#OSCOR-5000
BUZOV Gennady Alekseevich, Candidate of Military Sciences, Associate Professor
LOBASHEV Aleksey Konstantinovich, Candidate of Technical Sciences, Associate Professor
SHCHERBAKOV Dmitry Aleksandrovich
FEATURES OF DETECTION AND IDENTIFICATION OF EAVESDROPPING DEVICES USING THE OSCOR-5000
Combating unauthorized interception devices installed at protected facilities is one of the important areas of information security.
Currently, the domestic market offers a wide range of tools for searching for eavesdropping devices (ED), among which the OSCOR (OSC-5000) Omni Spectral Correlator from the American company REI occupies a somewhat separate place.
Separate, first of all, because this device was among the first to be presented on the Russian market as a multifunctional automated software and hardware complex capable of monitoring for and detecting EDs around the clock, analyzing the radio spectrum, the infrared range, and telephone, wire and power lines.
Fig. 1. OSCOR device (OSC-5000), Omni Spectral Correlator
The advantages of this device are its convenience and the speed with which a user adapts to controlling it with buttons (keys). Finally, the software and the structural elements of the device (for example, in OSCOR-5000E version 5.0) are constantly being improved, which is also an attractive feature.
Considering the fairly wide distribution of the device in Russia, we would like to highlight some problematic issues that relate to its practical use.
Considerable accumulated experience of using this device and of teaching students the basics of working with OSCOR has revealed the following.
One of the key points, according to the authors, is that of all the search procedures offered by the OSCOR-5000, the most important is the one that ultimately yields a reliable identification (localization) of the ED.
This procedure can be considered to be the target function of the search operation.
Without this final procedure, the execution of other functions does not lead to the desired result.
An analysis of the device characteristics allows us to conclude that, in general, the main operating modes of the device (scanning, analysis, correlation and localization) are used for identification, of which analysis and localization are carried out mainly manually.
Moreover, the use of the listed modes in relation to different types of EDs is, as a rule, strictly individual.
In this regard, for successful ED identification it is first necessary to determine the range of EDs of interest to the user of the device, and then decide on the tactical and technical options for conducting the search.
Why is this necessary?
First of all, because the “differentiation” of search approaches in relation to various types of EDs increases the efficiency of the search.
Experience shows that the OSCOR-5000 device can be used to solve the following basic search tasks:
1. Detection of the fact of operation and localization of radio-emitting EDs.
Such means primarily include:
• radio microphones (RM);
• telephone radio transmitters (TRP);
• radio stethoscopes;
• hidden video cameras with a radio channel for transmitting information;
• technical means of spatial high-frequency irradiation systems in the radio range.
2. Detection and localization of EDs that use wire lines of various purposes. Such means can be:
• EDs that use 220 V AC mains lines to transmit intercepted information and are capable of operating at frequencies up to 5 MHz;
• technical means of HF imposition systems;
• EDs that use subscriber telephone lines and fire and security alarm system lines to transmit intercepted information.
3. Detection and localization of EDs that operate with IR radiation.
Such means primarily include:
• EDs that register acoustic information in a monitored room and then transmit it via a channel in the IR range;
• EDs based on spatial irradiation in the IR range.
After designating the objects of probable search, the next step toward successful detection and identification of EDs with the device is a preliminary classification of the signals it records.
In this case, the greatest difficulties in working with the device arise when studying the radio range, since the huge number of recorded signals requires a lot of time and presents significant complexity for the operator.
These signals can be created by external radiating sources (for example, broadcast radio stations).
They can also arise from the side electromagnetic radiation (SEMI) of technical means of information processing (PCs, telexes, faxes, etc.) and thus be internal in nature.
The best approach in this case is to classify signals in the radio frequency range according to a set of criteria.
From the point of view of solving the problems of detection and identification of radio emissions, all radio signals falling within the operating range of the device can be conditionally divided into dangerous and non-dangerous. Accordingly, dangerous signals include signals from EDs, and non-dangerous signals include all other “interference signals.”
According to the authors, it is also useful to classify the radio signals recorded by the device by the most probable place of their origin relative to the object being tested — internal and external.
Detailing the presented classification, we can conclude that dangerous radio signals can be created by both internal and external sources. Moreover, in practice there can be a large number of their most diverse combinations.
Thus, internal dangerous radio signals can safely be said to include signals from “radio bugs”: RM, TRP, etc.
At the same time, dangerous external radio signals can come from the following sources: RM with an external acoustic microphone; TRP installed on the communication line outside the monitored premises; radio stethoscopes installed on the outside of the surfaces enclosing the premises; external transmitters of hidden video cameras; external high-frequency irradiation devices.
Non-dangerous external radio signals can come from broadcast radio stations, television broadcasting stations, radio communications equipment, etc.
The sources of internal non-dangerous radio signals are, first of all, electrical appliances, office equipment and household appliances, as well as their power supplies.
To develop tactical and technical recommendations for searching for various types of EDs, it is necessary to analyze the main ED identification methods used in the device.
Practical application of the OSCOR-5000 device allows us to conclude that the following main methods are used to identify EDs: the correlation method (CM), the method of classification “by ear”, the method of using a locator probe (ZL), and the method of using a triangulation acoustic locator (TAL), which is the OTL-5000 element.
Visual monitoring of signal parameters using oscillograms and spectrograms is also used as one of the main methods.
All of the above methods are described in sufficient detail in the description of the device.
A more specific account of how the above methods apply to identifying various types of EDs may be of practical interest.
Let us consider the main characteristics and features of RM identification.
A study of the results of practical application of the device shows that in general the following types of RM can be included in this group:
- RM with parametric stabilization of the transmitter frequency;
- RM with quartz frequency stabilization;
- RM with a remote transmitter;
- RM with a closed or masked radio channel.
The main feature of RM with parametric stabilization of the transmitter frequency is a large range of change of the carrier frequency (up to several megahertz).
Therefore, all of the above methods can be used to identify this type of RM.
The features of RM with quartz frequency stabilization are small limits of carrier frequency variation (up to tens of kilohertz).
All of the above methods can also be used to detect and localize this type of RM.
Based on experience, failures in searching for such EDs usually do not occur.
RM with a remote transmitter are used as highly professional means of covert information acquisition.
Their main feature is the separation of the installation locations of the microphone and the radio transmitter itself (up to moving it to another room). In this case, all recommended methods can be used to detect such EDs.
Moreover, to localize the microphone, it is necessary to use the TAL method, and to localize the radio transmitter (in the checked room or outside it) — the ZL method.
RM with a closed or masked radio channel are also highly professional means.
Their main feature is that the received and demodulated signal does not carry information about the acoustic background of the room.
This is explained by the use of spectrum inversion methods, digital transmission methods and complex types of modulation for closing (masking) the radio channel.
The study of such signals presents the greatest difficulties, especially with complex types of modulation.
In general, it should be noted that their identification can be based on the ZL method supplemented by the analysis of oscillograms and spectrograms. At the same time, practical results of working with the device show that a simple supplementary technique can be used here, as follows.
If you turn off the test phonogram source and create a short sharp sound in the room being tested (a loud bang, a blow on a table top or a metal object), you can record characteristic changes in the demodulated signal “by ear”, as well as changes in the oscillogram and spectrogram.
Great difficulties often arise when identifying TRPs. To detail the procedures for identifying such EDs with the device, we believe a brief description of them is needed.
At the same time, despite the variety of design options for TRP, they are clearly divided into two groups according to the method of connection to the elements of the telephone line — with and without galvanic contact.
Thus, galvanic connection can be carried out in series (into the break of one of the wires of the telephone line) or in parallel (simultaneously to two wires of the telephone line).
The main feature of serial connection TRP is the appearance of a modulated signal on the air only when the telephone handset is lifted.
In this case, the signals of the PBX (“call”, “busy”), the clicks of dialing a number, and the conversation of subscribers after establishing a connection are clearly audible.
Such TRP can, in principle, be installed on any section of the telephone line (the body of the device, its handset, distribution boxes and boards, and the subscriber line wires themselves).
A study of work experience shows that the identification of this type of TRP is most expediently carried out by the ZL method.
Parallel-connected TRPs can have two varieties.
The first of them provides for the implementation of only the repeater function.
In this case, in off-hook mode, the signals of the PBX (“call”, “busy”), the clicks of number dialing and the subscribers' conversation are heard on the radio frequency. When the handset is on-hook, the radio signal is not modulated, and the carrier frequency itself may be absent.
Such a TRP can in principle be installed on any section of the telephone line. Therefore, to identify an ED of this type, the ZL method with activation of the ED by lifting the telephone handset is preferable.
The second type often combines the functions of a TRP and an RM; it is powered by the telephone line and monitors the acoustics of the room in on-hook mode.
Such EDs are installed on elements of the telephone line within the premises under investigation.
Therefore, for their detection and localization with the handset on-hook, we can recommend the TAL method.
In off-hook mode, the ZL method is preferable for detection and localization.
When using the device to study radio signals from a telephone line, it is necessary to keep in mind that galvanic connection TRPs, as a rule, do not have their own antennas, but use telephone line wires instead.
In this case, such EDs can be identified by the ZL method by mapping the distribution of the maxima of the high-frequency electromagnetic field level along the telephone line.
The maxima alternate every half wavelength, and the one closest to the transmitter lies a quarter of a wavelength from it. The wavelength is determined from the frequency value measured by the device.
For example, at a radiation frequency of 300 MHz, the wavelength is 1 m. Consequently, the radiation maxima for this case will alternate every 0.5 m, and the most probable places for installing this type of TRP will be at a distance of 25 cm from the maximum points.
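The half-wave and quarter-wave rule above can be applied to a set of locator-probe readings taken along the line. The following Python sketch is an added example, not part of the original article or of the OSCOR software; the readings are constructed, and the `velocity_factor` parameter and both tolerance values are assumptions (the article's arithmetic corresponds to a factor of 1.0).

```python
"""Added example: candidate TRP positions from field maxima along a line."""

C = 299_792_458.0  # speed of light, m/s

# Constructed survey data: (position along the line in metres, probe level in
# arbitrary units), read every 12.5 cm while moving the ZL along the wire.
SAMPLES = [
    (0.0, 12), (0.125, 30), (0.25, 41), (0.375, 29), (0.5, 11),
    (0.625, 28), (0.75, 39), (0.875, 27), (1.0, 10), (1.125, 26),
    (1.25, 37), (1.375, 25), (1.5, 9), (1.625, 24), (1.75, 35),
    (1.875, 23), (2.0, 8),
]


def wavelength_m(freq_hz, velocity_factor=1.0):
    """Wavelength for the frequency reported by the receiver.

    velocity_factor is an assumption: 1.0 reproduces the article's figure
    (300 MHz -> about 1 m); propagation along a real cable pair is slower.
    """
    if freq_hz <= 0 or not 0 < velocity_factor <= 1:
        raise ValueError("frequency must be > 0 and 0 < velocity_factor <= 1")
    return C * velocity_factor / freq_hz


def find_maxima(samples, min_rise=0.25):
    """Positions of local maxima that stand clear of the background level."""
    pts = sorted(samples)
    if len(pts) < 3:
        return []
    levels = [lvl for _, lvl in pts]
    floor = min(levels) + min_rise * (max(levels) - min(levels))
    return [
        pts[i][0]
        for i in range(1, len(pts) - 1)
        if pts[i - 1][1] < pts[i][1] > pts[i + 1][1] and pts[i][1] >= floor
    ]


def spacing_consistent(maxima, lam, tol=0.15):
    """True if neighbouring maxima are about half a wavelength apart."""
    if len(maxima) < 2:
        return False
    half = lam / 2
    return all(abs((b - a) - half) <= tol * half
               for a, b in zip(maxima, maxima[1:]))


def localize(samples, freq_hz, velocity_factor=1.0):
    """Candidate installation points: a quarter wavelength from each maximum.

    Candidates are reported only when the maxima spacing matches the measured
    frequency; otherwise the pattern is not the standing wave being sought.
    """
    lam = wavelength_m(freq_hz, velocity_factor)
    maxima = find_maxima(samples)
    ok = spacing_consistent(maxima, lam)
    candidates = []
    if ok:
        lo = min(p for p, _ in samples)
        hi = max(p for p, _ in samples)
        shifted = (m + s * lam / 4 for m in maxima for s in (-1, 1))
        candidates = sorted({round(x, 2) for x in shifted if lo <= x <= hi})
    return {"wavelength_m": lam, "maxima_m": maxima,
            "consistent": ok, "candidates_m": candidates}


if __name__ == "__main__":
    print(localize(SAMPLES, 300e6))
```

If the spacing check fails for the measured frequency, the maxima should be re-surveyed or the velocity factor reconsidered before any section of the line is opened for inspection.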
When using the device to study radio signals from a telephone line, the identification of a non-galvanic TRP (inductive pickup) is of great interest. Such a TRP can be installed on any section of the telephone line, as a rule outside the premises of interest, on the subscriber wiring without damaging the insulation.
They generate a modulated radio signal only when the telephone handset is lifted. In this case, the signals of the automatic telephone exchange (“call”, “busy”), the clicks of number dialing and the subscribers' conversation after the connection is established are heard.
Experience shows that such EDs can be localized by the ZL method as the telephone line is examined along its entire accessible length.
Studying the experience of searching for TRPs shows that for the effective use of the device it is important to follow the basic tactical recommendations, which include, first of all, activating the ED. To do this, it is necessary to lift the handset of the telephone set being examined.
The tactical features also include the procedure for detecting TRP-type EDs, which can be divided into two stages.
First, the telephone sets themselves are checked for the presence of an ED. In this case, either a continuous or intermittent tone signal of the telephone exchange is listened to.
At the second stage, the search for the TRP is carried out by walking around the premises along the subscriber telephone line and identifying places on it with an increase (maximum) in the radio signal level.
There is almost always a need to check the line up to the main distribution board.
Often, when conducting a search, it is necessary to detect the presence of a radio stethoscope.
The main feature of radio stethoscopes is that they are installed only on the outside of surfaces enclosing the monitored room, or on pipes of heating systems, water supply systems and other communications extending beyond it.
Therefore, to detect the signal of radio stethoscopes, it is necessary to examine all actually accessible external surfaces of the enclosing structures of the room. Since heating and water supply pipes can carry vibroacoustic vibrations, these communications are also subject to inspection.
A study of existing radio stethoscope circuits shows that the vast majority of radio stethoscopes use an open radio channel. This makes it possible to analyze the received signal “by ear”.
For localization of radio stethoscopes, it is recommended to use the ZL method, supplemented if necessary by the use of oscillogram and spectrogram modes with the movement of the ZL to adjacent, higher and lower rooms.
When using the OSCOR-5000 device, the search and detection (identification) of hidden video cameras with a radio channel for transmitting information may be of great practical interest.
The device in question has undeniable advantages for such a search.
Thus, to detect video transmitters, the device has a sensitive receiver that can intercept low-power video signals transmitted by radio. The Deluxe modifications of the OSCOR device, which contain PAL, SECAM and NTSC decoders, allow the video transmitter image to be analyzed on the monitor.
For better image analysis, you can use an external video monitor. In addition to the fact that the OSCOR video system demodulates standard television formats NTSC, PAL, SECAM, the device is capable of demodulating video signals with a non-standard format.
Examples are signals from NTSC (PAL) format video transmitters that use frequency modulation instead of the amplitude modulation used in a standard television signal. If the radio transmitter has a non-standard type of modulation, then OSCOR in some cases is also capable of providing viewing of the image, but with obviously low quality.
Very often (to make detection more difficult) the synchronization of video transmitters can be inverted in relation to the television signal. In this case, the device provides the ability to manually set the synchronization polarity, which solves the identification problem.
Let's consider the tactical and technical features of detecting video transmitters using the OSCOR-5000 device.
Identification of hidden video cameras with a radio channel for transmitting images (often sound) is associated with significant difficulties, which are determined by the similarity of the video transmitter signal with the signal of a television broadcast transmitter and the operation of a significant number of these devices. Therefore, in the course of work, upon detection of such a signal, the first task is to recognize it according to the criterion “external-internal”.
To perform the recognition, it is necessary to close the windows with curtains or blinds, leaving the interior lighting on, and then turn the artificial lighting on and off several times. With the “by ear” mode on, clear changes in the tone of the detected signal should be heard, and changes in the video transmitter image should be seen on the monitor.
To increase the reliability of recognition by the “external-internal” criterion, it is necessary to turn on the analysis mode and make sure from the oscillogram that the signal structure changes when the lighting is turned on and off.
If the results of such a check are positive, then the signal can be confidently classified as internal, created by a video camera transmitter, since changes in the room illumination do not affect the parameters of the television broadcast signal.
The analysis conducted allowed us to conclude that video camera transmitters can operate at frequencies up to 2300 MHz. Detection of a signal at frequencies outside the television broadcast range almost unambiguously indicates the operation of a hidden video camera transmitter.
At the same time, most video transmitters have the same format as a television signal, but their carrier frequency differs from standard signals of television stations. Consequently, the difference between the frequency of the video signal detected by the device and the frequency of the TV station signals can serve as an unmasking factor for detecting a video transmitter.
In practical use of the device for identifying a video signal, the presence of a characteristic vibrating sound during demodulation of the video signal can also be used as an unmasking factor. The vibrating sound is caused by synchronization pulses in the video signal. In this case, the video transmitter can be detected even without the video analysis option.
One of the unmasking factors when searching for a video signal can be the absence of an audio carrier frequency in the video signal (this applies to video transmitters without audio and transmitters with non-standard modulation).
Some video cameras emit a low-power signal in the 15 kHz range. In this case, a loop antenna with an extension cable can be used for searching.
When searching for a video transmitter, its location can be determined using the ZL method.
Dangerous means of intercepting speech information include means of spatial high-frequency irradiation.
The problem of their detection is quite urgent. Such means are (according to the classification presented earlier) external and are used to obtain information from a room by directing a powerful, highly directional beam of high-frequency electromagnetic radiation at it (mainly through window openings) and receiving the re-radiated (already modulated) signal at higher harmonic frequencies. The main features that make it possible to detect and localize them are that the probing signal is stable in frequency, there is no modulation, and the level is uneven (higher in the window area, significantly lower in the corridor and other rooms).
In addition, the re-radiated signal corresponds in frequency to the higher harmonics of the probing signal and is modulated by the acoustic background of the room. Therefore, detection of such means is carried out by the ZL method in combination with listening to the signal, and localization of the direction of irradiation is carried out only by the ZL method.
With regard to spatial high-frequency irradiation, the main task is to identify the fact of creation of this artificial channel for obtaining information.
Usually it is solved in two stages.
At the first stage, the fact of irradiation of the room by a high-frequency signal is revealed.
At the second stage, the response to the probing high-frequency signal is monitored.
In this case, it is necessary to focus on the following points:
- when creating this artificial channel for obtaining information, a highly directional beam of electromagnetic energy can only be formed at very high frequencies (800-900 MHz and higher). The study of the characteristics of the propagation of radio waves in this range (the need for “direct visibility” between the radiation source and the irradiated objects) determines the main paths of their penetration into the controlled room, primarily window openings;
- re-radiating objects can be technical means common to a given room, which have the so-called microphone effect (parasitic acoustoelectric transducers). These usually include speakers of household loudspeakers, acoustic systems of even switched-off audio equipment, telephones with an electric bell, etc.;
- the signal re-radiated at frequencies of higher (usually the second or third) harmonics is localized in the immediate vicinity of the irradiated objects and is modulated by the acoustic background of the room.
Based on this, the following options for working with the device can be proposed. To detect the fact of high-frequency irradiation, inspect potentially dangerous window openings one by one using the ZL method.
To do this, bring the ZL to within 5-10 cm of the inner glass and record the level and frequency of the most powerful signal.
Next, using the “by ear” mode of the device, determine the presence and characteristics of the demodulated signal and evaluate the stability of the radiation frequency.
To confirm (or deny) the presence of dangerous high-frequency radiation in the room under study, it is necessary to go to any of the neighboring rooms (with windows facing the same direction) and repeat the check in the area of each of its window openings.
The basis for making a final decision on the fact of high-frequency radiation and the presence of re-radiating objects in the room are the readings of the graphic indicator of the device, as well as the results of listening “by ear”.
In this case, the main features are usually considered to be the detection of a signal whose nominal frequency is a harmonic (at most the third) of the irradiating signal, and the match between the audio heard in listening mode and the acoustic background of the room.
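The two-stage check described above (an unmodulated, frequency-stable probing signal that is strongest at the windows, then a response at its second or third harmonic carrying room audio) can be expressed as a rule over a table of survey observations. The Python sketch below is an added example, not the article's or the device's own logic; the observations are constructed, and the drift, level-difference and harmonic-match thresholds are assumptions chosen for illustration.

```python
"""Added example: screening survey notes for spatial HF irradiation."""
from dataclasses import dataclass

MIN_PROBE_MHZ = 800.0     # article: directional beam needs 800-900 MHz and up
HARMONICS = (2, 3)        # article: usually the second or third harmonic
MAX_DRIFT_KHZ = 5.0       # assumption: what counts as "stable in frequency"
MIN_WINDOW_EXCESS = 10.0  # assumption: window vs corridor level difference
REL_TOL = 1e-3            # assumption: relative tolerance for harmonic match


@dataclass(frozen=True)
class Signal:
    freq_mhz: float        # carrier frequency read from the receiver
    drift_khz: float       # carrier drift seen during observation
    acoustic_mod: bool     # "by ear": audio follows the room's sound
    level_window: float    # ZL level 5-10 cm from the inner glass
    level_corridor: float  # ZL level in the corridor or another room


# Constructed observations from one room survey.
SURVEY = [
    Signal(98.4, 0.2, False, 40, 39),     # broadcast station, even level
    Signal(433.92, 30.0, True, 35, 44),   # room audio, but below probe range
    Signal(902.0, 0.5, False, 62, 38),    # stable, unmodulated, window peak
    Signal(947.2, 0.3, False, 55, 52),    # stable but evenly distributed
    Signal(1250.0, 0.4, False, 58, 41),   # probe-like, no response found
    Signal(1804.0, 2.0, True, 30, 12),    # 2 x 902.0 with room audio
    Signal(1894.4, 0.6, False, 28, 27),   # harmonic of 947.2, no room audio
    Signal(2706.3, 3.0, True, 22, 9),     # about 3 x 902.0 with room audio
]


def is_probe(s):
    """Stage 1: does the signal look like a probing (irradiating) carrier?"""
    return (s.freq_mhz >= MIN_PROBE_MHZ
            and not s.acoustic_mod
            and s.drift_khz <= MAX_DRIFT_KHZ
            and s.level_window - s.level_corridor >= MIN_WINDOW_EXCESS)


def harmonic_of(probe, s):
    """Stage 2: harmonic number if s is a room-modulated response, else None."""
    if not s.acoustic_mod:
        return None
    for n in HARMONICS:
        target = n * probe.freq_mhz
        if abs(s.freq_mhz - target) <= REL_TOL * target:
            return n
    return None


def assess(signals):
    """One finding per probe candidate; stage 2 means a response was found."""
    findings = []
    for probe in filter(is_probe, signals):
        responses = sorted((n, s.freq_mhz) for s in signals
                           if (n := harmonic_of(probe, s)))
        findings.append({"probe_mhz": probe.freq_mhz,
                         "responses": responses,
                         "stage": 2 if responses else 1})
    return findings


if __name__ == "__main__":
    for finding in assess(SURVEY):
        print(finding)
```

A stage 1 finding without a matching response corresponds to the article's instruction to repeat the window check in a neighboring room before drawing a conclusion.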
Another important area is the use of the device to detect information leakage channels along wire lines of various purposes.
The main types of wire lines are power grid lines (high-potential lines), as well as subscriber telephone lines and lines of fire and security alarm systems (low-potential lines).
Connection to the lines being tested is carried out using a VLF adapter (for testing the 10 kHz – 5 MHz range) or a wire line adapter (for testing the 50 Hz – 15 kHz range).
An analysis of the results of the search activities allowed us to conclude that the greatest attention should be paid to the range of 40-2500 kHz, as the most typical for EDs that are powered by the voltage of wire lines and transmit intercepted information via the wires. EDs with frequencies of about 5 MHz and higher are much less common.
Let's consider some tactical and technical features of the use of the OSCOR-5000 device for identifying such EDs.
Experience shows that detection and identification of such EDs should begin with setting the upper limit of the scanning range at 5 MHz, which enables the device to assess the general spectrum situation in the analyzed wires with maximum reliability.
Next, it is necessary to visually study the most characteristic features of the scanning panorama image and determine the presence of frequency components that exceed the general background level.
If there is a large number of interference signals, it is necessary to divide the analyzed range into separate intervals and scan them in detail, focusing primarily on the frequencies of the most intense components.
Accumulated experience shows that the result of identifying wired EDs can be refined by switching the device to the analysis mode, since that view of the signals characterizes their parameters in more detail.
When examining wire lines for the presence of EDs, it is necessary to take into account some features determined by the specifics of each type of wire line.
In particular, there are proven tactical and technical features of the study of the electrical network.
Thus, when checking the electrical network for an ED that picks up acoustic signals from the room, is powered from the mains and transmits information at high frequency along its wires, it is advisable to start from the mains sockets.
To reduce the background level during the study, all electrical appliances and equipment located in the monitored room should be turned off.
Next, the panorama image is analyzed.
The main unmasking factor during the analysis should be considered the detection of a signal containing signs of modulation by the room acoustics.
Localization of the ED can be carried out using the OTL method, checking all the sockets of the room in turn. A similar check should be carried out on the elements of the lines supplying the electric lighting devices.
After checking the power lines and lines supplying lighting fixtures, it is necessary to check the tees, extension cords and other power-consuming devices by connecting them one by one to the power grid.
Checking the wire lines of fire and security alarm systems, as well as lines of unknown purpose, is similar to checking the power grid lines.
When checking subscriber telephone lines, in addition to searching for the EDs described above, it is necessary to determine whether the line is being used to obtain acoustic information from the premises by linear high-frequency imposition.
In this case, a sign of linear high-frequency imposition is the presence of an unmodulated stable probing signal in the line at frequencies of at least 150 kHz. The order of connecting the device and the analysis procedure for determining linear high-frequency imposition are similar to checking power lines.
Today, the detection of information leakage channels in the IR range is also important.
When using the device for this purpose, two types of such information leakage channels should be considered. One of them is created by using an ED that transmits intercepted information in the IR range.
The other channel is based on irradiation of window glass with a directed beam of an IR radiation source and reception of a reflected signal modulated by the acoustics of the room.
In this case, to detect both leak channels, it is necessary to carry out the same preparatory measures.
First of all, it is necessary to choose the right time for the inspection, namely, the time when direct sunlight does not enter the windows of the monitored room. In the room itself, it is necessary to turn off incandescent lamps and sources of intense thermal radiation.
It is also advisable to turn off the color TV (if any), since the device's sensor may react to “warm” tones of the image.
The specifics of IR bugs require direct visibility between the ED's transmitter and the IR radiation receiver.
Therefore, indoors, the path of the transmitter's radiation to the outside can only pass through window openings. Taking these features into account, the search for dangerous signals should begin from the windows, moving deeper into the room being examined.
The analysis of detected signals can be performed “by ear” and also visually using a spectrum analyzer.
The localization of IR radiation sources is carried out by successively moving the device together with the IR detector and determining the location of the maximum amplitude.
To detect external potentially dangerous IR radiation, it is necessary to examine each window opening.
In this case, the IR detector of the device is oriented towards the window. Smoothly changing its spatial position, conduct a survey of the entire area of the window opening. Since the probing signal has no modulation, its presence can only be assessed by the level indicator and tone indication.
Thus, the article has examined some problematic issues concerning the tactical and technical principles of using the OSCOR-5000 device to identify various types of EDs, taking into account the differentiation of search approaches.
According to the authors, the material presented in the article will help to use the device more productively to solve the problems of searching for channels of unauthorized information retrieval.