Title: The Unofficial XKEYSCORE User Guide

Release Date: 2015-07-01

Description: This 27-page NSA document, authored by a consultant from contractor Booz Allen Hamilton, provides a step-by-step guide to using XKeyScore, together with screenshots: see the Intercept article XKEYSCORE: NSA’s Google for the World’s Private Communications, 1 July 2015.

Document: unofficial-xks-user-guide-p1-normal.gif:
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20320108

The Unofficial XKEYSCORE User Guide

E92 - ADET

Consultant, Booz Allen Hamilton

The Unofficial XKEYSCORE User Guide................................................1

Creating Queries................................................................2

Classic Queries...............................................................2

Multisearch:................................................................2

Classic Searches (A-Z)......................................................6

Creating a WorkFlow............................................................18

Searching - Tips and Tricks....................................................24

Which Query Is best for Me?....................................................25

Derived From: NSA/CSSM 1-52
Dated: 20070108
Declassify On: 20320108


Creating Queries

Clicking on Search at the top of the screen will bring up a list of searches in the
Navigation Menu:

[Screenshot: the Navigation Menu with the Search tree expanded. Under Classic are the folders Multisearch (IP Addresses, MAC Address, Username), Classic A-M (ASF and WMV, BlackBerry, Call Logs, Category DNI, Cellular DNI, Cisco Passwords, Document Metadata, Document Tagging, Email Addresses, Extracted Files, HTTP Activity, IRC, Geolocation, Logins and Passwords) and Classic N-Z. To the right is a Search: Full Log form with Query, Justification, Additional Justification, Miranda Number, Datetime, Client IP (X-Forwarded-For), User, Attribute and IP Address fields.]

The Search screen has cascading menus of different Searches: Classic, Common,
Dictionary Hits, File Transfer, Multisearch, Network Management, User Activity, VoIP,
and Wireless.

Classic Queries:

Within the Classic Menu there are three folders: Multisearch, Classic A-M, and Classic
N-Z.

Multisearch:

Expand the Multiscarch folder by clicking on the plus sign:


[Screenshot: two views of the Navigation Menu. In the first, the Classic folder shows Multisearch, Classic A-M and Classic N-Z collapsed; in the second, Multisearch is expanded to show IP Addresses, MAC Address and Username.]

Multisearch IP Address:

The Multisearch IP Address query allows you to search on an IP address across seven
different searches. Think of it as a federated query using an IP address. The Multisearch
IP Address query searches on:

• User Activity

• Phone Number Extractor

• Email Addresses

• Extracted Files

• HTTP Activity

• Full Log

• Web Proxy

Refer to some of the individual searches below for more information about specific
queries.

Creating a Multisearch IP Address Query:

When you have filled in your query name, justified it, entered an IP address, and selected
your search engines and sites, the last thing is to submit the query. If you select “Merge
Results”, then all of your individual queries will be merged into one consolidated result.

“Why would I want to merge my results?”

If you wanted to see all of the activity together to get a ‘big picture’ look at the IP
address, regardless of the activity or application that is on the IP. The New GUI's results
screens allow you to filter your results easily, which may make viewing your results more
intuitive. See "Viewing Your Results" in this Guide.

“Why would I want to NOT merge my results?"

Viewing the results individually allows you to focus on a particular activity or result (e.g.
Documents or email addresses).


Multisearch MAC Address:

The Multisearch MAC Address query is exactly the same as the IP address query
except it only allows you to search on a MAC address. Follow the same instructions as
the Multisearch IP Address query above but replace the IP address with your MAC
address(es).

[Screenshot: the Multiple Search: Mac Address form with Query Name, Justification, Additional Justification, Miranda Number, Datetime (1 Day, Start 2009-01-22 00:00) and Max Results fields, a Search Forms list (User Activity, Phone Number Extractor, Email Addresses, Extracted Files, HTTP Activity, Full Log, Web Proxy), and Save in my Favorites / Load From my Favorites controls.]

Callout: "Multisearch MAC Address looks just like the Multisearch IP Address query except you must now search on a MAC."


Multisearch Username:

As you may have guessed, the Multisearch Username query is exactly the same as the
IP Address and MAC Address queries except it only allows you to search on a target’s
Username. Follow the same instructions as the Multisearch IP Address query above but
replace the IP address with your Username(s).

[Screenshot: the Multiple Search: Username form (Query Name, Justification, Additional Justification, Miranda Number, Datetime) with a Search Forms list of User Activity, Email Addresses, Full Log, and Logins and Passwords, and Save in my Favorites / Load From my Favorites controls.]

Callout: "Type in the username and domain (without the “@” symbol)."

“What is a Username?”

A “Username" in XKEYSCORE queries is the portion before the @ symbol in an
email address.

For example:

abujihad@hotmail.com: Username = abujihad

Domain = yahoo.com


Classic Searches (A-Z)

There are 32 different searches between the A-M and N-Z searches. This guide will cover
some of the most common searches. You will notice that most of the fields of the
searches are the same, and each individual query will be unique based on its
query name. For example, the Extracted Files search has fields that are only applicable
to file attachments (e.g., file names, file extensions) and the Email Addresses query has
fields for email addresses (e.g., username and domains). All of the Classic queries will
have common fields like Ports, IP addresses, Countries, SIGADs, and CaseNotations that
you can use to

[Screenshot: two Classic query forms side by side, each with Query Name, Justification, Additional Justification, Miranda Number and Datetime fields.]

Callout: "Here are two Classic queries: Email Addresses and Phone Number Extractor."


Email Addresses Query:

One of the most common queries is (you guessed it) an Email Address Query searching
for an email address. To create a query for a specific email address, you have to fill in the
name of the query, justify it and set a date range then you simply fill in the email
address(es) you want to search on and submit.

That would look something like this...

[Screenshot: the Search: Email Addresses form with Query Name "abujihad", Justification, Additional Justification, Miranda Number, Datetime (1 Month), Email Username "abujihad" and Domain fields.]

NOTE: You DO NOT have to know an email address to use the Email Address Query.
You can also search on an IP address*, domain name**, country, port, casenotation,
protocol, SIGAD, MAC address, PID and more. If you search on something other than an
email address (e.g., an IP address), your results will be all of the email addresses seen on
those IPs.

* The IP must be hosted OUTSIDE 5-eyes countries.

** The Domain MUST be foreign owned. Check WHOIS and NSLOOKUP for more info on your domain beforehand.


Extracted Files Query:

1. To find a specific file (i.e., if you already know the file name): For example, if you
noticed a file name in your target's inbox and you never actually got the file attachment.
This is VERY common for webmail collection because the attachment is often not put
into PINWALE with the email.

[Screenshot: the Search: Extracted Files form with Query Name, Justification, Additional Justification, Miranda Number, Datetime, Extracted Filename, Extension, File Type (MIME type), Is Obfuscated (yes/no) and Obfuscated Original Extension fields.]

2. To search for all files or specific file types on a particular area or on a network (e.g.,
IP address). This is a GREAT query if you have a foreign mail server and want to see
what files are collected on that IP address.



[Screenshot: a second Search: Extracted Files form with the same fields plus file date fields (Date File Created and others) and an IP Address field.]

Callout: "If you leave the Extracted Filenames field blank, you are wildcarding the search to look for ALL file names."

Callout: "The IP Address of the mail server you found using NSLookup in Foxtrail or your non-attrib Airgap account goes in the “IP Address” field."


Logins and Passwords

1. If you already know the login and/or password.

[Screenshot: the Search: Logins and Passwords form with Query Name, Justification, Additional Justification, Miranda Number, Datetime (1 Month, Start 2008-12-24), Password, Domain, IP Address and Port fields.]

If you know the logins or passwords,
query on them as long as they are unique
and will comply with USSID-18.


“Where would I find passwords to use in this query?”

Passwords can be found in TUNINGFORK (e.g., FoggyBottom), passed in the content of
emails or text messages, or from previous XKEYSCORE queries.

2. Trying to discover logins and passwords on a network? NOTE: Logins and
passwords are valuable tools to enable Tailored Access Operations (TAO).

“What tools would I use to get the network information like a Mail Server, or Name
Server?”

NS Lookup tools on NSAnet such as FOXTRAIL and Open Source tools such as
robtex.com, centralops.net, and network-tools.com are a GREAT START. They provide
you with IP addresses for domains. You can then query on the foreign-hosted IP
addresses.


[Screenshot: the Search: Logins and Passwords form with Query Name, Justification "Afghanistan network mail server passwords", Additional Justification, Miranda Number, Datetime (1 Month, Start 2008-12-24 00:00, Stop 2009-01-23 23:59), Password, Domain and IP Address fields.]

Callout: "If you are trying to FIND logins and passwords and you know the IP address for the network, your results will be.... LOGINS and PASSWORDS!"

Phone Number Extractor

The Phone Number Extractor query looks through the content of an email for phone
numbers. This is very similar to a PINWALE DoPhone query except the traffic that
XKEYSCORE finds may be survey (i.e., unselected, non-tasked data) and might not be
in PINWALE. XKEYSCORE may be your only hope at finding an email address for a
target where you only have their phone number as lead information.

1. Already have a phone number? If all you have to start with as lead information is
a phone number, you may find it useful to query on that phone number and see if
anyone sent an email with that number in the signature line.

[Screenshot: the Search: Phone Number Extractor form with Query Name "Afghan", Justification "Afghanistan phone number CT target", Additional Justification, Miranda Number, Datetime (1 Month, Start 2008-12-2?), Phone Number, Number Type, Country Code, Area and IP Address (From / To) fields.]


2. Looking for any phone numbers on a network? Quite often you know the mail
server IP address and could use some telephone numbers to task.

[Screenshot: the Search: Phone Number Extractor form with Query Name "Afghan", Justification "Afghanistan phone number CT target", Additional Justification, Miranda Number, Datetime (1 Month, Start 2008-12-2? 00:00, Stop 2009-01-23 23:59), Phone Number, Number Type, Country Code, Area and IP Address fields.]


3. Looking for a phone number without the country code (non-normalized)? It’s
possible a target will pass their phone number without the country code (e.g. a
signature line with “Tel: 5354658”). In that case, XKEYSCORE will not find the
number with the country code, so you must create a query that looks for fewer
digits but still complies with USSID-18. This is not a 100% solution*, but
ANDing your query with a country or IP address would certainly be more
compliant. See example below:

[Screenshot: two Phone Number Extractor queries with the following callouts.]

Callout: "The number you enter here isn’t normalized because you expect to see it in traffic without the country code. To make this USSID-18 compliant you must AND this with something like a country or IP address."

Callout: "This example shows traffic in/out of Pakistan."

Callout: "This example shows traffic in/out of a particular network/IP Address."

* If you ask XKEYSCORE to give you all Pakistani traffic, it’s doing an NKB lookup on all Pakistani
registered IP addresses. Geolocation of IP addresses is not 100% accurate at this time. Unofficial estimates
say asking for all of Country X’s traffic will find between 50-60% of the actual traffic. (That’s more than
0%, though, right?)


HTTP Parser

The HTTP Parser query looks for web activity (remember, HTTP = web) on a particular
link. This query is useful for several reasons. Firstly, if you know a particular website and
want to see if a foreign target visits it (e.g. an extremist web forum URL, or
maps.google.com). Secondly, this query enables you to query on a network IP(s),
casenotation, or country and see what websites we don't know about (survey-type query).

Here are two examples:

1. If you know the particular website the target visits. For this example, I'm looking
for everyone in Sweden that visits a particular extremist web forum.

[Screenshot: the Search: HTTP Activity form with Query Name "HTTP_in_Sweden", Justification "Swedish extremist website visitors", Additional Justification, Miranda Number, HTTP Type and Datetime (1 Week, Start 2009-01-20) fields.]

Callout: "Scroll down to enter a country code (Sweden is se)."

Callout: "The website URL (aka “host”) is entered in with a wildcard to account for “www”, “mail” and other hosts."

Callout: "To comply with USSID-18 you must AND that with some other information like an IP or country."


2. If you don’t know the website but you know the network information (IP). For
this example, I’m querying on a network IP block to see all of the websites the
target visits.

[Screenshot: the Search: HTTP Activity form with Query Name, Justification, Additional Justification, Miranda Number, Client Host, URL, Referrer and X-Forwarded-For fields.]

Results from an HTTP Parser query

This shows what the results from a query look like for an HTTP Parser query:

[Screenshot: an HTTP Parser results list showing several rows with host and URL path columns.]

Example 1 above shows a person was visiting www.f-gaming.com/s/stat.php
Host = f-gaming.com
URL Path = /s/stat.php


Document Metadata

Document Metadata query allows you to search on document authors, organization,
encryption*, and many other things about a document. This is extremely helpful if you
have found a file attachment from a target (e.g. Brick-and-mortar targets, person, or
Organization) and you want to see all of the other files they have sent. With the
Document Metadata query you don’t have to know the email address of the person
sending the document, you just have to know the document’s properties.

* Most Microsoft Office applications allow users to encrypt files by clicking Tools -> Options -> Security and password
protecting the files. The Document Metadata query looks for that type of encryption. It doesn’t look for
PGP or other 3rd party encryption.

“How do I find a document's properties?”

The easiest way to see this is to open a MS Office document and click on File ->
Properties. To find the document properties for a file your target sent, the easiest way is to
view the file in Agility and click on Properties.

Finding your target’s file properties

If you can view the target’s document in Agility, click on the Properties tab to show the
target’s Organization and/or Author. If the fields are unique or random enough you can
query on the term itself. If the Organization or Author aren’t enough to comply with
USSID-18, then you must AND that query with supporting information (IP or Country).


Displaying MS Word document in Agility:

[Screenshot: Agility displaying the properties of an MS Word document, including Category, Line Count, Page Count, Word Count, Author, Company and Last Author fields and a list of embedded object types (application/msword). Callouts labelled "Author =" and "Last Author =" point at those two fields; the values are not legible.]

To create a query in XKEYSCORE from this information:

[Screenshot: the Search: Document Metadata form with Query Name, Justification, Additional Justification and Miranda Number fields.]


View of document properties of PDFs in Agility:

[Screenshot: Agility displaying the properties of a PDF document. A callout labelled "Author =" points at the Author field; the value is not legible.]

To create a query in XKEYSCORE using this information:

[Screenshot: the Search: Document Metadata form with Query Name, Justification "Swedish CT Target", Additional Justification and Miranda Number fields.]


Creating a WorkFlow

Workflows are periodic queries you can set up that run at specified times. They are great
for sustained targets because they query the database for you (e.g. every night) and you
can easily view the recently collected traffic without having to create a new query each
day. They are also very helpful if you are performing target discovery on a network and
haven't seen much traffic yet on a selector. A workflow for an email address can bridge
the gap between when you discover the selector (and you task it to UTT/Cadence) and
when it actually makes it to the appropriate dictionaries.

It’s important to understand that a normal (ad hoc) query is submitted when you hit
Submit. Workflows, on the other hand, are created then submitted to the XKEYSCORE
team for review. The XKEYSCORE team does not review it for USSID-18 compliance
(that’s up to you); they only review it to ensure your query won’t strain the system with
too complex a query. The first step in creating a Workflow is to click on Workflow Central:

[Screenshot: the XKEYSCORE menu bar with Home, Workflow Central, Search, Results, Statistics, Preferences and Help.]

Then click on Request on the left to start the Workflow Request Wizard, and then click
Next.


[Screenshot: the Workflow Central Request Wizard welcome page: "Welcome to the XKEYSCORE Workflow Request Wizard. This wizard will guide you through the steps of creating a Workflow. ... Upon completion of this wizard the workflow will be submitted for approval." The middle of the text, describing follow-on actions, is not legible.]

Next, select the search type you want to create from the pull-down menu. For this, I’m
selecting an Extracted Files query. These queries are essentially the Classic A-M and N-
Z queries you have seen in the Classic Search screens. The only difference is an
Extracted Files workflow will start looking for extracted files in the future and an ad hoc
Extracted Files query will search in past/previous collection.

[Screenshot: the Workflow Central Wizard's "Select a Search Type" dropdown, listing search types such as Alert, Call Logs, Document, Email Addresses, Full Log, HTTP Activity and IRC.]


Next, fill in the name of your query (“AfghanFiles”), the auditor-compliant justification,
and how often you want the query to run. I recommend offsetting the time from the
default of midnight (2400) by a few hours (before or after). For this, I’m selecting 0400.
Then hit NEXT.

In the Add Search Fields window, you will select the search criteria that you want to
search on. In this example, I’m looking for specific file attachment (DOC or PDF or XLS
or PPT) on a specific Afghanistan IP address.

You must hit the green “+” symbol to enter the search criteria.


Click Next

Single Field Search only searches in one field (e.g. File Extensions)

Multiple Field Search allows you to search on several fields (e.g., To IP AND From IP)

[Screenshot: the Add Search Fields window.]

Next, you will select the sites where you want your query to run. Scroll down in this
window to use the convenient "Select All" or "Uncheck All" buttons.

NOTE: If your selector is NOFORN, you must DESELECT sites that are 2nd/3rd
party.


Follow-on Actions tell XKEYSCORE to do things after it runs your query. For example,
it can email you with the results, or it can send them to Agility, or any combination of the
two. For this example, I want XKEYSCORE to email me telling me I have results and I
want it to download my results to Agility. Make sure you select Send to Agility if you
want the same.

Click the Green Add symbol, and then click next when finished.

On the next screen, enter any comments you wish (optional) and click Next.


Lastly, click SUBMIT. Your query isn’t active yet. The XKEYSCORE team will review
it and you will have to check back later and turn the query ON or OFF as you wish.

[Screenshot: the Workflow menu (Request, My Workflows) and a My Workflows table listing each workflow with its query name, last modified date and on/off state, plus action icons for each row.]


Searching - Tips and Tricks

The Official XKEYSCORE Frequently Asked Questions page is located here:
http://xkeyscore.rl.r.nsa/redmine/wiki/xkeyscore/FAQ. Here are some other tips/tricks
that may be useful:

1. Underscores in usernames:

If your selector has an underscore in it, you must precede the underscore with a backslash. For
example: abu_jihad would be searched as abu\_jihad. If you leave the underscore in the
query without the backslash, you are wildcarding a single character (see below).

To search on: abu_jihad@hotmail.com:

Bad query: Abu_jihad
Good query: Abu\_jihad

If you search on “abu_jihad” (without the backslash), you could bring back “abu1jihad”,
“abuTjihad”, "abuSjihad”, “abu-jihad”, etc. because you are wildcarding that character and
therefore you would be pulling on an entirely different selector.

2. To search on a range of IP addresses:

IP Address Range:

202.82.86.224 - 202.82.86.244

Becomes this XKEYSCORE Query (entered in the IP Address as To, From, or Either):
regex:202\.82\.86\.22[4-9] OR regex:202\.82\.86\.23[0-9] OR regex:202\.82\.86\.24[0-4]
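Tip 2 turns a contiguous IP range into an alternation of per-decade regexes. The Python below is an added example, not part of the guide: it generates that form for any range inside a single /24 and verifies, by matching every address in the /24, that the expression covers exactly the requested range. The guide's 202.82.86.224-244 range is the constructed sample input.

```python
import ipaddress
import re


def octet_chunks(lo: int, hi: int) -> list[str]:
    """Split the last-octet range lo..hi into regex pieces, one per block of
    ten, in the shape the guide uses: a fixed prefix followed by a digit class.
    224..244 -> ['22[4-9]', '23[0-9]', '24[0-4]']"""
    if not 0 <= lo <= hi <= 255:
        raise ValueError("octet range must satisfy 0 <= lo <= hi <= 255")
    pieces = []
    cur = lo
    while cur <= hi:
        block_end = min(hi, (cur // 10) * 10 + 9)   # last value in this block of ten
        prefix = str(cur // 10) if cur >= 10 else ""
        first, last = cur % 10, block_end % 10
        if first == last:
            pieces.append(f"{prefix}{first}")         # a single value needs no class
        else:
            pieces.append(f"{prefix}[{first}-{last}]")
        cur = block_end + 1
    return pieces


def ip_range_to_query(start: str, end: str) -> str:
    """Build the 'regex:... OR regex:...' search value for an IPv4 range that
    stays inside one /24, escaping the dots as the guide's example does."""
    s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if s > e:
        raise ValueError("start must not be above end")
    if s.packed[:3] != e.packed[:3]:
        raise ValueError("only ranges within a single /24 are handled here")
    net = r"\.".join(str(b) for b in s.packed[:3])
    return " OR ".join(f"regex:{net}\\.{p}" for p in octet_chunks(s.packed[3], e.packed[3]))


def addresses_matched(start: str, end: str) -> list[str]:
    """Apply the generated regexes to every address in the /24 and return the
    ones that fully match; used to check the query covers exactly start..end."""
    query = ip_range_to_query(start, end)
    patterns = [term[len("regex:"):] for term in query.split(" OR ")]
    net = ipaddress.IPv4Network(f"{start}/24", strict=False)
    return [str(a) for a in net if any(re.fullmatch(p, str(a)) for p in patterns)]


if __name__ == "__main__":
    # The guide's own example range (constructed sample input).
    print(ip_range_to_query("202.82.86.224", "202.82.86.244"))
    hits = addresses_matched("202.82.86.224", "202.82.86.244")
    print(f"{len(hits)} addresses matched, first {hits[0]}, last {hits[-1]}")
```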

3. Boolean Search Descriptions (Wildcards, ANDs, ORs, etc.):

OPERATOR   DESCRIPTION                                          USAGE
!          Not Equal Comparison                                 beginning of word (i.e. !joe and !sam)
or         Logical OR (search for multiple values)              between words (i.e. osama or laden)
and        Logical AND (search for combination value matches)  between words (i.e. *osama* and *laden*); takes precedence over ORs
*          Multiple Character Wildcard                          anywhere in word (i.e. *osam*bin*laden)
_          Single Character Wildcard                            anywhere in word (i.e. _sam_bin_laden)
>          Greater Than Comparison                              beginning of word (i.e. >00080 and <00111)
<          Less Than Comparison                                 beginning of word (i.e. <00080)
regex:     REGEX Expression                                     (i.e. to retrieve only numbers: regex:[0-9]*)
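An added example, not part of the guide, that models the operator table as a small matcher in Python and also implements the underscore escaping from tip 1, so the difference between the "bad" and "good" queries can be checked against sample values. The semantics (whitespace-separated terms, AND binding before OR, a term matching the whole value) are assumptions read off the table, not the tool's own implementation.

```python
import re

# Model of the operator table: whitespace-separated terms, 'and' binding tighter
# than 'or', '!' negation, '*' multi-character and '_' single-character wildcards,
# '\_' a literal underscore, '>' / '<' numeric comparisons, 'regex:' raw patterns.
# These are assumptions drawn from the table, not XKEYSCORE's actual code.


def escape_selector(value: str) -> str:
    """Escape literal underscores so they are not read as the single-character
    wildcard (tip 1): 'abu_jihad' -> 'abu\\_jihad'."""
    return value.replace("_", r"\_")


def term_to_regex(term: str) -> str:
    """Translate one wildcard term into a Python regex (anchored via fullmatch)."""
    if term.startswith("regex:"):
        return term[len("regex:"):]
    out = []
    i = 0
    while i < len(term):
        ch = term[i]
        if ch == "\\" and i + 1 < len(term):    # backslash: next char is literal
            out.append(re.escape(term[i + 1]))
            i += 2
            continue
        if ch == "*":
            out.append(".*")                     # multiple-character wildcard
        elif ch == "_":
            out.append(".")                      # single-character wildcard
        else:
            out.append(re.escape(ch))
        i += 1
    return "".join(out)


def term_matches(term: str, value: str) -> bool:
    """Evaluate one term, honouring a leading '!', '>' or '<'."""
    if term.startswith("!"):
        return not term_matches(term[1:], value)
    if term[0] in "<>" and term[1:].isdigit():
        if not value.isdigit():
            return False
        bound, n = int(term[1:]), int(value)
        return n > bound if term[0] == ">" else n < bound
    return re.fullmatch(term_to_regex(term), value) is not None


def query_matches(query: str, value: str) -> bool:
    """Evaluate a whole search value: split on 'or', AND the terms inside each
    group, then OR the groups (AND takes precedence over OR, as the table says)."""
    groups = [[]]
    for tok in query.split():
        low = tok.lower()
        if low == "or":
            groups.append([])
        elif low != "and":
            groups[-1].append(tok)
    return any(all(term_matches(t, value) for t in g) for g in groups if g)


if __name__ == "__main__":
    # Constructed sample values illustrating tip 1: the unescaped underscore is a
    # wildcard and matches a different selector; the escaped form does not.
    for q in ("abu_jihad", escape_selector("abu_jihad")):
        print(q, "->", [v for v in ("abu_jihad", "abu1jihad", "abu-jihad") if query_matches(q, v)])
```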


Which Query is best for me?

Quite often the most difficult part of using XKEYSCORE is deciding which query to use
at which time. Here’s a rough guide to help you decide.

Do you have an IP Address and want to learn more about that network?

[Flowchart: "I have a Network IP (e.g. from an NS lookup) and need to know which websites are seen on this network, then use the HTTP Activity query and search on the IP."]


Do you have an Email Address or Foreign Domain and want to learn more about it?

[Flowchart titled "Which XKEYSCORE Query is Best for Me?": "I have a/an Email Address or Domain (foreign) and need to know ..." The remainder of the chart is not legible.]


Do you have a phone number for your target and want to learn their email address?

[Flowchart: "... and need to know the target's email address, then use the PHONE NUMBER EXTRACTOR query and search on the PHONE NUMBER(S)."]
