XKS Search Forms
Jul. 1 2015 — 9:52 a.m.

XKS Search Forms
March 2009
COMINT//REL TO USA, AUS, CAN, GER, NZL    DECLASSIFY ON: 20320103
Standard search fields
Wildcards
- multi-character wildcard - matches any number of characters anywhere in a word
- single-character wildcard - matches exactly one character anywhere in a word
- Some fields are auto-wildcarded - the field name will have a wildcard before and/or after it
Operators
- Boolean AND / NOT within the same field (e.g. NOT joe)
- Comparison operators (e.g. against a numeric value such as 300080)
- regex: - regular expression
- Enter a wildcard alone to require a field to be non-empty

Special (full-text) field
- Google-like syntax - just list your terms and the query will return sessions that match any of them
- Wildcards only allowed at the end of a word
- Search terms must be at least 4 characters
- Use + or - to require that a word must or must not be present
- Use "..." (double quotes) to find an exact phrase
- Use ( ) for grouping
- You can still use "classic" syntax - we convert it for you

Special (full-text) search
Examples:
Search terms                  Returned sessions
apple banana                  contain "apple" or "banana" or both
+apple +juice                 contain both "apple" and "juice"
+apple -macintosh             contain "apple" but not "macintosh"
+apple +(turnover strudel)    contain "apple" AND either "turnover" or "strudel"
apple*                        contain words like "apple" or "apples" or "applesauce" or "applet"
"apple juice"                 contain the exact phrase "apple juice"
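The full-text syntax and the example table above, as an added illustration that is not part of the original slides: a small matcher that applies the documented rules (any-term default, + and - requirements, ( ) groups, trailing-* wildcards, quoted phrases, 4-character minimum) to a constructed session text. It assumes the 4-character minimum is checked on the word without its trailing *, and handles only one level of grouping; the sample text is constructed, not from the slides.

```python
import re
MIN_TERM_LEN = 4  # the slide's rule: search terms must be at least 4 characters
WORD_RE = re.compile(r"[a-z0-9]+")
# optional + or - sign, then one of: "quoted phrase", (group of terms), bare word
TOKEN_RE = re.compile(r'([+-]?)(?:"([^"]*)"|\(([^()]*)\)|(\S+))')

def tokenize(query):
    """Split a query into (sign, kind, value) tuples; one level of ( ) grouping."""
    tokens = []
    for sign, phrase, group, word in TOKEN_RE.findall(query):
        if phrase:
            tokens.append((sign, "phrase", phrase.lower()))
        elif group:
            tokens.append((sign, "group", tokenize(group)))
        elif word:
            tokens.append((sign, "word", word.lower()))
    return tokens

def term_hits(kind, value, text, words):
    if kind == "phrase":      # exact phrase: substring of the lower-cased text
        return value in text
    if kind == "group":       # a group is evaluated with the same rules, recursively
        return evaluate(value, text, words)
    if value.endswith("*"):   # wildcard is only allowed at the end of a word
        return any(w.startswith(value[:-1]) for w in words)
    return value in words

def evaluate(tokens, text, words):
    required, prohibited, optional = [], [], []
    for sign, kind, value in tokens:
        # assumption: the 4-character minimum is checked on the word without its "*"
        if kind == "word" and len(value.rstrip("*")) < MIN_TERM_LEN:
            continue
        hit = term_hits(kind, value, text, words)
        {"+": required, "-": prohibited}.get(sign, optional).append(hit)
    if any(prohibited) or not all(required):
        return False
    return bool(required) or any(optional)  # no + terms: any listed term is enough

def session_matches(query, session_text):
    """True if the session text satisfies the full-text query."""
    text = session_text.lower()
    return evaluate(tokenize(query), text, set(WORD_RE.findall(text)))

# constructed sample session text, not taken from the slides
SAMPLE = "Fresh apple juice and an apple turnover for sale; no macintosh here."
if __name__ == "__main__":
    for q in ["apple banana", "+apple -macintosh", "+apple +(turnover strudel)", '"apple juice"']:
        print(f"{q:30} -> {session_matches(q, SAMPLE)}")
```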

This plug-in has no data!
Under development
- Menu items and search forms may show up before a plug-in goes "live" in the field
Limited deployment
- Some sites run different sets of plug-ins
Populated by front end
- Some plug-ins simply contain database metadata provided by the system that feeds XKS, and not all sites are set up the same way


Full Log DNI
One record for every session processed
Collection fields
- SIGAD
- Casenotation
- Session ID (UUID)
Protocol fields
- MAC addresses
- IP addresses
- Port numbers

Full Log DNI (cont.)
Application ID fields
- Application Name - full application ID
- Application Type - top level of application ID
- Application Info - extra info
- Appid+fingerprints - full application ID plus any matching fingerprints
Example:
- Application name: mail/webmail/yahoo
- Application type: mail
- Application info: viewFolder_webmail

Full Log DNI (cont.)
Fields populated by other plug-ins
- Username (from User Activity)
- Category hits (from Category DNI)
- Client IP/X-Forwarded-For (from Web Proxy)
Most Full Log search fields are available on every other search form

Email Addresses
Anything that looks like an email address
Searchable fields
- Email username - the part before the @ only!
- Domain - the part after the @
- Subject - email subject, if present
Example:
Sender: user1@yahoo.com
MIME-Version: 1.0
Subject: check this out
Date: Tue, 02 Jan 2007 13:27:31 -0000
Message-ID:
From: "User One" <user1@yahoo.com>
To: "User Two" <user2@hotmail.com>

Logins Passwords
Anything that looks like a login or password
Searchable fields
- Username
- Password
Examples:
<input name="username">
<input name="password" value="asdf123">
USER badguy
PASS asdf123

Phone Numbers in DNI
Anything that looks like a phone number
Searchable fields
- Phone number
- Number type (fax, telephone, mobile, etc.)
Example:
John Smith
Executive Assistant
Phone: 555-1234
Fax: 555-2345


Alert
Log of sessions tipped to TRAFFICTHIEF
Searchable fields
- Target (strong selector)
- Weight (confirmed/unconfirmed)
Other fields
- Permutation that triggered the tip (DECODEORDAIN)
- Copy of XML document sent to TRAFFICTHIEF

Category DNI
Category hits from CADENCE and other dictionaries
Searchable fields
- Dictionary
- Category
- Keywords
- Target (TRAFFICTHIEF)


User Activity
Metadata from applications with a strong selector - webmail, chat, webcam
Searchable fields
- Active username ("search value")
- Activity - what the active user was doing
- Attribute type - type of metadata
- Attribute value - metadata value
- Source - which plug-in provided the data

User Activity (cont.)
Example:
Username        Activity            Source       Attribute type   Attribute value
badguy@yahoo    viewFolder_webmail               app_provider     Yahoo
badguy@yahoo    viewFolder_webmail  webmail      (illegible)      (illegible)
badguy@yahoo    viewFolder_webmail               direction        client
badguy@yahoo    viewFolder_webmail               previous_user    user@yahoo
badguy@yahoo    viewFolder_webmail               user_realm       yahoo
badguy@yahoo    viewFolder_webmail               via              squid/2.5
badguy@yahoo    viewFolder_webmail               x-forwarded_ip   10.0.123.45
badguy@yahoo    viewFolder_webmail               (illegible)      zxcv1234
badguy@yahoo    viewFolder_webmail               (illegible)      asdf1234asdf
asdf1234asdf    viewFolder_webmail               user_realm       yahooGSB
asdf1234asdf    viewFolder_webmail               (illegible)      badguy@yahoo


Extracted Files
Log of files transmitted as email attachments, web uploads, etc.
Searchable fields
- Filename
- File extension
- File type/MIME type

Document Tagging
Document bodies and email bodies are labeled with hits from a custom second-level dictionary
Idea: "embassy" by itself is not so interesting, but inside a Word document, maybe it is
Searchable fields
- Filename
- Tech name (tag/category) - government, monetary, proliferation, satellite, wireless, etc.
- Tech value - word or phrase that hit
Note: also called Tech Strings search

Document Metadata
Metadata from Office docs, videos, etc.
Searchable fields
- Filename and extension, document type
- Author, organization
- Language
- Unique ID
- Creation/modification timestamps
- Hash of the entire document and any embedded images

PDF Metadata
Metadata from PDF documents
Searchable fields
- Unique ID
- Filename
- Title
- Author, creator, producer
- Version
- Language
Also available in Document Metadata search


Blackberry
ID numbers and payload info from Blackberry devices
Searchable fields
- Source and destination PIN and BES
- Direction
- Payload type and encoding

Cellular DNI
Metadata from DNI over cellular modems
Searchable fields
- IMSI, TMSI, IMEI, MCC, RAC, TLLI, etc.
- Cell ID, Tunnel ID, Access point
- Latitude, longitude
- Spotbeam, direction
Limited deployment - populated in SOTF by front end

Cisco Passwords
Logs Cisco router passwords
Searchable fields
- Password
- Decoded password (simple obfuscation with known key)

HTTP Activity
Metadata from HTTP traffic
Searchable fields
- Host, URL file path, URL query string
- Search terms - parsed from URLs for common search providers (Google, Yahoo)
- Language, character encoding
- Referrer
- User-Agent
- Server type (Apache, etc.)
- Via - proxy info
- Geolocation info - e.g. city names from weather reports

IKE
Metadata from IKE (Internet Key Exchange) sessions
Searchable fields
- Version
- Vendor ID
- Parameters - key length, field size, group curve, etc.
- Cookies
- Nonce

IRC Cafe Geolocation
QUIT messages from IRC - Internet cafes often configure their IRC clients to advertise the cafe's street address
Searchable fields:
- Username
- Nick name
- Cafe address (the QUIT message)
Example:
QUIT :Quit: MainStreet Internet Cafe, 350 Main Street, P4 Webcam, MP3, 123Kbps

Passport detection
Detect images of passports (code from R6)
- OCR machine-readable information
Searchable fields
- Original filename
- Passport detection score
- Info from machine readable area - name, passport number, issuing state, DOB, expiration, etc.
Under development

Radius Logs
Metadata from RADIUS sessions for dial-up authentication and IP assignment
Searchable fields
- Username
- Phone number
- IP address
- Account information

RBGAN
Metadata from RBGAN satellite internet terminal collection
Searchable fields
- Username
- IMEI
- Latitude and longitude
- Spotbeam and direction
Limited deployment - populated by front end

RTP
Metadata from RTP audio and video sessions
Searchable fields
- Payload type
- SSRC
- Number of bytes and packets
- Timestamps and sequence numbers
The RTP formatter in the session viewer can decode certain payload types into playable audio or video

SIP
Metadata from SIP (Session Initiation Protocol) used for VoIP setup, etc.
- Stored as multiple type-value pairs per session
Searchable fields
- Message type
- Attribute type (call-id, content-type, from, to, user-agent, via, etc.)
- Attribute value
- Subsession ID

SSL
Metadata from SSL sessions
Searchable fields
- Version
- Parameters - key length, modulus, exponent, etc.
- Signature info
- Certificate info

TOR Log
Logs any identified TOR routers used for anonymizing Internet traffic
Searchable fields
- TOR from server
- TOR to server
- Router nickname

Web File Transfer
Log of uploads and downloads from public file-sharing sites (rapidshare, depositfiles, etc.)
Searchable fields
- Filename
- File size
- Number of downloads
- Uploader
- Username and password
Under development

Web Proxy
Log of X-Forwarded-For IP addresses and other leaked public/private IP
Currently contains XFF plus leaked info from STUN and Google Earth
Searchable fields
- Internal from IP
- Internal to IP
- External from IP
- External to IP
- Source - plug-in that provided the info
- Network path - chain of XFF addresses

Wireshark
Metadata from various protocols processed by the wireshark library
Protocols
- Routing - BGP, OSPF
- VoIP - H225, Skinny, Clarent, Megaco, SCTP
- Net management - SMB, SNMP
- Tunneling - GTP
Searchable fields
- Protocol
- Field name
- Field value

WLAN
Metadata from WLAN collection
Searchable fields
- Channel
- SSID
- BSSID
- MAC addresses
- Username
- Private IP
Limited deployment - populated in SOTF by front end

Miscellaneous

Call Logs
DNR metadata from JUGGERNAUT, CERF, FASCIA, DURT, etc.
Searchable fields
- Phone numbers
- Signaling type
- OPC, DPC, CIC, IMSI
Limited deployment

Network Logs
Network metadata from MOONSHINE logs
Searchable fields
- Net type
- ESSID, BSSID
- Channel
- Carrier
- Latitude and longitude
Limited deployment

CNE data from TAO
Searchable fields
- Project name
- Collection technique
- Filename and extension
Limited deployment (xks-one)

Registry
Windows registry data from TAO (CNE)
Searchable fields
- Collection technique
- Hive
- Key, subkey, value
Limited deployment (xks-one)


Simple Search
Simple way to search for usernames, IP addresses, and machine ID cookies
Just enter your search term and select what type of thing it is, and the form sends it to User Activity or HTTP Activity as appropriate

MultiSearch
Problem: XKS may have info about "badguy@yahoo" in Email Addresses, User Activity, Logins Passwords, etc.
- Solution: submit multiple searches from a single form
Enter the username and select which databases to search, and the form translates that into the proper queries
Similar MultiSearches for IP addresses and MAC addresses
Optional: merge results into one table