted environment, evidence is managed, set and monitored (Master Node).
Lastly, RCS Console is a client that directly connects to Master Node. It can be installed on any
computer to be used by the various RCS users.
See "Distributed architecture components" on previous page.
Data logging continuity
Agents send collected data to the Collector. If communications fail, connectivity is down or the
Collector does not work, agents can save a set amount of data until connectivity is restored. Data
that exceed the admitted limit are lost.
If the Collector cannot communicate with Master Node (disservice or maintenance in progress),
received data is locally saved on the Collector until Master Node is restored. Once restored, data
is automatically sent.
Redirecting login to Collector
The Collector's real function can be hidden, for direct access to data collection service, by
redirecting to an unsuspicious page (Google, e-commerce site and so on). Redirecting is
through a customizable HTML page.
See "Files installed at the end of installation" on page 35
Digital certificates
Master Node uses digital certificates that guarantee communication security between
Master Node, Collector, Network Controller and RCS Consoles.
Some agents (Android, Symbian) require specific certificates that must be created and saved in
folder \RCS\DB\config\certs.
See "Files installed at the end of installation" on page 35
Decoding data
Worker service is installed with each Shard and decodes data before it is saved in the database.
For distributed databases, each Shard has its own Worker that receives data from
Master Node, decodes it and saves it in the database. The work load is automatically evenly
distributed among all Shards in the same cluster.
Differences between RCS 8.0 and RCS 7.6 versions
Differences with the RCS 7.6 version are described below
Glossary

| RCS v. 7.6 | RCS 8.0 and higher |
|---|---|
| Activity | Operation |
| Agent | Module |
| Anonymizer chain | Anonymizing chain |
| Backdoor | Agent |
| Backdoor Class | Factory |
| Collection Node (ASP) | Collector |
| Injection Proxy Appliance (IPA) | Network Injector Appliance |
| Log Repository | Master Node and additional Shard |
| Mobile Collection Node (RSSM) | Collector |
| | Anonymizer |
Installation introduction
Presentation
Introduction
RCS installation is run at first installation or subsequent updates. Installation files are available on
the CD included in the package or can be downloaded from the HackingTeam support portal.
Installation requirements
All hardware must already be installed and running according to the system requirements
communicated by HackingTeam upon order confirmation.
See "Minimum system requirements" on page 14
NOTE: Network Injector or Anonymizer installation is optional and will be documented in
the following chapters.
Content
This section includes the following topics:
Package content
Minimum system requirements
Ports to be opened on the firewall
System administrator procedures
Package content
Package content
RCS is supplied in a package that includes:
• an installation CD
• a USB key with user license
• two USB hardware keys (main and backup)
Service call: USB keys are supplied with an ID code that must be communicated to
support service for software replacements and updates.
Installation package content (CD or web)
The installation package in the CD or downloaded from the HackingTeam support portal contains
the following files where x is the CD root:

| Folder | Included files | Description |
|---|---|---|
| … | … | Release notes |
| … | RCS_x.x_Admin_v.v_Language.PDF, …Language.PDF, …Language.PDF, …Language.PDF | RCS installation and user manuals. Each manual is addressed to a specific user role. x.x: RCS version. v.v: manual version. Language: manual language. |
| x\setup | AdobeAIRInstaller.exe | Adobe AIR installation file |
| x\setup | RCS-version.exe | RCS server(s) installation file |
| x\setup | RCSconsole-version.air | RCS Console installation file |
| x\setup | RCS-ocr-version.exe | OCR module installation file (optional) |

USB key with user license
The package contains a USB key with the user license for the supplied RCS version.
The file is required for installation and software updates. It can be copied from the USB key to any
other support device.
USB hardware keys
Two hardware keys are included in the package: a main one, already linked to the license in the
USB license key, and a backup, ready to be activated in the event the main key fails.
IMPORTANT: the hardware key must always be connected to the server (to Master
Node in distributed architecture) to allow all RCS services to run. All services are
immediately aborted when the key is disconnected!
Minimum system requirements
Hardware must be configured as instructed by support service in the contract phase. The
computers on which RCS is installed require the following characteristics:

| Machine | Component | Requirement |
|---|---|---|
| Front end and back end server | Operating system | Microsoft Windows Server 2008 R2 Standard (English) |
| Computer for RCS Console | Operating system | Microsoft Windows or Apple Mac OS X. |
| | Browser | Firefox 11; … 9; Chrome |
| VPS for Anonymizer | Operating system | Linux CentOS 6 |
| Network Injector (Appliance or Tactical) | Operating system | Provided by HackingTeam |

Ports to be opened on the firewall
If a firewall is installed between RCS server components, the following TCP ports must be opened
to allow services to communicate:

| From | To | Port to be opened |
|---|---|---|
| Agent/Anonymizer | Collector | 80 |
| Collector | Master Node | 443 |
| Collector | remote | all |
| Master Node | Collector | 80 |
| Network Controller | remote | 443 |
| Console | Master Node | 443, 444 |
System administrator procedures
Introduction
Typical System administrator procedures are listed below with references to the pertinent
chapters.
Procedures
Install RCS and setup components
The server, Console, Shard, additional Collector and optional Anonymizer and Network Injector
component installation procedure is described below:

| Step | Action |
|---|---|
| 1 | Prepare the installation environment. See "Installation introduction" on page 12. |
| 2 | Install the RCS server (in All-in-One or distributed architecture). See "RCS installation" on page 17. |
| 3 | Install the RCS Consoles. See "RCS Console installation" on page 30. |
| 4 | (optional) Install an OCR module. See "OCR module installation" on page 33. Service call: to install other RCS modules, contact Hacking Team technicians. |
| 5 | (optional) Install the Shard databases and additional Collectors. See "Additional component installation in distributed architecture" on page 55. |
| 6 | (optional) Install and set up Anonymizers. See "Anonymizer installation and settings" on page 38. |
| 7 | (optional) Install Network Injectors. See "What you should know about Network Injector Appliance" on page 40. See "What you should know about Tactical Network Injector" on page 47. |
Maintain and update the system
References to the chapters on how to maintain performance and update the system are listed
below:
• See "Routine maintenance and software updates" on page 62.
• See "Editing Master Node and Collector settings" on page 70.
• See "Troubleshooting" on page 75.
Monitoring the system
References to chapters on how to monitor the system are given below:
• See "RCS Console for the System administrator" on page 85.
RCS installation
Presentation
Introduction
RCS installation requires intervention on various local and remote servers.
Content
This section includes the following topics:
What you should know about RCS installation
RCS server installation in All-in-One architecture
RCS server installation in distributed architecture
List of started RCS services
To learn more
RCS Console installation
OCR module installation
Files installed at the end of installation
What you should know about RCS installation
Login privileges
RCS was designed to guarantee maximum server and collected data security. To achieve this goal,
four distinct roles were defined that usually refer to the professionals who can login to the system:
• System administrator: exclusively in charge of hardware and software installation and
backups
• Administrator: in charge of all system login, investigations and investigation goals
• Technician: in charge of setting up and installing tapping agents
• Analyst: in charge of data analysis
Tip: several roles can be assigned to the same user, for example, an Administrator can
also have Technician privileges.
Admin user and System administrator user
A special user is created during installation with the name "admin" and all privileges (system
administrator, administrator, technician and analyst) to be used for all RCS Console settings and
login functions.
This user must only be used for this purpose. After completing installation, we recommend you
create one or more users with the required privileges according to your organization.
IMPORTANT: we usually refer to the admin user in this manual as the System
Administrator, even if she/he has all privileges.
RCS server installation in All-in-One architecture
Introduction
RCS server installation in All-in-One architecture installs all server components on the same
computer.
The RCS Console will be installed with a separate procedure.
See "RCS Console installation" on page 30
Installation requirements
The following is required before installing RCS server(s):
• the name or IP address of the server(s) where RCS is to be installed
• the license file, found on the USB key supplied in the delivered package or other support if
downloaded from Internet.
• the USB hardware key, supplied in the package.
• for firewall, open the ports for correct service operations. See "Ports to be opened on the
firewall" on page 14.
Installation sequence
The complete installation procedure for All-in-One architecture is described below:

| Step | Action | Machine |
|---|---|---|
| 1 | Prepare that indicated in Installation requirements. | - |
| 2 | Install RCS. | server |
| 3 | Make sure services have started. | server |
| 4 | Check the installation log. | server |
| 5 | Install RCS Console. | server or other computer |
| 6 | Setup the backup folder on the remote unit. | server |

Installation
To install the server in All-in-One architecture:
1. Insert the hardware key.
2. Insert the CD with the installation package. Run file RCS-version.exe in folder x\setup: the first wizard window appears.
3. Click Next.
[Screenshot: "Welcome to the RCS Setup Wizard" window]
4. Select All-in-One.
5. Click Next.
[Screenshot: RCS Setup, installation type selection. "All in one": all the components will be installed on a single machine; easy setup for small deployments. "Distributed": each component can be installed on a different machine; suggested for big deployments.]
6. Enter the server name or IP address where the software is being installed and that will be indicated at RCS Console login.
7. Click Next.
IMPORTANT: the name and/or IP address must be univocal.
[Screenshot: RCS Setup, "Configuration settings: Certificate" window, with a field for the certificate name (hostname or IP address).]
8. Select the license file.
9. Click Next.
[Screenshot: RCS Setup, "Configuration settings: License" window, with a "License file" field and a Browse button.]
10. Enter the system administrator's password.
11. Click Next: installation is launched.
NOTE: if the server name or IP address needs to be changed after installation due to faults
see "Editing Master Node settings" on page 72.
Checking service start
Make sure all RCS services are up and running. If services are not running, manually start them.
See "List of started RCS services" on page 29
Checking installation logs
If errors occur during installation, check logs and send them to support service if necessary.
See "System logs" on page
Check IP addresses
To check addresses, open RCS Console, System section, Frontend: the server address appears on
the screen. See "Anonymizer installation and settings" on page 38
Uninstall
RCS can be uninstalled from the Windows Control Panel.
CAUTION: saved data is lost when the RCS server is uninstalled. For correct
operations, backup data. See "Backup management" on page 100
RCS server installation in distributed architecture
Introduction
Installation in distributed architecture typically installs all components on two or more servers: one server for the front end environment to collect data and manage remote devices and one server for the back end environment to process and save data.
Service call: distributed architecture is scalable. Check with the HackingTeam support service.
NOTE: RCS Console will be installed with a separate procedure on either the same server or other remote computer.
Installation requirements
The following is required before installing RCS server(s):
- the name or IP address of the server(s) where RCS is to be installed
- the license file, found on the USB key supplied in the delivered package or other support if downloaded from Internet.
- the USB hardware key, supplied in the package.
- for firewall, open the ports for correct service operations. See "Ports to be opened on the firewall" on page 14.
Installation sequence
The installation sequence in distributed architecture is described below:
Step | Action | Machine
1 | Prepare that indicated in Installation requirements. | -
2 | Install Master Node. | server in back end environment
3 | Check installation logs. |
4 | Make sure Master Node services have started. |
5 | Check installation logs. |
i" ECTOF some server or other computer
8 | Install RCS Console. | server in back end environment or other computer
9 | Setup the backup folder on the remote unit. | server in back end environment
Master Node installation
To install Master Node on the server in back end environment:
1. Insert the hardware key.
2. Insert the CD with the installation package. Run file RCS-version.exe in folder x:\setup: the first wizard window appears.
3. Click Next.
[Screenshot: RCS Setup wizard, welcome window]
4. Select Distributed.
5. Click Next.
[Screenshot: RCS Setup wizard, "Deployment Method" window. Options shown:
All-in-one: all the components will be installed on a single machine. Easy setup for small deployments.
Distributed: the installation is fully customizable. Each component can be installed on different machine to achieve maximum scalability. Suggested for big deployments.]
6. Select Master Node.
7. Click Next.
[Screenshot: RCS Setup wizard, component selection window. Options shown:
Backend:
- Master Node: the Application Server and the primary node for the Database.
- Shard: distributed single shard of the Database. It needs at least one Master node to be connected to.
Frontend:
- Collector: service responsible for the data collection from the agents. It has to be exposed on Internet with a public IP address.
- Network Controller: service responsible for the communications with [illegible] and Injection Proxies.]
8. Enter the server name or IP address where the software is being installed and that will be indicated at RCS Console login [RCSMasterNode].
IMPORTANT: the name and/or IP address must be
9. Click Next.
[Screenshot: RCS Setup wizard, certificate Common Name (hostname or IP address) window]
10. Select the license file.
11. Click Next.
[Screenshot: RCS Setup wizard, license file selection window]
12. Enter the system administrator's password.
13. Click Next: when installation has completed, services are started and are ready to receive data and communicate with the RCS Console.
NOTE: if the server name or IP address needs to be changed after installation due to faults, see "Editing Master Node settings" on page 72.
Collector and Network Controller installation
To install Collector(s) and Network Controller(s) in front end environment:
1. Insert the hardware key.
2. Insert the CD with the installation package. Run file RCS-version.exe in folder x:\setup: the first wizard window appears.
3. Click Next.
[Screenshot: RCS Setup wizard, welcome window]
4. Select Distributed.
5. Click Next.
[Screenshot: RCS Setup wizard, "Deployment Method" window (All-in-one / Distributed)]
6. Select Collector and Network Controller.
7. Click Next.
[Screenshot: RCS Setup wizard, component selection window (Backend: Master Node, Shard; Frontend: Collector, Network Controller)]
8. Enter the system administrator password indicated in Master Node installation.
9. Click Next: installation is launched.
[Screenshot: RCS Setup wizard, password window for the 'admin' user]
10. Enter the Master Node server name or the address [RCSMasterNode].
11. Click Install: when installation has completed, services start and attempt to communicate with Master Node. The server in back end environment is protected and any remote login is redirected
[Screenshot: RCS Setup wizard, Master Node address window]
Checking service start
Make sure all RCS services are up and running. If services are not running, manually start them. See "List of started RCS services" on the facing page
Checking Collector redirecting
To check whether Collector installation was successfully completed:
If on the server, then:
- Open a browser.
- Enter localhost.
- Result: the browser must be redirected to Google.
If on another computer, then:
- Open a browser.
- Enter the front end server name or IP address.
- Result: the browser must be redirected to Google.
Tip: you can edit redirecting or create a custom page. To do this, edit page decoy.html. See "Files installed at the end of installation" on page 35
Checking installation logs
If errors occur during installation, check logs and send them to support service if necessary. See "System logs" on page
Check IP addresses
To check all addresses, start the RCS Console, System section, Frontend: Collector addresses appear on the screen. See "Anonymizer installation and settings" on page 38
Uninstall
RCS can be uninstalled from the Windows Control Panel.
Saved data is lost when Master Node is uninstalled. For correct operations, backup data. See "Backup management" on page 100.
NOTE: data will not be lost when other servers are uninstalled.
List of started RCS services
RCS services appear at the end of the various installation phases. Making sure they have correctly started is one of the procedures required to ensure installation is complete.
Services are listed below:
Architecture | Services | Server in environment
All-in-One | RCSMasterRouter, RCSMasterShard, RCSMasterWorker, RCSMasterDb, RCSCollector, Mongodb | back end
Distributed | RCSCollector | front end
Distributed | RCSMasterRouter, RCSMasterShard, RCSMasterWorker, RCSMasterDb, Mongodb | back end only with Master Node
Distributed | | back end with additional Shards
NOTE: Network Controller does not appear amongst services since it is a RCSCollector service setting.
To learn more
To restart any stopped services see "Service restart procedures" on page 80.
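The service list above, turned into a check over `sc query` output collected from a Windows host, for confirming an installation or identifying a server's role during triage. This is an added example, not code from the guide or from HackingTeam; the `sc query` samples are constructed, and the role labels and function names are assumptions of this example.

```python
import re

# Services the guide lists per server role. Network Controller is absent on
# purpose: the guide notes it is a setting of the RCSCollector service.
# The role labels (dictionary keys) are chosen for this example.
EXPECTED = {
    "all-in-one back end": [
        "RCSMasterRouter", "RCSMasterShard", "RCSMasterWorker",
        "RCSMasterDb", "RCSCollector", "Mongodb"],
    "distributed front end": ["RCSCollector"],
    "distributed back end (Master Node only)": [
        "RCSMasterRouter", "RCSMasterShard", "RCSMasterWorker",
        "RCSMasterDb", "Mongodb"],
}

NAME_RE = re.compile(r"^\s*SERVICE_NAME:\s*(\S+)")
STATE_RE = re.compile(r"^\s*STATE\s*:\s*\d+\s+(\w+)")

# Constructed sample: a back end host where one service has stopped.
SAMPLE_BACKEND = """
SERVICE_NAME: RCSMasterRouter
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
SERVICE_NAME: RCSMasterShard
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
SERVICE_NAME: RCSMasterWorker
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
SERVICE_NAME: RCSMasterDb
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
SERVICE_NAME: Mongodb
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
"""

# Constructed sample: a front end host; name casing differs, unrelated service present.
SAMPLE_FRONTEND = """
SERVICE_NAME: Spooler
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
SERVICE_NAME: rcscollector
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
"""


def parse_sc_query(text):
    """Return {lower-cased service name: state word} from `sc query` text."""
    states, current = {}, None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            current = m.group(1).lower()   # service names are case-insensitive
            states[current] = "UNKNOWN"    # until the STATE line is seen
            continue
        m = STATE_RE.match(line)
        if m and current is not None:
            states[current] = m.group(1).upper()
    return states


def check_role(states, role):
    """Compare parsed states with the services the guide expects for a role."""
    missing, not_running = [], []
    for svc in EXPECTED[role]:
        state = states.get(svc.lower())
        if state is None:
            missing.append(svc)
        elif state != "RUNNING":
            not_running.append((svc, state))
    return {"missing": missing, "not_running": not_running,
            "complete": not missing and not not_running}


def best_role(states):
    """Most specific role whose whole service set is installed, or None."""
    installed = [role for role, svcs in EXPECTED.items()
                 if all(s.lower() in states for s in svcs)]
    return max(installed, key=lambda role: len(EXPECTED[role]), default=None)


if __name__ == "__main__":
    for label, sample in (("backend", SAMPLE_BACKEND), ("frontend", SAMPLE_FRONTEND)):
        parsed = parse_sc_query(sample)
        role = best_role(parsed)
        print(label, "->", role, check_role(parsed, role))
```
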
RCS Console installation
Introduction
RCS Console is a client designed to interact with Master Node. It is typically installed on control room computers (for inspectors and and used by all personnel involved in RCS installation.
NOTE: for All-in-One architecture you can also install an RCS Console on the RCS server.
Requirements
Before installing RCS Console you must:
If you are installing... | Then you
RCS All-in-One | have the RCS server installed; prepare the server name or IP address; prepare the system administrator's password.
Distributed RCS | have the RCS server(s) installed; prepare the Master Node name or IP address; prepare the Master Node System administrator's password
Installation sequence
The full RCS Console installation sequence is the following:
Step | Action
1 | Install Adobe AIR.
2 | Install RCS Console.
Adobe AIR installation
To install Adobe AIR:
1. Install Adobe AIR: no icon appears on the desktop at the end of installation.
[Screenshot: Adobe AIR installer, license agreement window (Italian-language interface)]
RCS Console installation
To install RCS Console:
1. Run the file RCSconsole-version.air
2. Click Install.
[Screenshot: Adobe AIR application installation prompt for RCSConsole (Italian-language interface)]
3. Set any preferences.
4. Click Continue: RCS Console will be installed on the computer.
[Screenshot: Adobe AIR application installation window for RCS Console, installation preferences (Italian-language interface)]
5. The RCS Console login window appears at the end of installation.
6. Enter your credentials and the server name/IP address.
Click
NOTE: the System administrator logs in with name "admin" and the password selected during installation.
RCS Console uninstall
RCS Console can be uninstalled at any time, for example, to use the computer in another way or to remove RCS Console from the All-in-One server and install it on a separate computer. Database data and user preferences are not influenced in any way.
Creating the Administrator user
An RCS Console Administrator user must be created during RCS installation. The Administrator is in charge of creating all other users and managing operations and targets. See "Product and guide addressees" on page 5.
To create an Administrator user:
Step | Action
1 | From RCS Console, in the Accounting section, click New user.
2 | Enter the required data, selecting the Administrator role and click Save: the new user appears in the main work area with icon . From now on the user with the indicated credential can log into RCS Console and run the foreseen functions.
OCR module installation
Introduction
The OCR module is an optional module that indexes all content (in addition to traditional documents, also images, audio, video) for full-text search.
NOTE: it supports only ASCII characters and left to right reading.
Installation requirements
For all-in-one architecture, install the module on Master Node.
For distributed architecture, install the first OCR module on Shard to avoid increasing the Master Node work load.
OCR module operations
OCR module operations are described below:
Phase | Description
1 | Screenshot evidence images, awaiting conversion, are saved in a separate queue from evidence awaiting analysis.
2 | The OCR module reads the image queue and converts it into text. This operation can last from one to 5-10 seconds according to the number of words to be acquired.
3 | Each image text is saved in the database and tagged as full-text.
4 | Storage times and tags for the single image are saved in the module log.
5 | The text is made available to the Analyst in the page with the list of evidence for a search in the Info field and in the detailed evidence page.
Space occupied by tagged text in the database
Each piece of screenshot evidence occupies more space in the database because it is always accompanied by its tagged text. The increase in space cannot be predicted since it depends on both the number of screenshots acquired from the agent and the number of words in each screenshot.
OCR module work load
The OCR module occupies a lot of the CPU when converting a screenshot, but is run with a lower priority than other processes.
Thus the CPU load will only have an effect when the system shows the converted image text during evidence analysis.
For distributed architecture, it can be installed on Shard and not on the Master Node, already full of processes.
of excessive load
Check how long it takes for the text to be displayed in the single evidence detail and check the times recorded in the log when acquiring images. If these are deemed excessive and another server is free (that housing another shard database or Master Node) install another OCR module.
This way the work load will be divided amongst all installed modules.
OCR module installation
To install an OCR module in back end environment:
1. Insert the CD with the installation package. Run file RCS-ocr-version.exe in folder x:\setup: the first wizard window appears.
2. Click Next.
[Screenshot: OCR module setup wizard, welcome window]
System Adminislrator's Guide ver.1.4 SE RC8 9 20136:} - pag. 34
RCS 9 - Space occupied by tagged textin the database
Space occupied by tagged text in the database
Each piece of screenshot evidence occupies more space in the database because it is always accompanied by its tagged text. The increase in space cannot be predicted since it depends on both the number of screenshots acquired from the agent and the number of words in each screenshot.
OCR module work load
The OCR module uses a lot of CPU when converting a screenshot, but is run with a lower priority than other processes.
Thus the CPU load will only have an effect when the system shows the converted image text during evidence analysis.
For distributed architecture, it can be installed on a Shard and not on the Master Node, which is already full of processes.
of excessive load
Check how long it takes for the text to be displayed in the single evidence detail and check the times recorded in the log when acquiring images. If these are deemed excessive and another server is free (that housing another shard database or Master Node), install another OCR module.
This way the work load will be divided amongst all installed modules.
OCR module installation
To install an OCR module in back end environment:
Steps Result
1. Insert the CD with the installation package. Run file RCS-ocr-version.exe in folder x:\setup: the first wizard window appears.
2. Click Next.
[Screenshot: welcome window of the setup wizard]
3. Follow the steps below until installation has completed: the module will begin converting images the first time a screenshot type of evidence is received.
Checking correct OCR module operations
To check whether image conversion to text is too slow, check how long it takes for the - button to appear in the evidence details page.
Uninstall
The OCR module can be uninstalled from the Windows Control Panel.
NOTE: uninstalling an OCR module does not compromise converted and tagged text.
Files installed at the end of installation
Various folders appear at the end of installation, organized according to the type of architecture and installed optional components:
Folder Included files
backup The folder contains files with data saved in the databases.
See "Backup management" on page 100
IMPORTANT: This folder's content should not be touched. To save backup data on remote disks, use the Windows Disk Management function and install the disk as a NTFS folder, selecting it as the target.
Path:
C:\RCS\DB\backup
bin The folder contains the utilities (rcs-db-config) used to set RCS utilities.
See "Setup utilities" on page ?1
Path:
lector?rbin
certs The folder contains the certificates used by the various services to access Master Node. They are updated when RCS settings are edited.
See "Editing Master Node settings" on page 72
Path:
B?lconfig?lcerts
config The folder contains:
. decoy. page to redirect or customize undesired remote login landing on the server. It can be customized. See "Routine maintenance procedures" on page 63
. License file copied from the USB key.
. Export.zip: file containing the style sheets to be customized for evidence export.
Path:
lector?xc onfig
log RCS component log file.
See "System logs" on page 7?
Path:
lector?ll og
Optional and additional component installation
Presentation
Introduction
RCS installation may include the installation of other optional and additional components:
. Network Injector
. Anonymizer
. Shard database
. Collector
Content
This section includes the following topics:
Anonymizer installation and settings
What you should know about Network Injector Appliance
Network Injector Appliance installation
What you should know about Tactical Network Injector
Tactical Control Center installation
First Network Injector synchronization with RCS server
Checking Network Injector status
Additional component installation in distributed architecture
Anonymizer installation and settings
Introduction
Installing Anonymizers in a chain is optional and is used to redirect data from a group of agents.
The Anonymizer is installed on a server connected to Internet which cannot be reconnected to the rest of the infrastructure like, for example, a VPS (Virtual Private Server), rented for this purpose.
Once installed and set up, the Anonymizer communicates its status to the Network Controller every 30 seconds.
Installation requirement
A VPS must be rented with the minimum system requirements defined in the contract phase to install Anonymizers.
See "Minimum system requirements" on page 14
Installation
Use SSH protocol for all installation, setup and data exchange operations to the remote unit.
To install the Anonymizer on a private server:
Step Action
1 From RCS Console, in the System section, click Frontend, New Anonymizer.
2 Enter the required data and click Save.
Result: the Anonymizer appears in the Anonymizer list with icon . In the Monitor section, a monitoring object appears for the added Anonymizer.
3 Select the Anonymizer and drag it to the Collector or another Anonymizer to create a chain.
Result: the Anonymizer appears in the Anonymizer list with icon .
4 Click Download installer.
Result: the rcsanon_install.zip installer file is generated and saved on the console desktop.
5 Connect to the server and copy file rcsanon_install.zip to a folder on the server.
6 Connect to the server, unzip the file and launch the installer by entering:
sh rcsanon-install.sh
Result: the Anonymizer is installed in server folder and listens on port 443.
7 From RCS Console, in the System section, Frontend, select the Anonymizer and click Apply configuration.
Anonymizer data
Selected Anonymizer data is described below:
Data Description
Name User's description
Description
Version Software version. To view software versions for all components see the Monitor section.
Address IP address of the VPS where the Anonymizer was installed.
Port 443. To view the ports to be opened for firewall see "Ports to be opened on the firewall" on page 14.
Monitor via NC If enabled, Network Controller acquires Anonymizer status every 30 seconds. If not enabled, the Anonymizer runs normally but Network Controller does not check status. To be used to avoid connections with Anonymizers in untrusted environments.
Log Last messages logged. To view log file content see "System logs" on page
Boot check
The Anonymizer sends its logs to syslog that manages and saves them in a file. Files are normally saved in the following files (based on the operating system version and syslog service settings):
/var/log/syslog
IP address check
To check all Anonymizer addresses, start the RCS Console, System section, Frontend: the addresses appear on the screen. See "Anonymizer update" on page 64
Editing settings
To edit Anonymizer settings:
Step Action
1 In the System section, Frontend, click on the Anonymizer icon.
2 Edit the required data and click Save.
Result: the screen is updated.
3 Check Anonymizer status in the Monitor section.
4 Click Apply configuration.
Result: RCS connects to the Anonymizer and copies the new settings.
Uninstall
To uninstall the Anonymizer delete the private server folder and delete the Anonymizer from the RCS Console. See "Anonymizer update".
What you should know about Network Injector Appliance
Introduction
Network Injector Appliance is a network server for installation in an intra-switch segment at an Internet service provider.
An RCS agent can be injected in visited web pages or downloaded files by monitoring target connections.
Network Injector Appliance uses Network Injector - Network Appliance as an operating system and Appliance Control Center for control software.
NOTE: Network Injector Appliance is supplied installed and ready for use, complete with all the foreseen applications.
Operations
Network Injector Appliance analyzes the target's traffic and, in the event set rules match, injects agents.
RCS queries Network Injector Appliance every 30 seconds to receive status and logs and send injection rules.
Appliance Control Center functions
Appliance Control Center control software lets you:
. Enable with RCS to receive updated identification and injection rules and send logs.
. Update Appliance Control Center with the latest version sent by RCS Console.
. Automatically identify connected devices using the rules and infect them
Network connections
Network Injector Appliance requires two network connections: one to tap the target's traffic and the other to inject agents and communicate with the RCS server.
Tip: after setup, Network Injector Appliance is independent. It can be left to run without further communication with the RCS server.
Service call: given special Network Injector Appliance features, this manual only provides essential connection indications, letting support service provide all those strategic aspects that are defined in the start-up and delivery phase.
Standard connection layout
Typical layout for an Access Switch that routes data to Network Injector Appliance:
Figure 1: Network Injector Appliance: physical layout [diagram labels: Access Switch, DSLAM, Target, Internet, Network Injector, ISP, Network Controller]
Connection layout as an intra-switch segment
Typical layout with TAP device to boost Access Switch data routing:
Figure 2: Network Injector Appliance with TAP: physical layout [diagram labels: Access Switch, DSLAM, Target, Sniffing, Injection, Network Injector, ISP, Network Controller]
Data sniffing via TAP, SPAN port
A TAP device is often installed at the Internet service provider and is the most appropriate solution for traffic monitoring.
Using a SPAN port has the following drawbacks:
. switch CPU use may significantly increase due to port use
. the SPAN port on the switch may already be in use.
Network Injector Appliance installation
Introduction
Network Injector Appliance is supplied with pre-installed and set Network Appliance operating system and Appliance Control Center control software. Hardware must be installed with the Internet service provider and with RCS server.
Package content
The package includes a series of GBIC connectors to monitor optic fiber and RJ45 connections.
Installation sequence
Tip: prepare Network Injector Appliance at your offices before installing it at the Internet provider.
The full installation sequence is provided below:
Step Action Paragraph
1 Connect Network Injector Appliance to the network.
"Network connections" on next page
2 Installing Network Appliance operating system
NOTE: the operating system is already installed at purchase.
"Operating system installation and settings" on next page
3 Network Injector with RCS server
"First Network Injector synchronization with RCS server" on page 53
4 Checking Network Injector status
"Checking Network Injector status" on page 54
5 Transfer Network Injector Appliance to the Internet service provider and change the network addresses to enable Internet access
Rear panel description
The rear panel is described below:
A list of visible components is provided below:
Area Component Description
1 Sniffing ports
Up to four connections to the traffic switches on the targets to be monitored or up to two for redundant devices.
NOTE: optic fiber or copper connections are admitted.
2 Mother board
Standard PC outputs for monitor and keyboard connections to launch sysconf or complete updates from the installation CD.
See "Routine maintenance procedures" on page 63
3 Management and injection ports
Port 1: network connection with Network Controller to receive settings and send status. The address must be set with Network Manager.
Port 2: network connection for traffic injection.
Network connections
Tip: prepare Network Injector Appliance by first connecting it to its network and setting parameters, so that it can then be transferred to the Internet provider.
The network connection procedure is described below:
Steps Layout
1. Connect the target's traffic switch to the sniffing ports [1].
IMPORTANT: for redundant devices connect both devices.
2. Connect management [port 1] and injection [port 2] ports to the Internet.
3. Connect the monitor and keyboard
Operating system installation and settings
Network Injector Appliance is supplied installed and ready for use, complete with all the foreseen applications. It can also be installed using a restore disk.
The procedure is described below:
Steps Result
1. Connect the computer to the network using an Ethernet cable and insert the installation CD.
2. Select Network Appliance for server version installation: operating system installation is launched and the computer shuts down when finished.
IMPORTANT: the computer must remain connected to the internet during the entire installation process.
3. Reboot the notebook.
4. The first setup window appears.
5. Select the language.
[Screenshot: System Configuration, "Welcome" window with the language list]
6. Select correct time zone.
[Screenshot: System Configuration, "Where are you?" window with Rome entered]
7. The keyboard layout is read. Only change it if necessary.
[Screenshot: System Configuration, "Keyboard layout" window]
8. Enter user data: operating system setup starts
[Screenshot: System Configuration, "Who are you?" window with name, computer name, username and password fields]
9. The standard login page appears at the end of operating system installation. The Appliance Control Center operating system and control software are installed on the computer.
Changing the IP address
If the Network Injector device IP address changes, reinstall Network Injector and
"Installation sequence" on page 42 "First Network Injector synchronization with RCS server" on page 53
To check all addresses, open RCS Console, System section, Network Injector and view data for each Network Injector. See "Network Injector data" on page 108.
Uninstall
To uninstall a Network Injector Appliance, simply delete the object in RCS Console and turn off the device.
See "Managing the Network Injector" on page 105
What you should know about Tactical Network Injector
Introduction
Tactical Network Injector is a notebook for tactical installation on LAN or WiFi networks.
Tactical Network Injector uses Network Injector - Tactical Device as an operating system and Tactical Control Center for control software.
NOTE: Tactical Network Injector is supplied installed and ready for use, complete with disk and all the foreseen applications.
Tactical Control Center functions
Tactical Control Center lets you:
. Enable with RCS to receive updated identification and injection rules and send logs.
. Update Tactical Control Center with the latest version sent by RCS Console.
. Automatically identify connected devices using the rules and infect them
. Manually identify connected devices using the rules and infect them
. Crack protected WiFi network passwords
. Simulate a WiFi network to attract target devices
Network connections
Tactical Network Injector requires two network connections: one to tap the target's traffic and the other to inject agents and communicate with the RCS server.
Tip: after setup, Tactical Network Injector is independent. Internet connection is required to obtain updated rules from RCS and send logs.
Standard connection layout
Typical WiFi layout where Tactical Network Injector is connected to the same WiFi network as target devices.
Figure 1: Tactical Network Injector: standard connection layout [diagram labels: Network Controller, Target]
Access point emulation connection diagram
Typical layout in WiFi where Tactical Network Injector emulates the open WiFi network access point to attract target devices.
Figure 2: Tactical Network Injector: access point emulation diagram
Tactical Control Center installation
Introduction
Tactical Network Injector is supplied with pre-installed and set Tactical Device operating system
and Tactical Control Center control software. It must be with RCS server.
IMPORTANT: installation requires the Master Node authentication files and
requires the creation of Network Injector on RCS Console. Be well
prepared for installations far from the operating center.
Package content
The package includes a notebook and installation CD.
Installation sequence
The full installation sequence is provided below:
Step | Action | Paragraph
1 | Installing the Tactical Device operating system | "Operating system installation and settings" below. NOTE: the operating system is already installed at purchase.
2 | Network Injector with RCS server | "First Network Injector with RCS server" on page 53
3 | Checking Network Injector status | "Checking Network Injector status" on page 54
Operating system installation and settings
Tactical Network Injector is supplied installed and ready for use, complete with all the foreseen
applications. It can also be installed using a restore disk.
The procedure is described below:
Steps
1. Connect the computer to the network using an Ethernet cable and insert the installation CD.
2. Select Tactical Device for notebook version installation: operating system installation is launched and the computer shuts down when finished.
3. Reboot the notebook; enter the passphrase to unlock the disk. The passphrase for first boot is "firstboot".
IMPORTANT: the computer must remain connected to the internet during the entire installation process.
4. The first setup window appears.
5. Select the language.
6. Select the correct time zone.
7. The keyboard layout is read. Only change it if
8. Enter user data: operating system setup starts.
WARNING: if you lose your password you must re-install Tactical Network Injector.
NOTE: the entered password becomes the disk passphrase requested each time the notebook is turned on. The password is also requested at user login.
9. The standard login page appears at the end of operating system installation. The Tactical Control Center operating system and control software are installed on the computer.
Changing the IP address
If the Network Injector device IP address changed, reinstall Network Injector and run first
"Installation sequence" on page 49 "First Network Injector
with RCS server" below
To check all addresses, open RCS Console, System section, Network Injector and view data for
each Network Injector. See "Network Injector data" on page 108
Uninstall
To uninstall Tactical Control Center, simply remove it from the computer. To uninstall a Tactical
Network Injector, simply delete the object in RCS Console and turn off the device.
See "Managing the Network Injector" on page 105
First Network Injector with RCS server
Introduction
First Network Injector is required to allow the technician to create sniffing and
injection rules and to include the device in Network Controller polling. Once installed and
Network Injector communicates its status to Network Controller every 30 seconds.
a Network Injector with RCS server
To complete Network Injector installation, Network Injector with the RCS server.
Following is the procedure for both Network Injector Appliance and Tactical Network Injector:
Step | Action
1 | Connect Network Injector to the network and, from Network Manager, Connection information, identify its IP address. NOTE: the IP address must be accessible from RCS server. Check by pinging from RCS Collector. If there is a firewall between RCS server and the Network Injector, open port 443.
2 | Open Appliance Control Center or Tactical Control Center and click Config
3 | From RCS Console, in the System section, Network Injector, click New Injector.
4 | Compile the required data, entering the Network Injector IP address in the Address field, and click Save. See "Network Injector data" on page 108. Result: the Network Injector appears in the list and the new object to be monitored is added to the Monitor section.
5 | Check Network Injector status in the Monitor section. See "Checking Network Injector status" below
Checking Network Injector status
Introduction
Network Injector with the RCS server to download updated control software versions,
identification and injection rules and send their logs.
Network Injector status can be monitored from RCS Console.
Specifically:
• in the Monitor section: to identify when Network Injector is and thus available for data exchanges.
• in the System section, Network Injector: to view the logs sent by Network Injector.
Identifying when Network Injector is
The procedure is described below:
Step | Action
1 | In the Monitor section, select the Network Injector object row to be analyzed. Check the Status column: if flagged green, the Network Injector is
This situation occurs when on Control Center software (Appliance or Tactical):
• Config was clicked, the operator manually queued for new rules or updates;
• Start was clicked or an infection is in progress.
IMPORTANT: applied rules and updates can only be received from RCS
when Network Injector is
Viewing Network Injector logs
The procedure is described below:
Step | Action
1 | In the System section, Network Injector, select the Network Injector to be analyzed, double-click and click Edit. Result: a window opens with Network Injector data and saved logs. See "Network Injector data" on page 108
NOTE: logs are only received and displayed if Network Injector
is
Additional component installation in distributed architecture
Introduction
Installation in distributed architecture lets you add Shard databases (larger data volumes) and
Collectors (one for each Anonymizer chain).
Service call: distributed architecture design must be checked with HackingTeam support
service.
Additional component installation requirements
Before installing additional components, complete Master Node and Collector installation.
See "server installation in distributed architecture" on page 22.
Installation sequence
The complete additional component installation sequence is described below:
Step | Action | Machine
1 | Prepare that indicated in installation requirements. | -
2 | Install additional Shard databases. | server in back end environment
3 | Check installation logs. |
4 | Install additional Collectors. | server in front end environment
5 | Check installation logs. |
6 | Check redirecting on each Collector. | same server or other computer
7 | Check for the installed objects in the System, Backend and Frontend sections. | Console
Additional Shard database installation
To install an additional Shard database in back end environment:
Steps
1. Insert the CD with the installation package. Run file RCS-version.exe in folder x:\setup: the first wizard window appears.
2. Click Next.
3. Select Distributed.
4. Click Next.
5. Select Shard.
6. Click Next.
7. Enter the system administrator's password.
8. Click Next: when installation has completed, services are started and are ready to receive data and communicate with the RCS Console.
9. Enter the Master Node server name or IP address RCSMasterNode].
10. Click Install: when installation has completed, services start and attempt to communicate with Master Node. The server in back end environment is protected and any remote login is redirected.
NOTE: if the server name or IP address needs to be changed after installation due to faults
see "Editing Master Node settings" on page ?2.
Additional Collector installation
To install several Collectors in front end environment:
Steps
1. Run file RCS-version.exe in folder x:\setup: the first wizard window appears.
2. Click Next.
3. Select Distributed.
4. Click Next.
5. Select Collector.
6. Click Next.
7. Enter the system administrator password indicated in Master Node installation.
8. Click Next: installation is launched.
9. Enter the Master Node server name or IP address RCSMasterNode].
10. Click Install: when installation has completed, services start and attempt to communicate with Master Node. The server in back end environment is protected and any remote login is redirected.
Checking service start
Make sure all RCS services are up and running. If services are not running, manually start them.
See "List of started RCS services" on page 29
Checking Collector redirecting
To check whether Collector installation was successfully completed:
If | Then
on the server | open a browser; enter localhost. Result: the browser must be redirected to Google.
on another computer | front end server name or IP address. Result: the browser must be redirected to Google.
Tip: you can edit redirecting or create a custom page. To do this, edit page decoy.html.
See "Files installed at the end of installation" on page 35
Checking installation logs
If errors occur during installation, check logs and send them to support service if necessary.
See "System logs" on page
Check IP addresses
To check all addresses, start the RCS Console, System section, Frontend: Collector addresses
appear on the screen. See "Anonymizer installation and settings" on page 38
Uninstall
RCS can be uninstalled from the Windows Control Panel.
CAUTION: data is lost when a Shard database is uninstalled. For correct operations,
backup data. See "Backup management" on page 100.
NOTE: data will not be lost when a Collector is uninstalled.
6
Routine maintenance and software updates
Presentation
Introduction
Routine maintenance includes RCS updates and operations scheduled or indicated by support
service for system performance upkeep.
WARNING: lack of maintenance may cause unforeseeable system behavior.
Content
This section includes the following topics:
What you should know about RCS maintenance
Routine maintenance procedures
RCS server update
RCS Console update
Anonymizer update
Network Injector Appliance update
Tactical Network Injector update
What you should know about RCS maintenance
Receiving updates
Support service publishes the update package on the support portal for every RCS software
release. The package can be linked to a new license file that may be required during the update
procedure.
Download the package and complete the update procedures.
Updating machine behavior
During updates, normal system service may not be guaranteed.
All data normally received and managed by the updating machine are kept for the required
period of time and automatically retrieved as soon as the system resumes normal operations.
Routine maintenance procedures
Introduction
Procedures recommended to keep system performance high are provided below.
WARNING: lack of maintenance may cause unforeseeable system behavior.
Check and delete log files
Purpose: check the amount of log files and delete the older ones to avoid occupying excessive disk
space.
Suggested frequency: depends on the amount of agents being monitored. Checking disk space
once a month may be sufficient.
Checking available backup disk space
Purpose: routinely check the backup disk based on the quantity and frequency of backups set in
the RCS Console System section.
Recommended frequency: depends on backup frequency and size.
Linux operating system updates
Purpose: keep Linux operating systems installed on the VPS that host Anonymizers and Network
Injectors constantly updated.
RCS server update
Update requirements
CAUTION: fully backup before proceeding with an update. See "Backup management" on page 100.
Update methods
Once the installer is launched, it identifies machine components and suggests automatic update.
The procedure is thus identical in both All-in-One and distributed architecture.
RCS server(s) update
IMPORTANT: the hardware key must always be inserted in the server.
To update RCS, repeat the following steps for each server:
Step Action
1 Run the rcs-Version.exe installation file: the list of installed components that will be automatically updated appears. Click Next.
3 Select the new license file from the installation package. Click Next.
RCS Console update
Update requirements
No data is saved in RCS Console. The software can thus be updated without any special precaution.
RCS Console update
The console is automatically updated by the server, if necessary, after each login.
As an alternative, repeat the installation procedure using the files in the new installation package.
See "Console installation" on page 30
Anonymizer update
Update requirements
No data is saved in Anonymizers. The software can thus be updated without any special precaution.
Anonymizer update
Repeat the installation procedure using the files in the new installation package.
IMPORTANT: keep the Linux operating system updated
See "Anonymizer installation and settings" on page 38
Network Injector Appliance update
Introduction
There are three ways to update Network Injector Appliance:
• fully, including the operating system, see "Full Network Injector Appliance update" below
• partially, saving data, with an infection in progress, see "Partial update with infection in progress" on the facing page
• partially, saving data, without an infection in progress, see "Partial update without infection in progress" on the facing page
Full Network Injector Appliance update
Updating deletes all data on the machine.
If you have the updated .iso file, run the following procedure to install the operating system update:
Step Action
1 Insert the installation CD with the new operating system version and boot from CD: disk content will be deleted and both the operating system and Network Injector files will be re-installed. This procedure takes about 20 minutes.
IMPORTANT: select Network Appliance for server version installation.
2 Reboot the server: the procedure must be confirmed.
The entire hard disk will be deleted.
Result: Network Injector Appliance is installed.
Partial update with infection in progress
These are the phases in updating Appliance Control Center software when an infection is in
progress:
IMPORTANT: to update, first Network Injector and RCS server. See "First Network Injector with RCS server" on page 53
Phase Description
1 From RCS Console, in the System, Network Injector section, select the Network Injector to be updated and click Upgrade.
2 Since an infection is in progress, Network Injector immediately receives the update
and automatically installs it.
When the update is completed, the infection is restarted with the updated software.
Partial update without infection in progress
These are the phases in updating Appliance Control Center software when an infection is not in
progress:
Step Action
1. From RCS Console, in the System, Network Injector section, select the Network Injector to be updated and click Upgrade.
2. Open Appliance Control Center.
3. In the Network Injector tab, click Config: is enabled.
4. During RCS queries Network Injector every 30 seconds. A message appears at the end of the first interval requesting consent to install.
NOTE: if the update is not installed, it will be automatically installed at the next infection start or an installation authorization request at next Appliance Control Center reboot will appear.
5. Install the update.
6. When the update is completed, Appliance Control Center reboots.
Tactical Network Injector update
Introduction
There are two ways to update Tactical Network Injector:
• fully, including the operating system, see "Full Tactical Network Injector update" below.
• partially, see "Partial update" on the facing page.
Full Tactical Network Injector update
CAUTION: updating deletes data on the machine.
If you have the updated .iso file, run the following procedure to install the operating system update:
Step Action
1 Insert the installation CD with the new operating system version and boot from CD: disk content will be deleted and both the operating system and Network Injector files will be re-installed. This procedure takes about 20 minutes.
IMPORTANT: select Tactical Device notebook version installation.
2 Reboot the server: the procedure must be confirmed.
CAUTION: the entire hard disk will be deleted.
Result: Network Injector Appliance is installed.
Partial update
These are the Tactical Control Center update phases:
Step Action
1. From RCS Console, in the System, Network Injector section, select the Network Injector to be updated and click Upgrade.
2. Open Tactical Control Center.
3. In the Network Injector tab, click Config: is enabled.
4. During RCS queries Network Injector every 30 seconds. A message appears at the end of the first interval.
NOTE: if the update is not installed, an installation authorization request will appear the next time Tactical Control Center is booted.
5. Install the update.
6. When the update is completed, Tactical Control Center reboots.
7
Editing Master Node and Collector settings
Presentation
Introduction
Component settings can be edited after installation if needed.
Content
This section includes the following topics:
What you should know about settings
Setup utilities
Editing Master Node settings
Editing the Collector configuration
Settings check
What you should know about settings
What you can edit
The following Master Node and Collector installation data can be edited:
• the Master Node name/IP address
• System administrator's password
• backup folder
• the outgoing mail server to send alert e-mails
When to edit settings
The name/IP address or password may need to be changed when servers are replaced or simply due to incorrect data entry during installation.
IMPORTANT: specifying a different backup folder, for example on a remote device, is highly recommended to protect backup data.
Order used to edit settings
Since the server where Master Node is installed is the system "master", the following order must be followed to change the installation:
1. Change the Master Node name/IP address or password
2. Inform the Collector of the new Master Node name/IP address or password
Mail server settings
The RCS system can be set to send e-mail when the first pieces of evidence are received from a target. E-mail addressees must have Analyst privileges and belong to the alerting group set for that operation.
To do this, set the sender settings of the outgoing mail server and, especially, the required authentication level.
See "Setup utilities" below
Setup utilities
RCS utilities
Setup is run through some utilities in the Windows command prompt in folder C:\RCS\DB\bin or C:\RCS\Collector\bin (based on the type of installation).
Component setup utilities include:
• for Master Node: rcs-db-config
• for Collector: rcs-collector-config
NOTE: The RCS settings procedure in All-in-One architecture is identical to the RCS one in distributed architecture.
Utility command syntax
Utility command syntax is the following:
rcs-db-config -x
rcs-collector-config -x
Where:
• selected option
• entered value
Other options
For prompt diagnostics, support service can request additional commands be launched. For the correct syntax, enter:
rcs-db-config --help
rcs-collector-config --help
Service call: only use the other options if indicated by support service.
Tip: syntax is the short version of syntax rcs-db-config is the same as "rcs-db-config
Editing Master Node settings
From folder or C:\RCS\Collector\bin (based on the type of installation) enter the following commands:
To
the Master Node name/IP address
rcs-db-config -n Name -g
or
rcs-db-config -n IPaddress -g
Result: certificates are updated and appear in folder C:\RCS\DB\config\certs. Collector settings must also be edited. See "Editing the Collector configuration" on next page
the System administrator's password
rcs-db-config Password
Result: certificates are updated and appear in folder C:\RCS\DB\config\certs. Collector settings must also be edited. See "Editing the Collector configuration" below
the backup folder
rcs-db-config Folder
NOTE: "Folder" can be a path for the \RCS\DB folder or an absolute path.
IMPORTANT: any backup files in the previously set folder will be copied to the new one.
Result: all subsequent backup files are saved in the new folder.
Tip: a remote device can be installed in an NTFS folder using Windows Disk Manager: this way, a remote disk can be used for backup.
outgoing mail server settings for alert e-mails
rcs-db-config -server HostName:PortNumber
To set the outgoing mail server name and port to be used.
rcs-db-config -from senderEmail
To set the alert e-mail sender's e-mail.
rcs-db-config -user UserName
To set the e-mail sender's user name.
rcs-db-config -pass Password
To set his password.
rcs-db-config -auth AuthenticationType
To set the type of authentication to be used ("plain", "login" or "cram_md5").
Editing the Collector configuration
From folder or C:\RCS\Collector\bin (based on the type of installation) enter the following commands:
communicate the new Master Node name/IP address
rcs-collector-config -d Name -u admin -p Password -t
or
rcs-collector-config -d IPaddress -u admin -p Password -t
IMPORTANT: "Password" must match the one used to login to Master Node.
Result: certificates are restored in folder \RCS\DB\config\certs.
Settings check
Previous and current settings can be checked using RCS utilities.
To check previous and current settings, launch the relevant utilities without any option:
rcs-db-config
rcs-collector-config
Example of settings check output
An example of a check is given below:
Current configuration:
abs. com: 25",
Troubleshooting
Presentation
Introduction
RCS is a system where the greatest focus must be on collected data transmission, decoding and saving. RCS design focuses on preventing any data loss and quickly managing potential errors that may occur.
Content
This section includes the following topics:
Potential faults
System logs
Component status check procedure
Service restart procedures
Hardware component service procedures
Potential faults
Potential installation faults
Following is a list of potential faults that may occur during installation and references to recommended actions:
If: installation does not progress
Then: make sure the hardware key is correctly inserted.
If: RCS Console cannot connect to the server
Then:
• make sure you logged in with the System administrator's name, password and name of the server where Master Node was installed.
or
• connect from the browser with or . The browser inspects the certificate and returns some addresses to find out what went wrong.
Possible server problems
Following is a list of potential faults that may occur during product use and references to recommended actions:
If: cannot connect to Master Node
And: the hardware key is correctly inserted but Node does not start
Then:
• check Master Node service status
• request hardware key replacement
If: data no longer arrives from agents
And: from RCS Console the Collector is running and correctly communicates
Then: check Collector status.
If: the Master Node is not available
And: the Collector is running
Then:
• check whether an update is in progress
• check the Collector log file
If: images are not converted into text
And: the OCR module is installed
Then: check how slow in the module log and install another OCR module distributed
If: the Collector is not available
Then: restart RCScollector service.
If: data is queued in the Master Node
And: the most recent data does not appear on RCS
Then: check worker status for Node and/or the other Shards.
If: Network controller indicates an error
Then: connect to the machine where Network Injector or Anonymizer is installed and check the log file.
Potential backup problems
Following is a list of potential faults that may occur during backup and references to recommended actions:
If: backup status is error
Then: check available disk space and manually restart backup.
To learn more
To check component status see "Component status check procedure" on page 79
To restart services see "Service restart procedures" on page 80
System logs
Introduction
Each RCS component generates daily logs that help to analyze possible fault or error causes.
Analyzing file content lets you review RCS operations step by step and understand any error cause
(service starts but immediately stops, service started but with incorrect deploy.htm page
redirect).
Log analysis utility
The reasons that can lead to log analysis are provided below:
Component           Analysis reason
Master Node         Check problems with RCS Console.
Collector           Check data reception from agents.
OCR module          Check for any slowed indexing in exported content.
Translate module    Check for any slowed content translation.
Network Controller  In the event of doubts on Network Injector or Anonymizer status.
Network Injector    Check completed operations.
Anonymizer          Check incoming data flow from agents.
Log file example
The log file name has the following syntax: component yyyy-mm-dd.log (rcs-dbdb 2013-03-04.log)
RCS log files
Log files generated by components in full installation are provided below:
Component           Folder
Master Node         EVOE
Collector           C:\RCS\Collector\log
OCR module          EVOE
Translate module    B\ og
Network Controller  C:\RCS\Collector\log
Network Injector    /var/log/syslog
Anonymizer          /var/log
WARNING: the lack of log files indicates incomplete installation.
Quick log display
BareTail, an application that lets you immediately view the content of several log files, is included
in the RCS installation.
To run BareTail, enter:
rcs-db-log
Log file content
Each record is identified by one of the following levels of severity:
Severity level  Description
Fatal           RCS is not running and requires service (no settings, no certificates).
Error           There is a component error but RCS can guarantee main service coverage (Master Node not running).
Debug           (only appears if enabled upon support service indication), increases and provides more details on log records to resolve problem
Info            information note.
Component status check procedure
Introduction
Typical procedures on how to check hardware and software status are provided below.
Installed license check
Check all licenses installed in RCS, including updates.
Command
In folder enter rcs-db-license
Master Node status check
Make sure Master Node is routinely communicating data to databases via Worker services.
Command
In folder enter rcs-db-evidence-queue.
Result: an example is provided below.
[Figure: example rcs-db-evidence-queue output]
What to check
If the logs and size values begin to significantly increase, this may be due to Worker service that is
not running. Check status on each Worker service.
Checking Worker service status
Make sure that Worker service is correctly running to decode and save data in databases.
What to check
In folder check log logs
Check agent status via Collector
Make sure agents are routinely communicating their status to RCS via Network Controller and
that they are sending their data to Collector. Agent data may be lost in the event of a persistent
Collector fault.
Command
In folder C:\RCS\Collector\bin enter rcs-collector-status
Result: the Collector status report appears
[Figure: Collector status report]
What to check
The Last time must be as recent as possible, compatible with the set methods
for each agent: a recent Last time indicates that agents correctly communicate with
Collector. If Last time is not recent, wait for any other to check whether it is
updated. Alternatively, check Collector logs to see whether there are attempts: in
this case inform support service.
The logs value must be minimum since it is the data saved by the Collector awaiting to be sent to
Master Node. If the value is high, this means that Master Node is not running or is not connected.
Check Master Node service status.
The number of logs will decrease as soon as the connection is resumed.
Network Injector start check
Network Injector logs are normally saved in folder /var/log/syslog.
To learn more
To view logs see "System logs" on page 77
Service restart procedures
Introduction
Typical procedures on how to restart services are provided below.
Restarting service
Purpose
In the event of faults, service can be restarted using this utility instead of using the
Windows Service Management function.
Command
The commands to start, stop and restart the service are given below in order:
- rcs-db-service start
- rcs-db-service stop
- rcs-db-service restart
Restarting MongoDB service
Purpose
In the event of faults, MongoDB service can be restarted using this utility instead of using the
Windows Service Management function.
Command
The commands to start, stop and restart the service are given below in order:
- rcs-mongo-service start
- rcs-mongo-service stop
- rcs-mongo-service restart
Restarting Collector service
Purpose
In the event of faults, Collector service can be restarted using this utility instead of using the
Windows Service Management function.
Command
The commands to start, stop and restart the service are given below in order:
- rcs-collector-service start
- rcs-collector-service stop
- rcs-collector-service restart
Restarting Worker service
Purpose
In the event of faults, Worker service can be restarted using this utility instead of using the
Windows Service Management function.
Command
The commands to start, stop and restart the service are given below in order:
- rcs-worker-service start
- rcs-worker-service stop
- rcs-worker-service restart
Restarting Network Injector service
Use SSH protocol for all installation, setup and data exchange operations to the remote unit.
Purpose
In the event of faults you can directly work on Network Injector and restart service.
Command
To restart the service with the same settings or new ones, open Appliance Control Center, reset if
necessary and reboot the service by clicking Restart.
Restarting Anonymizer service
Use SSH protocol for all installation, setup and data exchange operations to the remote unit.
Purpose
In the event of faults signaled on RCS Console you can directly work on the VPS server and restart
service.
Command
To restart the service, enter the following command:
restart
To stop the service, enter the following command:
/etc/init.d/rcsanon stop
IMPORTANT: command syntax refers to the Linux CentOS 6 operating system version.
Hardware component service procedures
Introduction
Typical hardware component service procedures to be used in the event of hardware faults are
provided below.
Hardware key replacement
If the main hardware key stops working, it must be immediately replaced with the backup key,
contained in the supplied package. Contact support service for a license file compatible with the
backup key.
Instructions on how to replace and activate a new key are given below:
Phase  Who          Does what
1      the client   informs HackingTeam of the fault.
2      HackingTeam  sends a new license file linked to the backup hardware key.
3      the client   replaces the main key with the backup key and starts the procedure to assign the new license file.
4      the client   sends the faulty key to HackingTeam.
5      HackingTeam  replaces the faulty key with a new backup key and sends it to the
Master Node replacement
The recommended procedure is described below:
Step  Action
1     Restore a server, repeating all installation operations. See "server installation in All-in-One architecture" on page 18 or "server installation in distributed architecture" on page 22
2     Select the most recent backup (full or metadata). If the most recent backup is metadata, full backup can be restored later. In fact, the backup is not destructive and supplements the information it has with that present. See "What you should know about backup" on page 98
Shard replacement
The recommended procedure is described below:
Step  Action
1     Repeat the entire installation procedure. See "server installation in distributed architecture" on page 22
2     Restore the last full backup. See "Backup management" on page 100
Replacing the Collector/Network Controller
Repeat the entire installation procedure.
See "server installation in distributed architecture" on page 22
Replacing an Anonymizer
Repeat the entire installation procedure.
See "Anonymizer installation and settings" on page 38
Replacing a Network Injector Appliance
Repeat the entire installation procedure.
See "Network Injector Appliance installation" on page 42
Replacing a Tactical Injector Appliance
Repeat the entire installation procedure.
See "Tactical Control Center installation" on page 49
9
RCS Console for the System administrator
Presentation
System administrator's role
The System Administrator's role is to:
- complete installation with Anonymizer, Network Injector and Backup settings
- check Shard database space
- check Collector, Anonymizer, Network Injector and other system component operations
- update system components
- manage backup
- resolve any problems
Enabled functions
To complete his/her assigned activities, the System administrator has access to the following
functions:
- System
- Monitor
Content
This section includes the following topics:
Starting the RCS Console
Homepage description
Wizards in the homepage
Shared interface elements and actions
Front end management
File Manager data
Back end management
What you should know about backup
Backup management
Connector management
Managing the Network Injector
Network Injector data
System monitoring (Monitor)
System monitoring data (Monitor)
Starting the RCS Console
When started, RCS Console asks you to enter your credentials previously set by the Administrator.
What the login page looks like
This is what the login page looks like:
[Figure: RCS Console login page]
Area  Description
1     Title bar with command buttons:
      - Close RCS Console.
      - Expand window button.
      - Shrink window button.
2     Login dialog window.
Open RCS Console
To open RCS Console functions:
Step  Action
1     In Username and Password, enter the credentials as assigned by the Administrator.
2     In Server, enter the name of the machine or server address to connect to.
3     Click: the homepage appears with the menus enabled according to your account privileges. See "Homepage description" below.
Homepage description
To view the homepage:
- click
Introduction
The homepage is displayed when the RCS Console is started, and is the same for all users. Enabled
menus depend on the privileges assigned to the account.
What it looks like
This is what the homepage looks like, with recently opened items saved. For details on shared
elements and actions:
[Figure: RCS Console homepage]
Area  Description
1     Title bar with command buttons.
2     RCS menu with functions enabled for the user.
3     Search box to search operations, targets, agents and entities, by name or description.
4     Links to the last five elements opened (operation in the Operations section, operation in the Intelligence section, target, agent and entity).
5     Wizard buttons.
6     Logged in user with possibility of changing the language and password.
7     Download area with ability to view progress during export or compiling.
8     Current date and time with possibility of changing the time zone.
Wizards in the homepage
To view the homepage:
- click
Introduction
For users with certain privileges, RCS Console displays buttons that run wizards.
What it looks like
This is how the homepage is displayed with enabled wizards:
[Figure: RCS Console homepage with wizard buttons]
Button                Function
Investigation Wizard  Open the wizard to quickly create an agent. NOTE: the button is only enabled for users with Administrator and Technician privileges.
Archive Wizard        Open the wizard to quickly save operation and target data. NOTE: the button is only enabled for users with Administrator and System Administrator privileges.
Archive Wizard
This wizard lets you quickly manage open operation or target data to save and delete them from
the database.
Data is saved in a backup and can be restored at any time.
Following are explanations of the various options:
Option                                Description
Archive all data into a backup        Saves all selected operation or target data in a full type backup file. The backup appears in a programmed backup list and can be restored at any time.
Remove all data from the live system  Deletes all selected operation or target evidence from the database. The operation or target remain open and running. Only the database is reduced in size. CAUTION: if this option is combined with immediate backup, give the backup a name that clearly indicates that the corresponding evidence was deleted from the system.
Mark the item as closed               Close the selected operation or target. CAUTION: the operation or target is closed and cannot be reopened. Agents no longer send data but evidence already received can still be viewed.
Delete the item from the system       Deletes all selected operation or target data. Operation data, targets, agents and all evidence is deleted from databases. CAUTION: deleting an operation/target is irreversible and all data linked to that operation/target is lost.
Shared interface elements and actions
Each program page uses shared elements and allows similar actions to be run.
For easier manual comprehension, elements and actions shared by some functions are described
in this chapter.
What the RCS Console looks like
This is what a typical RCS Console page looks like. A target page is displayed in this example:
[Figure: typical RCS Console page showing a target page]
Area  Description
1     Title bar with command buttons:
      - Logout from RCS.
      - Page refresh button.
      - Expand window button.
      - Shrink window button.
2     - Return to homepage button
      - RCS menu with functions enabled for the user.
3     Operation scroll bar. Descriptions are provided below:
      - Back to higher level.
      - Show the operation page (Operations section).
      - Show the target page.
      - Show the factory page.
      - Show the agent page.
      - Show the operation page (Intelligence section).
      - Show the entity page.
4     Buttons to display all elements regardless of their group membership. Descriptions are provided below:
      - Show all operations.
      - Show all targets.
      - Show all agents.
      - Show all entities.
5     Window toolbar.
6     Search buttons and box:
      - Search box. Enter part of the name to display a list of elements that contain the entered letters.
      - Display elements in a table.
      - Display elements as icons.
7     Logged in user with possibility of changing the language and password.
8 Download area with ability to view progress during export or compiling. Files are
downloaded to the desktop in the RCS Download folder.
• top bar: percent generation on server
• bottom bar: percent download from server to RCS Console.
9 Current date and time with possibility of changing the time zone.
Actions always available on the interface
Change interface language or password
To change the interface language or password:
Step Action
1 Click to display a dialog window with the user's data.
2 Change the language or password and click Save to confirm and exit.
Converting the RCS Console date-time to the actual time zone
To convert all dates-times to the actual time zone:
Step Action
1 Click to display a dialog window with the current date-time:
UTC time: Greenwich mean time
Local Time: date-time where the RCS server is installed
Console time: date-time of the console used and which can be converted.
2 Change the time zone and click Save to confirm and exit: all displayed dates-times
are converted as requested.
Table actions
The RCS Console displays various data in tables. Tables let you:
• sort data by column in increasing/decreasing order
• filter data by column
Action Description
Sort by column Click on the column heading to sort that column in increasing or
decreasing order.
Filter a text Enter part of the text you are searching for: only elements that contain
the entered text appear.
The example shows elements with descriptions like:
• "myboss"
• "bossanova"
Filter based on an option Select an option: the elements that match the selected option appear.
Filter based on several options Select one or more options: the elements that match all selected
options appear.
Change the column size Select the edge of the column and drag it.
Front end management
To manage the front end: System section, Frontend
Function scope
When RCS is running, this function lets you monitor the Anonymizers and Collectors, change the
Anonymizer and chains settings and update the
During installation, this function lets you create a new Anonymizer "object" that acts as the logical
connection between the RCS Console and the software component to be installed on a VPS.
NOTE: the function is only enabled if the user has Frontend management authorization.
What the function looks like
This is what the page looks like:
Area Description
1 RCS menu.
2 System menu.
3 Window toolbar.
Descriptions are provided below:
Icon Description
Create a new Anonymizer.
Edit Anonymizer data.
After editing, click Apply configuration.
Show last logs.
Tip: double-click an Anonymizer to check/edit data.
Delete an Anonymizer. This does not delete the Anonymizer
installed on the
It generates the installer for the first Anonymizer installation
and saves it on the desktop. Copy the file via SSH to the remote
VPS and run it.
Update the Anonymizer software version from remote.
Simulate agent behavior. It connects to each Anonymizer in the
chain up to the gateway Collector, and returns connection
results.
Update settings on all Anonymizers. This command is used after
adding, deleting or changing the Anonymizer chain in use.
It shows packets automatically created on the Collector by
Exploit, WAP Push and QR Code vectors made available for the
target device. Files that are no longer used can be deleted.
CAUTION: deleting files too early could compromise
infection by vectors.
NOTE: any files manually copied to the folder do not
appear.
4 Anonymizers set but not yet included in a chain.
5 Anonymizer chains on the system with the IP address of the last element.
Possible conditions:
Anonymizer not in chain.
Anonymizer in chain and running.
Anonymizer not monitored by the Network Controller.
Anonymizer with faults.
Collector running.
Collector not running.
6 RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 90.
To install, edit or cancel an Anonymizer see "Anonymizer installation and settings" on page 38.
Adding an Anonymizer to the configuration
To add an Anonymizer see "Anonymizer installation and settings" on page 38.
Editing Anonymizer settings
To edit Anonymizer settings see "Anonymizer installation and settings" on page 38.
File Manager data
Descriptions are provided below:
Field Description
Time Vector installation date-time on the device.
Name File name created by the installer.
Factory Factory that generated the installer.
User User who created the installer.
Back end management
To manage back end: System section, Backend
Function scope
When RCS is running, this function lets you check database status and available disk space.
NOTE: the function is only enabled if the user has Backend management authorization.
What the function looks like
This is what the page looks like:
Area Description
1 RCS menu.
2 System menu.
3 Window toolbar. Descriptions are provided below:
Icon Description
Zip the database.
4 Shard database structures with their status, occupied and available disk space.
NOTE: database 0 is the one included in MasterNode.
5 RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 90.
For further information on backups see "What you should know about backup" below.
Significant Shard database data
Selected Shard database data is described below:
Field Description
Data Size Occupied space.
on Disk Total Shard device space.
serverName:port Shard server port
What you should know about backup
Management responsibilities
The System administrator must protect logged data and set frequency for the various types of
backups.
Backup methods
RCS saves all data in databases in the specified folder when editing RCS settings. See "Editing
Master Node settings" on page 72
A backup can save one or more types of data. Backup types are:
• metadata
• full
• operation
• target
Metadata type backup
The metadata backup type is fast and saves the entire system configuration, allowing normal
system operations to be quickly restored in the event of problems. This type of backup does not
include collected evidence. Daily backup is recommended.
WARNING: agents installed on various devices may be lost without a recent metadata
backup.
NOTE: the job that runs weekly metadata backup is set by default and enabled whenever
the system is rebooted. The default job cannot be deleted.
Full type backup
Full backup contains all evidence, therefore this could take a long time. Since it can be restored
after a metadata backup, it is recommended once a month.
Operation type backup
The operation backup saves all open and closed operations. Since it can be restored after a
metadata backup, it is recommended once a month.
Target type backup
The target backup saves all opened and closed target data. Since it can be restored after a
metadata backup, it is recommended once a month.
Incremental backup
Full, operation and target backups can also be incremental. This way the system saves data
generated from the date-time of the last backup. The first incremental backup is always complete
(full, operation or target). Only subsequent backups are incremental.
NOTE: if the incremental option is removed and reapplied to a job, the next backup of that
job will be complete.
Tip: name the job so it is later recognized as an incremental backup ("Increm_lastWeek").
We suggest you run a complete backup (full, operation or target) once a month and an
incremental backup once a week.
Backup restore for severe reasons
CAUTION: restoring a backup should only be considered in severe situations such as
replacing a database.
A backup must be restored whenever a server is replaced.
Backup data restore
IMPORTANT: backup restore is never destructive. For this reason, restore should not
be used to restore accidentally changed elements.
Some examples are provided below:
If after the last backup Then restore
an element was deleted restores the deleted element.
an element was edited leaves the element changed.
a new element was added leaves the element changed.
IMPORTANT: backup does not restore information on operations that were
erroneously closed (deleted).
IMPORTANT: to restore an incremental backup, restore them all starting with the
oldest.
Backup management
To manage backups: System section, Backup
Function scope
When RCS is running, this function lets you check the last backup status, create new backup
processes or immediately run a backup process.
During RCS maintenance, this function lets you fix damaged data restoring them with a backup.
NOTE: the function is only enabled if the user has System Backup?Restore authorization.
What the function looks like
This is what the page looks like:
Area Description
1 RCS menu.
2 System menu.
3 Backup process toolbar. Descriptions are provided below:
Icon Description
Add a backup process.
Edit a backup process, for example, to disable it or change its
frequency.
IMPORTANT: do not use this function to change the type of
data processed. It is better to disable the process and create
a new one with a matching name.
Delete a backup process. Does not delete the backup files generated by
the process.
Run backup even if disabled.
View the list of completed backups.
Keys are described below:
restore data from the selected backup file.
CAUTION: restoring data is a delicate operation. Make sure
you have fully understood RCS restore mechanisms. See "What
you should know about backup" on page 98
delete the selected backup.
4 List of programmed backup processes (enabled and disabled) with last backup status.
5 RCS status bar.
Significant backup process data
The selected backup process data is described below:
Field Description
Enabled Enables/disables the backup process. Use to temporarily disable the process, for
example, when replacing the backup device.
Tip: to quickly enable/disable a process, flag the box in the En column in the
list.
What Data to be included in backup.
metadata: the entire system configuration: database, Collector, Network Injector,
Anonymizer, agent. This is the bare minimum required to restore the system in the
event of disaster. All information required to collect agent information is contained in
this type of backup.
full: full backup of the system configuration and tapping data (operation and target).
It may take a while to execute.
operation: backup of the indicated operation, data included.
target: backup of the indicated target, data included
When Backup frequency.
UTC: time zone.
Name Name to be assigned to the backup.
Connector management
To manage connectors: System section, Connectors
Function scope
This function lets you create connection rules with third party software. The evidence received by
RCS will be sorted according to these rules.
IMPORTANT: this function requires a user license.
NOTE: the function is only enabled if the user has Connector management authorization.
What the function looks like
This is what the page looks like:
Area Description
1 RCS menu.
2 System menu.
3 Window toolbar. Descriptions are provided below:
Icon Description
Add a connection rule.
Edit the selected connection rule.
Delete the selected connection rule.
4 List of connection rules.
5 RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 90.
Significant connection rule data
Selected rule data is described below:
Field Description
Path Name of the operation or target evidence is sent to.
If not specified, all operations and evidence will be sent to third party software.
Type Evidence storage type:
• Local: evidence is sent to a local folder
• Remote: evidence is sent to an RCS installation with Archive license
The RCS system with Archive license receives central system data and is
enabled to run all analysis functions as if it directly received information
from target devices; however, it cannot create agents or receive new data
directly from the Collector.
Format Evidence format.
• JSON, XML for Local type
• RCS for Remote type
Keep the evidence If selected, a copy of the evidence is kept in the RCS database.
CAUTION: if not selected, this evidence can no longer be viewed in RCS,
nor can alerts be received.
Destination Local folder path where evidence is sent or RCS Archive
server IP address.
Managing the Network Injector
To manage Network Injectors: System section, Network Injector
Purpose
During installation, this function lets you create a new Network Injector "object" that creates the
logical connection between the RCS Console and single hardware device.
NOTE: the function is only enabled if the user has Injector management authorization.
What you can do
With this function you can:
• create a new Network Injector
• update Appliance Control Center or Tactical Control Center software
• view logs and check Network Injector status
What the function looks like
This is what the page looks like:
Area Description
1 RCS menu.
2 System menu.
RC5 9 -To learn more
3     Network Injector toolbar. Descriptions are provided below:
      - Add a new Network Injector.
      - Edit Network Injector data and view logs.
      - Update Appliance Control Center or Tactical Control Center software. If Network
        Injector is Appliance type, it will be automatically updated at the next provided an
        infection process is running. If, on the other hand, it is Tactical type, the operator
        will select whether or not the application is updated. See "Network Injector Appliance
        update" on page 65, "Tactical Network Injector update" on page 6?
      - Delete the selected Network Injector.
4     Network Injector list.
5     Injection rule toolbar.
6     List of selected Network Injector rules.
7     RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 90.
To learn more about Network Injector Appliance installation see "Network Injector Appliance
installation" on page 42.
To learn more about Tactical Network Injector installation see "Tactical Control Center
installation" on page 49, see "Network Injector Appliance installation" on page 42.
To learn more on Network Injector data see "Network Injector data" on next page.
Updating Network Injector control software
To update Network Injector:
Step  Action
1     - Select the Network Injector.
      - Click Upgrade: update data appears.
      - Click OK: RCS receives the request to send the update to Network Injector.
      IMPORTANT: Network Injector only receives the software when it
      with the RCS server. See "Checking Network Injector status" on page 54.
Network Injector data
Network Injector data is described below:
Data            Description
Name            User's descriptions.
Description
Version         Software version.
                To view the software versions of all the components see "System monitoring
                (Monitor)" on the facing page.
Address         Device IP address.
Port            443. To view the ports to be opened for firewall see "Ports to be opened on the
                firewall" on page 14.
Monitor via NC  If enabled, Network Controller acquires the Network Injector status every 30
                seconds.
                If not enabled, Network Injector continues sniffing and injection operations, but
                the Network Controller does not check its status. Used when connections to
                Network Injector are down for any reason once installed at ISP, or for tactical use.
Log             Last messages logged.
                NOTE: Tactical Network Injector log updates depend on the frequency with
                which the operator enables
                To view log file content see "System logs" on page 77.
                Update the list.
                Delete viewed logs.
System monitoring (Monitor)
To monitor the system: Monitor section
Purpose
This function lets you:
- monitor system status in both hardware and software terms
- delete elements to be monitored since uninstalled
- monitor licenses used compared to those purchased
Service call: Contact your HackingTeam Account Manager if additional licenses are required.
What the function looks like
This is what the page looks like:
Area  Description
1     RCS menu.
      Monitor indicates the current number of system alarms triggered.
2     Window toolbar.
      Descriptions are provided below:
      - Deletes the component to be monitored.
3     List of RCS components and their status:
      - Alarm (generates an e-mail sent to the alerting group)
      - Component running
4     License status.
5     RCS status bar.
To learn more
For interface element descriptions see "Shared interface elements and actions" on page 90.
For a description of the data in this window see "System monitoring data (Monitor)" on the facing
page.
Deleting a component to be monitored
To delete an uninstalled component:
Step  Action
1     Select the component.
2     Click Delete: RCS will no longer read the status of that component. Only subsequent
      installations of new components automatically update the list.
      NOTE: erroneously deleting a component that is still installed is not
      destructive. Component status will reappear the next time the page is
      refreshed.
System monitoring data (Monitor)
System component monitoring data
System monitoring data is described below:
Data          Description
Type          Monitored component type and name:
Name          - Network Controller
              - Anonymizer
              - Database
              - Collector
Address       Component's IP address.
Last contact  Last date-time.
Status        Component status at last
              - Alarm: the component is not running, contact the alerting group for immediate
                service.
              - Warning: the component signals a risky situation, contact the system
                administrator for necessary checks.
              - Component running.
CPU           % CPU use by the single process.
CPU Total     % CPU use by server.
Disk Free     % free disk space.
License monitoring data
License monitoring data is described below. For restricted licenses, the format is "x/y" where x is
the amount of licenses currently used by the system and y the maximum amount of licenses.
CAUTION: if the licenses are in use, any new agents will be put in queue until a license
is freed or new ones purchased.
Data                Description
License type        Type of license currently in use for agents.
                    reusable: an agent's license can be reused after it is uninstalled.
                    oneshot: an agent's license is only valid for one installation.
                    NOTE: the license can only be updated if the user has License
                    modification authorization.
Users               Amount of users currently used by the system and maximum admitted quantity.
Agents              Amount of agents currently used by the system and maximum admitted quantity.
Desktop             Amount of desktop and mobile agents currently used by the system and
Mobile              maximum admitted quantities respectively.
Distributed server  Amount of database currently used by the system and maximum admitted
                    quantity.
Collectors          Amount of Collectors currently used by the system and maximum admitted
                    quantity.
Anonymizers         Amount of Anonymizers currently used by the system and maximum admitted
                    quantity.
]HackingTeam[
HT S.r.l.
via della Moscova, 13
20121 Milano (MI)
Italy
RCS 9 System Administrator's Guide
System Administrator's Guide 1.4 SEP-2013
COPYRIGHT 2013
tel.: 39 02 29 060 603
fax: + 39 02 63 113 946
info@hackingteam.com