Unofficial XKS User Guide

Jul. 1 2015 — 9:52 a.m.

Page 1 from Unofficial XKS User Guide
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20320108

The Unofficial XKEYSCORE User Guide
[author name illegible], Consultant, Booz Allen Hamilton

Contents:
Creating Queries
  Classic Multisearch
  Classic Searches (A-Z)
Creating a Workflow
Searching - Tips and Tricks ... 24
Which Query Is Best for Me? ... 25

Derived From: NSA/CSSM 1-52
Dated: 20070108
Declassify On: 20320108
Page 2 from Unofficial XKS User Guide
Creating Queries

Clicking on Search at the top of the screen will bring up a list of searches in the Navigation Menu:

[Screenshot: XKEYSCORE Navigation Menu, Search tab, showing Classic > Multisearch (IP Addresses, MAC Address, Username), the Classic A-M list (Cellular, Cisco Passwords, Document Metadata, Document Tagging, Email Addresses, Extracted Files, Full Log, Logins and Passwords, ...) and Advanced Features]

The Search screen has cascading menus of different Searches: Classic, Common, Dictionary Hits, File Transfer, Multisearch, Network Management, User Activity, and Wireless.

Classic Queries: Within the Classic Menu there are three folders: MultiSearch, Classic A-M, and Classic N-Z.

Multisearch: Expand the Multisearch folder by clicking on the plus sign:
Page 3 from Unofficial XKS User Guide
Classic Multisearch IP Address:

The Multisearch IP Address query allows you to search on an IP address across seven different searches. Think of it as a federated query using an IP address. The Multisearch IP Address query searches on:

User Activity
Phone Number Extractor
Email Addresses
Extracted Files
HTTP Activity
Full Log
Web Proxy

Refer to some of the individual searches below for more information about specific queries.

Creating a MultiSearch IP Address Query:

When you have filled in your query name, justified it, entered an IP address, and selected your search engines and sites, the last thing is to submit the query. If you select "Merge Results", then all of your individual queries will be merged into one consolidated result.

"Why would I want to merge my results?" If you want to see all of the activity together to get a "big picture" look at the IP address, regardless of the activity or application that is on the IP. The New GUI's results screens allow you to filter your results easily, which may make viewing your results more intuitive. See "Viewing Your Results" in this Guide.

"Why would I want to NOT merge my results?" Viewing the results individually allows you to focus on a particular activity or result (e.g. Documents or email addresses).
Page 4 from Unofficial XKS User Guide
Multisearch MAC Address:

The Multisearch MAC Address query is exactly the same as the IP address query except it only allows you to search on a MAC address. Follow the same instructions as the Multisearch IP Address query above but replace the IP address with your MAC address(es).

[Screenshot: Multiple Search: Mac Address form with Query Name, Justification, Additional Justification, Miranda Number, Datetime, MAC Address (Must Exist), Max Results for a Single DB, the seven search engines (User Activity, Phone Number Extractor, Email Addresses, Extracted Files, HTTP Activity, Full Log, Web Proxy) and Save in / Load from my Favorites. Callouts: "Looks just like the IP Address query" and "You must search on a MAC".]
Page 5 from Unofficial XKS User Guide
Multisearch Username:

As you may have guessed, the Multisearch Username query is exactly the same as the IP Address Query and the MAC Address query except it only allows you to search on a target's Username. Follow the same instructions as the Multisearch IP Address query above but replace the IP address with your Username(s).

[Screenshot: Multiple Search: Username form with Query Name, Justification, Additional Justification, Miranda Number, Datetime, Username, Domain and the search engines (User Activity, Email Addresses, Full Log, Logins and Passwords, ...). Callout: "Type in the username and domain (without the @ symbol)".]

"What is a Username?" A "Username" in XKEYSCORE queries is the portion before the @ symbol in an email address. For example, abujihad@hotmail.com: Username abujihad, Domain hotmail.com.
Page 6 from Unofficial XKS User Guide
Classic Searches (A-Z)

There are 32 different searches between the A-M and N-Z searches. This guide will cover some of the most common searches. You will notice that most of the fields of the searches are the same; what makes each individual query unique is the set of plug-in fields that goes with its query name. For example, the Extracted Files search has fields that are only applicable to file attachments (e.g. file names, file extensions) and the Email Addresses query has fields for email addresses (e.g. username and domains). All of the Classic queries will have common fields like Ports, IP addresses, Countries, SIGADs, and CaseNotations that you can use.

Here are two Classic queries: Email Addresses and Phone Number Extractor.

[Screenshot: Search: Email Addresses form and Search: Phone Number Extractor form side by side. Callouts: "The fields between Datetime and the IP Addresses are the plug-ins unique to each query"; "The Email Address query is catered to querying on email addresses"; "The Phone Number query has phone number fields (Phone Number, Number Type, Country Code, Area)".]
Page 7 from Unofficial XKS User Guide
Email Addresses Query:

One of the most common queries is (you guessed it) an Email Address Query: searching for an email address. To create a query for a specific email address, you have to fill in the name of the query, justify it and set a date range; then you simply fill in the email address(es) you want to search on and submit. That would look something like:

[Screenshot: Search: Email Addresses form with Query Name, Justification, Additional Justification, Miranda Number, Datetime, Email Username and @Domain filled in]

NOTE: You DO NOT have to know an email address to use the Email Address Query. You can also search on an IP address*, domain name*, country, port, casenotation, SIGAD, MAC address, and more. If you search on something other than an email address (e.g. an IP address), your results will be all of the email addresses seen on those IPs.

*The IP must be hosted overseas (foreign countries).
*The Domain MUST be foreign. Check WHOIS for info on the domain.
Page 8 from Unofficial XKS User Guide
Extracted Files Query:

1. To find a specific file (if you already know the file name): For example, if you noticed a file name in your target's email and you never actually got the file attachment. This is VERY common for webmail collection because the attachment is often not put into PINWALE with the email.

[Screenshot: Search: Extracted Files form with Query Name, Justification, Additional Justification, Miranda Number, Datetime, Extracted Filename, Extension, File Type, Is Encrypted (yes/no), Real File Extension]

2. To search for all files or specific file types on a particular area or on a network (e.g. IP address). This is a GREAT query if you have a foreign mail server and want to see what files are collected on that IP address.

[Screenshot: the same Extracted Files form with Extracted Filename left blank, File Type / Extension fields, File on Disk Name, File Created, File Last Accessed, File Last Modified, and IP Address filled in. Callouts: "If you leave the Extracted Filenames field blank, you are wildcarding the search to look for ALL file names"; "The IP Address of the mail server you found using NSLookup in [tool name illegible] or your non-attrib Airgap goes in the IP Address field".]
Page 9 from Unofficial XKS User Guide
Logins and Passwords

1. If you already know the login and/or password.

[Screenshot: Search: Logins and Passwords form with Query Name, Justification, Additional Justification, Datetime, Username, Password, Domain, IP Address From / To]

If you know the logins or passwords, query on them as long as they are unique words and will comply with USSID-18.

"Where would I find passwords to use in this query?" Passwords can be found in TUNINGFORK (FoggyBottom), passed in the content of emails or text messages, or from previous queries.

2. Trying to discover logins and passwords on a network? NOTE: Logins and passwords are valuable tools to enable Tailored Access Operations (TAO).

"What tools would I use to get the network information like a Mail Server, or Name Server?" NS Lookup tools on NSAnet such as [illegible] and Open Source tools such as robtex.com, centralops.net, and network-tools.com ARE a GREAT START. They provide you with IP addresses for domains. You can then query on the foreign-hosted IP addresses.
Page 10 from Unofficial XKS User Guide
[Screenshot: Search: Logins and Passwords form with Query Name, Justification, Additional Justification, Miranda Number, Datetime, Username and Password left blank, and IP Address filled in. Callout: "If you are trying to FIND logins and passwords on a network and you know the IP address for the network, then search on the IP. Your results will be LOGINS and PASSWORDS".]

Phone Number Extractor

The Phone Number Extractor query looks through the content of an email for phone numbers. This is very similar to a PINWALE [query name illegible] query except the traffic that XKEYSCORE finds may be survey (unselected, non-tasked data) and might not be in PINWALE. XKEYSCORE may be your only hope at finding an email address for a target where you only have their phone number as lead information.

1. Already have a phone number? If all you have to start with as lead information is a phone number, you may find it useful to query on that phone number and see if anyone sent an email with that number in the signature line.

[Screenshot: Search: Phone Number Extractor form with Query Name, Justification, Additional Justification, Miranda Number, Datetime, Phone Number, Number Type, Country Code, Area, IP address From / To]
Page 11 from Unofficial XKS User Guide
2. Looking for any phone numbers on a network? (i.e. you know a mail server IP address and could use some telephone numbers to task?)

[Screenshot: Search: Phone Number Extractor form with the Phone Number, Number Type, Country Code and Area fields left blank and the IP Address filled in]
Page 12 from Unofficial XKS User Guide
3. Looking for a phone number without the country code (non-normalized)? It's possible a target will pass their phone number without the country code (e.g. a signature line with "Tel: 5354658"). In that case, XKEYSCORE will not find the number with the country code, so you must create a query that looks for fewer digits but still complies with USSID-18. This is not a [word illegible] solution* but ANDing your query with a country or IP address would certainly be more compliant. See example below:

[Screenshot: two Phone Number Extractor forms. Callouts: "The number you enter here isn't normalized because you expect to see it in traffic without the country code"; "To make this compliant you must AND this with something like a country or IP address"; "This example shows traffic in/out of Pakistan"; "This example shows traffic in/out of a particular network/IP Address".]

*If you ask XKEYSCORE to give you all Pakistani traffic, it's doing an [illegible] lookup on all Pakistani registered IP addresses. Geolocation of IP addresses is not 100% accurate at this time. Unofficial estimates say asking for all of Country X's traffic will find between [figures illegible] of the actual traffic. (That's more than [illegible] though, right?)
Page 13 from Unofficial XKS User Guide
HTTP Parser

The HTTP Parser query looks for web activity (remember, HTTP = web) on a particular link. This query is useful for several reasons: if you know a particular website and want to see if a foreign target visits it (e.g. an extremist web forum URL), or, the other way round, this query enables you to query on a network (IP/s), casenotation, or country and see what websites we don't know about (survey-type query). Here are two examples:

1. If you know the particular website the target visits. For this example, I'm looking for everyone in Sweden who visits a particular extremist web forum.

[Screenshot: Search: HTTP Activity form with Query Name, Justification, Additional Justification, Miranda Number, Datetime (1 Week), Type, Host, Path and Country fields. Callouts: "The website URL (aka 'host') is entered with a wildcard to cover 'www', 'mail' and other hosts"; "To comply with USSID-18 you must AND that with some other information like an IP or country"; "Scroll down to enter a country code (Sweden is 'se')".]
Page 14 from Unofficial XKS User Guide
2. If you don't know the website but you know the network information (IP). For this example, I'm querying on a network block to see all of the websites the target visits.

[Screenshot: Search: HTTP Activity form with Query Name, Justification, Additional Justification, Miranda Number, Datetime, Type, Host, Path, Search Terms, Character Encoding, Referer, IP Address, Either IP Address, From Port and To Port. Callouts: "The website URLs (hosts) are left blank to wildcard these fields"; "To comply with USSID-18 you must AND that with some other information like an IP or country".]

Results from an HTTP Parser query

This shows what the results from a query look like for an HTTP Parser query:

[Screenshot: results table with Datetime, Host, URL Path and Method (get / post / response) columns. Callout: "Example above shows a person was visiting Host: [illegible], URL Path: [illegible]".]
Page 15 from Unofficial XKS User Guide
Document Metadata

The Document Metadata query allows you to search on document authors, organisation, encryption*, and many other things about a document. This is extremely helpful if you have found a file attachment from a target (e.g. brick-and-mortar targets, person, or Organization) and you want to see all of the other files they have sent. With the Document Metadata query you don't have to know the email address of the person sending the document, you just have to know the document's properties.

*Most Microsoft Office versions allow users to encrypt files by clicking Tools > Options > Security and password protecting the files. The Document Metadata query looks for that type of encryption. It doesn't look for PGP or other 3rd party encryption.

"How do I find a document's properties?" The easiest way to see this is to open a MS Office document and click on File > Properties. To find the document properties for a file your target sent, the easiest way is to view the file in Agility and click on Properties.

Finding your target's file properties: If you can view the target's document in Agility, click on the Properties tab to show the target's Organisation and/or Author. If the fields are unique or random enough you can query on the term itself. If the Organisation or Author aren't enough to comply with USSID-18, then you must AND that query with supporting information (IP or Country).
Page 16 from Unofficial XKS User Guide
Displaying MS Word document in Agility:

[Screenshot: Agility properties view of a Word document listing fields such as Author, Company, Last Author, Title, Subject, Creation Date, Last Saved, Line Count, Paragraph Count, Slide Count, Manager and Security Level]

To create a Document Metadata query in XKEYSCORE using this information:

[Screenshot: Search: Document Metadata form with Query Name, Justification, Additional Justification, Miranda Number, Datetime, Document Type, Corrupted?, Filename, Extension, *Subject*, *Creation Time*, *Last Modified Time*, *Unique ID*, *Author*, *Last Author*]
Page 17 from Unofficial XKS User Guide
Viewing of document properties of PDFs in Agility:

[Screenshot: Agility properties view of a PDF document showing Creator, Author and related fields]

To create a query in XKEYSCORE using this information:

[Screenshot: Search: Document Metadata form with Query Name, Justification, Additional Justification, Miranda Number, Datetime (1 Week), Type (pdf), Corrupted, Filename, Extension, *Subject*, *Creation Time*, *Last Modified Time*, *Unique ID*, *Author*]
Page 18 from Unofficial XKS User Guide
Creating a Workflow

Workflows are periodic queries you can set up that run at specified times. They are great for sustained targets because they query the database for you (e.g. every night) and you can easily view the collected traffic without having to create a new query each day. They are also very helpful if you are doing target discovery on a network and haven't seen much traffic yet on a selector. A workflow for an email address can bridge the gap between when you discover the selector (and you task it to UTT/Cadence) and when it actually makes it to the dictionaries.

It's important to understand that a normal (ad hoc) query is submitted when you hit Submit. Workflows, on the other hand, are created then submitted to the XKEYSCORE team for review. The XKEYSCORE team does not review it for USSID-18 compliance (that's up to you); they only review it to ensure your query won't strain the system with too complex a query.

The first step in creating a workflow is to click on Workflow Central:

[Screenshot: XKEYSCORE menu bar with Home, Users, Workflow Central, Search, Results, Statistics, Preferences and Help, and the Navigation Menu below it]

Then click on Request on the left to start the Workflow Request Wizard, and then click Next.
Page 19 from Unofficial XKS User Guide
[Screenshot: Workflow Central Request Wizard welcome screen. Text: "Welcome to the XKEYSCORE Request Wizard. This wizard will guide you through the creation of a Workflow. A Workflow is a standing query that will execute at a specific time or interval. In addition, a workflow can execute follow-on actions once the query has completed. Follow-on actions are [illegible] tasks such as sending email or [illegible] a summary of the results through SQL queries. Upon completion of this wizard the workflow will be submitted for [illegible]."]

Next, select the search type you want to create from the pull-down menu. For this, I'm selecting an Extracted Files query. These queries are essentially the Classic A-M and N-Z queries you have seen in the Classic Search screens. The only difference is an Extracted Files workflow will start looking for extracted files in the future and an ad hoc Extracted Files query will search in existing collection.

[Screenshot: Request Wizard "Please select a Search Type" pull-down listing Call Logs, Cisco Passwords, Document Metadata, Email Addresses, Extracted Files, Full Log, HTTP Activity, Cell Geolocation and others]
Page 20 from Unofficial XKS User Guide
Next, fill in the name of your query ("AfghanFiles"), the auditor-compliant justification, and how often you want the query to run. I [suggest] offsetting the time from the default of midnight (2400) by a few hours (before or after). For this, I'm selecting 0400. Then hit NEXT.

[Screenshot: Request Wizard Basic Settings form with Query Name, Justification, the run interval (every 24 hours) and start time, and Next]

In the Add Search Fields window, you will select the search criteria that you want to search on. In this example, I'm looking for specific file attachments (DOC or PDF or XLS or PPT) on a specific Afghanistan IP address. You must hit the green + to enter the search criteria.
Page 21 from Unofficial XKS User Guide
[Screenshot: Workflow Central Request Wizard > Add Search Fields, with a table of Search Field / Search Value / Remove rows: Extension "doc or pdf or xls or ppt", From IP Address, To IP Address, Datetime; below it a Single Field Search / Multiple Field Search chooser with Search Field and Search Value entries]

Click Next.

Single Field Search allows searches in one field (e.g. File Extensions). Multiple Field Search allows you to search on several fields (e.g. To IP AND From IP).

[Screenshot: Add Search Fields dialog listing Extension, From IP Address OR To IP Address, From Port and To Port, with Single Field Search / Multiple Field Search options]

Next, you will select the sites where you want your query to run. Scroll down in this window to use the "Select All" or "Uncheck All" buttons.

NOTE: If your selector is [illegible], you must DESELECT sites that are 2nd/3rd party.
Page 22 from Unofficial XKS User Guide
[Screenshot: Request Wizard site selection list (e.g. TIMBERLINE) with Check All / Uncheck All buttons and Next]

Follow-on Actions tell XKEYSCORE to do things after it runs your query. For example, it can email you with the results, or it can send them to Agility, or any combination of the two. For this example, I want XKEYSCORE to email me telling me I have results and I want it to download my results to Agility. Make sure you select Send to Agility if you want the same.

[Screenshot: Request Wizard > Follow-on Actions: "Would you like to add any follow-on actions?" with Send Email, Send to Agility, Return Only Results and Filename options, and the green Add symbol]

Click the Green Add symbol, and then click Next when finished. On the next screen, enter any comments you wish (optional) and click Next.
Page 23 from Unofficial XKS User Guide
Lastly, click SUBMIT. Your query isn't active yet. The XKEYSCORE team will review it and you will have to check back later and turn the query ON or OFF as you wish.

[Screenshot: Workflow Central list of submitted workflows with Name, Owner and Last Modified columns]
Page 24 from Unofficial XKS User Guide
Searching - Tips and Tricks

The Frequently Asked Questions page is located here: [URL illegible]

Here are some other tips that may be useful:

1. Underscores in usernames: If your selector has an underscore in it, you must escape the underscore with a backslash. For example: abu_jihad would be searched as abu\_jihad. If you leave the underscore in the query without the backslash, you are wildcarding a single character (see below).

To search on: abu_jihad
Bad query: Abu_jihad
Good query: Abu\_jihad

If you search on "abu_jihad" (without the backslash), you could bring back "abu1jihad", "abuTjihad", "abu?jihad", etc. because you are wildcarding that character and therefore you would be pulling on an entirely different selector.

2. To search on a range of IP addresses:
IP Address Range: use this query (entered in the IP Address field as To, From, or Either): [range illegible] OR [range illegible] OR [range illegible]

3. Boolean Search Descriptions (Wildcards, ANDs, ORs, etc):

OPERATOR    DESCRIPTION                                                USAGE
!           Not Equal Comparison                                       beginning of word (i.e. !joe and !sam)
or / OR     Search for multiple values                                 between words (i.e. osama or laden)
and / AND   Logical AND (search for a combination of value matches);   between words (i.e. *osama* and *laden*)
            AND takes precedence over ORs
*           Multiple Character Wildcard                                anywhere in word (i.e. *osam*bin*laden*)
_           Single Character Wildcard                                  anywhere in word (i.e. _sam_bin_laden)
>           Greater Than Comparison                                    beginning of word (i.e. [illegible])
<           Less Than Comparison                                       beginning of word (i.e. [illegible])
regex:      REGEX Expression                                           i.e. to retrieve only numbers: regex:[0-9]*
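Tips 1 and 3 above can be checked with a small matcher. This is an added example written for this edit, not XKEYSCORE's own code; it assumes the operator semantics as the table states them, case-insensitive matching against the whole value, and a "regex:" term taken as a raw Python pattern, and it leaves out the ">" and "<" comparisons.

```python
import re

# Added example (not XKEYSCORE code): a matcher for the selector syntax in the
# Tips and Tricks table, so the underscore pitfall and the AND-over-OR
# precedence can be seen on constructed data.
# Assumption: matching is case-insensitive and a term must match the whole value.


def selector_to_regex(selector: str) -> str:
    """Translate one selector term into an anchored regular expression.

    '*'  -> any run of characters (multiple character wildcard)
    '_'  -> exactly one character (single character wildcard)
    '\\_' -> a literal underscore (the escape the guide recommends)
    Any other character is matched literally.
    """
    parts = []
    i = 0
    while i < len(selector):
        ch = selector[i]
        if ch == "\\" and i + 1 < len(selector):
            # a backslash escapes the next character, e.g. '\_' -> literal '_'
            parts.append(re.escape(selector[i + 1]))
            i += 2
            continue
        if ch == "*":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
        i += 1
    return "^" + "".join(parts) + "$"


def term_matches(term: str, value: str) -> bool:
    """Match a single term: a leading '!' negates it, 'regex:' takes a raw pattern."""
    if term.startswith("!"):
        return not term_matches(term[1:], value)
    if term.startswith("regex:"):
        return re.fullmatch(term[len("regex:"):], value) is not None
    return re.match(selector_to_regex(term), value, re.IGNORECASE) is not None


def evaluate(expression: str, value: str) -> bool:
    """Evaluate 'a and b or c': AND binds tighter than OR, as the table says.

    The expression is split on ' or ' first (lowest precedence), then each
    group on ' and '; a regex term containing those words is not supported.
    """
    for or_group in re.split(r"\s+or\s+", expression.strip(), flags=re.IGNORECASE):
        and_terms = re.split(r"\s+and\s+", or_group, flags=re.IGNORECASE)
        if all(term_matches(t, value) for t in and_terms):
            return True
    return False


def hits(expression: str, values):
    """Return the values (in input order) that the expression would pull back."""
    return [v for v in values if evaluate(expression, v)]


# Constructed sample usernames: the selector from the guide plus look-alikes
# that differ only at the underscore position or in length.
SAMPLE_USERNAMES = ["abu_jihad", "abuTjihad", "abu1jihad", "abujihad", "abu_jihad2"]

if __name__ == "__main__":
    print(hits("abu_jihad", SAMPLE_USERNAMES))     # unescaped '_' wildcards one char
    print(hits(r"abu\_jihad", SAMPLE_USERNAMES))   # escaped: only the real selector
    print(hits("!abu_jihad and abu*", SAMPLE_USERNAMES))
```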
Page 25 from Unofficial XKS User Guide
Which Query is best for me?

Quite often the most difficult part of using XKEYSCORE is deciding which query to use at which time. Here's a rough guide to help you decide.

Do you have an IP Address and want to learn more about that network?

[Flowchart: "Which XKEYSCORE Query is Best for Me?" Starting from an IP address for a Mail/Web Server (e.g. from a NS lookup), the chart maps what you need to know (e.g. the logins and passwords for the server for TAO; the files (docs, xls, ppt) or attachments; the sites or forums used on the network) to the Classic query to use (e.g. Logins and Passwords, Extracted Files), each searched on the IP address; the remaining branches are illegible.]
Page 26 from Unofficial XKS User Guide
Do you have an Email Address or Foreign Domain and want to learn more about it?

[Flowchart: "Which XKEYSCORE Query is Best for Me?" Starting from an Email Address or Domain (foreign), whether you need to know which sites collect it, whether we are collecting the target, or the user or domain: use the EMAIL ADDRESS query and search on the email (in username) and domain (in domain).]
Page 27 from Unofficial XKS User Guide
Do you have a phone number for your target and want to learn their email address?

[Flowchart: "Which XKEYSCORE Query is Best for Me?" Starting from a Phone Number and needing the target's email address: use the PHONE NUMBER EXTRACTOR query and search on the PHONE NUMBER(S).]