Name: FinFisher

Text:

GAMMAGROUP

GOVERNMENTAL SECURITY SOLUTIONS

COMMUNICATION MONITORING SOLUTIONS

GAMMA THE BRIDGE TO TRUST AND SECURITY

CONTENT

Communications Monitoring Solutions
Lawful Interception and Monitoring Center
Lawful Interception Management Systems (LIMS)
Passive Monitoring of Telephone Lines
Satellite Monitoring
SMS Interception
PABX Monitoring
Radio Frequency Monitoring
FinFisher: Governmental IT Intrusion and Remote Monitoring Solutions
GSM/UMTS/CDMA Tactical Monitoring and Locating (tactical/strategic)
Strategic GSM Locating
Speech Identifying Tools, Data Retention and Link Analysis
Intelligence Fusion & Management
Technical Consultancy for Communications Monitoring

The Gamma Group of Companies,
established in 1990, provides advanced integration systems and
strategic technologies in the areas of government surveillance and
monitoring systems, and in 2004
Gamma entered into a strategic alliance with its partner Elaman GmbH.
Our aim is to provide comprehensive security products and solutions,
technical consultancy and services
as well as professional training for
governments and security agencies.

Gamma Group Company Partners

The common aim of all Law Enforcement Agencies is to have state of
the art capabilities to intercept all
kinds of communications within
different telecommunications networks and carriers inside and outside a country's borders. Different
methods of communications exist
such as network based communications (PSTN), Internet, private
networks (PABX), wireless communications (WLAN, WIMAX, etc.), cellular communications (GSM/GPRS/
UMTS/CDMA) and satellite communications (Thuraya, Inmarsat, VSAT,
Iridium, etc.).

For all these technologies, different
intercept systems are available from
huge strategic systems to small
portable tactical units:
• Lawful Interception and Monitoring Centers
• Lawful Interception Management
Systems (LIMS)
• Radio Frequency Monitoring
• Internet Monitoring, Internet
Blocking and Shaping, IT-Intrusion
• Satellite Monitoring
(Thuraya, Inmarsat, VSAT, Iridium,
etc.)
• PABX Monitoring
• GSM/GPRS/UMTS/CDMA Tactical
Monitoring and Tactical and
Strategic Locating
• Speech Identifying Tools, Data
Retention and Link Analysis
• Passive Monitoring of Telephone
Lines
• SMS Interception
• Intelligence Fusion &
Management
• Technical Consultancy for
Communications Monitoring



[Diagram of the solution portfolio: Lawful Interception and Monitoring Center; Lawful Interception Management Systems; Radio Frequency Monitoring; Internet Monitoring, Internet Blocking and Shaping, IT-Intrusion; Satellite Monitoring (Thuraya, Inmarsat, VSAT, Iridium); Intelligence Fusion & Management; GSM/GPRS/UMTS/CDMA Tactical Monitoring and Tactical/Strategic Locating; Speech Identifying Tools]

Gamma provides solutions in all
fields and can be the sole supplier
and technical consultant for such
systems. Our combination of developments and systems, using third
party products and integrating
different systems, enables Gamma,
as a sole supplier, to provide our
clients with a unique portfolio of the
best services and solutions on the
market. With such a setup we are
able to discuss possible interfacing between Monitoring Systems
having one common platform in
place for data collection and analysis
(Intelligence Fusion & Management). Gamma's Technical Consultancy for Communications Monitoring is a service that provides our
clients with an "umbrella" of all
systems and solutions in this field
from the process of setting requirements, tendering, ordering, implementing and operation.


LAWFUL INTERCEPTION OF PSTN, GSM/UMTS ETC. NETWORKS AND MONITORING CENTER

Lawful Interception (LI) is the
legally approved interception of
telecommunications networks and
has become an important tool for
Law Enforcement Agencies (LEAs)
around the world. Lawful Interception provides access to calls and
call-related information (telephone
numbers, date, time, etc.) within
telecommunications networks, and
delivers this data to a strategic
Monitoring Center (MC). The MC
can decode, store and playback/
view the data (call, data, fax). The
interface between the MC and
the telecommunications networks
varies depending on the networks
(PSTN, GSM, GPRS, UMTS, CDMA,
IP, etc.) and the switches used (Nokia
Siemens Networks, Ericsson, Huawei,
Alcatel-Lucent, Cisco, Juniper, etc.).
Such an MC gives access to an
entire country's telecommunications
network from one central place,
but it needs the support of operators and the relevant interception
capabilities of the network elements
(Hardware and Software).

LAWFUL INTERCEPTION MANAGEMENT SYSTEMS (LIMS)

The LIMS solution usually acts as
a bridge or mediator between the
telecommunications operators and
Law Enforcement Agencies using
Monitoring Center solutions for
PSTN, GSM, GPRS, UMTS, CDMA,
IP, etc. The LIMS solution can provide interfaces for all kinds of network
elements. It will standardize the
interface back to the Monitoring
Center to provide a homogeneous
structure of the Monitoring Center
under one generic Graphical User
Interface. Umbrella LIMS solutions
are available to act as the only
administration terminal to mark
phone numbers within different
kinds of networks from different
vendors and operators.

Figure 1: Functional model for lawful interception (labels: Telecommunication Network Function; Internal Network Interface; Internal Interception Function; Lawful Interception Function; Handover Interface; Monitoring Function; Administration Function; Access, Mediation, Delivery Function)

PASSIVE MONITORING OF TELEPHONE LINES

The possibility to passively monitor
a huge number of telephone lines
has become more and more important as it provides a full history of
telephone data for a predefined
time-frame (e.g. last six months).
In this case, all communications are
passively intercepted without active
intervention by the communications
network. This is an ideal method
to collect information for intelligence agencies, and also to identify
targets for use in a Lawful Interception (LI) based system. The number
of intercepts in the case of passive
interception is much larger than in
the case of LI.

The aim of passive surveillance is
to intercept all traffic (voice, faxes,
data-sessions, emails, internet sessions, etc.) on:

International gateways:
This point provides all land-based
communication across the borders
of a country. The same technology
can equally be used to intercept
within the country or in a specific
area.

Mobile Networks (PLMN):
From a passive perspective, this
is the interception between PSTN
and PLMN as well as within PLMN
systems themselves on the level of
the communications between the
MSC and BSC.

The demands of passive surveillance are:
• Large volumes of traffic need to be
intercepted (e.g. 1000s of E1s)
• Different types of interfaces are
required (E1/T1, STM1/STM4, etc.)
• Large storage capacity (Petabytes)
and vast processing & filtering are
required
• Changes in protocols or telecommunication environments continue
to occur

[Diagram: Filter; Analysis; Long-term Storage; New targets]

First, it is important to distinguish
between the two types of satellite
systems concepts:

• General satellite operators, like
EutelSat, ArabSat, IntelSat, etc. are
mainly used to provide telecoms
carriers or broadcasting stations
with a transmission bandwidth or
provide dedicated links to private
users and organizations (VSAT)
• Satellite communications systems provide clients with communication services over certain
providers, like Inmarsat, Thuraya,
Iridium, etc., using attractive
handhelds similar to GSM phones

The approach to define an interception capability is totally different
for both types. For general Satellite
Systems a detailed survey is required, as the interception solution will
be different for each country based
on the satellite footprints and the
terminals used within the area that
should be intercepted.

For satellite communication — "off
the shelf" interception systems
are available. These systems are
purely passive and do not need any
support from a satellite operator.
All signals are passively monitored,
decoded and viewed. In case of
Thuraya Monitoring, the exact positions of the intercepted phones will
also be given.

Satellite interception, especially with
the Thuraya network, is becoming
more and more important as mobile
satellite services have expanded
very successfully due to the small
size of handhelds and the combined
roaming possibilities within the GSM
networks using the same handset.
The coverage of Inmarsat is worldwide. The coverage of Thuraya is
over Europe, Middle East, most of
Africa, Central Asia, Far East and
Australia.

[Diagram: C-Band; Primary Gateway (PGW); Strategic Monitoring System; Mobile Earth Station (MES)]



The SMS interception system is connected to the GSM operator's Short
Message Service Centre (SMSC)
within a Mobile Switching Centre
(MSC) and receives all SMS. The system decodes, monitors, and stores
them via the secure TCP/IP connections. All SMS are inserted into a
central database for later analysis.

The system is capable of holding
multibillions of records over terabytes of storage systems and can
process up to 200 million SMS
per day. By implementing the latest database technologies the system offers long-term archiving of SMS and
fast data mining capabilities, including a full indexed multilingual SMS
text-search. The implementation
and interfacing of an SMS interception system depends on the type
and version of the operator's Short
Message Service Center (SMSC).
The modular configuration of the
SMS interception system allows
it to interface and adapt to each
vendor of such SMSC.

[Diagram: Mobile network; DB Server; TCP/IP-Links; Fibre Connections; CAT5 Connections; Fibre Switch; SAN; PC Clients. Legend: SAN: Storage Area Network; MSC: Mobile Switching Center; SMSC: Short Message Service Center]

PABX MONITORING


A strategic LI monitoring system
can intercept all communications
within an operator's communications network (e.g. PSTN, GSM,
UMTS, CDMA, etc.). Such a system
does not offer the ability to monitor
calls, faxes and data within private
networks (PABX of hotels, companies, etc.). Based on the type
of PABX, a variety of interception
solutions are possible. For instance,
equipment must be installed in the
PABX in order to have access to
a private network to mark certain
numbers to be intercepted (extension) and to route intercepted calls
to a place where the recording and
storage should be done. Remote
control is possible, particularly for
network wide recording solutions
in case several PABXs are connected to a communication network.
A PABX interception solution can
also be integrated into LI-Monitoring Systems in order to use a single
platform and give the operator one
common Graphical User Interface.

[Diagram: PABX; Digital Recorder Storage; database; Data Manager; playback via phone; WEB play; POWER play]

PABX: Private Automatic Branch Exchange

RADIO FREQUENCY MONITORING

Telecom Regulatory Authorities
need Radio Frequency (RF) Monitoring systems based on ITU recommendations and systems to monitor
whether their target/client follows
their license agreements and ITU
standards. The key for Law Enforcement Agencies is to have access
to the content of Radio Frequency
Signals and to locate them. Therefore, the focus is on:

• Signal Detection
• Signal Classification
• Signal Analysis
• Signal Decoding/Demodulating
• Wideband Recording
• Direction Finding Systems
• Speech Classification

The design, production and delivery
of systems on a turnkey basis are
essential and the use of COTS (Commercial Off The Shelf) technology
makes the operation of the system
easier and extremely cost effective.
A wide range of RF-Monitoring
systems can be offered from big
strategic systems to portable tactical systems including Direction
Finding Systems.

[Diagram of an RF monitoring system. Legend: ADU: Antenna Distribution Unit; WB Rec Box: Wideband Recording Box; BB DF: BroadBand Direction Finding; WB Box: Wideband Box; BBX: Broad Band component; SigP Box: Signal Processing Box]

[Diagram: Internet Service Provider (ISP); Target PC; Network Analyzing; Platform Management; Passive intercept of all IP-Data which goes via ISP backbone (Filtering - Decoding - Storage - Viewing: Target Based Interception & wild card); IP Manipulation (blocking of IP-traffic & shaping); RADIUS-Monitoring Correlation (TCP/IP address login); Monitoring Center (MC) - Front End; Monitoring Center (MC) - Back End; MC-Interface; Remote Forensic Software FinFisher (FF); FinFisher Interface; FinSpy Agent 1; FinSpy Agent 2; FinSpy Monitoring Center]

FINFISHER: GOVERNMENTAL IT INTRUSION AND REMOTE MONITORING SOLUTIONS

FinFisher is the leading offensive
IT Intrusion solution through which
Gamma provides complementary
solutions, products and advanced
training capabilities to Government
end-users who are seeking world
class offensive techniques for information gathering from suspects and
targets.

FinFisher combines three critical
areas in one comprehensive IT
Intrusion Portfolio giving the Law
Enforcement and Intelligence Communities a vast array of intrusion
capabilities from starting up a new
Intrusion Department to providing
world-class solutions and training
for enhancing existing resources.

Remote Monitoring & Infection Solutions:
FinSpy is a product used for remote
monitoring and real-time access to
target systems, allowing access
even to encrypted data and communications. In combination with
enhanced remote infection methods,
which fall under the FinFly family
of products, the end-user will have
the capability to remotely infect a
target's Windows or OSX based PC.
In addition to target computer systems, FinSpy Mobile
allows monitoring of Symbian, Blackberry, iPhone,
Windows Mobile Devices, Android
and Maemo.

Tactical IT Intrusion Portfolio:
Having the right set of tools enables
the agencies to maximize the use of
their resources. The FinIntrusion Kit
provides end-users with the needed
know-how and capabilities to optimize operations as well as significantly increasing their success rate.
With the upcoming introduction of
FinFireWire, end-users will be able
to access Windows, OSX & Linux-based systems via the FireWire port,
PCMCIA or Express card without the
need for any logon information.

IT Intrusion Training Program:
The use of all our solutions can be
maximized depending on the end-user's knowledge of the offensive IT
Field. Therefore, Gamma provides
extensive training courses both on
products supplied as well as practical
IT Intrusion methods and techniques,
transferring years of knowledge and
experience to end-users and thus
maximizing their capabilities in this
field.

GSM/UMTS/CDMA TACTICAL MONITORING AND LOCATING (TACTICAL/STRATEGIC)

For operational field usage, off-air
GSM monitoring systems are very
powerful and essential. Such systems
are portable and can be installed
into vehicles for covert operations.
Systems for GSM, GPRS, UMTS and
CDMA are available. Three different
types are available:
Active systems

[Figure: Virtual Base Station. Exact locating of targets via triangulation and silent call]

Such systems simulate a GSM/
UMTS base station to attract GSM/
UMTS phones away from the normal
GSM/UMTS network and log into the
system's "fake" virtual base station.
As soon as the phone is logged onto
the more attractive active system,
its identity is extracted (IMSI and
IMEI). By logging the phone onto
the virtual base station the phone
can be forced to transmit on a given
channel, frequency and time-slot
(establishing a "silent call"). This
transmission can be picked up by
a direction finding system (vehicle
based or handheld) which then
gives the exact position of the target
phone. When the target phone
is logged into the active system
intercepting of calls can be done, but
only calls that are initiated by the
target (target is out of the normal
GSM/UMTS network so no calls can
be received by the target phone). In
addition, phones can be completely
taken off the real network ("intelligent jamming"), fake calls and SMS
can be sent to the target phone, and
private networking by using the virtual base station can be realized and
the battery of the target phone can
be drained, etc. The active system
also allows operating within UMTS
networks. Collecting the identity of
the target phone (IMSI, IMEI) can
be done without bringing the phone
down to GSM/GPRS, therefore, no
jamming of the overall UMTS signal
is needed. For all other operations,
such as locating the phone, intercepting, etc. the target UMTS phone
is either pushed back into GSM
mode by the system or new UMTS
Direction Finders can be supplied
for locating of UMTS phones only.

Passive systems
The key function of a passive off-air
system is to intercept GSM phones
(incoming calls and outgoing calls).
The system monitors passively the
air interface and therefore has no
influence on transmitted numbers.
The called party will always see the
original calling number. Depending
on the type of encryption on the air
interface (5.0, 5.1, 5.2) such systems
can be used and give a wide range
of interception possibilities. If 5.1
encryption is used, the key must be
known, otherwise 5.1 decoding systems must be available (real time
decoder passive systems will not work with
systems currently on the market.
Passive off-air systems are portable
and in combination with the use of
directional antennas the range can
be quite substantial (several kilometers).

Semi Active Systems
Semi Active Systems are in place to
realize GSM interception of 5.1 encrypted calls. With the active component of the system the target phone
will be grabbed within milliseconds
by using the 5.2 encryption mode.
The 5.2 ciphering key will automatically be calculated and the authentic parameters of the target phone
will be taken. These parameters are
cloned onto another mobile phone
(cloning box) attached to the semi
active system establishing the link
back to the real network (base station). The target's calls are now routed through the cloned mobile phone
maintaining the same encryption,
and target identity and recording
for all incoming and outgoing calls
is realized. Multi-channel systems
are available for recording of several
calls at the same time. Semi active
systems only work with GSM target
phones having 5.2 encryption.
Certain new phones only have 5.0
and 5.1 encryption available.

[Diagram: PSTN; Mobile Switching Center (MSC); BTS; GSM Target Phone; Passive; Semi active]

In almost every country in the world,
wireless service providers are
required to enable the monitoring of
voice calls and data sessions, termed Lawful Interception (LI), for use
by government agencies in criminal investigations and anti-terrorist
measures.
LI applications focus purely on intercepting content and have very low
accuracy location context, provided
by cell tower location techniques,
like Cell-ID (CID) or Enhanced Cell-ID (ECID). This can render the applications ineffective because the
target's actual location is relatively
unknown; whereas, with accurate
location data the LI mission can be
accomplished with a much higher
success rate. Using GPS for LI applications is not feasible because it
does not work indoors and in dense
urban areas, and the target user has
the option to disable or jam GPS location tracking capabilities on their
phone. Location technologies such
as multi-lateration (U-TDOA) require
radio hardware on every cell tower
making it extremely cost intensive
with a large degree of complexity
in terms of deployment and maintenance. The solution is the only high
accuracy, software-only location
solution that is low cost, scalable,
and reliably provides high accuracy across all types of environments. Besides high accuracy (sub
50m) and scalability, one of the key
unique features of the solution is its
ability to perform mass (bulk) location of all subscribers, on a near
real-time basis, enabling applications such as mass location
interception along with post-event
analytics. The solution in conjunction
with its intelligent zone services
software platform also powers border
zone interception with a high degree
of precision.

Key features
• high accuracy
• software-only
• real time, historical and mass
location
• Geo Fencing

SPEECH IDENTIFYING TOOLS, DATA RETENTION AND LINK ANALYSIS

The mass storage of intercepted data and its analysis is becoming more complicated and time
consuming for Law Enforcement
Agencies. Investigations typically
involve large amounts of data
gathered from a wide variety
of sources (all kinds of communications monitoring systems).
Somewhere in this data lies the key
to an investigation, but it can remain
obscured by the volume of data and
the uncertainty of individual facts.
Tools to filter out useless data and
to visualize large amounts of data
will turn the mass of information into
meaningful actionable intelligence:

Data Retention
In the field of telecommunications,
data retention generally refers to the
storage of call related information
(numbers, date, time, position, etc.)
of telephony and internet traffic.
The stored data is usually telephone calls made and received,
emails sent and received, web-sites
visited and location data. The
primary objective in data retention
is traffic analysis and mass surveillance. By analyzing the retained
data governments can identify an
individual's location, their associates
and members of a group, such as
political opponents.

Speech Identifying Tools, Analysis
of Audio Data
• Speech Detection
• Language Identification
• Speaker Identification
• Keyword Detection

Link Analysis
• Visualize disparate data and turn
it into meaningful information
• Analyze data to extract maximum
value
• Focus on key areas
• Communicate the results of investigations effectively

[Diagram: Speech Detection Classifier (Speech, Noise); Language Identification Classifier (English, German, Japanese); Speaker Identification Classifier (Speaker a, Speaker b, Speaker c); Keyword Detection Classifier (Keyword a, Keyword b, Keyword c)]

GAMMA OFFICES: ANDOVER - DUBAI - SINGAPORE - JOHANNESBURG

GAMMA GROUP INTERNATIONAL

Unit 6, Parnell Court, East Portway Industrial Estate,
Andover, Hampshire, SP10 3LX, United Kingdom
Tel: + 44 1264 332 411
Fax: + 44 1264 332 422
info@gammagroup.com
www.gammagroup.com

Document Path: ["793-gamma-group-product-list-finfisher.pdf"]
