Email Address vs User Activity
July 1, 2015
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GER, NZL//20291123
June 2009
Email Addresses

The Email Address search allows you to search on:
- Full Email Address
  Do not search on/wildcard JUST the username, always include a specific domain
- Foreign-hosted domains (eg. @cnc.cn)

The query searches within bodies of emails, webpages and documents for (you guessed it) . . . Email Addresses:
- To, From, CC, BCC lines
- "Contact Us" pages on websites
- Signature blocks
Email Address

Email Addresses are found in many parts of traffic

[Screenshot: DNI Display / Raw Data / DNI Format view of a message with header lines Subject: RE:, From:, To:, Cc:, Date: Tue Jun 23 12:41:25 GMT]

XKEYSCORE has picked up traffic with email addresses in it.
Email Address

[Screenshot: DNI Display / Raw Data / DNI Format view; Subject: RE: Malaysia Tax; Date: Tue Jun 23 12:41:25 GMT; session viewer columns Datetime, Direction, From (United States), To (Malaysia); Header, Attachment and Meta tabs; parsed files tech.html, application_id.xml, phone_number.html, email]

XKEYSCORE parses out everything it "thinks" is an email address, so don't be fooled by mis-hits
Creating Email Address Queries

Enter usernames and domains into query

[Screenshot: Search: Email Addresses; fields Query Name, Justification, Additional Justification, Miranda Number, Datetime (1 Day, Start/Stop), Email Username: badguy or baddude1 or badguysemail, @Domain, Subject]

Multiple usernames from SAME domain can be
Creating Email Address Queries

BE VERY CAREFUL of OR'ing domains

[Screenshot: Search: Email Addresses; fields Justification, Additional Justification, Miranda Number, Datetime (1 Day, Start/Stop); Email Username: badguy or baddude1 or badguysemail; @Domain: yahoo.com or hotmail.com; Subject]

When working with multiple domains, create separate Email Address queries for each, i.e. group your queries by domain names.

Multiple domains means either badguy@yahoo.com or badguy@hotmail.com. Are both your targets?
Email Address

Sample Search: baku@huawei.com

[Screenshot: Search: Email Addresses; fields Query Name, Justification, Additional Justification, Miranda Number, Datetime: 1 Week (Start/Stop); Email Username: baku; @Domain: huawei.com]
Email Address

Email Addresses are found in many parts of traffic

[Screenshot: DNI Display / Raw Data / DNI Format view; HTTP Header Information, Content-Type: text/html; a "Services" contact page listing office addresses, telephone and fax numbers for Vienna (Austria), Azerbaijan, Bahrain, Dhaka (Bangladesh) and Belarus]

Results here are from a webpage that contained the email address
User Activity query is based on APPRO collection (such as chat, webmail, etc)

Allows more flexible search criteria than Email Address query
- Can search on: Cookies, numeric logins (web forums, OSN), VoIP selectors, webcam first images, Webmail profile information from registration (birthdays), general usernames
Creating User Activity Queries

The fields in a User Activity query can be confusing

[Screenshot: query form with fields Datetime (Start/Stop), Search For, Search Value, Realm, Attribute Type, Attribute Value, Activity, Source IP, From IP]

Enter target selectors/identifiers here:
- Phone No
- Cookie
- Username/Email Address (then add REALM)
Creating User Activity Queries

The fields in a User Activity query can be confusing

[Screenshot: result table with columns Search For, Search Value, Attribute Type, Attribute Value; every row has Search For: username and a yahoo address as Search Value, with Attribute Types such as communicants, contact_list, direction (server-to-client) and user_realm]

Notice partial email addresses in the "Search Value" field
Creating User Activity Queries

Scenario:
You have a target's email address:
- _@hotmail.com
Known: One email address
Unknown: Alternate ID's, IPs, Location, Photo, (lots of stuff)
Where do we begin?
I want to...

I have an Email Address and want to see if it's being collected?
- Do an Email Address query on username and domain
  [Screenshot: Email Username field; @Domain: huawei.com]
- Do a User Activity query on the email address in the "Selector Value"
  [Screenshot: Search Value: baku@huawei.com]
I want to...

I have a Cookie and want to see what other accounts access this computer
- Do TWO separate User Activity query on the cookies

[Screenshot: query with Attribute Value set to the cookie value; result table with columns Search For (username), Search Value, Attribute Type (yahooBcookie, B_cookie, H_cookie) and Attribute Value]

Brings back THESE Attribute Value results

[Screenshot: the same cookie value repeated in every Attribute Value row]

Notice redundancy. So you MAY miss traffic if you select "B_cookie" or "yahooBcookie" (don't know why)
I want to...

I have a Cookie and want to see what other accounts access this computer
- Do TWO separate User Activity query on the cookies
  Search Value: the cookie value

Brings back THESE

[Screenshot: result table with columns Search For (username), Search Value (the cookie value), Attribute Type (yahoo), Attribute Value]

Notice redundancy. So you MAY miss traffic if you select "B_cookie" or "yahooBcookie" (don't know why)
I want to...

I have a Cookie and want to see what other accounts access this computer
- Do a Marina query on the cookie as well (why not)?

[Screenshot: Marina query form; Specify Date; "For User Strong Selectors (Emails, IDs, Cookies and similar)" with exact match and the cookie value entered; "where value is" filter; Query Justification; Submit]
I want to...

I have a Cookie and want to see what other accounts access this computer
- Do a Marina query on the cookie as well (why not)?

[Screenshot: Marina results with columns USER, ACTIVITY; each row is a yahoo account "seen with machine ID" followed by the cookie value (yahooBcookie)]
I want to...

So let's put the cookie query all together
- Between Marina and XKS, I should have an idea of all the accounts.
- Results pulling on the cookie value as a Search Value

[Screenshot: XKS result table with columns Search For (username), Search Value, Attribute Type, Attribute Value; three rows with yahoo accounts]

- Plus my Marina results

[Screenshot: Marina results with columns USER, ACTIVITY; three yahoo accounts each "seen with machine ID"]

RESULTS: Three users on the same computer.
I want to...

I have an IP address and want to know what users/accounts are collected in that network? (a Cafe's IP address, or mail/web server for an organization)
- Do an Email Address query on the IP address
  [Screenshot: Email Address query form with Email Username, @Domain, Subject and IP address (From) fields]
- Do a User Activity query on the IP address
  [Screenshot: User Activity query form with Attribute Type, Attribute Value and IP address fields]
Moral of the story

Email Address query looks for the @ symbol in traffic

User Activity search allows you to query on more than just an email address