Sigintos A Linux Distro For Signal Intelligence

This document provides an overview of signals intelligence (SIGINT) concepts and the SIGINTOS operating system. It defines key SIGINT terms like metadata, traffic analysis, and bulk collection. It describes SIGINTOS as a Linux distribution tailored for SIGINT operations that integrates hardware like HackRF and software to perform tasks through a graphical interface. It briefly introduces the developer of SIGINTOS, Murat ŞİŞMAN, and his background in Linux localization, cybersecurity, and mobile application development.

Uploaded by

tk

Intelligence Technology Excellence Division

Signal Protocol Department

Signals Intelligence Operation System Basics and Its Key Features
and Utilization

June 2021
CHAPTER 1
FUNDAMENTALS
Incredibly fast changes are taking place in the world of technology, especially in
information and communication technologies. Products and systems are being
developed and used rapidly.
Given the growth of technology and its terminology, I list below some of the
terms and definitions in signal intelligence and SIGINTOS that we must know when
using the signal intelligence operating system and applying it in different areas.
Analysis: A process in the production step of the intelligence cycle in which
intelligence information is subjected to systematic examination in order to identify
significant facts and derive conclusions.
Atomic SIGINT Data Format: The metadata that gets generated for almost every
internet communication session that is collected through NSA's passive SIGINT
systems.
Bulk collection: The collection of large quantities of signals intelligence data
which, due to technical or operational considerations, is acquired without the use
of discriminants like specific identifiers, selection terms, etc.
Call Detail Record (CDR): Telephony Metadata include comprehensive
communications routing information, specifically, originating and terminating
telephone number, International Mobile Subscriber Identity (IMSI) number,
Mobile Subscriber Integrated Services Digital Network Number (MSISDN),
International Mobile station Equipment Identity (IMEI) number, also trunk
identifier, telephone calling card numbers, and the time and duration of call.
Telephony metadata does NOT include substantive content of any communication,
or the name, address, or financial information about a subscriber or customer.
Case notation: All intercepted signals get a case notation which is an alphanumeric
value that identifies the link or the network that is being intercepted.

Close Access collection: The targeting, collection, and/or processing of
unintentional emanations from information processing equipment. Also: a program
to develop special unique sensors and systems to collect unintentional emanations
and/or signals from information processing equipment to exploit TEMPEST
vulnerabilities.
Codeword: A word used with a classification to indicate that the material was
derived through a sensitive source or method, constitutes a particular type of
sensitive compartmented information, or is accorded a limited distribution.

Collect: In SIGINT, when used generically, to search, acquire, monitor, and record
electromagnetic emissions. Contrast with intercept. Note: Collection implies the
keeping and using of the material collected. Intercept, on the other hand, is not
limited until and unless it becomes collection.
Collection: Acquisition of information or intelligence information, and the
processing of the information into a form more suitable for the production of
intelligence.
Collection manager (CM): An individual with responsibility for the timely and
efficient tasking of organic collection resources and the development of
requirements for theater and national assets that could satisfy specific information
needs in support of the mission.
Community of Interest: A collaborative group of users within a mission enclave
who exchange information in pursuit of their shared goals, interests, missions, or
business processes and who therefore must have a shared vocabulary for the
information they exchange.
Computer Network Attack: Efforts to manipulate, disrupt, deny, damage or destroy
information resident in computers and computer networks, or the computers and
networks themselves.
Computer Network Defense: Efforts to defend against the Computer Network
Operations of others, especially directed against US and allied computers and
networks.

Computer Network Exploitation: Efforts to collect intelligence and enable
operations to gather data from target or adversary automated information systems
(AIS) or networks.
Computer Network Operations: Term that comprises Computer Network
Exploitation (CNE), Computer Network Attack (CNA) and Computer Network
Defense (CND) collectively.
Contact Chaining: A process by which computer algorithms automatically identify
the telephone numbers or e-mail addresses that a particular number or e-mail
address has been in contact with, or has attempted to contact. The algorithms not
only identify the first contacts made by the seed number or address, but also the
further contacts made by the first tier, and so on.
Corporate Partner Access: Access to communication systems through cooperation
with corporate partners like commercial telecommunication companies and
internet service providers.
Correlated selector: A communications address, or selector, is considered
correlated with other communications addresses when each additional address is
shown to identify the same communicant(s) as the original address.
Cryptology: The art and science of making codes/ciphers and breaking them.
Cryptology breaks out into two disciplines: Cryptography (making or using
codes/ciphers) and Cryptanalysis (breaking codes/ciphers).
Development: Finding new things, like new targets (Target Development) and new
collection methods (SIGINT Development).
Dialed Number Recognition: The process of extracting dialed telephone numbers
from the transmitted information present in a telephone signaling system. The
dialed numbers are looked up in a "directory", which contains the phone numbers
of persons from whom an analyst might gain intelligence information. If the
extracted number "hits" in the directory, the associated conversation is recorded.
Digital Network Intelligence: An analytic term, replacing Computer-to-Computer,
referring to SIGINT derived from the "digital network" which is commonly
identified today with the Internet, but for the purposes of SIGINT includes both the
Public Internet as well as private digital networks.

Direction Finding (DF): The process of determining the azimuth of an emitter by
the use of a direction finder.
Mobility Management Entity (MME): The key control node for the LTE access
network. It manages UE network access and mobility and establishes the bearer
path for UEs. ... The MME also controls mobility between LTE and 2G/3G access
networks.
Intelligence: The collection, processing, integration, analysis, evaluation and
interpretation of information.
Metadata: The dialing, routing, addressing, or signaling information associated
with a communication, which excludes any content, such as information about the
substance, purport or meaning of the communication; also called events. The two
principal subsets are telephony metadata and electronic communications or internet
metadata.
National intelligence: All intelligence that pertains to more than one agency and
involves threats to the United States, its people, property, or interests; the
development, proliferation, or use of weapons of mass destruction; or any other
matter bearing on United States national or homeland security.
Search: Search is the process which finds and assigns meaningful names to energy
events in the RF spectrum. This can range from a very general type of search (e.g.,
any RF signals that are detected) to very tightly defined searches (e.g., a certain
ELINT emitter). There are three modes of search – manual, interactive, and
automatic; and two search techniques – general and directed – within each mode.
Signals Intelligence (SIGINT): Intelligence information comprising, either
individually or in combination, all Communications Intelligence (COMINT),
Electronics Intelligence (ELINT), and Foreign Instrumentation Signals Intelligence
(FISINT).
Telephony metadata: These include the telephone number of the calling party, the
number of the called party, as well as the date, time and duration of the call.
Later, the IMEI and IMSI numbers were also included.
Traffic Analysis: The cryptologic discipline that develops information from
communications about the composition and operation of communications
structures and the organizations they serve. The process involves the study of
traffic and related materials and the reconstruction of communications plans to
produce signals intelligence.
Upstream: Interception of communications as they transit through (fiber-optic)
backbone cables and other related infrastructures of internet and telephony
networks.
GUTI (Globally Unique Temporary ID): A worldwide unique identity that points to
a specific subscriber context in a specific MME. The S-TMSI is unique within a
particular area of a single network.

2. SIGNALS INTELLIGENCE OPERATION SYSTEM


SIGINTOS, as the name suggests, is an improved Linux distribution for Signal
Intelligence. This distribution is based on Ubuntu Linux. It has its own
software called SIGINTOS. With this software, many SIGINT operations can be
performed via a single graphical interface.
Hardware and software installation problems faced by many people interested in
signal processing are completely eliminated with SigintOS.
HACKRF, BLADERF, USRP, RTL-SDR.

2.1 ABOUT SIGINTOS DEVELOPER


Murat ŞİŞMAN, who developed the SIGINTOS distribution, worked as a volunteer
in Linux localization projects for many years. As a result of his interest in Linux
and cyber security, he prepared the SIGINTOS distribution for his own use and made
it available to everyone who is interested in this field.
Since 2008, he has carried out individual and corporate projects in the field of
Mobile Application Development, and he gives trainings to many banks and
corporate companies on this subject. Applications and games he developed with
Unity3D, such as Volkicar, are actively used by over 2 million users
throughout Turkey. He owns the Linux distribution called SigintOS for Signal
Intelligence. He teaches Signal Intelligence, Mobile Security and Espionage and
also works in the field of Crypto Coins. He is currently the C4ISR System
Engineering Manager in a private company operating in the Defens.

2.2 SIGINTOS quality issues based on the creator


They write on their official website that SIGINTOS is very well executed, with
a built-in GUI that grants easy access to some common SIGINT tools such as an FM
and GPS transmitter, a jammer, a GSM base station search tool and an IMSI
catcher. SigintOS also has various other preinstalled programs such as GNU Radio,
gr-gsm, YateBTS, Wireshark and GQRX.
The OS also teases an LTE search and an LTE decoder; to access them you must
get in contact with the creators, presumably for a licencing fee. Regarding an
LTE IMSI catcher they write:

2.3 LTE IMSI Catchers


Due to the nature of LTE base stations, the capture of IMSI numbers seems
impossible. LTE stations use GUTI to communicate with users instead of IMSI.
The GUTI contains the temporary IMSI number called TMSI. This allows the
operator to find out who is at the corresponding LTE station who is authorized to
query TMSI information.
According to the SIGINTOS documentation, they can find the GUTI number.
Fig 1 SigintOS: A Linux Distro for Signal Intelligence
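
The GUTI and S-TMSI described in the glossary and in section 2.3, decoded field by field as an added example (not part of the original document or of SigintOS). It assumes the GUTI arrives as the 11-octet EPS mobile identity value defined in 3GPP TS 24.301; the function names and the sample bytes are constructed for illustration. The decoded fields identify the network, the MME and a temporary M-TMSI, and none of them carries IMSI digits.

```python
# Added illustration (not SigintOS code). Layout: 3GPP TS 23.003 / TS 24.301.
from dataclasses import dataclass

GUTI_TYPE = 0b110  # "type of identity" code for a GUTI


@dataclass(frozen=True)
class Guti:
    mcc: str           # mobile country code
    mnc: str           # mobile network code (2 or 3 digits)
    mme_group_id: int  # 16 bits
    mme_code: int      # 8 bits
    m_tmsi: int        # 32 bits, temporary and reassigned by the MME

    @property
    def s_tmsi(self) -> int:
        """S-TMSI = MME code || M-TMSI (40 bits), the short form used in paging."""
        return (self.mme_code << 32) | self.m_tmsi


def decode_plmn(b: bytes) -> tuple:
    """Decode the 3-octet BCD PLMN field into (MCC, MNC) digit strings."""
    nibbles = [b[0] & 0x0F, b[0] >> 4, b[1] & 0x0F, b[2] & 0x0F, b[2] >> 4]
    mnc3 = b[1] >> 4  # 0xF is the filler used when the MNC has two digits
    if mnc3 != 0xF:
        nibbles.append(mnc3)
    if any(n > 9 for n in nibbles):
        raise ValueError("PLMN field contains a non-decimal digit")
    digits = "".join(map(str, nibbles))
    return digits[:3], digits[3:]


def parse_guti(value: bytes) -> Guti:
    """Parse the 11-octet value of an EPS mobile identity that carries a GUTI."""
    if len(value) != 11:
        raise ValueError("a GUTI identity value is exactly 11 octets")
    if value[0] & 0x07 != GUTI_TYPE:
        raise ValueError("type of identity is not GUTI")
    mcc, mnc = decode_plmn(value[1:4])
    return Guti(mcc, mnc, int.from_bytes(value[4:6], "big"), value[6],
                int.from_bytes(value[7:11], "big"))


# Constructed sample: test PLMN 001/01, MME group 1, MME code 2.
SAMPLE = bytes.fromhex("f600f110000102c0001234")

if __name__ == "__main__":
    g = parse_guti(SAMPLE)
    print(g, f"S-TMSI=0x{g.s_tmsi:010x}")
```
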

3. SIGINTOS-TOOLS
It is a special software that contains many components:
FM Transmitter,
GPS Transmitter,
GSM Search,
IMSI Catcher and Jammer.
3.1 HOW TO INSTALL SIGINTOS ON HARDDISK?
We can install SIGINTOS on the hard disk by following the steps below.
Step 1: Uninstall the ubiquity software:
    sudo apt-get remove ubiquity
Step 2: Rebuild the ubiquity software:
    sudo apt-get install ubiquity ubiquity-frontend
N.B. SIGINTOS works live on DVD or USB device.

3.2 SIGINTOS in our view


We tried to install SIGINTOS on our hard disk and also tried to use it live from
a USB device, but it has limitations.
• When we try to scan cells, it scans only a small number of cells.
• Neither Wireshark nor Wireshark (GTK+) can capture any form of wired
or wireless traffic.
• If we install SIGINTOS on our hard disk instead of using it from a live
bootable USB device, we can't lock it with a password. They prepared it to be
used only with their own passwords. It's unacceptable due to our security issues.
