1. Standard Demo 1 © Hacking Team All Rights Reserved

2. The Standard Demo In order to standardize how Remote Control System is presented to the client and maximize the effectiveness of the presentation, a Standard Demo has been created. Following, the steps that need to be followed and the feature that has to be highlighted.

3. Desktop Restore Database to known status, deleting old evidence and instances, by running: rcs-db-demo –b NAME (to backup) rcs-db-demo –r NAME (to restore) Preparation Access Facebook, show list of friends and old chats; write a new message in chat Access Gmail, show to Prospect some emails, then open the email with.docx attachment (exploit) Social evidence generation Show that on the Target Kaspersky is running and won’t complain when infecting the PC Open the.docx attachment (exploit); tell the Prospect you are opening an Exploit Document The custom script starts the Agent when any.docx file is opened Infection Open a TrueCrypt container Open the file in the TrueCrypt container (PDF to be agreed on), show them to the Prospect Perform a Skype call Evidence creation on target

4. Desktop Show collected email from Gmail; they look exactly like in the user’s inbox! Show contacts collected from Gmail (including the ones that Gmail automatically remembers), Facebook (even when profile is private), Skype Show Facebook chats: all chats are collected, even when generated before infection. This is called Active Scraping Play the captured Skype Call Show the captured document: exactly the same as on the Target computer, not a screenshot! Introduce the File System, and schedule a “Retrieve Default” Show evidence to Prospect

5. Desktop Show “Last Known Position” and explain how RCS can determine the most frequently visited places (such as home and office) Introduce the concept of “Digital Identity”, showing all the identities that the Target uses on the Internet: Gmail, Facebook, Skype, eccetera Show the picture taken from webcam, and explain that a Face Recognition Algorithm will select the best pictures to be used for the Profile section; obviously it is possible to manually add any other picture Show how RCS automatically gives you information about the most contacted persons and most visited websites Show Intelligence (Profiling) to Prospect Go back to “File System”, explain it and browse into it. Download few files from the Target Device Show the newly collected files Show other types of evidence, such as the file container in the TrueCrypt container, the device information, the BitCoin wallet and details More evidence to be shown

6. Desktop Turn on TNI and show the GUI Briefly explain Wifi Cracking capabilities Briefly explain possible attacks using TNI: infect executables downloaded from Internet, infect the target when visits any website, infect the target on youtube Show information collected on all hosts connected to the monitored wifi (IP, MAC, Browser, OS, Visited Websites) and select the target On the Target, visit youtube.com and show how the video is blocked Explain that downloading the update for flash, the Target will be infected (without doing it) TNI

7. Mobile Open the Mobile Factory previously configured Click on “Build” and briefly show that there are many infection vectors available Go to “QR Code/Web Link” and build using the App X as the app to melt with; App X needs to be defined Open the QR Code, scan it with Android using QuickMark. Setting up QuickMark correctly it is possible to have it download the file automatically upon scanning of the QR Code, without further confirmation asked Infection Show all evidence collected on Android Play microphone audio recorded during the demo If requested, generate new evidence and show it Show Evidence to Prospect

8. Correlation Enter the console in Demo Mode; explain that you will show correlation using pre-generated data because the data generated during the demo is not enough for correlation Show the Entities Person, explaining how they are automatically generated: one per each target in the Operation and others when somebody is a usual contact for your Target Show how such entities are correlated, as peers or as known, and show the timeline playing the communications between the Targets; show how you can easily jump back and forth to the detailed evidence Correlation in Demo Mode

9. Correlation Show the Entities Place, and explain how they are automatically generated. Show that two Targets met in these places Show the Entity Virtual and explain how it is automatically generated when at least two targets visit a website Show how you can manually add and edit entities and relations, to integrate further Intelligence Switch to “Position Map” and show relevant places and Target positions Show how you can play the timeline and see the Targets moving Correlation in Demo Mode

10. Other procedures and notes A Master Demo Chain is setup; it stays in the office and is upgraded when a new version of RCS is available. Once the new version is tested, server and target of the Master Demo Chain will be used as source to clone each FAE’s Demo Chain. In order to do so, all hardware must be aligned. On the Demo Chains, all automatic upgrades must be disabled. All Demo Chains will run Kaspersky with all cloud features disabled.