FINUSB SUITE 1
SPECIFICATIONS
Copyright 2012 by Gamma Group International, UK
Date 2012-03-19
Release information
1 OVERVIEW
FinSpy is designed to help Law Enforcement and Intelligence Agencies to remotely monitor computer
systems and get full access to:
2 FINSPY AGENT
2.1 FinSpy Agent – User Manual
2.1.12.5 Self-Removal
After a successful login the main interface will open. It shows the main interface of the FinSpy Agent.
Name              Description
Data Analysis     Monitors and analyzes data of a selected FinSpy Target or all FinSpy Targets.
Create Target     Opens a wizard which guides the user through the creation of a FinSpy Target.
Deployment SMS    A pop-up will open to send out an SMS with the Mobile Trojan as a link.
WAP Push          To send out the Mobile Trojan via WAP Push message.
Configuration     Basic Settings for the FinSpy Agent and FinSpy Master can be defined.
Show Logfiles     Gives the possibility of viewing the FinSpy Master system logfiles.
Agent List        Information about FinSpy users, their user rights, logins and current connections.
FinSpy / User Manual
Online Help       Connects to online help on the Gamma Group homepage via internet.

Name                         Description
T (Data on Target)           New data available on FinSpy Target (data is ready to download)
C (Configuration Pending)    The target configuration was changed but not pushed yet to the target
Phone Number           Displays the Mobile Number of the infected Mobile Phone
Country                Country in which the FinSpy Target is located (detected by public IP)
City                   City where the FinSpy Target is located (detected by public IP)
OS                     Icon representing the Operating System running on the FinSpy Target mobile
Base Station           Coordinates of the Base station the mobile phone is connected to
Last Heartbeat Time    The last time the mobile phone connected to the FinSpy Master
Model                  Tries to identify the exact model of the used mobile phone
Roaming Host           The name of the Network which hosts the device while in roaming
Data link              The data link of the Target (Wifi, 3G, GPRS)
Heartbeat Type         How did the Target connect to the FinSpy Master (SMS, TCP)
GPS Source             The source from where the polar coordinates were retrieved.
Clicking on a specific target opens all possible actions. Available actions depend on the status of the
FinSpy Target (offline/online).
Right-Clicking on any column header allows the user to choose which columns shall be displayed.
Name                       Description
Analyse Data               Analyzes data which is already downloaded and available on the FinSpy Master
Target History             Will display information about last known Target locations
Emergency Configuration    To configure the FinSpy Target via SMS in case it is not online
Remove Infection           Removes the FinSpy Infection from the FinSpy Target
2.1.2.2 Target List – Archived
Possible actions for a FinSpy target, which is no longer infected. The recorded data is still persistent on
the FinSpy Master but the FinSpy target is not infected anymore.
Name              Description
Analyse Data      Analyzes data which is already downloaded and available on the FinSpy Master
Target History    Will display information about last known Target locations
Remove Data       Removes the recorded data from the FinSpy Master
After infection, the FinSpy Target has no associated license and all its data collection features are
disabled. The FinSpy Master will allocate a license to the newly infected FinSpy Target, if available.
If there is no license available, the FinSpy Agent can still see the FinSpy Target in the Target List but
can work with it only in a limited way until an existing infection is removed.
Once the license is installed on the FinSpy Target all the features become available and the user gains
full control over the FinSpy Target.
If all the licenses are used, newly infected FinSpy Targets will be shown as disabled until a new license
is available.
To free a license, an existing infection has to be removed from a licensed FinSpy Target. The infection
can be removed immediately from an online FinSpy Target or can be scheduled for removal from an
offline FinSpy Target. Either way the license will be freed immediately and allocated to an unlicensed
target.
2.1.2.3.1 Target List – Recorded Data Availability
A star (1) indicates that there is new “Data on Master” available.
This means that new data was downloaded from the FinSpy Target to the
FinSpy Master.
Analyze Data
Analyse Data gives the possibility of showing all the recorded data which was transferred to the FinSpy
Master. The recorded data can be viewed, deleted or exported. “Analyze Data” will show a list of all data
recorded of the selected FinSpy Target.
All the data of the selected FinSpy Target is displayed as a list. All new entries in the list are displayed
with bold characters. This indicates that the data was not processed yet. Once the data is viewed or
exported, the data will not be displayed in bold anymore.
Name              Description
I (Importance)    An importance level can be associated to the collected evidence and can be used as ordering criteria. To change the Importance Level, right click in the importance level column of an evidence entry and a popup with all the available importance levels is displayed.
Possible actions for the data entries can be shown and additional information is displayed.
Name        Description
Show        Opens the recorded data. In case of streaming data (video, sound) an external player is opened.
Export      The data is exported to the FinSpy Agent computer. A folder will open where the data is saved in and the downloaded file selected.
Comments    Opens a window where comments to the data can be stored. Every change of the Importance Level is also logged as a comment.
Once a comment has been made on a specific data entry, it cannot be edited or deleted. Comments are
ordered by time in descending order, which means that the most recently added comment is displayed on
top.
It is also possible to define the search by using filters:
Name                Description
Start – End Date    From which date to which date should be searched
Module              Module by which the data was recorded (e.g. Webcam, Microphone, Keylogger, ...)
Advanced Options    In case a specific module is selected, additional filters can be applied depending on the module (e.g. All targets of a certain time zone)
1. The type of visualization. It will give two different graphs. It can be chosen between
a. Detailed view per day (default)
b. Detailed view per hour
2. The recorded data on that day. Each data is displayed with the amount of recordings for each
module per day.
Detailed view per hour:
2. Amount of recording per module is shown. Additionally the options “Change Importance”,
“Export Record” and “Remove Record” can be selected.
To navigate through date and time the mouse can be used, either via mouse-wheel (up/down) or by
dragging the scrollbar.
The mobile target history contains information about all the target heartbeats including the time stamp
in UTC, the location information and the channel used to send the heartbeat information.
2.1.5 Configuration
To access the configuration of an infected FinSpy Target, the target needs to be selected and
“Configuration” clicked.
A new window opens within the FinSpy Agent. The following image illustrates the layout of the FinSpy
target configuration.
This workspace is divided into two parts. The first part, on the left, contains the modules and
different configuration options; the second, on the right, is where module-specific configuration
options can be set.
Configuration Options:
General
Address Book
Logging Messages
Spy Calls
SMS Messages
Tracking
Blackberry Messenger
2.1.5.1 Configuration – General
2.1.5.1.2 Infection Self-removal
Computers which never go online may become infected by mistake and spread an infected application
through an organization. To avoid offline computers remaining infected and still recording data, the
FinSpy Target can remove itself.
Scheduled Removal: Date on which the FinSpy Target removes itself from the infected computer
Time Out Removal: Time after which the FinSpy Target removes itself from the infected
computer, if communication with the FinSpy Master fails (even if there is a functional internet
connection). This renewal will be disabled once the FinSpy Target contacts the FinSpy Master for
the first time.
Mobile Target Name: FinSpy Mobile Trojan may infect different targets. To separate the FinSpy Targets,
the previous Target ID of the infected media can be changed.
2.1.5.1.4 Time Based Heartbeat Options
Time Based Heartbeat options can be defined here, that is, the regular intervals at which the
heartbeat takes place.
Heartbeat Interval: The FinSpy target will send “alive” packets in a defined interval to the FinSpy Master.
This is used to update the online/offline status of the FinSpy Target and control certain events.
2.1.5.1.6 Heartbeat Restrictions
This defines the communication channels which shall be used to send a heartbeat.
Wifi
3G
SMS
When the Roaming status becomes active and the exception “The device has Roaming status enabled” is
checked, the phone will send a last heartbeat with the new roaming status and will stop sending
heartbeats until the FinSpy Target is again in a non-roaming state.
Relay IP Address(es): Pre-configured with connected FinSpy Master. This must be the external IP
address or hostname of the FinSpy Master or of the FinSpy Relay. Several IP addresses or hostnames can
be defined. The infected computer will connect to one of the configured addresses.
Relay Port(s): Pre-configured with settings retrieved by the FinSpy Master
2.1.5.1.8 Relay Cellular Configuration
This configuration contains the information about the Relays where the Mobile Targets make the TCP/IP
connection as well as the phone numbers where the SMS Heartbeats are sent to.
There must be at least one phone number installed. Otherwise the initial heartbeat cannot be sent. This
initial heartbeat is mandatory as this is the only possibility for the FinSpy Infrastructure to determine the
FinSpy Target Phone number.
Syntax: +<CountryCode><PhoneNumber>
Example: +49170111111
2.1.5.1.9 Positioning Options
This section defines the positioning and location options.
The order can be sorted with the arrow-up & arrow-down icons. Certain methods can also be
disabled.
2.1.5.2 Configuration – Tracking
The modules will then immediately be removed from the FinSpy Target or immediately downloaded
from the FinSpy Master to the FinSpy Target if added.
In this case the configuration can be changed by pushing out an SMS to the target.
The Emergency Configuration is slightly different from the normal Configuration. No Modules can be
added or changed. Furthermore the GUI is also slightly different as it will first of all give an overview of
the infection.
If any setting is changed and “Save” is selected the SMS will be sent out to the target.
All modules which are installed on the Target and furthermore allow a live session will be listed in a
dialogue:
Name         Description
Spy Calls    Directly activates the Microphone of the target phone and allows listening to it
Each Live Session is opened in a new tab inside the FinSpy Agent. After closing the live sessions, the
connection to the target computer can be ended by clicking “Disconnect” inside the expanded FinSpy
Target of tab Target List.
The following chapters describe live access of each module in more detail.
2.1.7.1 Live Session – Spy Calls
For a live-session of the FinSpy Target’s Display, Webcam or Microphone use the “Start” button inside
the FinSpy Agent. The quality of the recording depends on the predefined configuration.
To stop recording live images or microphone, move the mouse over the image and click the “Stop”
button.
To use the Evidence Protection, it can be selected via “Evidence Protection” on each FinSpy Mobile
Target.
Name              Description
Evidence          All the collected evidence is listed and the user can check if the signature is valid.
Mobile History    A history of the FinSpy Mobile Target activity can be shown.
possible (3). The folder where the evidence is exported will be opened in Windows Explorer once the
download is finished. A progress dialog will monitor the download of the evidence since this could be
a lengthy operation.
Name               Description
Location Source    The method/device used to obtain the Target Location (in Polar Coordinates)
Coordinates        The Polar Coordinates of the Target Location. The position accuracy depends on the Location Source value.
To initiate purging of recorded data, expand the respective FinSpy Target in the tab “Target List” and
click on “Remove Data”.
Click “Create Target” on the left navigation pane of the FinSpy Agent. This will open the Target Creation
Wizard.
Within the wizard, to navigate between the dialogs for configuration, “Next” or “Previous” buttons can
be used or clicking on the items on the left navigation pane is possible.
The following dialogs consist of:
Name                 Description
Heartbeat Options    Criteria when the infection removes itself from the FinSpy Target.
Select Modules       Defining which modules should be integrated with their settings.
Target Options       Advanced configuration of the behaviour of the FinSpy Trojan on the FinSpy Target
2.1.11.1 General
General settings configure the behaviour and identification of a FinSpy Installer Package. Some
parameters are changeable after infection of a FinSpy Target.
The Operating System of the Target has to be chosen. This will result in a different FinSpy Trojan with
different modules.
Android           2.x
Blackberry        4.6, 5.x, 6.x, 7.x
Windows Mobile    6.1, 6.5
2.1.11.3 Heartbeat Options
These settings are explained in chapter: Time Based Heartbeat Configuration, Event Based Heartbeat
Configuration & Heartbeat Restrictions.
2.1.11.5 Self-Removal
“Infection Limit” defines the maximum number of infections per Trojan. If “Max Infections” is set to “3”,
then only the first 3 Trojans sending heartbeats to the FinSpy Master will be accepted.
For detailed description how to configure each Module see the following chapters:
Configuration – Tracking
2.1.11.8 User Permissions
Each creation of a FinSpy Trojan allows assigning users to work with it. Multiple users can be chosen (1).
Furthermore it is possible to give special rights to each user like establishing a Live Session or configuring
the FinSpy Target (2).
2.1.11.9 Summary
A Summary of the generated infection can be reviewed. Listed is the name of the infection, some
configuration settings and all chosen modules.
2.1.12 Tools
On the left side of the FinSpy Agent, two configuration options can be found which are meant for
deployment of the Trojan. Currently two built-in deployment methods are provided.
The Target Mobile Number must be in the format which contains the country code and the regular
phone number.
The Target Mobile phone might display the message like this:
The Text cannot be more than 140 Characters as this is a protocol limitation of SMS and should contain a
link to the uploaded FinSpy Mobile Trojan. The Trojan must be uploaded to some web space where the
Target can download it from.
2.1.12.2 Tools – WAP Push
WAP Push SMS are so called Flash SMS or Class-0 SMS. These SMS directly flash onto the screen of the
mobile phone and the Target doesn’t need to open the SMS application or similar.
Example:
3 SUPPORT
All customers have access to an after-sales website that gives the customers the following capabilities:
https://www.gamma-international.de
o Username:
o Password: