finfisher-overall-spy

ammaralatif

finfisher-overall-spy

Graphical Overview – all Solutions/Methods6MethodologyTargetsIM – Mass (IP) LI - (IP) INF -(IP)Block -(IP)LI – (Voice + IP) LI – (Voice +IP)DRSNetworksMediationFront-EndBack-EndTgt.-IDProbeISPAAAIndex. IP-Probeactive/passiveEthernetNFS orUDPTgt.-IDProbeAAAISPEthernetLI-ProbepassiveNetworkElementsDLMediationIPHI2/HI3IRI/CCEthTCP/IPAAATgt.-IDProbeISPInfect. ProxyactiveBS IP-ProbeactiveNo incoming DATAEthernetPSTNPSTNInterceptionMgmt.HI3 –CCISDNHI2 – IRIX.25, TCP/IP,X.31FTAM, FTP,ISDNS2mRoseEth/X.25HI1MarkingTargetsHI3 – CCEthTCP/IPMobileMediationMobileHI3 –CCISDNEthISDNS2mHI1MarkingTargetsMobileInterceptionMgmt.HI2 – IRIX.25, TCP/IP,X.31FTAM, FTP,RoseEth/X.25CollectionDevicesEthernetAdminReceivingDecodeDemodDL/DE-AdminMass-IPRing-BufferModuleGRID DetectionModAssemblyModuleDL-ADMFLIHI3 – CC??? Module??? ModuleDL-ADMFFF-ISPDL-ADMFBSFinSpyMASTERHI3 – CCVoiceRecorderHI2 – IRIReceiver??? ModulesHI2 – IRIReceiverHI3 – CCVoiceRecorderHI3 – CC??? ModuleDRSSERVERStorageArchivingAnalysisEvaluationIPIP IP IP VOIC IRI IPEDATA WAREHOUSEUsers / Evaluator / OperatorsVOICEIRIIP


IP-Network – Lawful Interception8MethodologyTargetsNetworksMediationFront-EndBack-EndAdminReceivingDecodeDemodStorageArchivingAnalysisEvaluationRing-BufferModuleGRID DetectionModAssemblyModuleTgt.-IDProbeAAADL-ADMFLILI - (IP)ISPEthernetLI-ProbepassiveNetworkElementsDLMediationIPHI2/HI3IRI/CCEthTCP/IPHI3 – CC??? Module??? ModuleIP IP IPDATA WAREHOUSEUsers / Evaluator / OperatorsData Capturing:This will be the same kind of HP-Servers used for Mass IP-dataInterception to captureIP-Data for LI passively. In addition Dreamlab is capable of handling IP-dataprovided byNetwork Elements (Juniper, Cisco, Huawei).Target Identif.: Dreamlab has Tgt-Id-Probes available to capture assinged IPaddressesof Targets byData Handoversearching for their nw access credentials.= Mediation: This Dreamlab appliance can convert the captured IP-data into severaldata formats(i.e. ETSI) for IP-datza handover to several Monitoring Centers simultaneously.Admin: Has to take care about the workflow in the LI System. The user can enter theNW accessthecredentials for the Targets of interest forwarded to the Tgt-Id-Probe(s). For LIhandling of a LIIDs is esssential (to create warrants).The Admin has to be designed and has to integrate a User and WarrantManagementwith several layers of user rights (who has the right to access what kind ofdata; Admin,User, Auditor etc.). This LIID structure will aply for LI in PSTN / Mobile NW too.Receiving Data:It has to be analyzed whether the concept using the Ring-Buffer, GRIDandAssembly Modules of the Mass IP Interception solution can be used for LIas well.


IP-Network – Blocking/Shaping and Infection9MethodologyTargetsNetworksMediationINF -(IP)AAATgt.-IDProbeISPBlock -(IP)Infect. ProxyactiveBS IP-ProbeactiveRemarks: The solutions IP-traffic Blocking & Shaping and the Infection using FF ISP aredifferent form otherIntelligence Methods described because Blocking & Shaping doesn‘t require any data to betransferredfrom the Front to the Back-End. The same applies in the first step for the data provided byremotelyDatacontrolled targets. These data are received by FinSpy Server and can be pushed into toWarehouse on demand.Data Handling: Again HP-Servers will be used but for both Blocking & Shaping and Infection theseServers MUST beactively inline for data manipulations. The Bypass Function is a must have too.Front-EndBack-EndAdminReceivingDecodeDemodNo incoming DATADL-ADMFFF-ISPEthernetDL-ADMFBSFinSpyMASTERTarget Identif.: Tgt-Id-Probes are needed and used in the same way as for LI. In addition they canbe used to blockand/or shape the traffic of subscribers of interest. Without Tgt-Id-Probes B&S will take careaboutprotocols / applications only without target „awareness“.It has to be defined whether String Search must be integrated into the IP-Probes to reach afinergranularity for blocking / shaping and maybe infection.Data handover: Only defined for FinSpy (Master).StorageArchivingAnalysisEvaluationIPDATA WAREHOUSEUsers / Evaluator /OperatorsAdmin: The Admin is available for FF ISP.An Admin System has to be designed taking care about the workflow in theBlocking/Shaping System.The user can enter Filter Criteria = Blocking/Shaping Criteria (which might be the sameused for thetoo.Mass IP-data System). Using Tgt-Id-probes NW access credentials must be administered


MethodologyTargetsNetworksPSTN & Mobile NW – Lawful Interception(Voice and IP)LI – (Voice + IP) LI – (Voice +IP)PSTNMobileData Capturing:In both Networks (PSTN and Mobile) data capturing is performedinside the NW10using NW-vendor specific solutions (assuming the NW-vendor isproviding suchkind of solutions). This applies for both Voice (voice, modem, fax) and IPdata.Target Identif.:This is also part of the NW-LI-functions.MediationFront-EndBack-EndAdminReceivingDecodeDemodStorageArchivingAnalysisEvaluationHI3 –CCISDNISDNS2mHI3 – CCVoiceRecorderVOICEHI1MarkingTargetsPSTNInterceptionMgmt.HI2 – IRIX.25, TCP/IP,X.31FTAM, FTP,RoseEth/X.25HI2 – IRIReceiverIRIMediationMobileHI3 –CCISDNHI3 – CCEthTCP/IPEth??? ModulesHI2 – IRIReceiverHI3 – CCVoiceRecorderHI3 – CC??? ModuleIPISDNS2mHI2 – IRIX.25, TCP/IP,X.31FTAM, FTP,RoseEth/X.25VOICEDATA WAREHOUSEHI1MarkingTargetsMobileInterceptionMgmt.IRIUsers / Evaluator / OperatorsAdmin: Also the Admin-Function of the NW is part of the NW-environment.SubscribersMgmt.or as(fixed / mobile) will be marked for LI inside the NW. The InterceptionSystems (PSTN/Mobile) also provide the IRI-data (either ASN.1 encodedASCII-files). Assigning a LIID is part of this admin process and it has torefer to theLIID used in the Monitoring Center for admin the LI-warrant.Data HandoverCC-Voice:(PCM30, A-lawVoice data will be transferred via ISDN (S2m) to the Back-Endencoded) from the switches of the NW.IRI: IRI-Record can be either FTAM, FTP or Rose on X.25/X.31 or TCP/IPprovided viaCC-IPthe NW-LI-Management System(s).= Mediation: IP-data from GPRS/UMTS will be mediated using DreamlabsMediationAppliance to provide i.e. ETSI-formated data to the Back-End.Receiving Data:Receiving CC-Voice and IRI-Records will made own/separateAppliancesin thenecessary. IP-Data from GPRS/UMTS via DL Mediation have to be handled


All Networks – Data Retention System11MethodologyTargetsDRSData Capturing:Data to be captured accross all kinds of NWs are:is/wasWHO (IP, Username, [Mobile] Phone No., IMSI, IMEI)NetworksISPAAAPSTNMobileusingcommunicating with WHOM (IP....) at what DATE/TIMEwhat KIND OF METHOD/PROTOCOL (Mail, WWW, Skype,MediationCollectionDevicesi.e.classicChat, Voice, Fax, SMS...). It might be possible to keepalso the subjects of Emails etc. (which extends theDRS). Data are provided either by the Networksthemselvesby interfacing OSS/BSS (Billing Systems; CDRs), or usingNW-elements in IP-NW (Switches, Routers – Cisco,Juniper,Front-EndBack-EndEthernet...) or using own IP-Appliances in IP-NWs to create thesekind if data by analyzing/capturing the traffic. In IP-NetworksAdminDRSSERVERexisting Target-Id-Probes (for LI, FF ISP) can be usedadditionally to get user data.ReceivingData Handover:The different DRS-data have to be more or lessnormalizedDecodeDemodtoagaindepending from which source/NW they are coming frombe stored in the Data Warehouse and being retrievedStorageArchivingAnalysisEvaluationIPDATA WAREHOUSEUsers / Evaluator /OperatorsData Wareh.:data rateson demand.Due to the huge amount of data and the highcoming from different NWs it will make sense to keep thedata in a separate storage/Data Warehouse.Admin: Due to the very specific usage of a DRS and the different


Conclusion – proposal how to proceed ...ConclusionThis conclusion is based on the following assumptions and facts:121. More IP-knowledge than classic PSTN/Mobile NW knowledge available within the 3 partners2. Sales experience and market access is available for all solutions3. PSTN/Mobile Voice data need a complete different handling (receiving, decoding, evaluation) than IP-data4. No. 2 becomes even more difficult dealing with decoding of modem and fax transmissions5. LI for classic PSTN/Mobile NWs depend very much on the LI-implementations provided by the different NWvendors6. DRS is characterized by huge amounts of data, a wide range of different intefaces needed to capture/receivedata, different Hand-over-Interfaces (HI-A, HI-B) and different approaches when data are to be retrieved,own/different user management etc.7. Different Intelligence Methods need different kinds of administration functions8. Different Intelligence Methods need different ways of storage (data structures), different decoding andanalysis/evaluation methodsThe proposed way to go should be:9. Start with Mass IP-Data Interception (for this Intelligence Method the most work is done / solutions are available)10. Next Step will be LI in IP-Networks (a lot of components can be used and/or are available and can be modifiedaccordingly)11. Due to the fact that Infection solutions are products ready to use (FinFly ISP, FinFlyWeb, FinFlyUSB) the datacoming from FinSpy Master have to be integrated into the Data Warehouse (like we did for other MCs).12. Blocking and Shaping has no real impact on the Back-End because no data transfer towards the BE has to takeplace. It can be kept as a separate product, making use of filter criteria also used for Mass IP-data Interception.Having an own GUI running on the same Management Workstation like Mass IP Interception and/or LI and/orInfection will be sufficient.13. Although LI in PSTN/Mobile networks provide a lot of functions as part of the networks we still will need a lot ofadditional equipment (HW/SW) to receive, decode and evaluate captured data. Maybe Appliances and Softwarefrom 3rd Parties might be a solution (ASC, Spectronic, others). For us integrating the data in the Warehouse thenwould be the major task together with an overall System/Warrant administration. Interfacing to other data


Vielen Dank für die Aufmerksamkeit13

Similar magazines