Title: HTTP Activity vs. User Activity

Release Date: 2015-07-01

Document Date: 2009-06-19

Description: This NSA presentation from 19 June 2009 explains the metadata capabilities of XKeyScore: see the Intercept article XKEYSCORE: NSA’s Google for the World’s Private Communications, 1 July 2015.

Document: TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL


HTTP Activity vs
User Activity

19 June 2009





Derived From: NSA/CSSM 1-52
Dated: 2007 (remainder illegible in the scan)

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

HTTP Activity

■ HTTP Activity is essentially all web-based
activity from a user’s internet browser (with
some exceptions)

■ It includes web surfing, Internet searching
(like Google), mapping websites (Google
Earth/Maps), etc.

HTTP Activity

■ HTTP activity comes in two types: Client-to-Server
(requests from the user’s browser to a web server,
e.g. the cnn.com server) and Server-to-Client (the
server’s responses back to the browser)

HTTP Activity Client-to-Server

Raw request headers as captured on the slide (only the
legible parts of the scan are reproduced):

Accept: */*
Referer: http://search.bbc.co.uk/search?tab=urdu&order=sortboth&q=musharraf&start=2&scope=urdu
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Cookie: BBC-UID=b479a5f4ad230a53063d513630203acb22684634a0e0b164c45f96efc054cf950Mozilla%2f4%2e0%20%28com...
Cache-Control: max-stale=0

Metadata fields broken out of the same request:

Host: search.bbc.co.uk
URL Path: /search
URL Args: tab=urdu&order=sortboth&q=musharraf&start=3&scope=urdu&link=next
Search Terms: musharraf
Language: en
Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Via: 66808702... (truncated on the slide)
Referer: http://search.bbc.co.uk/search?tab=urdu&order=sortboth&q=musharraf&start=2&scope=urdu
Cookie: BBC-UID=b479a5f4ad230a53063d513630203acb22684634a0e0b164c45f96efc054cf950Mozilla%2f4%2e0%20%28com... (truncated on the slide)


User Activity

■ User Activity is best described as meta-data
from “communication-based protocols” like
webmail, chat, web forums, VoIP, etc. for which
we have protocol-processing capabilities like
AppProc.

■ It’s important to note that there are many
applications that fall within this definition for
which we do not currently have protocol-
processing capabilities


■ Most analysts will probably already be
familiar with “User Activity” from MARINA


■ While not an exact duplicate, MARINA and
XKS’s User Activity share a lot in common

XKS runs the same software
(AppProc/WebProc/StarProc) that is used
to break out meta-data for MARINA

■ In some cases, it’s actually the XKS at the
front-end site that is feeding the meta-data
to MARINA (the source will be ‘XKS’)


■ Since applications like web-mail are web-
based, HTTP and User activity will contain
information about the same session.

■ While HTTP contains information about all
web-based sessions, user activity contains
information on “user activity protocols” in
which we have identified and developed
exploitation capabilities


How the Search Forms Fit Together

(Venn diagram) Of all DNI sessions collected: the
sessions from web-based protocols are covered by
HTTP Activity; the sessions from “user activity”
protocols* are covered by User Activity. The two
overlap where a user-activity protocol (such as
webmail) is itself web-based.


Examples of traffic

Webmail (client side)

DNI Presenter session view (tabs: Session / Header (3) / Meta (9);
Type: HTTP-GET). The raw request, as far as the scan is legible:

GET /mc/modules/im/abContacts?mcrumb=EIEDbfi9ijm&.jsrand=9S037307&.rand=2127033459 HTTP/1.0
Accept: */*
Accept-Language: fa
Referer: http://us.mc575.mail.yahoo.com/mc/showFolder;_ylc=X3oDMTBucmhobGROBF9TAzM5ODMwMTAyNwRhYwNk...?mid=1_21857_AFRkxEIAANvjSi6wUQ7filZa4fY&fid=Inbox&sort=date&order=up&startMid=36&filterBy=
x-requested-with: XMLHttpRequest
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: us.mc575.mail.yahoo.com
Cookie: (broken out below)

Cookie fields as annotated on the slide (values partly redacted
or illegible):

d=IvAXlF...            (illegible)
v=1
n=66k3gh6ns551f
l=ce70cc03_01sqq...    (Yahoo login id: redacted)
p=m2g265i013000000     (Gender: male, Birth year: redacted, Postal code: redacted)
r=hq
lg=en-US               (Language/content: English)


Examples of traffic

Webmail (server side)

Datetime: 2009-06-16 16:23:5x   Case Notation: (illegible)
From IP: 69.(redacted) (United States)   To IP: 91.(redacted) (Iran)
From Port: 80

Session tabs: Header (3) / Meta (5) / Attachments (2). Type: HTTP.
Content Type: HTTP/YahooWebmail. Formatter: UIS Webmail Display.
Active user: (redacted)

Folder List
Name           Count
Inbox (1655)   4035
Drafts (5)     5
Sent           831

Message in folder: Inbox
Fwd: Fw: (subject illegible)
Tuesday, June 16, 2009 1:14 AM
From: (redacted)


Examples of traffic

■ MSN Messenger

Datetime: 2009-06-16 16:1x   Case Notation: IRS1014A
From IP: (redacted) (Iran)   To IP: 65.(redacted) (United States)
From Port: 51818   To Port: 1863   Protocol: TCP   Length: 137

Session tabs: Header (3) / Meta (7). Formatter: DNI Presenter,
Mode: Snippet. Type: MSN Messenger.

Meta: 20090616 161707Z   (redacted)@yahoo.com logged in (im)

Messages (From / To / Message): (redacted)@yahoo.com logging in

DNI Presenter version 1.4.0.3, build date Thu Feb 19 13:02:15 GMT 2009.


Examples of traffic

Skype sessions:

Datetime: 2009-06-16 15:25:46   Case Notation: IRS1014B
From IP: (redacted) (Iran)   To IP: (redacted) (Switzerland)
From Port: 14414   To Port: 13510   Protocol: UDP   Length: 179

Session tabs: Header (3) / Meta (3). Formatter: DNI Presenter.
Type: (illegible).

Meta rows (the Skype user name and the 89.(redacted) IP that each
row is tied to are redacted on the slide):
  has leaker IP          10.0.0.3
  seen with machine ID   c82814cf5ff05776
  seen with machine ID   c1695fc7feef159e (OCR uncertain)
  has buddy              (redacted)
  client to server
  logged in (im)


The typical way to search HTTP Activity is to start with
User Activity in MARINA.

For example, we’ll start with this 16 June activity

TSA               USERID / PHONE / USER_A   ACTIVITY         USER_B
20090616 143827Z  <SkypeUser> (redacted)    logged in (im)   89.(redacted)
20090616 143936Z  <SkypeUser> (redacted)    logged in (im)   89.(redacted)
20090616 144127Z  <SkypeUser> (redacted)    logged in (im)   89.(redacted)
20090616 144409Z  <SkypeUser> (redacted)    logged in (im)   89.(redacted)
20090616 144427Z  <SkypeUser> (redacted)    logged in (im)   89.(redacted)
20090616 144715Z  <SkypeUser> (redacted)    logged in (im)   89.(redacted)
20090616 144715Z  <SkypeUser> (redacted)    logged in (im)   89.(redacted)
20090616 144715Z  <SkypeUser> (redacted)    logged in (im)   89.(redacted)
20090616 144715Z  <SkypeUser> (redacted)    logged in (im)   89.(redacted)
20090616 144715Z  <SkypeUser> (redacted)    logged in (im)   89.(redacted)
20090616 144715Z  <SkypeUser> (redacted)    logged in (im)   89.(redacted)
20090616 144717Z  <SkypeUser> (redacted)    logged in (im)   89.(redacted)
20090616 144717Z  <SkypeUser> (redacted)    logged in (im)   89.(redacted)
20090616 144718Z  <SkypeUser> (redacted)    logged in (im)   89.(redacted)
20090616 144950Z  <SkypeUser> (redacted)    logged in (im)   89.(redacted)


Understand what is behind the IP

■ Ensure activity on the IP can be associated with
the target

■ Understand IP usage: dynamic/static

■ Research the IP using Foxtrail/NKB

■ Is it a proxy, DVBLAN, dial-up, DSL, etc.?

■ Is it client-to-server or server-to-client?

■ Still not sure? Do a User Activity pull for a
5-minute period on the foreign IP


MultiSearch on IP Address

Let’s take what we used last week and do a Multi-Search to
discover any web activity around the time the account was active

MultiSearch form (IP Addresses tab), as filled in on the slide:
  Datetime: Custom   Start: 2009-06-16 14:30   Stop: 2009-06-16 16:30
  IP Address: (redacted)
  IP Role: From / To / X-Forwarded-For
  Search Forms: [✓] User Activity   [✓] HTTP Activity   [✓] Full Log
                [ ] Phone Number Extractor   [ ] Email Addresses
                [ ] Extracted Files   [ ] Web Proxy

Classic search forms listed in the navigation tree (A-M): Alert,
BlackBerry, CNE, Call Logs, Category DNI, Cellular DNI, Cisco
Passwords, DNS, Document Metadata, Document Tagging, Email Addresses,
Extracted Files, Full Log DNI, HTTP Activity, IKE Parser, IRC Cafe
Geolocation, Logins and Passwords, Micro plugin Metadata.


Note the number of results for each search, compared
to the 28 MARINA results for the same IP address and
the same time frame

My Recent Results
Query Name        Query Type      Status     Num Results   Num DBs
16 june example   user_activity   finished   0             1 of 1
16 june example   full_log        finished   3223          1 of 1
16 june example   http_parser     finished   2626          1 of 1


HTTP Results

Of interest we see visits to web pages like

http://twitter.com/... (handle illegible)
(several further URLs are illegible in the scan, among them an
.ir news site and a blogspot.com post from June 2009)
web search: (illegible)
google search: (illegible)


HTTP Results

■ Notice how all of the HTTP GET requests were going to the
same IP address even though they are for different web
servers....what’s going on here?

Host                               Count
integratedsearch.twitter.com       489
www.bbc.co.uk                      126
www.newyorker.com                  57
newsimg.bbc.co.uk                  31
twitter.com                        22
www.facebook.com                   21
static.twitter.com                 12
stats.bbc.co.uk                    12
visualscience.external.bbc.co.uk   7
news.bbc.co.uk                     6
profile.ak.facebook.com            5

(The To IP and To Port columns, identical for every row, are not
legible in the scan.)

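The pattern the slide asks about, one destination IP carrying requests whose Host headers name many unrelated sites, is exactly what a SOC looks for in its own egress logs to find a forward proxy, a CDN edge or shared hosting, because in that situation the Host header rather than the destination IP identifies the site visited. The following added example (not code from the presentation or from XKS) groups HTTP metadata rows by destination and flags destinations that span several registrable domains. The host names and counts are the ones on the slide; the destination IP 192.0.2.10 (RFC 5737 documentation range), the port, the contrasting direct-connection row and the crude registrable-domain rule are constructed for the example.

```python
"""Spot a destination IP that fronts many unrelated web sites.

Added example; this is not code from the presentation. The host names
and request counts are the ones on the slide; the destination IP
192.0.2.10 (RFC 5737 documentation range), the port and the contrasting
direct-connection row are constructed placeholders.
"""
from collections import defaultdict

# Constructed HTTP-metadata summary rows: (host, to_ip, to_port, count)
RECORDS = [
    ("integratedsearch.twitter.com", "192.0.2.10", 8080, 489),
    ("www.bbc.co.uk", "192.0.2.10", 8080, 126),
    ("www.newyorker.com", "192.0.2.10", 8080, 57),
    ("newsimg.bbc.co.uk", "192.0.2.10", 8080, 31),
    ("twitter.com", "192.0.2.10", 8080, 22),
    ("www.facebook.com", "192.0.2.10", 8080, 21),
    ("static.twitter.com", "192.0.2.10", 8080, 12),
    ("stats.bbc.co.uk", "192.0.2.10", 8080, 12),
    ("visualscience.external.bbc.co.uk", "192.0.2.10", 8080, 7),
    ("news.bbc.co.uk", "192.0.2.10", 8080, 6),
    ("profile.ak.facebook.com", "192.0.2.10", 8080, 5),
    # A direct connection to a single site, for contrast (constructed).
    ("www.example.net", "198.51.100.7", 80, 40),
]

# Second-level labels under which registrable domains sit for some
# two-letter TLDs (bbc.co.uk). A deliberate simplification of the
# public-suffix list, good enough for this demonstration.
SECOND_LEVEL = {"co", "ac", "com", "org", "net", "gov"}


def registrable_domain(host: str) -> str:
    """Reduce a host name to the site that owns it (crude eTLD+1)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def hosts_per_destination(records):
    """Group rows by (to_ip, to_port) -> {host: request count}."""
    table = defaultdict(lambda: defaultdict(int))
    for host, ip, port, count in records:
        table[(ip, port)][host] += count
    return {dest: dict(hosts) for dest, hosts in table.items()}


def flag_shared_destinations(records, min_sites: int = 3) -> dict:
    """Return destinations whose traffic spans >= min_sites unrelated sites.

    One IP:port carrying requests for many unrelated registrable domains
    is the signature of a forward proxy, a CDN edge or shared hosting:
    the Host header, not the destination IP, says which site was visited.
    """
    flagged = {}
    for dest, hosts in hosts_per_destination(records).items():
        sites = {registrable_domain(h) for h in hosts}
        if len(sites) >= min_sites:
            flagged[dest] = {
                "requests": sum(hosts.values()),
                "distinct_hosts": len(hosts),
                "sites": sorted(sites),
            }
    return flagged


if __name__ == "__main__":
    for (ip, port), info in flag_shared_destinations(RECORDS).items():
        print(f"{ip}:{port} serves {info['distinct_hosts']} host names across "
              f"{len(info['sites'])} sites ({info['requests']} requests): "
              f"{', '.join(info['sites'])}")
```

A Via header in the request metadata (the earlier BBC example carries one) is the other common indicator of the same thing: an intermediary that added itself to the request path.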

Example #2

■ Analysis of 27 May Internet session of PK
based target started in MARINA

TSA               USERID / PHONE / USER_A   ACTIVITY            USER_B
20090527 052156Z  (redacted)@gmail.com      logged in (email)   116.(redacted)
20090527 052156Z  (redacted)@gmail.com      logged in (email)   116.(redacted)
20090527 052156Z  (redacted)@gmail.com      logged in (email)   116.(redacted)
20090527 052157Z  <yahoo> (redacted)        logged in (email)   116.(redacted)
20090527 052159Z  <yahoo> (redacted)        logged in (email)   116.(redacted)
20090527 052236Z  <yahoo> (redacted)        logged in (email)   116.(redacted)
20090527 052236Z  <yahoo> (redacted)        logged in (email)   116.(redacted)
20090527 052236Z  <yahoo> (redacted)        logged in (email)   116.(redacted)
20090527 052236Z  <yahoo> (redacted)        logged in (email)   116.(redacted)
20090527 052236Z  <yahoo> (redacted)        logged in (email)   116.(redacted)


The analyst then did an HTTP activity query to
find all web surfing from that IP address within
the same rough timeframe.

HTTP Activity search form, as filled in on the slide:
  Search: HTTP Activity
  Query Name: 27_may_activity
  Justification: PK IP address used by ct. target in paksitan
  Datetime: Custom   Start: 2009-05-27 05:20   Stop: 2009-05-27 06:00
  IP Address: 116.(redacted)   Role: From
  IP Address: (blank)          Role: To
  Port: (blank)                Role: From
  Port: (blank)                Role: To


27 May HTTP Activity

■ HTTP meta-data indicated possible Maktoob
activity

Datetime             HTTP   Host              URL Path                                            From   From City   To   To City
2009-05-27 05:22:39  get    cdn.maktoob.com   /newMaktoob/homePage/images/logo.png                PK     KARACHI     US   HERNDON
2009-05-27 05:22:45  get    cdn.maktoob.com   /newMaktoob/homePage/images/img3.gif                PK     KARACHI     US   HERNDON
2009-05-27 05:22:45  get    cdn.maktoob.com   /newMaktoob/homePage/images/img4.gif                PK     KARACHI     US   HERNDON
2009-05-27 05:22:39  get    cdn.maktoob.com   /localization/images/localtoolbar/... (illegible)   PK     KARACHI     US   HERNDON
2009-05-27 05:22:45  get    cdn.maktoob.com   /newMaktoob/homePage/images/img1.gif                PK     KARACHI     US   HERNDON
2009-05-27 05:22:39  get    cdn.maktoob.com   /localization/images/localtoolbar/... (illegible)   PK     KARACHI     US   HERNDON
2009-05-27 05:22:39  get    cdn.maktoob.com   /localization/images/localtoolbar/flags/ae.gif      PK     KARACHI     US   HERNDON




(MARINA User Activity results for the 27 May session, repeated from
Example #2 above: the Gmail and Yahoo e-mail log-ins only, with no
Maktoob activity.)


27 May User Activity Results

■ XKS’s User Activity also didn’t show any
Maktoob activity

Datetime End         Search Value   Realm   Attribute Type   Attribute Value   Activity
2009-05-27 05:23:58  (blank)        yahoo   B_cookie         bsgamu5517ssv     login_webmail
2009-05-27 05:23:58  (blank)        yahoo   B_cookie         bsgamu5517ssv     login_webmail
2009-05-27 05:23:58  (blank)        yahoo   B_cookie         bsgamu5517ssv     login_webmail
2009-05-27 05:23:58  (blank)        yahoo   B_cookie         bsgamu5517ssv     login_webmail
2009-05-27 05:30:07  (blank)        yahoo   B_cookie         bsgamu5517ssv     login_webmail


■ Was it just a visit to the Maktoob home page or
was there an actual web-mail log-in?

■ In most cases “active user” and “previous user”
information from web-mail protocols comes
from the cookie field.

■ XKS HTTP Activity breaks out the entire cookie
field, even if protocol analysis doesn’t know
what each part means
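Breaking the cookie field out name by name, without knowing what each name means, is plain header parsing, and it is worth seeing concretely what a passive on-path observer lifts from a single unencrypted HTTP request. The following added example (not code from the presentation or from XKS) extracts the fields listed on the earlier “HTTP Activity Client-to-Server” slide (Host, URL path, URL args, search terms, language, browser, Via, Referer, Cookie) and splits the Cookie header into every name=value pair, unknown ones included. The request is constructed from the BBC search request on that slide with a shortened cookie and a placeholder Via header; the list of query parameters treated as search terms is an assumption of this example, not something the slide states.

```python
"""Break one plaintext HTTP/1.x request into the metadata fields the
slides list, and split its Cookie header into every name=value pair.

Added example, not code from the presentation. SAMPLE_REQUEST is
constructed from the BBC search request on the slide; the cookie values
are shortened and the Via header is a placeholder.
"""
from urllib.parse import parse_qs, urlsplit

# Query-string parameters that commonly carry a user's search terms.
# Assumption for this example; the slide does not say how XKS picks them.
SEARCH_PARAMS = ("q", "query", "p", "search")

# Constructed request (values taken from the slide, cookie shortened).
SAMPLE_REQUEST = (
    "GET /search?tab=urdu&order=sortboth&q=musharraf&start=3&scope=urdu&link=next HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Referer: http://search.bbc.co.uk/search?tab=urdu&order=sortboth&q=musharraf&start=2&scope=urdu\r\n"
    "Accept-Language: en-us\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Host: search.bbc.co.uk\r\n"
    "Via: 1.1 proxy.example (placeholder)\r\n"
    "Connection: Keep-Alive\r\n"
    "Cookie: BBC-UID=b479a5f4ad230a53; lang=en; _session=abc==\r\n"
    "Cache-Control: max-stale=0\r\n"
    "\r\n"
)


def split_cookie(cookie: str) -> dict:
    """Break a Cookie header into name -> value, keeping every pair.

    Splits on the first '=' only, so base64-style values containing '='
    survive intact; a bare name with no '=' is kept with an empty value.
    """
    fields = {}
    for part in cookie.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        fields[name.strip()] = value.strip() if sep else ""
    return fields


def parse_request(raw: str) -> dict:
    """Return the metadata fields extracted from one raw request."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)

    # Header names are case-insensitive; normalise them once.
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    parts = urlsplit(target)
    args = parse_qs(parts.query, keep_blank_values=True)
    search_terms = [v for key in SEARCH_PARAMS for v in args.get(key, [])]

    # Accept-Language: keep the primary language tag, drop region and q-weights.
    lang = headers.get("accept-language", "")
    lang = lang.split(",")[0].split(";")[0].strip().split("-")[0].lower()

    cookie = headers.get("cookie", "")
    return {
        "method": method,
        "host": headers.get("host", ""),
        "path": parts.path,
        "args": parts.query,
        "search_terms": search_terms,
        "language": lang,
        "browser": headers.get("user-agent", ""),
        "via": headers.get("via", ""),
        "referer": headers.get("referer", ""),
        "cookie": cookie,
        "cookie_fields": split_cookie(cookie),
    }


if __name__ == "__main__":
    for field, value in parse_request(SAMPLE_REQUEST).items():
        print(f"{field:14} {value}")
```

Everything the function returns was readable because the request travelled as plaintext; the same request over TLS exposes only the destination address and (via SNI) the host name, which is the practical reason site-wide HTTPS and the Secure attribute on session cookies matter.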


27 May HTTP Activity

Look at the full cell value:

The Cookie column preview shows only the start of each value, e.g.
“lang=ar; OAX=dEcHOEocyuIAC5Lw; RMFD=011M9B...” and, for the other
rows, “...; c=pk; _”. Use Cell Actions -> Show Full Cell Value to see
the whole field.

Context menu shown on the slide:
  Row Actions: View Session; View Session (New Window); Show All Row
  Values; Mark Metadata row as Important; Send to Agility Realtime;
  Execute Persona Analysis Query
  Cell Actions: Show Full Cell Value
  Filters: Check where Cookie Equals ‘lang=ar; OAX=dEcHOEo...’;
  Un-Check where Cookie Equals ‘lang=ar; OAX=dEcHOEo...’


By looking at the full cookie, the analyst noticed
what appeared to be the target’s username

Cookie (full cell value; the redacted part is where the analyst saw
the apparent username):

lang=ar; OAX=dEcHOEocyuIAC5Lw; RMFD=011M9BND104311|01047Px; c=pk;
__utma=206054159.4027773062198129700.1243400938.1243400938.1243401768.2;
__utmb=206054159.1.10.1243401768;
__utmz=206054159.1243400938.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
str_tab=sport,news,jokesNew,undefined;
MKLLD=(redacted)...%2C%22...1243401282;
RMAM=01cen16_1060.4aD066GG|; __utmc=206054159


27 May HTTP Activity

The content also shows the cookie value:

GET /localization/js/localization.utf-8.js/2009/5/26/8999991 HTTP/1.1
Accept: */*
Referer: http://web14.maktoob.com/mail2/newlogin/compose432.php?nm=956880045
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: cdn.maktoob.com
Connection: Keep-Alive
Cookie:
  lang=ar
  OAX=dEcHOEocyuIAC5Lw
  RMFD=011M9BNt0104311|0104311|01047Px (OCR uncertain)
  c=pk
  __utma=206054159.4027773062198129700.1243400938.1243400938.1243401768.2
  __utmb=206054159.1.10.1243401768
  __utmz=206054159.1243400938.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
  str_tab=sport,news,jokesNew,undefined
  MKLLD=(redacted)1243402079
  RMAM=01cen16_1060.4aD066GG|
  wlm_utf-8=0
  wlm_windows-1256=0
  __utmc=206054159
  MKTID=JDhdVmJ8RKc4fWIFOAZScTS1eTcscE97EyoMGiVjeA4sDAdWPzMWQkOLKm5acjxNBjMxN...
  logged=1


Why wasn’t this activity in MARINA or XKS’s
User Activity (both fed by AppProc)?

Because Protocol Exploitation hadn’t identified
this particular Maktoob service

Since it hadn’t been identified, AppProc could
not produce meta-data and DECODEORDAIN
was not producing permutations for strong
selection


27 May Maktoob Activity

■ In this particular case, analysts from Protocol
Exploitation were able to determine that the
MKLLD= cookie was identifying the “previous
user” but not the “active user”


Moral of the story

Internet applications are dynamic, and protocol
analysts are not able to identify and build
capabilities to exploit every known application

It’s important that target analysts use tools like
XKS to aggressively develop their target to
uncover applications that are previously
unidentified or are not currently being
processed properly


■ The Multi-Search page gives you the ability to search full log and
HTTP activity based on an IP address at the same time

Multi Search sits in the Search tree next to the Classic forms
(Search > Multi Search > IP Addresses / Mac Address / Username).

Simply enter an IP address, choose any or all
“roles” (i.e. from/to/xff) and then choose which
search forms you want.

MultiSearch form (IP Addresses), as shown on the slide:
  IP Address: (blank)
  IP Role: From / To / X-Forwarded-For
  Search Forms: User Activity, Phone Number Extractor, Email Addresses,
  Extracted Files, HTTP Activity (checked), Full Log, Web Proxy


Who to contact

■ If you discover examples that don’t seem to be
processing correctly, don’t hesitate to contact
the experts at traffichelp@nsa.ic.gov
