HTTP Activity in XKS
July 1, 2015
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123
KEYSC
March 2009
Activity
- HTTP Activity is essentially all web-based activity from a user's internet browser (with some exceptions)
- It includes web-surfing, Internet searching (like Google), mapping websites (Google Earth/Maps), etc.
- Most of this data will not contain a strong selector like an e-mail address
HTTP Activity
HTTP activity comes in two types:
- Client-to-Server "requests"
- Server-to-Client "responses"
[Diagram labels: cnn.com, Server]
HTTP Activity
How do you know which side you're looking at?
- Client-to-Server requests are generally small in size and are computers talking to other computers
- Server-to-Client responses are larger and are what web-pages look like at home
- So if you're looking at something that looks like a web-page, it's Server-to-Client
HTTP Activity Examples
Client-to-Server request:
[Screenshot: a session of Type HTTP-GET shown as raw data; the legible header names include User-Agent, Referer, Accept-Language and Accept-Charset]
HTTP Activity Examples
Server-to-Client Response:
[Screenshot: an HTTP response rendered as a web page, a news article headlined "Kuwait government 'resigns' over economy"]
HTTP Activity
- XKS HTTP Activity meta-data differs greatly depending on which side of traffic we're collecting
- In nearly all cases it's better to have client-to-server traffic
HTTP Activity Client-to-Server
[Screenshot: a GET request annotated with the meta-data fields extracted from it; the legible labels include Host, URL Path, URL Args, Search Terms, Language, Browser, Referer and Cookie]
HTTP Activity Server-to-Client
[Screenshot: an annotated HTTP response, a news article about the Kuwaiti government's resignation]
HTTP Activity
Meta-data will also tell you which side of traffic you're looking at
Client-to-server has two main types:
Type
Server-to-Client has only one:
Type
HTTP Activity Get VS
A is you requesting data from the server (most web surfing)
A is you sending data to the server (signing in, filling out a form, uploading a file etc.)
SIGDEV
Example: Let's look for all Arabic font Google queries coming out of the tribal areas of Pakistan
Information needed is contained in HTTP Activity meta-data
[Screenshot: query form]
XKS SIGDEV: HTTP
Now make that into a workflow
[Screenshot: workflow results submitted at 2008-11-20 03:55:03 GMT, listing timestamped queries and referers machine-translated from Arabic ("cybertrans from Arabic")]
HTTP Activity
Many targets use Free File Sharing Websites to pass messages.
- Example we may see a message like this:
From: badguy@yahoo.com
To: someotherbadguy@yahoo.com
Hey dude Check out this file:
gojft
Let's use X-KEYSCORE to find who else might have viewed that file
HTTP Activity URL
XKS breaks up URLs into their components:
=terrorism&start=10&ea=N
is the "host", aka everything between the http:// and the first /
/search is the "url path", everything after and before the
is the "url argument", aka everything after the
terrorism is the "search term"
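The URL breakdown and the request/response distinction described in these slides, as an added Python example (not code from the original deck): it reads one plaintext HTTP message, decides the direction from its first line, and splits a request URL into host, URL path, URL arguments and search terms. The sample messages, the `www.example.test` host and the list of search parameter names are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample traffic (not taken from the slides).
SAMPLE_REQUEST = (
    b"GET /search?q=terrorism&start=10 HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 5.1)\r\n"
    b"Accept-Language: en-US\r\n"
    b"Referer: http://www.example.test/\r\n"
    b"Cookie: id=abc123\r\n"
    b"\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>Latest News</body></html>"
)

# Query parameter names assumed to carry search terms (hypothetical list).
SEARCH_PARAMS = ("q", "query", "p")


def split_url(url):
    """Break a URL into the components named on the slide."""
    parts = urlsplit(url)
    args = parse_qs(parts.query, keep_blank_values=True)
    terms = [v for name in SEARCH_PARAMS for v in args.get(name, [])]
    return {
        "host": parts.netloc,      # between "http://" and the first "/"
        "url_path": parts.path,    # after the host, before the "?"
        "url_args": parts.query,   # everything after the "?"
        "search_terms": terms,
    }


def http_metadata(raw):
    """Classify one plaintext HTTP message and extract its visible fields."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    first = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()

    if first[0].startswith("HTTP/"):
        # A status line comes first: server-to-client response.
        return {
            "direction": "server-to-client",
            "type": "response",
            "status": first[1] if len(first) > 1 else "",
            "content_type": headers.get("content-type", ""),
            "body_bytes": len(body),
        }

    # A request line comes first: client-to-server request (GET, POST, ...).
    target = first[1] if len(first) > 1 else "/"
    if "://" not in target:
        target = "http://" + headers.get("host", "") + target
    meta = {"direction": "client-to-server", "type": first[0]}
    meta.update(split_url(target))
    for field in ("user-agent", "accept-language", "referer", "cookie"):
        meta[field] = headers.get(field, "")
    return meta
```

Over HTTPS the request line and headers are encrypted, so of these fields only the host name (through DNS and the TLS SNI extension) stays visible to an on-path observer.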
XKS SIGDEV: HTTP
EX: Targets pass links to Videos, use XKS to discover new targets who have viewed those videos
In HE 00215-09, he promises that the newest video will be ready very soon, and then sends these two links:
[Screenshot: the two links, followed by a query form with Datetime, Start, Stop, Type, Host and URL Path fields]
TO USA, AUS, CAN, GBR, NZL) During his Internet session, 'Atiyah queried on himself, "Shaykh 'Atiyatallah," and on the name "Khalid al-Habib." (3/00/7878-08)
TO USA, AUS, CAN, GBR, NZL) During his session on 16 September, 'Atiyah used a U.S. search engine to search for information on himself and a possible associate. 'Atiyah submitted Arabic queries for an alias of his, "'Atiyahtallah", and his real name, "Jamal Ibrahim Ishtaywi". 'Atiyah also queried for "Revealing View." (COMMENT: This is likely a reference to the book he recently wrote entitled "Lebanese Hezballah and the Palestinian Issue - A Revealing View") 'Atiyah also queried for "'Ali 'Iwad al-Harabi" (no further information). On 17 September, 'Atiyah searched again on the title of his book. (3/00/7151-08)
USA, AUS, CAN, GBR, NZL) During the 1035Z to 1143Z online activity, 'Atiyah down-loaded the application Skype to his private computer. During an earlier online session from approximately 0902Z to 0935Z, either 'Atiyah or his wife, Jamila, also down-loaded Skype onto her private computer. (3/00/10570-07)
USA, AUS, CAN, GBR, NZL) Although much of 'Atiyah's online activity is communication, he is also a "news hound." While located in Sanandaj, 'Atiyah daily visited several online international news sites, such as Qatar-registered al-Jazeera news website, and Arabic language versions of U.S.-based and U.K.-based news organizations. Also, 'Atiyah frequently visits religious sites, such as the Saudi Arabia-registered islamtoday.net. (3/00/21045-07)