Title: Tracking Targets on Online Social Networks

Release Date: 2014-05-13

Document Date: 2009-09-01

Description: This September 2009 NSA presentation outlines some of the insights that analysts can gather from online social networks (OSNs) and shows the XKeyScore interface for performing such searches: see the book No Place To Hide, 13 May 2014.

Document: TOP SECRET//COMINT//REL TO USA, FVEY

(S//SI//REL) Tracking Targets on Online Social Networks

The overall classification of this briefing is TOP SECRET//COMINT//REL TO USA, FVEY

Online Social Networks SME
September 2009

Derived From
NSA/CSSM 1-52
Dated 20070108
Declassify on: 20320108

TOP SECRET//COMINT//REL TO USA, FVEY

SECRET//COMINT//REL TO USA, FVEY

(U//FOUO) OSN Overview

(S//SI//REL TO USA, FVEY) OSN Selectors are usually invisible to the user and are only used internally.

SECRET//COMINT//REL TO USA, FVEY


TOP SECRET//COMINT//REL TO USA, FVEY

FanBox

(TS//SI//REL TO USA, FVEY) Suppose you sign up for FanBox with the address terror.bomber@[illegible].com and you also sign up for FanBox email. Here's what your identifiers will look like:

■ (TS//SI//REL TO USA, FVEY) Username: terrorbomber[digits illegible]
■ (TS//SI//REL TO USA, FVEY) UserId: [digits illegible]
■ (TS//SI//REL TO USA, FVEY) Email: terrorbomber@fanbox.com (if it's available)
■ (TS//SI//REL TO USA, FVEY) Email: terrorbomber[digits illegible]@fanbox.com (if the above address is already taken)
■ (TS//SI//REL TO USA, FVEY) Note that if your sign up email address already exists as a FanBox email address, FanBox will simply append a few random digits to make it a unique FanBox email address.

TOP SECRET//COMINT//REL TO USA, FVEY


TOP SECRET//COMINT//REL TO USA, FVEY

What intelligence do OSN’s provide to the IC?

(S//SI//REL TO USA, FVEY) Insight into the personal lives of targets MAY include:

■ (U) Communications
■ (U) Day to Day activities
■ (U) Contacts and social networks
■ (U) Photographs
■ (U) Videos
■ (U) Personnel information (e.g. Addresses, Phone, Email addresses)
■ (U) Location and Travel Information

TOP SECRET//COMINT//REL TO USA, FVEY

UNCLASSIFIED

(U) Popular Online Social Networks as of 2007

bebo

blogger

cyworld

facebook

fotolog

friendster

hi5

livejournal

myspace

orkut

skyblog

studiverzeichnis

unidentified

UNCLASSIFIED

UNCLASSIFIED

(U) Popular Online Social Networks as of October 2008

[Map: highest-ranking social network per country. Source: www.oxyweb.co.uk/blog, revision 0.3, Oct 2008]

The data shows the highest ranking social network for each country by traffic, not by members, page views or any other method.

Data was taken from Alexa.com on 15th Oct 2008.

"Alexa data [illegible] users who have the Alexa toolbar as well as data obtained from other, diverse traffic data sources" - Alexa.com

Countries in gray do not have data available and for a few countries it was difficult to identify local social networks and therefore were omitted from the map.

It's not perfect so let me know of any errors or suggestions.

Map legend: Bebo; Cloob (IR); Cyworld (S Korea); Draugiem.lv; Facebook; [illegible]; Friendster; Grono (PL); Hi-5; Hyves (NL); IRC Galleria (FI); iwiw.hu (HU); Lide (CZ); Mixi; Myspace; [illegible] (SI); One.lt; Orkut; Perfspot; [illegible]; Skyrock; StudiVZ; Tuenti; V Kontakte; Wretch (TW); Xiaonei

UNCLASSIFIED

UNCLASSIFIED//FOR OFFICIAL USE ONLY

[Slide of OSN logos. Legible names: OpenSocial, Skyrock, Free People Network, Friend Connect, Facebook, Windows Live Spaces, Recruiting Grounds, Gaming Network, FanBox, Friendster, myspace.com ("a place for friends")]

UNCLASSIFIED//FOR OFFICIAL USE ONLY

TOP SECRET//COMINT//REL TO USA, FVEY

(TS//SI//REL TO USA, FVEY) CT Targets have been observed using more than 50+ OSNs as of late 2008

[OSN logos on slide. Legible names: Free People Network, myspace.com ("a place for friends"), Friendster, Facebook, Netlog]

TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY

(TS//SI//REL TO USA, FVEY) Types of OSN Activity

(TS//SI//REL TO USA, FVEY) Type I: Operational Communication

(TS//SI//REL TO USA, FVEY) Type II: Technological Operational Communication

(TS//SI//REL TO USA, FVEY) Type III: Extremist/Propaganda OSN Users (Overt)

(TS//SI//REL TO USA, FVEY) Type IV: Direct Non-operational OSN Users

(TS//SI//REL TO USA, FVEY) Type V: Self-Provided Personal Data on OSN

(TS//SI//REL TO USA, FVEY) Type VI: Close Associate Information or Communication (“The Super Sloth Method”)

TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY

(TS//SI//REL TO USA, FVEY) Types of OSN Activity

TOP SECRET//COMINT//REL TO USA, FVEY

(S//SI//REL TO USA, FVEY) OSN Selectors expand SIGDEV opportunities

Leverage initial selector seeds to build a better picture of the target’s online persona and the selectors involved

TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY

(U) OSN Comms Flow

(TS//SI//REL TO USA, FVEY) TWO individuals communicating seamlessly through at least FOUR independent selectors

TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY

(TS//SI//REL TO USA, FVEY) User Activity Possible Queries

User Activity

TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY

(TS//SI//REL TO USA, FVEY) Pros and Cons of User Activity Queries

Pros:

Hard Selector query
Easy to pull/automate
Email Addresses in the Username can lead to new leads

Cons:

Only certain OSN’s usernames that can be queried
No content that doesn’t have a selector associated with it
No Web-Browsing

TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY

(TS//SI//REL TO USA, FVEY) HTTP Activity and IP Multisearch Queries

[Screenshot: query form. Fields: Datetime (1 Day), Start (2009-09-23 00:00), Content Must Exist, Snippet Must Exist, Max Results for a Single DB, IP Address, IP Role (From / To / X-Forwarded-For), HTTP Type, Host, URL Path, URL Args, Search Terms, Language, Active User, TDI Type, TDI. Search Forms: User Activity, Phone Number Extractor, Email Addresses, Extracted Files, HTTP Activity, Full Log, Web Proxy]

HTTP Activity Queries usually require some other piece of technical information to query while leveraging the OSN appIDs to be legally compliant

•IP Address
•MAC Address

TOP SECRET//COMINT//REL TO USA, FVEY

[Screenshot: search menu (Search Wizard, Classic, Multi Search, IP Addresses, Mac Address, Domain, Username) and query form with Content Must Exist, Snippet Must Exist, Max Results for a Single DB. Search Forms: User Activity, Email Addresses, Full Log. Source: username]

TOP SECRET//COMINT//REL TO USA, FVEY

(TS//SI//REL TO USA, FVEY) Username Queries are preferable

•Email address of the user often appears in the “Attribute Value” or other fields when looking at OSNs.

TOP SECRET//COMINT//REL TO USA, FVEY

[Screenshot: results table with columns Search For, Search Value, Domain, Realm, Subject, Attribute Type, Chain, Attribute Value, Activity]

TOP SECRET//COMINT//REL TO USA, FVEY

(TS//SI//REL TO USA, FVEY) HTTP Activity Queries

HTTP Activity Queries usually require some other piece of technical information to query while leveraging the OSN appIDs to be legally compliant

•IP Address
•MAC Address
•Country of Origin

TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY

(TS//SI//REL TO USA, FVEY) Pros and Cons of HTTP Activity Queries

Pros:

OSNs that don’t require login are seen
Mobile and other technologies may be seen more easily
Web forms, chat, etc. that may not be collected by normal dictionary selection can be seen and saved off

Cons:

Traffic Overload - Too many results (GET requests etc.)
Proxies and network architecture can obfuscate the target’s traffic
Bad presentation - HTTP activity usually needs to be viewed as code

TOP SECRET//COMINT//REL TO USA, FVEY

[Screenshot: query form. Legible text, in order: Latitude (IP); Longitude (IP); Application Type; Facebook | Target's Name; Application Info; social/facebook; Application; Field Builder; AppID (+Fingerprints)*; fulltext; Application Type; Target's Twitter Name; Application Info; social/twitter; Application; Field Builder; AppID (+Fingerprints)*; fulltext]

TOP SECRET//COMINT//REL TO USA, FVEY

(S//SI//REL TO USA, FVEY) Xkeyscore Server Side Pulls

TOP SECRET//COMINT//REL TO USA, FVEY


TOP SECRET//COMINT//REL TO USA, FVEY

(TS//SI//REL TO USA, FVEY) Useful AppIDs

Social/* = A great starting point, will show all social traffic on an IP, also an efficient way to see the types of OSN that are being used in a geographic area, region, etc.

Social/YourOSNHere = Great for IP level targeting etc.

Social/Facebook/chat/to_server = Possible to see the recipient of a target’s chat and the message that was sent

Social/Facebook/upload/photo = AppID detects the photos being uploaded onto Facebook by your target

TOP SECRET//COMINT//REL TO USA, FVEY


TOP SECRET//COMINT//REL TO USA, FVEY

Questions or Comments?

Contact Info

(U//FOUO) Online Social Networks Working Group

Main Page: “Go OSN”

Other Pages: “Go Facebook” “Go Twitter” “Go

ci Team

TOP SECRET//COMINT//REL TO USA, FVEY

