Title: X-KEYSCORE as a SIGDEV tool

Release Date: 2015-07-01

Document Date: 2009-01-01

Description: This 2009 NSA presentation describes some of the plug-ins available and the way the tool relates to other NSA methods for searching internet metadata, with XKeyScore having the broadest capability: see the book No Place To Hide, 13 May 2014.

Document: xks-as-a-sigdev-tool-p1-normal.gif:
X-KEYSCORE as a SIGDEV tool
2009

xks-as-a-sigdev-tool-p2-normal.gif:
What is X-KEYSCORE?

xks-as-a-sigdev-tool-p3-normal.gif:
TOP SECRET//COMINT//ORCON,REL TO USA, AUS, CAN, GBR and NZL//20291123

What is XKEYSCORE?

A (DNI) SIGDEV Tool

It gives you the ability to discover things
that you otherwise wouldn't have seen

xks-as-a-sigdev-tool-p4-normal.gif:

What makes XKS so good at SIGDEV?

• XKS gives analysts unique access to
terabytes of content and meta-data

• Typically sites select and forward to
PINWALE less than 5% of the DNI
they're processing

The rest of that data used to be dropped
but is now being retained temporarily
and made available to analysts through
X-KEYSCORE

• As an example, at one of our sites XKS
sees more data per day than all of
PINWALE

xks-as-a-sigdev-tool-p5-normal.gif:

DNI Discovery Options

Content selected from
dictionary tasked terms

"User Activity" meta-data with front end full
take feeds and back-end selected feeds

Unique data beyond user activity from
front end full take feeds

Meta-data from a subset
of tasked strong-selectors

[Diagram residue: a scale labelled from Low to High]

xks-as-a-sigdev-tool-p6-normal.gif:

"Slowing down the Internet"

XKS goal is to store the full-take
content for 3-5 days, effectively
"slowing down the Internet" so that
analysts can go back and recover
sessions that otherwise would have
been dropped by the front end

Meta-data is saved off longer, with the
goal of 30 days retention

A lot of analysis can be done through
meta-data only (MARINA is meta-data
only)

xks-as-a-sigdev-tool-p7-normal.gif:

XKS Storage Times

Front end storage is limited by resources
and policy restrictions and will
vary by site

At some sites, the amount of data we
receive per day (20+ Terabytes) can only
be stored for as little as 24 hours based
on available resources

Other sites have legal or policy
restrictions that limit the amount of time
we can store data (if we can at all)

It's a rolling buffer where new data comes
in and pushes the oldest data out

xks-as-a-sigdev-tool-p8-normal.gif:

How can I "save off" XKS data?

• Content that is "interesting" can be pulled
out of X-KEYSCORE and pushed to Agility
or PINWALE or any other database for
longer retention

• Workflows can be set up to automatically
harvest content out of XKS before it ages
off

• The goal, however, is to use X-KEYSCORE
to discover new things, that will end up on
tasking for future collection

xks-as-a-sigdev-tool-p9-normal.gif:

How do I access XKS data?

It's important to know that XKS
queries meta-data tables only

Results from the meta-data tables
are then linked back to the original
piece of content

Goal of the system is to extract a
wide range of meta-data for users to
query

xks-as-a-sigdev-tool-p10-normal.gif:

What kind of meta-data is produced?

[Screenshot residue: the plug-in list from the XKS navigation menu]

Classic A-M

• ASF and WMV Metadata
• Alert
• BlackBerry
• CNE
• Call Logs
• Category DNI
• Cellular DNI
• Cisco Passwords
• Document Metadata
• Document Tagging
• Email Addresses
• Extracted Files
• Full Log DNI
• HTTP Activity
• IRC Cafe Geolocation
• Logins and Passwords

Classic N-Z

• Network Logs
• PDF Metadata
• Spilbeam
• Phone Number Extractor
• RBGAN
• REGISTRY
• RTP
• Radius Logs
• RealMedia Metadata
• SIP
• TOR Log
• Tech Strings in Documents
• User Activity
• WLAN
• Web Proxy
• Wireshark

xks-as-a-sigdev-tool-p11-normal.gif:

Examples of "simple" Plug-ins

Plug-in: DESCRIPTION
E-mail Addresses: Indexes every E-mail address seen in a session by both username and domain
Extracted Files: Indexes every file seen in a session by both filename and extension
Full Log: Indexes every DNI session collected. Data is indexed by the standard N-tuple (IP, Port, Casenotation etc.)
HTTP Parser: Indexes the client-side HTTP traffic (examples to follow)
Phone Number: Indexes every phone number seen in a session (e.g. address book entries or signature block)

xks-as-a-sigdev-tool-p12-normal.gif:

Examples of "advanced" Plug-ins

Plug-in: DESCRIPTION
User Activity: Indexes the Webmail and Chat activity to include username, buddylist, machine specific cookies etc. (AppProc does the exploitation)
Document meta-data: Extracts embedded properties of Microsoft Office and Adobe PDF files, such as Author, Organization, date created etc.

xks-as-a-sigdev-tool-p13-normal.gif:

Plug-ins

A single session may contain entries in multiple
meta-data tables

• For example, if a single session had a user E-mailing
an attached word document the following
plug-ins would extract meta-data:

Plug-in: Would have extracted...
Full Log: ...bare minimum meta-data like To/From IP address, ports, casenotation, sigad etc.
E-mail Addresses: ...any E-mail addresses seen on that page (including inside the attached word file)
Extracted Files: ...the filename and extension of the attachment
Document Meta-data: ...in addition to the filename and extension, any embedded properties of the word document like Author, last author, organization, date created, date last modified etc.

xks-as-a-sigdev-tool-p14-normal.gif:
xks-as-a-sigdev-tool-p15-normal.gif:
xks-as-a-sigdev-tool-p16-normal.gif:

AppIDs and Fingerprints

• X-KEYSCORE produces an application id
for each session processed

• Currently almost 1300 Appids in 28
categories

• An Appid is meant to identify a session
as a particular application

• Fingerprints are an extensible way of
tagging sessions

• Ex: A session Appid'd as mail/smtp
might also contain fingerprints for
encryption if used in the email

xks-as-a-sigdev-tool-p17-normal.gif:

AppIDs and Fingerprints

Ex: E-Mails with encryption

-----BEGIN PGP MESSAGE-----
[message body not reproduced]
-----END PGP MESSAGE-----

Application: mail/webmail/outblaze
AppID (+Fingerprints): mail/webmail/outblaze has_fingerprint encryption/pgp encryption/pgp/message

xks-as-a-sigdev-tool-p18-normal.gif:

AppIDs and Fingerprints

Ex: Airline E-Tickets

subject: Airblue E-Ticket - JGDTGSWB
From: Airblue Reservations
Date: Nov 18, 2008 10:41:54 AM
Reservation N

Application: mail/webmail/yahoo
AppID (+Fingerprints): mail/webmail/yahoo has_fingerprint travel/airblue

[Screenshot residue: e-ticket payment table with columns Date/Time, Method, Location, Description and Amount; one row dated 18-Nov-2008]

xks-as-a-sigdev-tool-p19-normal.gif:

AppIDs and Fingerprints

Ex: Extremist Forum Private Messages

[Screenshot residue: "HTTP Header Information" panel for a form POST (Content Type: HTTP/POST/Form-Data) showing the request line and the Accept, Referer, Accept-Language, Content-Type, UA-CPU, Accept-Encoding and User-Agent headers; an Application / AppID (+Fingerprints) table; and the form fields bccrecipients and message. The values are not legible.]

xks-as-a-sigdev-tool-p20-normal.gif:

X-KEYSCORE Workflows

• X-KEYSCORE workflows are standing
queries that run on set intervals during the
day (usually once a day)

• After action reports can E-mail the results
of the workflow, parse out data to mailorder
to other databases and more

• New GUI's Workflow Central makes it easy
to create and manage your workflows

xks-as-a-sigdev-tool-p21-normal.gif:

XKS Workflows: Easy to Create!

[Screenshot residue: the new XKEYSCORE home page with its navigation menu; the legible text follows]

Welcome to the Beta release of the New XKEYSCORE Home Page!

If you have questions or bug reports please go to XKEYSCORE New GUI Forum

News

(U//FOUO) New XKEYSCORE GUI

(U//FOUO) XKEYSCORE is working on a new GUI that has now reached an open Beta state.
Follow the link below to try it out. Your account and preferences will automatically be
transferred when you log in. Please view these training videos to acclimate yourself with the
new layout and features. Some features have not yet been completed but will still be available
in the original GUI.
(U//FOUO) If you find bugs please report them ONLY in the XKEYSCORE Forums under the
New GUI section, which can be found here. We will try to fix any bugs as quickly as possible,
but when experiencing a problem, revert back to the original GUI until we can fix it

xks-as-a-sigdev-tool-p22-normal.gif:

XKS Workflows: Easy to Create!

Welcome to the X-KEYSCORE Workflow Request Wizard.

[Screenshot residue: Workflow Central navigation menu (Request, All Workflows, My Workflows) and a "My Workflows" table with columns Query Type, Query Name, Last Modified and State; the rows are not legible]

xks-as-a-sigdev-tool-p23-normal.gif:

Context-Aware Tagging

• Provides for the ability to task and scan
for terms only when they appear inside
the body of documents like Microsoft
Office or Adobe PDFs

• EX: We want to find technical
documents regarding WIMAX networks
but tasking the term 'WIMAX' to
Cadence would flood PINWALE with
hits. What if we only look for the term
within documents?

xks-as-a-sigdev-tool-p24-normal.gif:

ID | DATETIME | DATETIME END | TECH NAME | TECH VALUE | TECH FILENAME
1 | 2008-01-01 04:55:00 | 2008-01-01 04:55:01 | wireless | WIMAX | NIB Ranchor Line KHI.doc
2 | 2008-01-01 04:55:00 | 2008-01-01 04:55:01 | satellite | DVB | NIB Ranchor Line KHI.doc
3 | 2008-01-01 04:55:00 | 2008-01-01 04:55:01 | mac | | NIB Ranchor Line KHI.doc

xks-as-a-sigdev-tool-p25-normal.gif:

Context-Aware Tagging

[Screenshot residue: an e-mail with blank From, To and Cc fields; the legible fields follow]

subject: NFF-66024-GCC-KHI
Date: Tue Dec 30 10:57:48 GMT 2006
Model: 6300
ASC:GCC-KH3
Symptom: 4100
Comments: no fault found phone is working properly kindly confirm the fault in detail when and in which condition it creates problem related to mention symptom

xks-as-a-sigdev-tool-p26-normal.gif:

Context-Aware Scanning

• Tasking is so flexible that it can include
regular expressions (REGEXs) with few or
no anchor points

• Ex: Can we find documents that have MAC
addresses in them?

• The following Regex looks for MAC
addresses:

• "(00|01|02|04|08|10|3C|44):(?=[\d:]{0,12}[a-f])([\da-f]{2}):([\da-f]{2}):([\da-f]{2}):([\da-f]{2}):([\da-f]{2})"
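
An added example, not part of the presentation: the slide's pattern, with the OCR damage repaired, used from the document owner's side as a pre-release check that finds and redacts MAC addresses, and that reports what the pattern alone would miss. Case-insensitive matching, the comparison pattern and all names and sample text are assumptions made for this illustration.

```python
import re

# The slide's pattern. IGNORECASE is an assumption: the slide mixes an
# upper-case prefix (3C) with a lower-case class ([a-f]).
SLIDE_MAC_RE = re.compile(
    r"(00|01|02|04|08|10|3C|44):(?=[\d:]{0,12}[a-f])"
    r"([\da-f]{2}):([\da-f]{2}):([\da-f]{2}):([\da-f]{2}):([\da-f]{2})",
    re.IGNORECASE,
)

# Generic six-octet pattern, added here only for comparison (not on the slide).
ANY_MAC_RE = re.compile(r"\b(?:[\da-f]{2}:){5}[\da-f]{2}\b", re.IGNORECASE)

# Constructed sample text standing in for the body of a document.
SAMPLE = (
    "WAN port 00:1a:2b:3c:4d:5e, standby unit 3C:5A:B4:00:11:22.\n"
    "Counter 10:15:30:45:50:55 is not an address.\n"
    "AP radio a4:5e:60:01:02:03, test rig 00:11:22:33:44:55.\n"
)


def find_macs(text):
    """Strings the slide's pattern matches, lower-cased, in order of appearance."""
    return [m.group(0).lower() for m in SLIDE_MAC_RE.finditer(text)]


def missed_by_slide_pattern(text):
    """Six-octet strings the generic pattern finds but the slide's pattern skips.

    Two things narrow the slide's pattern: the first octet must be one of the
    eight listed values, and the lookahead demands a hex letter within the
    13 characters after the first colon, which filters out clock-like digit
    runs but also skips all-digit addresses.
    """
    hits = set(find_macs(text))
    return [m.group(0).lower() for m in ANY_MAC_RE.finditer(text)
            if m.group(0).lower() not in hits]


def redact_macs(text, token="[MAC]"):
    """Replace every six-octet string before the text is released."""
    return ANY_MAC_RE.sub(token, text)


if __name__ == "__main__":
    print("slide pattern:", find_macs(SAMPLE))
    print("missed:       ", missed_by_slide_pattern(SAMPLE))
    print(redact_macs(SAMPLE))
```
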

xks-as-a-sigdev-tool-p27-normal.gif:

Context-Aware Scanning

• Supports full foreign language tagging and
querying

• Ex: look for common Arabic expressions in
E-mails coming from the Pakistan tribal
regions:

[Screenshot residue: a webmail message in the "US Webmail Display" view (Windows Live Mail), sent on a Thursday at 12:07 PM; the message text is not legible]

xks-as-a-sigdev-tool-p28-normal.gif:

X-KEYSCORE SIGDEV

• X-KEYSCORE's full take database of meta-data and
content make it a powerful SIGDEV tool

• Many DNI applications don't contain strong selectors
that allow traffic to be collected

• Web surfing

• Internet searching

• Anonymous file uploading/downloading

• The variety of applications processed and meta-data
available make X-KEYSCORE an ideal starting point for
DNI development

xks-as-a-sigdev-tool-p29-normal.gif:

X-KEYSCORE SIGDEV

• Scenario 1: Persona Analysis

• Goal to identify the "user session"

• Help answer the question: What did my target do
while he was online?

• We may know from TRAFFICTHIEF, PINWALE or
MARINA that our target was online at a given time and
from a given IP address, so we can then search in
X-KEYSCORE for everything that happened "around" that
event.

xks-as-a-sigdev-tool-p30-normal.gif:

XKS SIGDEV: Persona Analysis

[Screenshot residue: query results table with columns including Datetime, Active User, Search For, Datetime End and Search Value; the rows are dated 2008-12-29, around 05:14, and show "username" under Search For; the values are not legible]

xks-as-a-sigdev-tool-p31-normal.gif:

XKS SIGDEV: Persona Analysis

Coming soon: XKS PSC query builder/viewer

[Screenshot residue: a "Persona Session Collection" dialog over a results table with a Row Actions menu. Dialog fields: Justification ("Persona session collection for ip ..."), Additional Justification, Start Date & Time (12/29/2008 05:09), Stop Date & Time (12/29/2008 05:19), Country Code, Also Query IP As (From, To, X-Forwarded-For IP), XFF or Client IP, and Add Search (Extracted File)]

xks-as-a-sigdev-tool-p32-normal.gif:

XKS SIGDEV: Persona Analysis

[Screenshot residue: "XKEYSCORE Persona Session Collection" results view with panels for an HTTP Activity Timeline, browsers, Username Summary, Referer Summary, Extracted Files and Geographic IP Summary (From and To, by city and country); the entries are not legible]

xks-as-a-sigdev-tool-p33-normal.gif:

XKS SIGDEV: Persona Analysis

Coming soon: XKS PSC query builder/viewer

[Screenshot residue: summary panels titled Username Summary (grouped by AppID, including mail/webmail/mailru, mail/webmail/rambler and mail/webmail/yahoo), Web Searches, Traffic Summary and Domain Summary; the remaining entries are not legible]

xks-as-a-sigdev-tool-p34-normal.gif:

NWFP Example

xks-as-a-sigdev-tool-p35-normal.gif:

XKS SIGDEV: HTTP Traffic

[Screenshot residue: example text partly hidden behind a dialog (legible fragments: "Example:", "queries", "Pakistan", "areas of", "in HTTP", "Activity"); a result row with columns Fm IP, To IP, FmPort, ToPort, Host and Fm Country (IP); and a Row Actions menu with View Session, View Session (New Window), Show All Row Values and a Query Marina entry]

Query Marina For IP: 116.58.126.162
Datetime: 2008-12-29 07:21:42 (+/-) 3 hours

xks-as-a-sigdev-tool-p36-normal.gif:

XKS SIGDEV: HTTP Traffic

[Screenshot residue: results table with column headers including USERID, PHONE, USER A, ACTIVITY, USER B, STARTTIME, STOP_TIME, DURATION and MAC ADD; the rows, dated 20081119, read "<emailAddr> logged in (email)"]

xks-as-a-sigdev-tool-p37-normal.gif:

XKS SIGDEV: HTTP Traffic

Now make that into a workflow

[Screenshot residue: an "X-KEYSCORE EMAILER" report for a workflow query, stating that it had 14 result(s) and listing under SEARCHES, for 2008-11-19, the time of each search and its search terms, most of them marked "(cybertrans from Arabic)"; the individual values are not reliably legible]

xks-as-a-sigdev-tool-p38-normal.gif:

X-KEYSCORE SIGDEV

• EX: Targets pass links to videos, use XKS to
discover new targets who have viewed those
videos

In HB 00215-09. he promises that the newest video will be ready very soon, and then sends these two links:

http //www.ioad to;
http://www.fi les to/a<

[Screenshot residue: query form with Datetime set to 2 Weeks (Stop: 2009-01-06 23:59) and fields HTTP Type, Host and URL Path]

xks-as-a-sigdev-tool-p39-normal.gif:

X-KEYSCORE SIGDEV

[Screenshot residue: results table with columns including Datetime, USERID, PHONE, USER A, ACTIVITY and USER B; nine rows dated 20081231 read "<emailAddr> logged in (email)"]

xks-as-a-sigdev-tool-p40-normal.gif:

X-KEYSCORE SIGDEV

How to find technical documents of interest

One Idea: Take advantage of the properties
exploited as meta-data by X-KEYSCORE like
the Author and Organization

Let's look for all documents where the
organization field is the company we're
interested in, ex: Warid Telecom

xks-as-a-sigdev-tool-p41-normal.gif:

[Screenshot residue: results table with columns Filename, Extension, Author, Last Author and Organization; the listed .doc and .xls files all show the organization Warid Telecom (Pvt.) Ltd.; the filenames are not reliably legible]

Many of these files may have not been
selected, because either there was no strong
selector associated or the strong selector(s)
weren't tasked for collection
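
An added example, not part of the presentation: the Document meta-data plug-in and the organization-field search described above both rely on properties embedded in the file itself, so the Python sketch below audits those properties (author, last author, organization, created and modified dates) in an Office Open XML package and strips them before the file is shared. The sample document, field labels and function names are constructed for illustration; legacy .doc/.xls files keep these fields in OLE property streams and are not handled here.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, defusedxml is the safer parser

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep readable prefixes when re-serialising

# The properties the slides name, and the package part that stores each one.
FIELDS = {
    "docProps/core.xml": {
        "author": "dc:creator",
        "last_author": "cp:lastModifiedBy",
        "created": "dcterms:created",
        "modified": "dcterms:modified",
    },
    "docProps/app.xml": {"organization": "ep:Company"},
}


def build_sample_docx():
    """Constructed, minimal package holding only the parts this example needs."""
    core = (
        '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">'
        "<dc:title>Site survey</dc:title>"
        "<dc:creator>A. Example</dc:creator>"
        "<cp:lastModifiedBy>B. Example</cp:lastModifiedBy>"
        "<dcterms:created>2008-12-30T10:00:00Z</dcterms:created>"
        "<dcterms:modified>2008-12-31T09:30:00Z</dcterms:modified>"
        "</cp:coreProperties>"
    ).format(**NS)
    app = (
        '<Properties xmlns="{ep}"><Application>Microsoft Office Word</Application>'
        "<Company>Example Telecom (constructed)</Company></Properties>"
    ).format(**NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/document.xml", "<document>body text</document>")
    return buf.getvalue()


def read_properties(data):
    """Return the identifying properties present in the package, keyed by label."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for part, fields in FIELDS.items():
            if part not in names:
                continue
            root = ET.fromstring(zf.read(part))
            for label, path in fields.items():
                el = root.find(path, NS)
                if el is not None and (el.text or "").strip():
                    found[label] = el.text.strip()
    return found


def scrub_properties(data):
    """Copy the package, dropping the listed property elements; other parts are untouched."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            payload = src.read(info.filename)
            fields = FIELDS.get(info.filename)
            if fields:
                root = ET.fromstring(payload)
                for path in fields.values():
                    for el in root.findall(path, NS):
                        root.remove(el)  # the properties are direct children of the root
                payload = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(info.filename, payload)
    return out.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    print("before:", read_properties(doc))
    print("after: ", read_properties(scrub_properties(doc)))
```

The scrub covers only the property parts; names or addresses typed into the body of the document, which the E-mail Addresses plug-in description also mentions, need a separate content review.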

xks-as-a-sigdev-tool-p42-normal.gif:

Questions?

[illegible]@nsa

xkeyscore@nsa

xks-as-a-sigdev-tool-p43-normal.gif:

HTTP Activity

[Screenshot residue: raw HTTP request headers (Referer, Accept-Language, Accept-Encoding, User-Agent, Host, Cookie, Connection, X-BlueCoat-Via) above the extracted fields that follow]

Host: search.bbc.co.uk
URL Path: /search
URL Args: tab=urdu&order=sortboth&q=musharraf&start=3&scope=urdu&link=next
Search Terms: musharraf
Language: en
Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Via: 66808702E9A98546
Referer: http://search.bbc.co.uk/search?tab=urdu&order=sortboth&q=musharraf&start=2&scope=urdu
Cookie: BBC-UID=[value not legible]

xks-as-a-sigdev-tool-p44-normal.gif:

Query Hierarchy
