
RCS on low bandwidth
What happens if an agent is running on a device with a very slow Internet connection?
An improper configuration may lead to loss of the Agent.
If you use all the bandwidth available, the Target will notice.
An Agent that produces too much evidence may be unable to transfer it.
EMPIRICAL TESTS
Test on low bandwidth
A Windows target has been infected, but the bandwidth available to the agent is limited to 3 kB/s.
The following modules can be freely used in a low bandwidth environment:
• Device
• Position
• Addressbook (21 contacts in a few seconds)
• Application
• Calendar
• Chat
• Clipboard
• Keylogger
• Password
• URL
Test on low bandwidth
The following modules need particular attention when used in a low bandwidth environment:
• Camera + Screenshot
  • Medium quality: 50 seconds to sync one evidence
  • Low quality: 25 seconds to sync one evidence
  • ADVICE: use low quality and never take more than 1 screenshot or camera capture per minute
• Call
  • Quality 5: 3 minutes to sync 46 seconds of call
  • Quality 1: 1m50s to sync 46 seconds of call (still good quality)
  • CAUTION: avoid or use for a very limited period of time; use lowest quality
• File
  • Easy calculation: the bigger the file, the longer the synchronization time
  • 12 minutes to sync a file of 1Mb
  • CAUTION: absolutely avoid downloading more than 3Mb in files
Test on low bandwidth
The following modules need particular attention when used in a low bandwidth environment:
• Mail
  • In a test mailbox, 75 emails were received in one month. Limiting the agent to collecting emails <=50kB in size, it took 20 minutes to synchronize all emails received in the last month.
  • ADVICE: start syncing only one day of emails, then slowly increase the timeframe according to your needs. Keep a low maximum size limit.
• Mic
  • It takes 1m50s to synchronize 1 minute of recording
  • CAUTION: avoid or use for a very limited period of time
EXAMPLE CONFIGURATIONS
First Configuration
This configuration is to be used for the first infection:
• Device only
• Sync every 15 minutes
• Limit bandwidth to 3kB/s
The Device module will give you the basic information needed to understand what kind of device has been infected. A 15-minute period between syncs will give you the chance to promptly change the configuration when needed.
Second Configuration
This configuration includes all evidence that is known to work without issues on a low bandwidth target:
• Device, Position (every 5 minutes), Addressbook, Application, Calendar, Chat, Clipboard, Keylogger, Password, URL
• Sync every 30 minutes
• Limit bandwidth to 3kB/s
Most of the useful information that can be obtained from an infected device is collected. A 30-minute period between syncs will prevent bandwidth saturation, leaving a reasonable amount of time to change the configuration.
Third Configuration
This configuration adds the retrieval of emails to the Second Configuration. It starts by collecting emails smaller than 50kB and up to 2 days old.
• Device, Position (every 5 minutes), Addressbook, Application, Calendar, Chat, Clipboard, Keylogger, Password, URL, Mail
• Sync every 60 minutes
• Limit bandwidth to 3kB/s
A longer period between syncs will minimize the agent's use of bandwidth.
Third Configuration
You can consider collecting emails bigger than 50kB and over intervals longer than 2 days.
Check how many emails were collected for the last two days.
Configure the agent according to the following table to collect email from the past:
Collected emails   Days to collect
50+                1 day
30-50              2 days
15-30              3 days
1-15               5 days
Be very careful when configuring a new Agent!
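The behaviour this deck documents, a sync every 15, 30 or 60 minutes with transfer throughput capped at roughly 3 kB/s, is exactly the kind of regular, low-rate outbound pattern a network defender can look for. The following Python script is an added example written from the detection side; it is not part of the original RCS documentation and nothing in it comes from the product. The flow records are constructed, and the thresholds (minimum number of flows, maximum interval jitter, maximum throughput, minimum bytes per flow) are assumptions chosen to match the cadence and rate the slides describe.

```python
"""
Detect periodic, bandwidth-capped outbound syncs in flow records.

Added educational example (defender's view); not code from the RCS product
or its documentation. Flow records below are constructed, and every
threshold is an assumption tuned to the documented behaviour: a sync every
15/30/60 minutes whose throughput is capped at about 3 kB/s.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch seconds, source host, destination,
# bytes sent, connection duration in seconds).
FLOWS = [
    # host-a: syncs every ~30 minutes, each moving ~184 kB in ~60 s (~3 kB/s)
    *[(t, "host-a", "203.0.113.10", 184_000, 60)
      for t in (0, 1_801, 3_598, 5_402, 7_199, 9_001)],
    # host-b: ordinary browsing, irregular timing and far higher throughput
    (120, "host-b", "198.51.100.7", 2_500_000, 4),
    (900, "host-b", "198.51.100.7", 800_000, 2),
    (4_100, "host-b", "198.51.100.7", 5_000_000, 9),
    (4_700, "host-b", "198.51.100.7", 300_000, 1),
    # host-c: periodic but tiny heartbeat (e.g. a time-sync client); a volume
    # floor keeps this kind of traffic from being reported
    *[(t, "host-c", "192.0.2.5", 48, 1) for t in (0, 1_024, 2_048, 3_072, 4_096)],
]

# Assumed thresholds.
MIN_FLOWS = 4            # enough samples to measure a cadence
MAX_INTERVAL_CV = 0.10   # coefficient of variation of inter-flow gaps; low = periodic
MAX_RATE_BPS = 4_000     # bytes/second; the documented cap is ~3 kB/s
MIN_BYTES_PER_FLOW = 20_000  # ignore heartbeats that move almost nothing


def analyse(flows, min_flows=MIN_FLOWS, max_cv=MAX_INTERVAL_CV,
            max_rate=MAX_RATE_BPS, min_bytes=MIN_BYTES_PER_FLOW):
    """Return one finding per (src, dst) pair whose outbound flows are
    regularly spaced, individually non-trivial in size, and throttled to a
    low transfer rate."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes, dur in flows:
        by_pair[(src, dst)].append((ts, nbytes, dur))

    findings = []
    for (src, dst), recs in by_pair.items():
        if len(recs) < min_flows:
            continue
        recs.sort()
        intervals = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        cv = pstdev(intervals) / mean(intervals)          # timing regularity
        total_bytes = sum(n for _, n, _ in recs)
        total_secs = max(sum(d for _, _, d in recs), 1)
        rate = total_bytes / total_secs                    # observed throughput
        if cv > max_cv:
            continue                                       # not periodic
        if min(n for _, n, _ in recs) < min_bytes:
            continue                                       # heartbeat-sized, skip
        if rate > max_rate:
            continue                                       # not bandwidth-capped
        findings.append({
            "src": src,
            "dst": dst,
            "flows": len(recs),
            "period_min": round(mean(intervals) / 60, 1),
            "rate_bps": round(rate),
        })
    return findings


if __name__ == "__main__":
    for f in analyse(FLOWS):
        print(f"{f['src']} -> {f['dst']}: {f['flows']} flows, "
              f"period ~{f['period_min']} min, ~{f['rate_bps']} B/s")
```

Run against the constructed records, only host-a is reported (period about 30 minutes, about 3067 B/s). The three filters matter together: periodicity alone also matches benign heartbeats, and a low rate alone matches idle connections, but a regularly spaced series of multi-kilobyte transfers throttled well below the link's capacity is unusual for interactive use and is worth an analyst's look, together with the destination and the process that opened the connection.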