SOCIAL ANTHROPOID Briefing

Sep. 25 2015 — 9:35a.m.

SOCIAL ANTHROPOID SECRET STRAP1

SCALING: HUGE VOLUMES OF EVENTS, EXISTING SYSTEMS ARE BREAKING. CONVERGENCE. DESIGN. BUT STILL NEED: ENRICH, VISUALISE, MERGE WITH NSA DATA SOURCES. SECRET STRAP1

GCHQ QUERY SCREEN

[Screenshot: query input form, "VERSION 2.04", with search types Selector, Selector Pair and Locator. Legible on-screen text: "You have 1 saved queries. Saved query functionality has been temporarily disabled."; queries are automatically submitted to all instances of the listed systems (names illegible); for bulk queries, enter multiple selectors (one per line); if "allow wildcards" is ticked, a wildcard character is treated as a multi-character wildcard; by default, results are returned in which the input selector appears in either of two columns (names illegible), and a tick box restricts results to those in which the selector appears only as the active user; the system automatically retrieves records containing the normalised versions of the input. Form fields include Miranda, JIC Priority, Purpose, Justification, relative date, an optional search period, and "Filter results by matched selectors prior to display". Legible callouts: QUERY BY USE; START AND END, RELATIVE DATES. The rest of the screen text is illegible.]

SECOND STAGE QUERY SCREEN

[Screenshot: SOCIAL ANTHROPOID second-stage query screen. The on-screen text reports how many events the input terms matched over a date range (figures illegible), says the user may restrict the selectors matching the input terms by selecting from the values listed before going to the query results, and notes that highlighted selectors are normalised versions of the original query seeds. The listed values are selectors at gmail.com, hotmail.com and live.se, each with a role (email_address, Unknown, Sender) and a count. Controls: Select all, De-select all, Continue, "Filter results by matched selectors prior to display". Callout: OPTIONAL.] SECRET STRAP1

RESULTS

[Screenshot: selector search results page in Mozilla Firefox, marked TOP SECRET STRAP2 CHORDAL. Result columns give each user's type, value, role and name. The first result is a telephony event dated 30-Nov-2010 with 5 selectors, Action: voice, Action type: call, listing voice call imsi selectors. A "Filter criteria" panel offers event type filtering by technology type (telephony event) and by action (cancel_location, location_message, sms_submit, update_location, unknown call, voice call), plus Bearer filtering, Temporal filtering, TDI filtering and Participant count filtering. Page 1 of 4, with Display Summary and Export controls. Legible callouts: WILL BE BETTER WITH [illegible]; HEADER CONTAINS KEY INFO.]

RESULTS MORE METADATA

[Screenshot: selector search results page in Mozilla Firefox, marked TOP SECRET STRAP2 CHORDAL, with one telephony event (30-Nov-2010, 5 selectors, Action: voice, Action type: call) expanded. The expanded view lists the voice call's imsi and tel_number selectors with roles such as caller and Called-MSRN, followed by Locators, Source Point-Code, Bearer, SigAd, Source: BLACK HOLE, filename, Key, Plugin (v2) and an "Additional meta-data" string of raw call fields. The "Filter criteria" panel lists the actions cancel_location, insrt_subscriber, location_message, sms_deliver, sms_submit, snd_routing_info, subscriber_info, unknown call, update_location and voice call, plus Bearer, Temporal, TDI and Participant count filtering. Page 1 of 4, with Change Sort Order, Display Summary and Export controls. Footer: "This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation." Partly legible callouts: "... DISPLAY THE ... INFO IN QFD SPEAK"; "... THE METADATA".]

FILTERS, SUMMARISATION AND SEARCHES

[Screenshot: SOCIAL ANTHROPOID results page listing telephony events, each with 1 selector and an imsi as active user. Visible actions are "unknown" (Action type: call) and "update_location" (Action type: network), with Locators given as source and destination point codes. Dates and durations are not reliably legible. Page 1 of 59, with Change Sort Order, Display Summary and CSV Export controls. The "Filter criteria" panel shows Participant count filtering ("Show only events in which the participant count is greater than ...") alongside Bearer, Temporal and TDI filtering. Callout: SUMMARY OF TARGET BEHAVIOUR.] SECRET STRAP1

GCHQ REDIRECTED CALLS

[Screenshot: "SOCIAL ANTHROPOID: Selector search" results page in Mozilla Firefox, marked TOP SECRET STRAP2 UK CHORDAL. The results are telephony events dated 28-Oct-2010, each with 2 selectors, with durations of 00:00:00 and 00:00:13. The expanded event shows Source: BLACK HOLE, a filename that includes SALAMANCA, a Plugin version, and additional meta-data fields including ADDITIONAL NUMBER 1, CALL ANSWERED STATE, CALL DIRECTION MT, CALL END STATE, CIRCUIT_ID_CODE and TIMESLOT. One event carries an indicator reading "Diverted". The "Filter criteria" panel lists technology types and actions with event counts (not reliably legible), plus Temporal and TDI filtering. The result set runs to 160 pages. The footer FOIA exemption notice and the slide callouts are largely illegible.]

LEAKY GATEWAYS

[Screenshot: selector search results page in Mozilla Firefox, marked TOP SECRET STRAP2. The expanded event has an active user identified by both a UserId and a MachineId, Action: send, Action type: message, with the From fields shown as Unknown. Its details show Bearer, SigAd, Source: BLACK HOLE, filename, Key, Plugin (v4), a User agent string beginning SAMSUNG-GT-, and additional meta-data including Action SendEmail, Actor-Context, Protocol, stream source and destination ports, and "Via info" naming a Huawei Technologies gateway. Further results are events tagged (yahoo) dated 24-Oct-2010 06:10:16, each with 5 selectors. Page 1 of 1, with Change Sort Order, Display Summary and CSV Export controls. Footer: "This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation." Callouts: HARD ASSOCIATION; MORE USEFUL INFO.]

SOCIAL ANTHROPOID

[Screenshot: SOCIAL ANTHROPOID results page. The results are events dated 19-Nov-2010, each with 3 selectors, including webmail events with Action: save, Action type: message. The expanded event shows Bearer, Source: BLACK HOLE, Key, Plugin (v4) and additional meta-data including Action SaveDraftEmail, Actor-Context, EventState COMPLETE, Protocol, and stream source and destination ports. Page 1 of 1, with Change Sort Order, Display Summary and Export controls. The "Filter criteria" panel offers event type filtering by technology type (SOCIAL ANIMAL, chat, pop3, webmail and one illegible entry) and by action (accept friend, alias user, chat message, download message, list friend, login user, logout user, observe friend, photo message, remove friend, request friend, save message, send message, view folder, view message and two partly illegible "message" entries), each with an event count, plus Bearer, Temporal, TDI and Participant count filtering. Callouts: FULL RANGE OF TRAFFIC TYPES; CONTEXT RICH ACTION TYPES.] SECRET STRAP1

FEATURES ARE WE GETTING SCALE GEO INCLUDING NEW FILTERING SELECTOR PAIRS QUERY BROAD OAK ENRICHMENT LOCATOR QUERY EMAIL DOMAIN QUERY TDS DISPLAYNAMES SECRET STRAP1

GCHQ GEO INC. FILTERING

[Screenshot: results page listing SOCIAL ANIMAL events tagged [Yahoo], each a chat message with 2 selectors, dated between 16 Dec 2010 and Jan 2011. The active user is geolocated to PESHAWAR, PAKISTAN, and the selectors are Yahoo-uname values with role Unknown. The "Filter criteria" panel includes Event type filtering, Bearer filtering and Geo filtering, the last reading "only events geo-located to the following countries" with the choices Kazakhstan [1 events], Pakistan (39 events), United States [4 events] and Unknown (count illegible), and Select all / De-select all controls.] SECRET STRAP1

[Screenshot: query form with the search types Selector Pair and Email domain visible. Legible fields: Purpose (value illegible); Justification: preparing slides for training; Search period (optional); a "Filter results ... prior to ..." option; Save Query; Submit.] SECRET STRAP1

GCHQ EMAIL DOMAIN QUERY

[Screenshot: SOCIAL ANTHROPOID query screen, labelled BETA. Legible text: "Your input terms matched 14 events" over a range running from a date in Jan 2011 (09:12:53) to a date in Feb 2011 (15:42:20 GMT); "You may restrict the selectors matching your input terms by selecting from the values below, prior to proceeding to your query results. Any highlighted selectors are normalised versions of your original query seeds." The listed values are selectors at brandon.com.ua with the roles Unknown, AccountOwner and email_address, each with an occurrence count. Controls: Select all, De-select all, Continue. The underlying form shows a search period, JIC Priority, Purpose, HRA Justification, "Filter results by matched selectors prior to display", "Query active users only", Target Enrichment, Save Query and Submit Query.] SECRET STRAP1

LOCATOR QUERY

[Screenshot: query form with search types Selector, Selector Pair, Locator and Email domain; "Locator search" is selected. Legible on-screen text follows.]

Saved queries: You have 1 saved queries.

Queries will be automatically submitted to all instances of SOCIAL [illegible] but NOT to SOCIAL ANIMAL.

For bulk queries, enter multiple locators (one per line).

If allow wildcards is ticked, [illegible] is treated as a multi-character wildcard. Unlike other [illegible], [illegible] and [illegible] have no special meaning (to query for a literal [illegible] sign, uncheck 'allow wildcards' rather than 'escaping' the wildcard).

By default, results will be returned in which your input locator appears in either the Source or Other locator column. Use the checkboxes below to change which of the source, other and destination columns you query.

Selecting "Search all types" will return all matches regardless of the locator type. When "Search all types" is false, you must select at least one type. Locators have to match one of these types to be returned. You can only pick the types that are available for the database columns (source, destination and/or other) you have selected.

Form fields: Locators; Types to query (visible entries: Cell-Global-Identifier, Dest-IP-Address, FlightNumber); Miranda; Priority; Purpose; HRA Justification: testing; Search period (optional); Allow wildcards; Query for source locators; Query for other source locators; Query for destination locators; Search all types; Save Query; Submit Query; Target Enrichment.

[Screenshot: "Display Name Summary" view, reached from the Display Summary / Display Names / Export controls. Legible text: "Display Name summary. Summary of all selectors with display names within this result set." The entries pair a selector (mostly hotmail.com addresses, with roles such as Unknown and AccountOwner) with a display name and an occurrence count; the individual values are not reliably legible. Legible callout: TDS GENERATION. A second callout beginning "WORK ON A" is cut off.] SECRET STRAP1

VISUALISATIONS

[Screenshot: a "Data Fusion" analysis page titled "Analysis - Communications between identifiers". A table with the columns Date Time, Data Source and Type lists events from 01-Sep-2010 between 20:39:20 and 20:39:42, with SOCIAL ANTHROPOID as the data source and "Email address" as the identifier type, for addresses at hotmail.com and live.se. An accompanying conversation view shows "Send instant message" events with timestamps on 2010-09-01. The remaining text is illegible.] SECRET STRAP1

CONTACTS Senior Users: Business Change: SECRET STRAP1

Questions? SECRET STRAP1
