Title: Writing XKS Fingerprints

Release Date: 2015-07-01

Document Date: 2010-11-22

Description: This 67-page NSA presentation from November 2010 explains how to create the “Fingerprints” which enable analysts to trace individuals within XKeyScore: see the Intercept article XKEYSCORE: NSA’s Google for the World’s Private Communications, 1 July 2015.

Document: writing-xks-fingerprints-p1-normal.gif:
Writing XKS Fingerprints

November 2010

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZLwriting-xks-fingerprints-p2-normal.gif:
Agenda

• Naming Fingerprints

• Simple Keywords
° Boolean Logic

• Variables

• Context-Sensitive

TOP SECRET//COM1NTwriting-xks-fingerprints-p3-normal.gif:
Fingerprints 101

• What’s in a name?

• The XKS Fingerprint naming convention
can help organize fingerprints and make
searching easier so its important to make
sure you name your fingerprint inline with
the existing convention

TOP SECRET//COM1NTwriting-xks-fingerprints-p4-normal.gif:
• For example, fingerprint names look like this:

• encryption/archive/rar

• encryption/archive/pkzip

• encryption/archive/pkzip •

• Notice the directory-like structure so that all
encryption fingerprints are within the same
“folder” and allencryption/archive fingerprints
are within the same Tolder”

TOP SECRET//COM1NTwriting-xks-fingerprints-p5-normal.gif:
What's in a name

This allows for smarter searching because
you could look for all encryption
fingerprints by searching for encryption/*
search for all encryption/archive
fingerprints by searching for
encryption/archive/* and etc.

TOP SECRET//COM1NTwriting-xks-fingerprints-p6-normal.gif:
• When you want to submit a new fingerprint,
look to see if it would fit into any existing
fingerprint folders.

• Best way to do this is to use either the “Field
Builder” or “Tree Field Builder” next to the
AppID+Fingeprints field in the search forms

TOP SECRET//COM1NTwriting-xks-fingerprints-p7-normal.gif:
TOP SECRET STRAPi

What's in a name

The field builders allow
you to browse existing
fingerprint directories to
see if one already exists for
your new fingerprint

R.ul.W

* , Apple (♦Fira«ipnritii

> (_JA>pllc-a1lcr«s

:• Qct_mo

> GPSjuAhfl

2 HTMLD_cjtion
P QlCBM
P OQUWTUM0OT
p Qtao
P L jOv«ltl»KI’l«llt
p i_3

P (_l analytic*

> L an»

j anonym*«'

> LJ anIMius
P [_J app

__| applet on

pQ application*

S Jisociatc
»atAsoor
:> Q_jPjcPCooo
p JMog
:• _DPotn«t

TOP SECRET//COM1NTwriting-xks-fingerprints-p8-normal.gif:
botnQtA'lad<6nergytx)V'comni¿ind/icrrip
botnetyblackenergybof/comniand/strip
botnet^lackenergytotAommancl/syri
botnet>lDlackenergybot/comrrand/*/ait
TOP SECRET//CÜM1NT

3 a s a a e 6 F » rë
TJ 13 TJ TJ "O 13 n n n n n n 13 n ■c 15 ■3 C.
1 1 t ^ 1 t ? S 5 ?
mm f. 1 T S IX
•K T n T «< j. : j.1 _ : j.1 1. ^ ^ >. %. > % ■» S I m'
V) OT V> Vt m v> V?
S" rfi" ro* ¡o’ 5- ro" CL CL CL CL CL CL ü) Ri H W H H c- Ss S- S: è 11 i il 'I ! £ G O CL ro Q. t-* I *cr r $ < 5 6

[CR BT Sl'RAPiwriting-xks-fingerprints-p9-normal.gif:
What s in a name

If no existing directory makes sense for your
fingerprint, you can always create a new
one.

TOP SECRET//COM1NTwriting-xks-fingerprints-p10-normal.gif:
Fingerprints 101: Getting Started

• The first step is to define the name of the
fingerprint.

• To do that, follow the syntax below:
fingerprint(encryption/archive/test_new’)

TOP SECRET//COM1NTwriting-xks-fingerprints-p11-normal.gif:
Fingerprints 101: Getting Started

• Note that fingerprint names can not have
spaces or any other punctuation other than
/ which denote directories and _ which can
be used in the place of spaces to make
fingerprint names easier to read

•fingerprint( encryption/archive/test_new’)

TOP SECRET//COM1NTwriting-xks-fingerprints-p12-normal.gif:
TOP SECRET STRAFi

Fingerprints 101

As an example, let’s say we want to fingerprint
traffic like this:

. ¿***\kJ^ *IL*j

(^120^

)-cr [ yp

WOWH - ni-ini? C* |

tawab



ft» Btg'r ASRAR □ Mc||tfwd««r *2.0 EncryptedNitiiK 11»
ifRflTiT/ATRHH2E12jfl1 C^VQyfrfrRIMmEZZTdlNzZniZQhKJQUxZYVZhVDP' ICj YwtfVIZGUQ
ZiYWMjd
*OeYiY]c1ZDolMOAihfTQi7jn\'1NDV(Y2,ryMGJJYJ|.200K/ll4NiTt*nM2)1Mjc5OOk./ZGfJhOjRrn’%\%JrrNjVZjP0W‘jVtkY~'i4MiMit2iRiN2r Mi 13 M C1NGJ3UTA3ZDQ4 NAVR-n Yr MyOTU r Z ¡2Vj:j3NiQ10G04\ITA3N
rU2S2ZHN25YlU2YlYimFlOOiWiK2VW«2U6MT2iNCY2MirM2Z^/rijQ2Ya0C-Ga2ODUxMW
VVM.UMWVINDAyOSIOMm MTdnfiTY' YtfxMDgyOGZMawZWZI U OawV2CM MlNMOfllOD
UxZTUOOc1MTY2M?ONJU67JR» 7^»\jM>n-nh\flF i OTbmYVM HriiFI2]»yNn*l/*7nA3wnMO
N>.*ZDhhNrrl4ZmRhY'ic3NrrZH0Fk0DZ#lMZE«Z3Q5Nir#»TZDQxCTIWi NIBM|e3WzB OV/twZWb1 N)k3Yj gxY2VfnQ10WULnoiM>
UUJIbjUPqr*Oi;VKH»e«K aZjU2yqEmKbl-HHji*Mh*f-Urtf-AJwMS*i-KokUKfcc*Xh
I

Gut3juYTwlEOiG«20s3f>lS5kfRXXH-DiTnb70/ufeer6trA1>Q6
♦$ECSRUIdU€YVupr0bhac4Dof
$BbFR3i>vgOS>pUxPYgmEOf)HA*rm7tuH0NI>*cynZoati;NdnRUr«|EpFqFC3*PHSnaniqo
♦ 1C«fli*icr62XE2q>V.1XJWnM«VHAJy2n*L*«2TC1IHbae2J«t(V37
k1 X yO N7V 9YVR- ~ V.3 »VA’P XI» ytntw *,0 X WTqP HI I J1.IWA7ti2NKi.:3X»nMrr::i:l>4c jRJ6“Ery7t03xPfiB3loaf4*30aUkZHLEiivJlAvfl/B6Rri«JAhSqk5rMH(Xfc«VJc>3umWOmRtcCjz3
PW>!zrFCC»B4SK4HxIl»2Z(^2KttU8VMyNtrrls!U4Xl,*saK4iNxVL8•■Z1o\Y2fcA4N4y)niqfJ2FNftiAON$Ej»irKoggVrnkxl>jGaui*Tufpx3gatlg

tt9 End ASRAR □ Maja-wd««- «2.0 ErKiypted Message 11»writing-xks-fingerprints-p13-normal.gif:
TOP SECRET STRAPi



ro

4—»

ro

’U

C

CC

o

"Ö



C/D

a

<3J

X)

2

o

o

u

txO

c

• y-*

X

KV» .»< i r*v:writing-xks-fingerprints-p14-normal.gif:
Fingerprints 101: Keywords

• So let’s create a fingerprint to tag any data
that contains that string

ASRAR El Mojahdeen V2.0 Encrypted Message

TOP SECRET//COM1NTwriting-xks-fingerprints-p15-normal.gif:
Fingerprints 101: Keywords

First we’d define the fingerprint with a
name:

fingerprint(‘encryption/mojahdeen2’)

TOP SECRET//COM1NTwriting-xks-fingerprints-p16-normal.gif:
Fingerprints 101: Keywords

•Then, simply put the string in single quotes
to denote that XKS needs to look for it as a
keyword:

Fingerprint(encryption/mojahdeen2’) =

ASRAR El Mojahdeen V2.0 Encrypted Message’

TOP SECRET//COM1NTwriting-xks-fingerprints-p17-normal.gif:
Fingerprints 101: Keywords

Finally, all fingerprint definitions need to
end with a semi colon to tell XKS that the
definition is finished

fingerprint(encryption/mojahdeen2’) =

‘ASRAR El Mojahdeen V2.0 Encrypted Message

TOP SECRET//COM1NTwriting-xks-fingerprints-p18-normal.gif:
TOP SECRET STRAPi

Fingerprints 101: Keywords

• Using the fingerprint GUI on XKS Central, we can
test to see if this compiles:

Fingerprint Validation / Submittal

Stop #1 iCompilo Stop *2 i laet Agjintt Saexmn 0*1* Stop Ki IdSav* W Help


Signature

fingerprint (* encryption/moj ahdeen2 7) = 7A9RAR
El Mojahdeen v2.0 Encrypted Message7;

Success!

Results

SUCCESS!

Congratulations, your fingerprint was successfully compiledl

Now use the lest button to run it against the designated session datawriting-xks-fingerprints-p19-normal.gif:
y-wj i >» *'-<

CL o

cu ^

cu n
_ rD

^ Q-
2. «
5- a

• ss
cn rD
•• O-

=r

o

D

:CRET STRAFiwriting-xks-fingerprints-p20-normal.gif:
TOP SECRET STRAPi

Fingerprints 101

•Asa second example, let’s say we want to find
data like this:

la i Atu&ä ad.

Attn:

A.X Purchase

SUBJECT : QUOTATION AGAINST YOU?. ENQUIRY PXF: Purchase of P.TV Silicon DATED:

16/05/2010
Dear Sic,

91th reference to your subject enquiry, oe are pleased to enclose ouc Quotation No: Q-02153-03-5C7
dated: 07/06/2010, for your perusal.

Please see the ‘Terms of Sole' ottoched »ich our quote for any further details.

9e hope our offer suits your requirements and we loofc forward to your valuable purchase order In due

Ref: June 07, 201000803/0-02135 Islamabad:
National Development Cowp^x
Plot No reee No:

Sector:

TOP SECRLT//COM1NTwriting-xks-fingerprints-p21-normal.gif:
TOP SECRET STRAPi

Fingerprints 101

• Look for keywords that could be used to find
traffic like tnis in the future.

SUBJECT : QUOTATION AGAINST TOUR ENQUIRY PIT: Purchase o' RTV Silicon DATED:

18/05/2010
Dear Sit,

Uith reference to your subject enquiry, we are pleased to enclose our Quotation No: Q-02133-03-5C7
dated: 07/06/2010, for your perusal.

Please see the 'Terse of Sole' attached »ith our quote for any further details.

Be hope our offer suits your requirements and we loolt forward to your valuable purchase order In due

Ref: June 07, 201000803/0-02135 Islamabad:
National Development Complex



13 lairaceri.

■ - - B||||§!

AX Purchase

TOP SECRET//COM1NTwriting-xks-fingerprints-p22-normal.gif:
TOP SECRET STRA.Fi

Fingerprints 101

• What if we looked for “National Development
Complex” and “Quotation”

Dear Sic,

With reference to your subject enquiry, dated: 07/06/2010, for your perusal.

Please see the 'Terse of Sole' attached nith our quote for any further details.

Be hope our offer suits your requirements and we look forward to your valuable purchase order In duewriting-xks-fingerprints-p23-normal.gif:
Fingerprints 101: Boolean Logic

Starting with these two keywords, we’d
to use Boolean Logic to create our new
fingerprint

• national development complex

• quotation

TOP SECRET//COM1NTwriting-xks-fingerprints-p24-normal.gif:
TOP SECRET STRAPi

Fingerprints 101: Boolean Logic

• Again, step one think of a name:

fingerprint( cp/pakistan/agencies/ndc’)

TOP SECRET//COMINTwriting-xks-fingerprints-p25-normal.gif:
Fingerprints 101: Boolean Logic

• Step two, put single quotes around all
keywords:

fingerprint (‘cp/pakistan/agencies/ndc’)
‘National Development Complex’
‘quotation’

TOP SECRET//COM1NTwriting-xks-fingerprints-p26-normal.gif:
Fingerprints 101: Boolean Logic

• Use the Boolean operator and

fingerprint(‘cp/pakistan/agencies/ndc’)
‘National Development Complex’ and
‘quotation’

TOP SECRET//COM1NTwriting-xks-fingerprints-p27-normal.gif:
Fingerprints 101: Boolean Logic

• Finish the expression with the semi-colon

fingerprint(‘cp/pakistan/agencies/ndc’) =
‘National Development Complex’ and
‘quotation’;

TOP SECRET//COM1NTwriting-xks-fingerprints-p28-normal.gif:
TOP SECRET STRAPi

Fingerprints 101: Boolean Logic
• Use the fingerprint GUI to confirm the
fingerprint definition compiles

Fingerprint Validation / Submitt.il

Slep #1 Step#? Step #3
Compi «! 1 T»< Against Sessicn Data g Saw*

Signature

fingerprint('cp/pakistan/agencies/ndcT)
'national development complex' and
'quotation';

© Success!

Results

W Help

SUCCLSS!

Congratulations, your fingerprint was successfully compiled!

Now use the Test button to run it against the designated session cata.writing-xks-fingerprints-p29-normal.gif:
Fingerprints 101

• This fingerprint will now successfully find all
sessions like this in the future!

Usir tj TX" “c

Pcf: June 07, 2O10COB0 VO-02135 Is lair**»ad:

Nation*! Ccer

Plot Tfor^^^^^treet No:

Sector:
tele*

Attnr

AH Purchase

SUBJECT : QU07ATICfC JLOAHCST TOUR »QUIRT RET: Pucchtxo Of RTV Silicon DATED:

ia/os/2010

Desc Sit,

With reference to your subject enquiry, nc ore plcooed to enclose our Cwtotion No: Q-02135-05-567

dated: 07/06/2010, for your perusal.

Please see the ‘Terrs of Self ecteched with our quote for eny further decells.

tope our offer suits your requirements and ve look forward to your valuable purchase order in due

TOP SECRET//COM1NTwriting-xks-fingerprints-p30-normal.gif:
TOP SECRET SI'RAPi

Fingerprints 101

• However, how can we account for variations of how
the traffic might be seen? Maybe “National
Development Complex” will be listed as “NDC”. Or
maybe instead of a “Quotation” it will be a “Invoice”
and etc.



Pcf: June 07, 2O10COB0VO-02135 Isl-urehad
Nation*! Devglopeaent Complex
Plot Tfo: Street. No:

Sector s
131 m*r\Y. nr I.

Attn!

AH Purchase

SUBJECT : QUOTATXCfC AGAINST TOUR ENQUIRY REF: Punch**«* of RTV Silicon DATED:
18/OS/2010

I^eac Sic,

With reference to your subject enquiry, we arc pleased to enclose our Cwtation No: Q-02135-05-567
dated: 07/06/2010, for your perusal.

Pi«we see the ‘Terrs of Sftl«1 extmehed with our quote for any lurcher d«c*ila.

hope our offer suits your requirements and ve look forward to your valuable purchase order in due

A

TOP SECRET//COMJN7writing-xks-fingerprints-p31-normal.gif:
Fingerprints 101:

Boolean Logic

• Keywords can also be grouped together by
parentheses to form more complex Boolean
logic:

TOP SECRET//COM1NTwriting-xks-fingerprints-p32-normal.gif:
Fingerprints 101: Boolean Logic

For example, we can expand on our previous
fingerprint like so

fingerprint (‘cp/pakistan/agencies/ndc’) =
(‘National Development Complex’ or ‘NDC’)
and (‘quotation or ‘invoice’) ;

TOP SECRET//COM1NTwriting-xks-fingerprints-p33-normal.gif:
Quick Aside 1: Context Sensitivity

• All keywords in X-KEYSCORE are case-
insensitive by default.

• So in the previous fingerprint ‘NDC’ will
match on ride, NdC, nDC etc.

TOP SECRET//COM1NTwriting-xks-fingerprints-p34-normal.gif:
Quick Aside 1: Context Sensitivity

• If you want to force a keyword to be case
sensitive, simply append a c after the single
quotes.

• Ex: ‘NDC c will only hit when NDC is found
in all caps, or ‘ndcc will hit only when ride is
found in all lower case and etc.

TOP SECRET//COM1NTwriting-xks-fingerprints-p35-normal.gif:
Quick Aside 2: Keyword Scanning

By default keywords in fingerprints can hit in substrings
since for example ‘ndc’ is found within grandchildren.

So this fingerprint

fingerprint(‘cp/pakistan/agencies/ndc’) =

‘NDC’;

Will hit on terms like:

• grandchildren

• handcard

• handcuffs

• etc.

TOP SECRET//COM1NTwriting-xks-fingerprints-p36-normal.gif:
TOP SECRET SI'RAPl

• In specific cases to avoid false hits you can use the ‘word’
context.

• Or force there to be a space on either or both ends of the term
by including them inside the single quotes

• So this fingerprint becomes:

fingerprint(‘cp/pakistan/agencies/ndc’) =

‘ NDC
OR:

fingerprint(‘cp/pakistan/agencies/ndc’) =

word(‘NDC’);

TOP SECRET//COM1NTwriting-xks-fingerprints-p37-normal.gif:
Fingerprints 101:

Boolean Logic

• Let’s say that this fingerprint is producing
good hits, but it also hitting on spam E-
mails.

fingerprint(‘cp/pakistan/agencies/ndc’) =
(‘National Development Complex’ or ‘NDC’)
and (‘quotation’ or ‘invoice’);

TOP SECRET//COM1NTwriting-xks-fingerprints-p38-normal.gif:
Fingerprints 101: Boolean Logic

• We can use the Boolean and not to defeat
unwanted traffic like below:

fingerprint (‘cp/pakistan/agencies/ndc’) =
((‘National Development Complex’ or ‘NDC’)
and (‘quotation or ‘invoice’)) and not
(‘viagra’ or ‘herbal supplement’);

TOP SECRET//COM1NTwriting-xks-fingerprints-p39-normal.gif:
Fingerprints 101: Variables

• Variables allow you to link to a list of keywords.

• For example, working with this fingerprint, we
could create variables to each grouping of terms.

fingerprint(‘cp/pakistan/agencies/ndc’) =

((‘National Development Complex’ or ‘NDC’) and
(‘quotation or ‘invoice’)) and not (‘viagra’ or
‘herbal supplement’);

TOP SECRET//COM1NTwriting-xks-fingerprints-p40-normal.gif:
Fingerprints 101: Variables

Variables use the same syntax as fingerprints

$NDC_terms = ‘National Development Complex’ or
‘NDC’;

$procurement_terms = ‘quotation’ or ‘invoice’;
$spam_defeats = ‘viagra’ or ‘herbal supplement’;

fingerprint(‘cp/pakistan/agencies/ndc’) =
($NDC_terms and $procurement_terms) and not
$spam_defeats;

TOP SECRET//COM1NTwriting-xks-fingerprints-p41-normal.gif:
Fingerprints 101: Variables

• Variables can be re-used in multiple fingerprints.

• For example, we could have:
fingerprint (‘cp/pakistan/agencies/ndc’) =
($NDC_terms and $procurement_terms) and not

$spam_defeats;

fingerprint(‘cp/pakistan/angencies/ndc/testing’) =
$NDC_terms and (‘missile launch’ or ‘tactical
radio’);

TOP SECRET//COM1NTwriting-xks-fingerprints-p42-normal.gif:
Fingerprints 101: Variables

In the future, you can modify the
variable $NDC_terms and it will
automatically affect both fingerprints
since they use that variable in their
definition.

TOP SECRET//COM1NTwriting-xks-fingerprints-p43-normal.gif:
TOP SECRET STRAPi

When that's not enough...

For example, take the first scenario:

I want to look for documents from Iran that mention a banned item”

Just using keywords with Boolean equations, how could we
restrict the term to only a document body and only coming
from Iran?

TOP SECRET//COM1NTwriting-xks-fingerprints-p44-normal.gif:
top secret strapi

Context Sensitive Scanning

• X-KEYSCORE’s context sensitive scanning engine
allows you to explicitly say where you want a term to
hit.

As an early example, the Tech Strings in Documents
capability allowed analysts to restrict terms to only
Email, Chat or Documents Bodies

The full XKS Context Sensitive Scanning engine
allows for over 70 unique contexts to be used as part of
an fingerprint

TOP SECRET//COM1NTwriting-xks-fingerprints-p45-normal.gif:
TOP SECRET STRAPl

Context Sensitive Scanning

For example, take the first scenario:

I want to look for documents from Iran that mention a banned item”

Using the XKS context for Country Code (based on NKB
information) and the XKS context for Document Bodies,
this easily becomes:

fingerprint(‘demo/scenarioi’) =

cc(‘ir’) and doc_body(‘banned item’)

TOP SECRET//CÜM1NTwriting-xks-fingerprints-p46-normal.gif:
Context Sensitive Scanning

• As another example, let’s say we want to tag all Iphonc usage

• Using the XKS context for User Agent this easily becomes

fingerprint(‘demo/scenario2’) =
user_agent(‘iphone’);

TOP SECRET//COM1NTwriting-xks-fingerprints-p47-normal.gif:
TOP SECRET STRAPi

USSID18/HRA Considerations

XKS Fingerprints may not be USSID18 or HRA
compliant if they are queried on by themselves

For example, we may want to fingerprint the use of
mobile web devices like the IPhone, so that attribute
could be used as part of a more complex query.

But querying for the IPhone fingerprint itself would
be a USSID18 and HRA violation.

TOP SECRET//COM1NTwriting-xks-fingerprints-p48-normal.gif:
USSID18/HRA Considerations

But if you want to look for an IPhone user from
an Iranian Proxy accessing his Mail.ru account:

IP Address:

Either v

AppID

(+Fingefprints) ifulltextl:

Field Builder
ApplL) (+Fingerprints)

browser/re I |phrriR/iphm»|

Add to =ield

Field Umlder

Close

AppID ( Hinqerpnnts)

mailAvebmail/mailrj

mail/v/ebmail/rrailru

mali/v/etomali/irailru/attachme'it

mail/v/ebmail/mailru/post

TOP SECRET//COM1NTwriting-xks-fingerprints-p49-normal.gif:
What contexts are available for use in XKS Fingerprints?

TOP SECRET//COM1NTwriting-xks-fingerprints-p50-normal.gif:
TOP SECRET STRAPi

HTTP Activity Contexts (1 of 2)

html_title(expr) The normalized extracted text web page titles html_title(‘how to’ and ‘bomb’)
http_host(expr) The “Host:” name given in the http header. http_host( yahoo.com')
http_url(expr) Every URL from HTTP GET and POST commands. http_url(7mail/inbox?action=delete’)
http_url_args(expr) All arguments given as part of a URL (ie. all text following the ‘?’ in a URL string) http url(‘action=delete’)
http_referer(expr) The “Referer:” URL given in the HTTP header http referer(,http://badwebsite/cp?action=show’)
http_language(expr) The normalized two letter iso-6393 language code as inferred from any http and or html header info httplanguageffa' or ‘de')

TOP SECRET//COM1NTwriting-xks-fingerprints-p51-normal.gif:
TOR SECRET STRAPi

HTTP Activity Contexts (2 of 2)

http_cookie(expr) The “Cookie:” field given in the http header. http_cookie(/PREF=\d\d[a-z]/)
http server(expr) The “Server:” type name in the http header. http_server(‘GWS/2.1 ’ or ‘Apache’)
http_user_agent(expr) The “User-Agent:” field given in the http header. http_user_agent(/MozillaV[45]/ or ‘Chrome’)
web_search(expr) The normalized extracted text from web searches web searchfricin’ or ‘plague’)
X forwarded for(expr) The X-h'orw'arded Tor IP address from the HTTP I leader x_forwarded_for(‘i.2.3-4’)

TOP SECRET//COM1NTwriting-xks-fingerprints-p52-normal.gif:
TOP SECRET STRAPi

Protocol Contexts 1 of 2

ip(expr) The source or destination IP address of the session ipf 127.0.0.1*)
from Jp(expr) The source IP address of the session from_ip(‘l 27.0.0. V)
to ip(expr) Every URL from HTTP GET and POST commands. toJpC 127.0.0.1*)
ip subnet(expr) IP subnet in CIDR notation, ip subneti‘7.211.143.148/24’)
port(expr) The source or destination TCP or L DP port number. port(*22’)
from_port(expr) The source TCP or UDP port number. from_port(’22’)
to_port(expr) The destination TCP or UDP port number. to_port(’22>)

TOP SECRET//COM1NTwriting-xks-fingerprints-p53-normal.gif:
TOPSliCRETSTRAPi

Protocol Contexts 1 of 2

cc(expr) The country (either to OR from) based on IP address cc(‘ir or 4pk')
from_cc(expr) The source country based on IP address from_cc(‘ir’ or ‘pk’)
to_cc(expr) The destination country based on IP address to cc(V or ‘pk’)
protocol(expr) The textual form of the IP next protocol, protocol (‘TCP’)
next_protocol(expr) The textual form of the IP next protocol. ip_next_protocol(’ 1T)
mac address(expr) fhe MAC address of the target network device. mac_address(‘00:16:3E:3F:BD:EF’)

TOP SECRET//COM1NTwriting-xks-fingerprints-p54-normal.gif:
TOP SECRET SI’RAPi

ommunication Based Contexts

email_body(cxpr) The UTF-8 normalized text of all email bodies. email_body(‘how to’ and ‘build’ and (‘bomb’ or ‘weapon’))
chat_body(expr) The UTF-8 normalized text of all chat bodies. chat_body(‘how to’ and ‘build’ and (‘bomb’ or ‘weapon’))
document_body(expr) The UTF-8 normalized text of the Office document. - Office documents include (but are not limited to) Microsoft Office. Open Office. Google Docs and Spreadsheets. document_body(‘how to’ and ‘build’ and (‘bomb’ or ‘weapon’))
calendar_body(expr) The UTF-8 normalized text of all calendars. An example is Google Calendar, calendar body(‘wedding’)
archive_flles(expr) Matches a list of files from within an archive. For example is a ZIP file is transmitted, all names of files within are passed to this context. archive_files(‘bad.dU’ or ‘virus.doc’)
http_post_body( expr) The UTF-8 normalized text HTTP url-encoded POSTs, http post body(‘action=send’ and ‘badguy@yahoo’)writing-xks-fingerprints-p55-normal.gif:
TOP SECRET SIRAPi

Communication Based Contexts

Aliases

doc email body(expr) This covers the email_body and document_body contexts doc email body(‘how to’ and ‘build’ and (‘bomb’ or ‘weapon’))
communication_body(expr) This covers the email body, document body and chat_body contexts chat body(‘how to’ and ‘build’ and (‘bomb’ or ‘weapon’))

A guide to XKS contexts can be found

TOP SECRET//COM1NTwriting-xks-fingerprints-p56-normal.gif:
TOP SECRET STRAPl

Context sensitivity

Why use context-sensitive scanning?

• More intuitive - you can say what you mean

• More accurate - ifmaps.google.com' is mentioned in a
blog post, you don't want to try processing it as a Google
Maps session

• Better performance for XKEYSCORE

TOP SECRET//COM1NTwriting-xks-fingerprints-p57-normal.gif:
Examples

• “I want to look for people doing web searches on Jihad from
Kabul”

• Using the from_city() and web^search() context this
becomes

fingerprint(‘demo/scenario3’) =

from_city('kabur) and web_search(‘jihad’);

TOP SECRET//COM1NTwriting-xks-fingerprints-p58-normal.gif:
top secret strapi

Examples

• “I want to look for people using Mojahedeen Secrets encryption
from an IPhone”

• You can even use existing fingerprints in a fingerprint
definition! So this becomes:

fingerprint(‘demo/scenario4’) =

fingerprint(‘encryption/mojahdeen2’ and
fingerprint(‘browser/cellphone/iphone’)

TOP SECRET//COM1NTwriting-xks-fingerprints-p59-normal.gif:
top secret strapi

Example 4

• “I want to look for E-mails that mention words from various
categories of interest to CP”

• You can use multiple variables in an equation like this

topic('wmd/acw/govtorgs') =

email_body($acwitems and Sacwpositions and
($acwcountries or Sacwbrokers or Sacwports));

TOP SECRET//COM1NTwriting-xks-fingerprints-p60-normal.gif:
TOPSECRETSTRAPi

• $acwitems = ‘machine gun’ or ‘grenade’ or ‘AK 47’

• $acwpositions = ‘minister of defence’ or ‘defense minister

• Sacwcountries = ‘Somalia’ or ‘liberia’ or ‘sudan

• Sacwbrokers = ‘south africa’ or ‘serbia’ or ‘bulgaria’

• $acwports = ‘rangood’ or ‘albasra’ or ‘dar es salam’

topic('wmd/acw/govtorgs') =

email_body($acwitems and Sacwpositions and
($acwcountries or Sacwbrokers or Sacwports));

TOP SECRET//COM1NTwriting-xks-fingerprints-p61-normal.gif:
New XKS Fingerprint GUI allows analysts to directly
test, submit and manage Fingerprints through the web

rvavKwtion Menu « Fnqpipnnt Valdition J Submittal
d —jFmoeipnnw d validate' Submit Step *1 Slap tl Step *3 ... , W
d App«WWl
H Pending Global Variable Dcriaratloiw ■ 1 *}
d Signature* Type or paste any global variable declarations here.

SHxutiie
Type or paste a FINGERPRINT definition here.
Pibss Compile wtien done eoilr u * Wi WAaV4VAJ a / f vv/kTOP SECRET STRAPi

New Fingerprint GUI

New XKS Fingerprint GUI allows analysts to directly
test, submit and manage fingerprints through the web

►reiffiMint VoWoiian ■ :>’Jbnittil



£up>i

(IHmI V«ut4r Ofrlc«tmi

^rest = ’bomb* or 'nissl*'

Si» p#3

H5**

or 'icd';

Ognatin

fingerprint < *test/testl'> = e-rvail bodyiStest?;

Q 5o.w*!

SUCCESS!

UOngretUaton*. voa Inge-pm*, succewMv cc«npl?d!

us* the Test but fen ta run it agarct tho ccsqnatQd sasacn dita.writing-xks-fingerprints-p63-normal.gif:
TOP SECRET SI'KAPi

Questions?

TOP SECRET//COM1NTwriting-xks-fingerprints-p64-normal.gif:
TOP SECRET STRAPi

Syntax Rules

• The definition of the fingerprint will look like this:

fingerprint(‘test/blah/something’, owner = =

Note the single quotes needed for the fingerprint name
and owner

TOP SECRET//COM1NTwriting-xks-fingerprints-p65-normal.gif:
Syntax Rules

• Secondly every fingerprint definition must be
completed by a semi-colon.

fingerprint(‘test/blah/something’, owner =
‘badguy’;

TOP SECRET//COM1NTwriting-xks-fingerprints-p66-normal.gif:
TOP SECRET STRAPi

Syntax Rules

• Variables also must be completed by a semi-colon
Sbadguy =

‘bomb’ or ‘gun’ or ‘weapon’;
fingerprint(‘test/blah/something’, owner =

Sbadguy;

TOP SECRET//COM1NTwriting-xks-fingerprints-p67-normal.gif:
TOP SECRET STRAPi

Syntax Rules

Definitions and Variables can span multiple lines

Sbadguy =

‘bomb’ or
‘gun’ or
‘weapon’;

fingerprint(‘test/blah/something’, owner =
Sbadguy;

TOP SECRET//COM1NT