Documents

XKS Intro

Jul. 1 2015 — 1:52p.m.

/30
1/30

TDP SECRETIICDMINTIIRELTD ALIS, CAN, GER, HZL r" 25 Feb 2008 [email protected] 4 .1-52v DATED: momma" DERIVED TU LISA, AUE, CAN, GER, NIL GIN: 2?3201?? i

iVVhat l. 5. TOP SECRETHCOMINTHREL TO USE, AUS, Clem @3330 is XKEYSCREI DNI Exploitation System/Analytic Framework Performs strong email) and soft (content) selection Provides real-time target activity (tipping) ?Rolling Buffer" of N3 days of ALL unfiltered data seen by XKEYSCORE: I Stores full-take data at the collection site indexed by meta-data I Provides a series of viewers for common data types Federated Query system one query scans all sites - Performing full?take allows to find targets that were previously unknown by mining the meta-data TOP SECRETHCOMINTHREL To USA, Aus, CAN, GER, NZL

TOP SECRETHCOMINTHRELTU USi?i, AUS, Ci?iN, GER, Methodology - Small, focused team - Work closely with the - Evolutionary development cycle (deploy early, deploy often) - React to mission requirements - Support staff integrated with developers Sometimes a delicate balance of mission and research TOP SECRETHCOMINTHREL To USA, sus, CAN, GER, NZL

TOP SECRETHCOMINTHRELTD USE, AUS, CEN, GER, System Details - Massive distributed Linux cluster - Over 500 servers distributed around the world 0 System can scale linearly simply add a new server to the Cluster - Federated Query Mechanism TOP SECRETHCOMINTHREL TO LISA, Aus, CAN, GER, NZL

TOP SECRETHCOMINTHRELTD AUS, GER, NZIL uery Hiera lg User Queries XKEYSCORE web Server F6 HQS F6 Site 1 QUEW F6 Site 2 Query Query FORNSAT site TOP SECRETHCOMINTHREL TO LISA, ALIS, CAN, GER, NZL 880 site

TOP SECRETHCOMINTHREL TO USE, a Where is X-KEYSCR Approximately 150 sites Over 700 servers TOP SECRETHCOMINTHREL TO USA ALIS CAN GER NZL

TDP SECRETIICDMINTIIRELTH ALIS, CAN, GERFz?53; I .. XKEYSC - .0 If.

TOP SECRETHCOMINTHRELTD AUS, GER, NZL General Capabilit Processing Speed XKEYSCO RE TOP SECRETHCOMINTHREL TO LISA, ALIS, CAN, GER, NZL

TOP SECRETHCOMINTHRELTD USi?i, AUS, Ci?iN, GER, NZIL Why do shallow - Can look at more data - XKEYSCORE can also be configured to go shallow if the data rate is too high TOP SECRETHCOMINTHREL To LISA, ALIS, CAN, GER, NZL

. 1' TOP SECRETHCOMINTHREL TO USE, AUS, CEN, GBIR, . Why go deep - Strong Selection itself give us only a very limited capability A large amount of time spent on the web is performing actions that are anonymous - We can use this traffic to detect anomalies which can lead us to intelligence by itself, or strong selectors for traditional tasking TOP SECRETHCOMINTHREL To LISA, AUS, CAN, GER, NZL

TOP SECRETHCOMINTHRELTD AUS, GER, NZL -1 KS does with the Plug-ins extract and index metadata into tables [sessiens] a. [presessing engine] (database}H (user queries) [r phnne numbers Database metadata email addresses tables 3* leg-iris TOP SECRETHCOMINTHREL TO LISA, ALIS, CAN, GER, NZL

I I ll it ?3 1'3: P: no: mo mTo as immanuaee Iwil?l?l?IOIU ?3g '03 I i - n. Plug-in DESCRIPTION E-mail Addresses Indexes every E-mail address seen in a session by both username and domain Extracted Files Indexes every file seen in a session by both filename and extension Full Log Indexes every DNI session collected. Data is indexed by the standard N?tupple (IP, Port, Casenotation etc.) Parser Indexes the client-side traffic (examples to follow) Phone Number Indexes every phone number seen in a session address book entries or signature block) User Activity Indexes the Webmail and Chat activity to include username, buddylist, machine specific cookies etc. TOP SECRETHCOMINTHREL To LISA, aus. CAN, GER, NZL

. 1' TOP SECRETHCOMINTHREL TO USE, AUS, CEN, GBIR, Can Be Sto red?fii?'. ?What - Anything you wish to extract - Choose your metadata - Customizable storage times - Ex: Parser locep 1mage'g1 1mage-x?x-1 map, image/jpeg, imagefpjpeg, appiication/vnd.ms- a-aiication-maword a-uiication-x-5hockwave-fiash, tit 'e erer: oo e.com. . . No username/strong selector u: I (compatibie; MSIE 6.0; NT 5.1) . V1a: 1.0 proxy X-Forwarded-For: l- 5! Id- u= a:-I 1: U: I :3080 Connection: keep-aiive TOP SECRETHCOMINTHREL To LISA, ALIS, CAN, GER, NZL

- . . - I. I ar - TDP SECRETIICDMINTIIRELTD ALIS, CAN, GERXKEYSC RE I t. \If - .. ?01- r'

TOP SECRETHCOMINTHREL TO USE, AUS, CEN, GER, II . Finding Ta I?gets it? - How do I find a strong-selector for a known target? a How do I find a cell of terrorists that has no connection to known strong-selectors? - Answer: Look for anomalous events I E.g. Someone whose language is out of place for the region they are in i Someone who is using - Someone searching the web for suspicious stuff TOP SECRETHCOMINTHREL To USA, nus, CAN, GER, NZL

TOP SECRETHCOMINTHRELTD USi?i, AUS, GER, NZIL [In [at gin-u r: [rm ?n'nn Hg ln-lel- ? 1n ?lilj ?Lac.? ole?n.? 5-H ngsJ'eiu'u haw-d me all 1? documents 0 Show me all . will: ?1:53 G: ?lter-bail Ha'oad' - 53% . g4 5:1? JEHJIQQIES and him: gigg?alwia ogol? tau-Li - Jliold' 39333.9 In; E?ldi?n?aa?j-?l?iafdg?lqadl ale-sales 354.51 mam 7- - 5 go? rim-'9 all-El" age-r.? de?ls?lud?gdl - Can perform mgmemm. . H'L'Sfill gin-ri?ed EH E?a?l f?lj??ja?f??j?ilg Irina-.iml- ?rn I from site as required 1 TOP SECRETHCOMINTHREL To LISA, ALIS, CAN, GER, NZL

.J TOP SECRETHCOMINTHREL TO USE, 'Technolo DetectijG - Show me all the VPN startups in country X, and give me the data so I can and discover the users 0 These events are easily browsable in XKEYSCORE - No strong-selector I XKEYSCORE extracts and stores authoring information for many major document types can perform a retrospective survey to trace the document origin since metadata is typically kept for up to 30 days I No other system performs this on raw unselected bulk traffic, data volumes prohibit forwarding TOP SECRETHCOMINTHREL To USA, AUS, CAN, GER, NZL

TOP SECRETHCOMINTHREL To USA, ALIs, lean, Persona Session tr: - Traditionally triggered by a strong-selector event, but it doesn?t have to be this way 0 Reverse PSC from anomalous event back to a strong selector. You cannot perform this kind of analysis when the data has ?rst been strong selected. - Tie in with Marina allow PSC collection after the event TOP SECRETHCOMINTHREL TO LISA, ALIS, CAN, GER, NZL

TOP SECRETHCOMINTHREL TO USE, AUS, CEN, GER, Lan - ua Trackin - l5. - My target speaks German but is in Pakistan how can I find him? - Activity plugin extracts and stores all HTML language tags which can then be searched - Not possible in any other system but XKEYSCORE, nor could it be I volumes are too great to forward - No strong?selector TOP SECRETHCOMINTHREL To USA, nus, CAN, GER, NZL

TOP SECRETHCOMIN target uses locations can I 5 determine his en?; web-searches suspicious? . XKEYSCORE extr? i .. including all web-based searches which can be retrospectively queried No strong-selector - Data volume too high to forward TOP SECRETHCOMINTHREL To LISA, ALIS, CAN, GER, NZL

TOP SECRETHCOMINTHRELTU USi?i, AUS, C?l?l, GER, Docume ?le Erli mew 1rs=ri Farmer F: Elzl'E' J3 ll has nurw anc' 1 lPatEii'l Eenerell Destriptien I User De?ned I Internet I Statistics I Type: LDEEUDH: Size: Created: MediFied: Digitally.? signe Last printed: Tetal editing Flevisien numl .33pr use: Template: are? *s??lE -1 {?e-3191i a: ?43: .esale M5 Werd IIEenereI I User Defined I Internet I Statistics I [itle a L. ?ubjett I Eeywerds I Eemments I I Cancel ?elp ?eset ?new ee'e?l a we? e?e'w' :Ie?aul: lime. l:rise' Imp QHJIJE lid .e?i?r?l wu?eed F-r aid-Ed aag?'l tar-Wail gJ?Ji-Jl f?rjl sat-?g E?j?dl E- TOP SECRETHCOMINTHREL TO LISA, ALIS, can, see, NZL

TOP SECRETHCOMINTHRELTD AUS, GERIllL. . $1311: {Ell ?lial ,l II ?ldidtautlmr-Ia' -- _d . ilangmage??rabici?a a: $11135 IE I .I: I Natal i]L the blocks in 3: Type- Submit w'jad-maLL I: . .1.ij Ed; {nguag? :s?J'abici, First Ham-E 1? Middle Ham-e 2rd Middle Mad?I ?3 - imataltemb ciPI-Dma I _1 {Pm I: E: aging?" - I Fly-411 'T'r-i'hnl Name L'Iljt??f'? H?f{hill Einh Date Cityu'?aumry nfEijIm. Nminndlity' Race Reiligi?n ?I'm dbl?Ltd H5 4?3th mild gm? m?l Tron Mam-m? a ?nding; "'I'Ta'diLm Iraq-kut-?nr Iran Aral: IE-Iusllm 0 3 i Gander m?hmema'le} Marita] Status Number Cd" childran Ml Iii??h.? 1151; grid}. malt: slug-IE nun {113.5115- 5 . h' hh'II". :3 TOP SECRETHCOMINTHREL TO LISA, ALIS, CAN, GER, NZL

"ididrEi'? ElErEllhE i i Ella Edt 13H [n-Jar: Ital: [gate '?rdm Hap Clam?: Juwu?j 5:?ch EL HE frEfIJ-qulunirutimw. Inc. KEEN {Tm-Equ Um: amt-n! Silu ij? HurrIH-?Eily: - 1m: Jeigutrlginual?l HurrIH: I-uncti-zun PUL gig-4'3 Lquipmant Shippmant Data: ?443:: lulu-1: lull-?ll?- lay-?u Dnllunmd Flam: tug: lam-I31: l?ft?c Elli: F'm-Cummlaslunnd Dam: fut! lit-[M41 l:Lll-I: EF .ij h.'i uml; Sill: Dulu: ?ll ?l-l?rllilf F'Llwul Ships Usud; 4 Ed 'IJf-Ji?lu i143 MHLHIE ui 333 Meter: Cunl'dirlul Harding Cilia ill-=13 - Show E?ll'lEu?rll! maar?hmm?Dmm ?'37-th CO WI i?l'll'l?i Hetl'l'lntlem: - Him: Ural-14:5- I ?l'l?l Firm-ml" Switch II LII PUIlEfl?ahua*ijrassembly - I-LI 'Ill'uip MN: Mdluni r?udul Hurrlhul F3 ES FH ?nu?mm?m Furnlahm?l Fqulpm? n'r Hnrd?r?uald ?nrlal Hurnhr. r_ I'I'lnriFel I .-.T Luigi- l??wdmh .3 JiuhIlLl LIEII lype 3 5E rial Number ILi'jr-nilur Serial I 0 .11 Jae lj?wniu-d Layman: rig: I 1: aiming; cumin jaw-."aLUSIIJmErHccuptf i MulwiTOP SECRETHCOMINTHREL TO LISA, ALIS, CAN, GER, NZL

. 1' TOP SECRETHCOMINTHREL TO USE, AUS, CEN, GBIR, . TA - Show me all the exploitable machines in country - Fingerprints from TAO are loaded into application/fingerprintID engine - Data is tagged and databased - No strong?selector - Complex boolean tasking and regular expressions required TOP SECRETHCOMINTHREL To USA, AUS, CAN, GER, NZL

TDP SECRETIICDMINTIIRELTD ALIS, CAN, GERivIf.

TDP SECRETIICDMINTIIRELTH ALIS, CAN, GER, NZL . I intelligence generate from XKEYSCORE .r I 0" I '1 1 mqt? moqu [Finn TU LISA, Aus, CAM, GER, NZL

moE'c- WHEEL no Iml mm um ?cm 1m mm?; u; In '01 "3?10. 1: in? .o DI l-r' "?5?Ill [in minim-Imqu Customer: CounterTerrorism (CT) I Provides near real?time tips to TRAFFICTHIEF server in operations in coordination with coalition forces in Iraq 24 hours a day - Currently producing hundreds of confirmed alerts per day on over 3000 user accounts Afternoon of- 2004 coalition detained individuals below: TOP SECRETHCOMINTHREL To use, nus, CAN, GER, NZL

lellull(ED321st miles Tssn1 (353211] 21' Jl. 1' Fruit-mulb- in 311 .111 Hm 3.: "'rbif'hu' Inf-l:II ??il?n'i J: 3' TEEN-IE :1 FEW-3113133 113.1111 2-3 [11 L: 1.1111?; uzu In [he IN MI: 21' but F-s cuss 9:11.11 'Juul L'i as mes-.112- l' a1: we Ills,- 1r 'sre'i" 3: err-rel. {villi-i? 1eu.? L1: s' ea I1an1-1 1.1:I'i= r's. 1-1-1= 1111111 111.:- r.1l- anfe 1nIJ=.i=. MT 1r.- Tr. 11111. rr. '1nrr.'. r.r I'l' 1-r ?1235: Fial'r'lili?l Hell-3 13" ?31'1l?? i: 311] I can. 'Ilrcr-?n In r113:- nr; fer-?The pen-3.11.1? 51.1 1.111 .11: -.1 nr_1 11:: In 1121. ?Jar r: rlul u- serve-"J large. E'Ilj'l'r'lfl'f 'quldli'J' Ens-.5152- ui 5. ?1 - i-?eh?su est-.1 cf till I. drum IIF 1 1.1 11-11 :11 r. i .'Il.i FE -I--1-r-Er 3-1'3 T's hm Fi??star?. r1 1r.'J 31-1-1 II were I EH 11-21-21 [1-3 HEEBI cll'J Ihc i: use- 3. '.ill i-?eh?szu Han-11.11: dl 1 Jl's ul s'n sI1-1 n1 r. s: "m hear 21' 'I's ?1311'.? - r. 11rl.1'. TOP TOP SECRETHCOMINTHREL TO USE, a NEIL s; - I l-JI{"311le I I: in clues I F. blc-g May 2006, Wealth Cluster2 and X-KEYSCORE Installed sh -Ec1nnectec te Meenshine precessing ef wireless cellectien IEnahlecl near-reaI-time tipping IEnahlecl full-take SIGDEU Un-lecatahle caf?s were geelecated: melamine" -Feur Either Cafes Being Develeped Acquired impertant targets: rHSAIGeergi-s Tips 1With Precise Lecetiens Teels In New- - Reacquired -Lest 1When Zarkenet Went Dewn Terrerists were captured: memhm uf the? -Men1hers ef the? fofREL TO USA, ALIS, CAN, GER, NZL

TOP SECRETHCOMINTHRELTD USE, AUS, CEN, GER, 'Innovann j; - High Speed Selection 0 Toolbar - Integration with Marina - GPRS, WLAN integration - SSO CRDB - Workflows - Multi-Ievel Dictionaries TOP SECRETHCOMINTHREL To LISA, ALIS, CAN, GER, NZL

TOP SECRETHCOMINTHRELTD USi?i, AUS, GER, NZIL I Future - High speeds yet again (algorithmic and Cell Processor - Better presentation I Entity Extraction 0 - More networking protocols - Additional metadata - Expand on googIe-earth capability - EXIF tags I Integration of all CES-AppProcs - Easier to install/maintain/upgrade TOP SECRETHCOMINTHREL To LISA, ALIS, CAN, GER, NZL

Fetching more

Filters SVG