Documents

Analyzing Mobile Cellular DNI in XKS

Jul. 1 2015 — 1:51p.m.

/17
1/17

SECRETHEDMIHTHFEEL USA, AUE, CAN, GER, 23 ii Li- XKEYSCORE May 2009 - -- SEERETHEOMIHTHHEL LISA, nus, BAH, GER, 23

TD USA. RUB. CAN. Mobile DNI I Mobile DNI can be described as people using their Cell Phone or cellular technology to access the Internet and E-mail There are essentially two ?types? of collection: I Collection within the GPRSI3G network (i.e Abis link) . Collection within the public Internet USA, HUS, BAH. GER, HEL

TD USA. ALIS, CAN. GER, NIL Mobile DNI I: Mobile DNI Collect comes in two main types: Eonvergenoe of DNR r34 DNI seleotors! from FE oolleolion [1315135. 150 be "near" the infrastructure Looks like regular DNI hut 1.ririth "hints" that the source is oell ohohe Colleotion could he FE, BSD. FISA TDPEEGRETHUDMIHTHHELTD USE HUS, BAH. GER, HEL

TO USA. ALIS, BAH. GER, NIL HTTP Activity a HTTP activity comes in two types: enmeem Server Client-te-Sewer "requests" Server-te-Client ?responses? User TUPEEGRETHEUMIHTHHELTU USA, HUS, BAH. GER, HEL

TO USA. ALIS, BAH. GER, NIL Mobile DNI: HTTP Activity 5 HTTP activity comes in two types: srigins Publislpr?xy} addresses sf DMR E: DNI Usuallyr private IP addresses TUPEEGRETHEUMIHTHHELTU USA, HUS, BAH. GER, HEL

. I Mobile DNI: Converged (action Examples of ?converged? collection: - GPRS by F6 . by SCREAMIN (OTRS) - . All ?converged? collection is put into the ?Cellular plug-in of XKS which gives you the ability to query for DNI traffic based on DNR selectors (IIVISI, IMEI, MSISDN, etc) where applicable USA, HUS, BAH, GER, MEL

TD USA. RUB. CAN. h_\rrJL w?a Mobile DNI: Converged cojlg. - DNR DNI mete-data will be together: sewer te :Een: :lh?i??ei?-LIF? leggedin (aniD El 513?56101353354??f?3} with meehme TI ?hew Ii?) seen with meehmc-IJ 311-311(2) Values El preteen: :lb?lge-flcf-TLLIT' ICE USA, HUS, BAH. GER, HEL

TO USA. A115. BAH. GER, NIL Mobile DNI: Converged collectio Cellular DNI plug-in allows you to query on the DNR selectors for Persona Analysis El 5 A-Ilrl TUPEEGRETHEDMIHTHHELTU USA, ALI-S, BAH. GER, HEL - EMF rota-ride Query Name: - fame . . i {El?lmk?eny Em Additionallustifitatiun: 1r E?al Lugs Emma-Err DH Hiranda Number: Era-n5: nnil ?al?anma: Erarl': LIJEJJ amp: omens-13% air-u . 5 Elbccurnor: Motonjatn . Tagging . i EEn-Hlladorassaa EEm-aded Files EFu'Ich EHI EHWP Iaot'u'ity I El?n earn ann nratirn HT: 2 IE and Elhmorop ug'l Matt: 31:31:: 11.151; HCII

Mobile DNI 413056? 415-154- 413056- 413m? 41mm- 413-15:- 413056- 41mm- 413056- 41505!? mm? 4mm? muss- emu-5!? 41mm- 413056- 413m? Irrln 1 Enni?a?r nn TD USA. A115, CAN, GER, HEL if Converged colle'c l-lr-rull'fl .p pm Hui-1L:- g-m huh-?r h?nInL-simn I'll'tui'eau-H'iamlm'nl ii?i- ?i'nl'na-rn-E Fr-nn'l' Pane Fruit-I11: Page Mali Hall Ill-rill In'lnil Hall I?l-?ll Hall Hall Mail Hail Hall Ill-nil Mail Hail Ilil-rill Mail n1 I'l'l l'l'l n1 n1 I?l'l l'l'l n1 ailfwelt-mniyahe-J I'l?l l'l'l n1 l'l'l ailiweIJ-malymbu n1 I'l'l mthebmal.3.mlmu at 5e uttw nmilr'wehmiilijmhm mnilr'wehmiilijmhm nlnilfwebntail?nlm-n mailiwehmailmlm-c nlnili'wehnliil?pnlmu .- 'l I By taking the IMSI we found in MARINA we can identify all cfthe DNI traffic web?surfing etc.) that originated from that same mebile subscriber

TD USA. A115, CAN, GER, HEL if Mobile DNI: Traditional a After the DNI traffic exits the Gateway, it will travel over the public Internet and can be collected through ?traditional? DNI accesses like FORNSAT, F6, 880, FISA etc. USA, AUS, BAH. GER, HEL

HIM US: ll'll. 21H 1i :01. 1ill I 1~ Sometimes its difficult to tell if your target is using obil NI T10 5000. m. @0000: I I a cell phone to access his E-mail MARINA currently provides little or no ?hintslI' T0L 1101010T0 0100100. 1100.10}. 110101030 0:001:10 00010111101010 000100 000005051000000 0000000 001000 -0011000= 00 000005051000000, -0000: 10000001001001 -0000: 0.0 00000505 1000000 -0000: 1001300 0. {001003. -00110055 00000500 1000000, -3r011000 1003000: 11001001 -000000 00 000005001000000, -0000: 1000000. (001001 -0000: 00 0000050010000001 0100000 501'1'01' -0000:- 00 000005001000500, 0000 000 0000100 110 00000000000000.0000001000 000010000000010000001000 -0000: 0.0 00000500 1000500 -0000: 0000 000 0001000 00 00000000000000.0000001000 000000000000010000001000 00 00000500 10005000 00001000 L0 000010001000000110000000000 -000000 00 00000500 1000500, 01001; 1:0 0010.0 000010000000010000001000 -0000: 0.0 000005001000500, 001100:- 100300 0-. {010003. 00000011001100 00011000000100:- -001100:- 00 00000500 1000050 0001 000 000000 00 00000000000000.0000001000 000000000000000000001000 -0000: 00 00000500 1000050, 01-00000 00.1000 000100000000000000000100 -000000 01: 00000500 1000050 00001000 :0 000000000000010000000000 -0?011000= 00 00000500 1000050, -0000: 100000 0.1001001 000010000000010000001000 -0000: 0.0 TDP SEGHETHCUMIHTHRELTD USA, AUS, CAN, GER, NZL

"Mobile DNI Search Fur ll$?f??nl? ll?'?'fl'l?l'l'lli" ll?tl?l'lil'l?' lIEli'Brl'l?l'l'lE llEEfl?l?l?l'lE': llEEfl?l?l?l'l'E: TD USA. AUB. CAN. G?l?r?z I I . LI Traditional Coll; -. lull..- .- I - X-KEYSCORE ?User Activity? provides some hints Note the fingerprint of browserfcellphone/nokia Search Liana [email protected] mum min-c- mum- [email protected]'m Applicaiinr ill-yam mnilr'w-z-Ii-n'i-iilyilm maili'weli-miilr'yil I-J-J- mailf'ur-ali-niailryilm maiIM'aII-I'Iuilr'gnilm ApplD [+Fingerprint3] I1 IiminhI-c run-hi: mrila'welimniliynlm-u- rut-hie muhir: muhI-E milMEIi-mailyalm-u- brains arr-caliili-nn-EjnuJ-liia null] IE n1 Inc-w Is- I ni: a l?ilii-nu-aihci-li in ali- ?n 9 er I-5 USA, HUS, BAH. GER, HEL

T0 USA. ALIS, BAH. GER, NIL Mobile DNI: Traditional Collecti X-KEYSCORE Activity? also provides some hints! Note the hestname ef intl.m.yahee.cem and user agent of: Series60f2.8 HTTP Type Heel -. LIHL 5:311 URL Arge qet Cu-Jhie- EIr-Jwi'er SP-ur Saar w-u-mn- jam-m1 IEEgsa? [Ia-2:11 Sui-r meme Con?gLIr-atmfw C4 .1 TUPEEGRETHGUMIHTHHELTU USA, HUS, BAH. GER, HEL

TO USA. ALIS, BAH. GER, NIL Mobile DNI: Tr The content also provides some ?hints? IE1: 9923_nrig_pmc Type EFF F'rinlnz' Finn-3h.- vermin?: I Display I RawDala I Ella ?Hi :35 IF [tr-1 SET Su=23444?439 Huh i:LL1:rrL Accept tex?jaugucrignh muhml. wapshlunl :5 mart-huech vm?smptu a?p-licamn-?java. applicant-1:15:- jam-archive, 3:45:11]: a?cm?md mm?nn appiisulim-?miwap mm?rneasage. .3113 {Ed 1-3111; :emljmas Evils-l; Accept-Chars 3t: wing; 39. r:rI Sac-1:2: 3F ulf?E. Lam?IDEiE-ucg-l; {1:116 i=3 il?i '11-?35 Gill??'! unlit, Birth 3'1: 11364? Past-11 [1121! Ewan :=14 Earl-US Euglirill I USA, ALI-S, BAH. GER, MEL aditional CcallectiQI

T0 USA. ALIS, BAH. GER, NIL HTTP Activity Examples The content also provides some ?hints? I-Iin-at: Ame-pt: tex?jav amp-t, texh?ecnzascript, texh?hm?, 3 multip art-?minted? texb'vndwapwml, a}:th ?ppjl?'ti??h?ld?iip?m??tfiph appli-z atim?javaq applicatimf'x?java?ar?uiva, appli-z Mic-maid atiuzwm'imd. nma?d 24ml, t?x?jma?cript, wap pm?le: TUPEEGRETHGUMIHTHHELTU USA, HUS, BAH. GER, HEL

T0 USA. ALIS, BAH. GER, NIL Mobile DNI: Traditional Collecti Sometimes there are even more ?hints? hare-I. In?ll-Ha 13:; Yahae Cookie earl-?rm wag: 3'93 EETEU 37-39333 3-1? 53632 User-Agent Talia-EMS El ?EymE-iew??Cm?qurel: ELL: Gttk-tfl Se?u?i?ll} I-?ixap-pre?lc: K-lirr-kia-Illusuz ep- crate-n: Eh Lap-Bearer Eei'em ineffnew? El?'e. tm: E-MEJP-AG- 565 AFN: mp K-Mrsp-[szJl-Jca-IP- Iii-r1313 MSISDII. E-MEP 19:. 395%? H-MSP 113:5: IE1. 1 K-l?a-I 3P -UG. Erie. Siumsns TUPEEGRETHGUMIHTHHELTU USA, HUS, BAH. GER, HEL

IPhone Users! Emil-?e: Thar?Agent: TDF SECREWMDMIHTHHEL TO USA. HUB, BAH. GER, NIL HTTP Activity Examples Emwaer iPh??E [5H11l 11:1 n=573c? 'ciE i311 1= ilk?J I: Gender: [92111-11113, Birth 3:331: 1971?: Purim] uncle: - jb=34 32 9 [Imlustr? Job: Network Aihrdnistratur, 5119 F33 Lzujgungeftunheut: English 111d=113 Comm-F: Unite-i Stat-25 rip-=1 11' THE TirMi] ad?AE sb??rfm?idn?dd?' kFMpEl_ animus d=c EWE URTFCI E;in URNEEQEYFDE UTEEVQ [Eva-- path I Eli-main F?hCDj?m Eli-$113 Mai 1] TDPEEGRETHEDMIHTHHELTU USA, HUS, BAH. GER, HEL

Filters SVG