Become A Member

© THE INTERCEPT

ALL RIGHTS RESERVED

Terms of Use Privacy
Documents

XKS as a SIGDEV Tool

Jul. 1 2015 — 9:52 a.m.

1/44
Download
Page 1 from XKS as a SIGDEV Tool
x-no.mmimm mHmUm< 30? .
Page 2 from XKS as a SIGDEV Tool
What is
Page 3 from XKS as a SIGDEV Tool
A (NI) SIGEV Tool It gives you the ability to discover things that you otherwise wouldn?t have seen TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 4 from XKS as a SIGDEV Tool
I . 1 I: .. 11aJlrli XKS gives unique access to terabytes of content and meta?data Typically sites select and forward to PINWALE less than 5% of the DN1 they?re processing The rest of that data used to be dro ped but is now being retained temporari and made available to through As an exam Ie, at one our sites XKS sees more ata per day than all of PINWALE TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 5 from XKS as a SIGDEV Tool
- . . set. as use scat, muffs [15% I n- Meta-data a subset cf tasked rafficthie Centent selected frem dictionary tasked terms pinwale ?User Activity? meta-data with frent end full take feeds and back-end selected feeds Unique data beyend user activity end full take feeds MARINA Lew High TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 6 from XKS as a SIGDEV Tool
I. E. .. i; i; To) USA absXKS goal is to store the full-take content for 3-5 days, effectively ?slowing down the Internet" so that can go back and recover sessions that otherwise would have been dropped by the front end Meta?data is saved off longer, with the goal of 30 days retention A lot of analysis can be done through meta-data only (MARINA is meta-data only) TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 7 from XKS as a SIGDEV Tool
lJ-Ll . I: 3T.- :2 Front end storage is limited by resources and policy restrictions and wil vary by site At some sites, the amount of data we receive per day $20+ Terab tes) can only be stored for as ittle as 24 ours based on available resources Other sites have legal or policy restrictions that limit the amount of time we can store data (if we can at all) It?s a rolling buffer where new data comes in and pushes the oldest data out TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 8 from XKS as a SIGDEV Tool
. i r; u. z. I, .1 Tail(off? ata 0 Content that is ?interesting? can be pulled out of X-KEYSCORE and pushed to Agility or PINWALE or any other database for longer retention - Workflows can be set up to automatically harvest content out of XKS before it ages off 0 The goal, however, is to use to discover new things, that will end up on tasking for future collection TOP SECRETHCOMINTHORCONEEL TO USA, AUS, CAN, GBR and NZLH20291123
Page 9 from XKS as a SIGDEV Tool
. .. r: REL To MealIt?s important to know that XKS queries meta-data tables only Results from the meta-data tables are then linked back to the original piece of content Goal of the system is to extract a wide range of meta-data for users to query TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 10 from XKS as a SIGDEV Tool
.. i'ail-El: and Mata-:iata 3 HEIWIZIFH alert 3' E1 Matadata CHE 3 Prime Number Extractor Eall Laga REGAN I Category DHI EallLilar Bill a Radiua Laga Dacumarrt Matadata Haall'i?aalia Mata-data Daaumarit Tagging Email Lag . Extract-ad Filaa a Taal'i Stringa in Daaumarrta Lag DNI 1: Lia-ar ?xativin EMF-EN IHC Cafe 3 Wet: Lagina and EWraahark TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 11 from XKS as a SIGDEV Tool
I - ffiflT'Ii man om mm immea- *co'tmmoacoNREL To use! aus, cansum ple Plug-Ins OID I- v. a noun W?Tildml" an - - 1m Han-1' W9- we i411 on "new ?39? lOi'-'tm1I am 2 0. li? .. I ?'71 Plug-in DESCRIPTION E-mail Addresses Indexes every E-mail address seen in a session by both username and domain Extracted Files Indexes every file seen in a session by both .filename and extension Full Log Indexes every DNI session collected. Data is indexed by the standard N?tupple (IP, Port, . Casenotation etc.) Parser Indexes the client-side traffic (examples to follow) Phone Number Indexes every phone number seen in a session address book entries or signature block) TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 12 from XKS as a SIGDEV Tool
.4mgDESCRIPTION -.. z, .11.. 'g'll ?l ?1:311. 2' {1:3 - - . 3.. 1:225#2973. .E-. II.E-.I raw - 1L U-U ILEICZE mag: II: .I . I. 52:3. l?l Wit: 7, ?31 t, . .1 ELL I.r LHJ Ill-1 1g: IRE. - I - .53, IJ ,l [111:2] . .. -. TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 13 from XKS as a SIGDEV Tool
5.51 - A single session may contain entries in multip meta?data tables - For example, if a single session had a user E- mailing an attached word document the following plug-ins would extract meta-data: Plug-in Would have Full Log minimum meta-data like To/From IP address, ports, casenotation, sigad etc. E?mail E?mail addresses seen on that page Addresses (including inside the attached word file) Extracted Files filename and extension of the attachment Document Meta- addition to the filename and extension, any data embedded properties of the word document like Author, last author, organization, date created, date last modified etc. TOP SECRETHCOMINTHORCONEEL TO USA, AUS, CAN, GBR and NZLH20291123
Page 14 from XKS as a SIGDEV Tool
'I'luh?ln?nh? I I. . .. ?tll-I?r-I?hnr' "?lluh- . . .1. . I-l "nun-nun unlu- I 125 Sites TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 15 from XKS as a SIGDEV Tool
.. @9369 ?kr. mug.? 125 Sites TOP TO USA, AUS, [345?ler GBR and
Page 16 from XKS as a SIGDEV Tool
I. r;-i-iytice;rapportigravel'Iiiljl t5 - X-KEYSCORE produces an application id for each session processed 0 Currently almost 1300 Appids in 28 categories 0 An Appid is meant to identify a session as a particular application - Fingerprints are an extensible way of tagging sessions 0 Ex: A session Appid?d as mail/smtp might also contain fingerprints for if used in the email TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 17 from XKS as a SIGDEV Tool
- gLeirzp i 5 Ex: E-Mails with rn rn La 11 Lil" a a a an Haj..- a r'l? rr'a a1 ian" nara 3-13.23: a r: :I1To:? Ea: Subject: Launchpad: Can?rm yaur Hay Hate: Wed. 31 Del: Harainn' U1 :1 Pi 1GH1H11HIIH1 applicatian ?aalD [+Fmgarprinta) 1' mailfwabmailfautblaza mailfwabmailfautlalaza haa_fingarpriat +tha1h1 Nu31 r1wjh3+nalilpxr Fla EU N?kgguki' aM1 a8 [2:1 aTrr'I CIFTIAH E331 +3 Fm PGP TOP SEC Thanks. {0291123
Page 18 from XKS as a SIGDEV Tool
Subject: Frnm: T6: Date: ?pplicatian mailfwebmailfyahm I. .- [Lilli-F?mrprints Ex: Airline E-Tickets Airtime E-Ti?l-Eiet - Airblue Hesewatinns [366132333 132111256 silk-'1 i . 666E [+Fingerprintsj mailfwebmailfyahmj hasjingerprint trawelfairblue 66.66 3: 6.3234335] 21 6336 5643 15E 6.562;? 2' 216376 56-43 I1 ED 613 Peshawar Dubai 2313331333 12:33 326333 15,535-33 DE 13-N6v-2333 Khalaej Expragg- Pew Muhammed Emmamam Branch 331635313 165155350? TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH23231123
Page 19 from XKS as a SIGDEV Tool
. tr 1" THE Attila Ex: Extremist Forum Private Messages El HTTP Heetler Infennetien [lentth Type: 343mm: .1 Accept: imegefgit. imegefH-ebitmep. imegefjpeg. imegefpjpeg. epplieetiem?vnd.me?pewerpeint, applieetienfrnewerd, Reterer: Accept-Language: ert-gt- Cement-Type: eElE gzip. de?ate Ueer?Aeent: Meeillef?l? teemeetihle: MSIE Windewe NT 5.1: eeplieetien eppl? (+Fingererirrte] recipiene beereeipiente title Fe: yi- Let; me Lug?we e?-l?le?liti?? fem [18 L'e'??gtl chin-El cm mewluwl 33;:5 lentil DLa?t-l?lie?i?l?u WESEEQEI Emil}. ml?JWIml?lu??gme?u TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 20 from XKS as a SIGDEV Tool
I. r;-i-iwice;realizesigrate"1.19.23 -X-KEYSCORE workflows are standing queries that run on set intervals during the day (usually once a day) -After action reports can E-mail the results of the workflow, parse out data to mailorder to other databases and more -New Workflow Central makes it easy to create and manage your workflows TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 21 from XKS as a SIGDEV Tool
It. Slag may Tl'iie audit-eel fl: 1E: a rn: Hu me FLiqht-I. Ilia ce - ETSCURE Welcerne: cltetueE switch Lieere Heme Admin ?Lleere ?Werk?ew ICentral Search Fleeulte Statietite Preferentee #3 Help Havigatinn Menu e: I Hammer A Welceme tn the Beta release cf the New Heme EHc-rne Fage! Dim-3min . Sugars If have er tILig reparte pleaee gt: ta New GUI Fartim El ?wDricrlc-w Central EWS EHe-queet All Werir'flewe .: New GLII EIEISeerch . . IS warking en a new GUI that hae new reachte an anen Beta State. Fellcw the link helew tc- try it cut. rcur acct-Lint ancl ereferencee will autcmeticallar t-e Ei-Erwirtiaeerch traneferecl when leg in. F'leaee View trainincl ttI acclimate yeureelf with the El": Addre?e? new layeut anti featuree. Game featuree have net gret been cempletecl but will Still be available Elm": Addre? in the eriginal GUI. the new GUI IfEuetalI! EUeername If ?ncl huge [:Ileaee repertthern in the Farume under the EltiSF mam? ?Elma New GUI eectienJ which can he feuncl here. We will trar te fir-i any titles as quickly as Ewen but when eeneriencing a emblem revert hacl: tn: the eriginal GUI until we can ?e it. Elcme TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 22 from XKS as a SIGDEV Tool
Havigatian Menu El EWerHI-jw Centrel Hequee?t Werhflewe 1111 en Haviga tiun Me nu El Cerrtral Hetqueet 3 Wer1rflewe a Weririlewe II3:31;. 3339 31330 @213331517 3@ qeate! 'u'u'urltilaw [entral Request l?'u'izartl "Ia-i Welceme to the Werk?ew Request Wizard. I My Werk?uws I Help Actions I Queryr Tame lQueryr NEITIE Leei Medified 51e1e a. 3335?1 3?35 1 5: 33:1 3 en (31:31 3335-13-31 15:33:11 en (Hirej Ieheden_Geeglere 3335?11?35 31:35: 5? en (31:31 3335-13-31 15:33:33r en (Hirej teeh Huela_ umpur_1eeh_1ee1ring 3335?11?34 15: 31:33 en (31:31 megeprexgr 3335(31:51 3335?11?3415:31:33 en (31:33 11th:] JJareer 3335-13-31 15:33:43 en (31:51 3335?13?31 15:33:35 en (31:33 fu _ eg 3333-11-35 31:13:33 en (3132] 3335?11?31 33: 43: 41 en (31:33 Guerdeterjrernj??a: 3335-11-31 33: 33: 43 en (erj legin 3335?13?31 15:13:55 en (31:33 teeh DeiILArehiejrern 3335-1 3-33 1 3:53:33 en (erj 3335-13-33155553 en (31:33 daily_w en_1rern_mee 3335(31:31 dailywlenjeiwerk _ eg 3335(Hirej TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 23 from XKS as a SIGDEV Tool
I. r: i. I. ii. REEL TilProvides for the ability to task and scan for terms only when they appear inside the body of documents like Microsoft Office or Adobe PDFs - EX: We want to find technical documents regarding WIMAX networks but tasking the term to Cadence would flood PINWALE with hits. What if we only look for the term within documents? TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 24 from XKS as a SIGDEV Tool
15454;. 542:? 440441: 4? 4:040:74?; HEIEIHI HIE 2005-01-01 2000-01-01 - Ran-char 1 04:55:00 04:55:01 ?Wale? ?"an Line HIE 2005-01-01 2005-01-01 - 2 04:55:00 04:55:01 satEII'tE Line HIE 2005-01-01 2005-01-01 Ran-char 3 04:55:00 04:55:01 Line I. ELIGFtaqu-anty 0 14:: -L LEE-Premiums- El 1313-1153 buds-01:41:45 ETM 04550405551545: TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 25 from XKS as a SIGDEV Tool
.. - REL. We MeetSubject: Fem: m: I i Be: Date: Tue Dee GMT EDDIE HTML F'Iein Text Vent me:? emeil_t Medel: Eugene- Fm Ri?ng Syrup-tern: 41:31:31 Cemmente: ne- feult fennel phene ie werl-dng preperljr kindly; een?rm the fault in detail when and in which eenditien 1'1: ereatee preblem related te- mentien eympte-m TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 26 from XKS as a SIGDEV Tool
. TailIda?."?Ill i . - -Tasking is so flexible that it can include regular expressions (REGEXs) with few or no anchor points -Ex: Can we find documents that have MAC addresses in them? -The following Regex looks for MAC addresses: TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 27 from XKS as a SIGDEV Tool
.- .-. so was-Supports full foreign language tagging and querying -Ex look for common Arabic expressions in E-mails coming from the Pakistan tribal regions: . . . TH . Astiss ussr: h" a s? Windows Live Mail UIS Vi shin 111 Displ t. Em U?kn W11 From- sons) Medium nskYou may:r not know this ssnderssk sis as unsst Slant: Thu 12:07? PM Ta: TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 28 from XKS as a SIGDEV Tool
71?13::f If i - X-KEYSCORE's full take database of meta-data and content make it an powerful SIGDEV tool I Many DNI applications don't contain strong selectors that allow traffic to be collected Web surfing Internet searching - Anonymous file uploading/downloading - The variety of applications processed and meta-data available make X-KEYSCORE an ideal starting point for DNI development TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 29 from XKS as a SIGDEV Tool
. E. tr TEE) 021Scenario 1: Persona Analysis - Goal to identify the ?user session" I Help answer the question What did my target do while he was online? - We may know from TRAFFICTHIEF, PINWALE or MARINA that our target was online at a given time and from a given IP address, so we can then search in X- KEYSCORE for everything that happened ?around? that event. TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 30 from XKS as a SIGDEV Tool
2222222222 22221222 2211:1222-2221:122- 20031222 [3514062 1 [32151106 1- 2002-12-22 11521410? 20021222 0514022: 2222-12-22 22:11:22 20031222 [3511?1022 1 3011343329 $521,411.? 20021222 0514022 1 3913-13-39 25:14:07 22221222 2211122 ?5112? 2003-12-22 23031239 [3514103 1 2222-12-22 22:11:22 22021222 [1514102 1 2222-12-22 22:11:22 22221222 2511112 1 ?mm? 2002-12-22 05:14:02 22221222 221111212m1m mm 22021222 0514152 1 2222-12-22 22:11:22 1 2003-12-22 05:14:02 2222-12-22 22:11:22 20021222 051-12021 2222-12-22 22:11:12 22021222 [1514212 1 31111121333 1151-1411111 20021222 0511222 1 3922-12-29 25:11:12 2222-12-22 22:11:12 2222-12-22 22:11:12 2222-12-22 22:11:12 2222-12-22 22:11:12 TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123 222'; 1:1112112,2122222221 5, 1 011a AnalySIs AC 11*1- Search Fur ll??fll?l?l'l? ll??fll?l?l'l? ll??fll?l?l'l? ll??fll?l?l'l? username userlmme IIEEFIIFIITIE ll??fll?l?l'l? ll??fll?l?l'l? ll??fll?l?l?l? username ll??fll?l?l'l? ll??fll?l?l'l? ll??fll?l?l'l? userlmme 1 PK [22220212 End 2000?12-22 05:14:12 2002?1 21-22 05:1 4112 2002-1 21-29 05:14:12 2002-1 21-25! 05:14:12 2000-1 21-20 05:14:13: 2000-12-22 05:14:13 2000?12-22 05:14:12 20203?1 2-22 05:1 4121 2000?1 21-22 05:14:21 2002?1 21-29 05:1 4121 2000-1 21-29 05:14:21 2002-1 21-25! 05:14:21 2000-1 21-22 05:14:21 2000?12-22 05:14121 2000?1 21-22 05:1 4150 2003?12-22 05:1 4150 2002?1 21-22 05:1 4150 2002-1 21-29 2002-1 21-29 2000-12-22 05:14:50 2000?1 21-22 05:14:50 3222 ch H221222 1,205, c211, GER and 11221122291123
Page 31 from XKS as a SIGDEV Tool
IL E's/Ag, mag (cm is RT a raid Lisis Coming soon: XKS PSC query builder/viewer usornam? 2415:1441? _j?iy:ihoo llS?rll?lTl? il??ala?l? How Actions Housman?m- . ?S?m?r Persona Session Eollection a: userlmr AI ?Samar Justi?cation: F'Iarscuna session collection for ll?srll?r ?clcliticunal Justi?cation: Start Date: a Time: lg?g?m? 33.3.; {ways Hm usarnar ussrnar 5WD Date 3" Tim: E1 05:19 usisrnar (Country Code}: usernar Query 9" llaarnar Hi TD I Ig?rli'lr EFF cur [Iient ?clcl Search: Eatractlacl Filla TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 32 from XKS as a SIGDEV Tool
. 1- lee II: ewes sis Sessiun Eullectiun User List 'ss' User 1 User 2 User 3 El '5 ?Ear 1 HTTP II. I: Ine - i . {1331:3111 cemel-L - - teen-awe .111 Fee 333mm e? ?3333-3 . Imeereme die. eem meme-m Issl ?jlj?rlj? 33 33 43 41 43 43 44 43l45 4T 43 49 wade-mm El 5 Lleer _rh:r 31: use Bhr -. .- I Bra-weer Llsl: In Eeferer Summer";r EI-Itracted Files in I Elreweer I: Referred S'rtee File Meme 1-. Infe M?mam'? [camp?iblei MSIE ED: Mil-?aws NT 5'r ad.rieldmanager.cem [3 Items] El File Extentiun {1 Item} MelilleI-?? [eempetible; MSIE Windewe NT 3 ??ne mmype 2 chatyeheexem [3 Items] I I Cempe?hle?? meme] 2 facehuuk.mm Item?} Gee-graphic 1P Summer'sr Llsername Summary f?t?-m-?il-I?U {3 CW mum? ?aunt Lleernernee 4s haherler.cem {3 Items} '3 Fl'?'l'l'l [3 HDHET EDS El mailg?wehmailfgmail Item} {1 Item} I: 1333 insider.msg.yahee.cnm [4 Items} El Te {14 Items]- .El {2 Items} ?language-[um [1 Item} GENEVIE. CH 2 mail.ramhler.ru Items] MD ".le TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 33 from XKS as a SIGDEV Tool
Coming soon: XKS PSC query builder/viewer - rs: in; l; Aiwg[ii] Iy sis Llsername Eummary Llaernainai a mailg'wehmailg?gmail Item} El mailfwehmailfmailru {2 Items} El Item) mail,? webmailg? rambler ItemEJ mailfwehmailframhlarfpusl: {1 Item} El mailg'wehmailf'fahan {5 Items] .ili. Searches d- Tarina Search Engines El {ii-lune} Item} nune Traffic Summar1.l App": nr Fingerprint I2 adv-imminent 2 I3 h?i? B- .1 I news 2 ancial I: unknawn Damain Summary Euhdnmaina (E Item5] Eldri?l'El'JLl [1 Item} aI-camai.nal: Item] hn5.ru {1 Item] citrEclJu Item} [1 Item} cum.tr Item] faEEhuuk.cum {2 Items} Item} gi5metea.ru [1 Item} gaugle.cum [1 Item} haherler.cnm {3 Items] img?mail.ru {1 Item] macrumediaxum {3 Items} mail.ru Items} TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 34 from XKS as a SIGDEV Tool
. -- IEQIE II: '1 DEAF JESUSE @330 K?Why is he at angle Earth? TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 35 from XKS as a SIGDEV Tool
. . 125;. 552., Aug, wife .gLTraffic rt rt '3 font Goog le queries co. areas of Raw Actlun? Pa .1 'u'iew 5355mm . Iu'iew 5355inn (New Windnw} . Informatlt'._ In HTTP 3: Shaw .1 Mark. Matadatarnw as Impartant Human.r Marina fur 1P: 1 15.55.125.152 D?t?tin'l?: 2555-12-25 [5'21 :42 3 lmurs 1f Fm I:ij DH Cancel PH Eli-?ll . .. LIn-Eheck where: Fm Equals '115- TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 36 from XKS as a SIGDEV Tool
1001 12* . U33, 3113, C319, 1933 and NZLH20291123 TI 11111 mm Ham 1.: 0111111:? 1.11:" Mb" - -l a (Hum; lulu. Id?: LIA-H. .I 1i I I ZLIPHD-HE ACTWITT USERJH 2111131119 11992992, _em3133393 13g33911em391 113-3 2111131119 11932593 _3m31333r:= 13333331133391 113-3 2111131119 11999993 1333333113339) 113- 2111131119 11999132, _em313339:= 13333331133139}: HES-E 2111131119 11939133 _3m31333r:= 13333331133311 113-3 [21743162 31113112911911?? 193111.11 3111311 115 h! DURELTIUH 2111131119 11991913 2111131119 11923913 113111511119 11192: 113. _em313339:= 13333331133391 1119-? _3m31333r:= 13333331133391 113-3 _3m313332:= 1333333113331) 113- _em313339:= 13333331133139}: ?ea-E _3m31333r:= 13%3331133391 113-3 _3m31333::= 1333333113331) 113- 2111131119 11999532, _3m313339:= 13993391 13133111 211931119 111919933 _3m31333r:= 13333391133311 113 29931119 11999113 _3m313333:= 1333333113331) 113- TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123 2121031119 GTJESTZ EUDSHIE [17?4357?3 213031119 [17?43532
Page 37 from XKS as a SIGDEV Tool
-- 1311ng WE, a szzozg 1 123 ffi Now make that into a workflow NAHE: Mee_NHFP_FDriegn_Gng1ere current time: GHT submitted at: 2008?11?20 03:55:03 GMT has 1% reeult?ej EDDE?ii?ig e1 qeide (en, en?GE) [13 The ai?Ilthlas 111211111012}! {cybertrana flit-m Arabic} [refererj tbe el?Ikhlas netwerk [tybertrana frem Arabitj i3) EDGE?ii?ig Fbrum bridef'nrue [cybertrene frem Arebiej 2nne-11?1e ne:n5:51 Ferum levefgrem from Arabic} 2008?11?19 [refererj fbrum levefgram {cybertrana frem Arabic) ilj EDDE?ii?ig 15:?i:?D The hille jihediet witheut inflicting [cybertrene frem Arabia) (in) rune?11?1e 15:14:13 [referer] the bills jihediet mitbent inflicting [e?bertrene from Arabic] 15:33:19 Haziriaten [cybertrana frem Arabic] EDGE?ii?ig Seendele [cybertrene frem Arabic} (3) 2nne-11?1e Uq:rq:59 [referer] seeree1e frem Arabic} 2008?11?19 Heme {cybertrana item Arabic] [13 EDDE?ii?ig Ferum eeil [cybertrene frem Arabic] rune?11?1e Uq:31:51 [referer] fernm eeil [e?bertrene frem ireniej 111 Werk?nw EML . TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 38 from XKS as a SIGDEV Tool
l. L: leis IL. see AUSE Cali31:71?- SEG EX: Targets pass links to videos, use XKS to discover new targets who have viewed those videos htteii?firwwiwleadtei les WE In HE 00215-09, he promises that the newest video will be ready very soon. and then sends these two Datetirne: Weeks Start: ante-1323 1- 5 Stop: an Type: 23:59 Host: wwfilesin Path: TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 39 from XKS as a SIGDEV Tool
3" - -37CAN, GER and 1:11: 0112411 WI27:33 .Ff?01:11..J. Ll: 31111 FUJI T?ll PHD-NE USELELA ACTWITF UHEELE Datet Em 22221221 2242222 ?22m2112242:= 1222222122222) 22- 222212212242422 _em212222:= 12.222221122121131 22- 222212212242422 _em212422:= 1432242122122) 22- 222212212242422 _em212422:= 1222242122122) 22- 222212212242222 _em212422:= 1222242122121) 22- 222212212242222 _em212422:= 1222242122122) 22- 222212212242222 _em212222:= 12.222221112212111 22- 222212212222122 _ema22222:= 12.222221112212111 22- 22221221 22211212 _em212422:= 1232242122122) 22- TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 40 from XKS as a SIGDEV Tool
find technical documents of interest One Idea: Take advantage of the properties exploited as meta-data by X-KEYSCORE like the Author and Organization Lets look for all documents where the organization field is the company we're interested in, ex: Warid Telecom TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 41 from XKS as a SIGDEV Tool
. TEDFilenarne Extension Author Last ennuth Drganila?tinn troubleshoot MPEH eml for Wand Telecom Ltil. troubleshoot MPEH eml for um Warm Tale-com Ltil. wp. for him troubleshooting Ell-1 2?133le {lo-n: Wariil Telecom Ltil. wp. for line troubleshooting Ell-1 (Ion: 1Mari-[l Tale-com {Put} Ltil. Fleno Signed-Lie His Willi-El Tole-com {Put} Ltil. Flew} His W?liil Telecom Llil. L?l W?riil for 3443: and 34-1-1 Silenced-Beetle: {lo-H: W?liil Teleeom Ltil. Wariil for 3441i and 34-14 Sliorlcoilesxloi: {lo-4: W?ll? Telecom Ltil. Sohail Malihms mg Warm Telecom Ltil. Many of these files may have not been selected, because either there was no strong selector associated or the strong selector(s) weren't tasked for collection TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 42 from XKS as a SIGDEV Tool
WEE: @9319 NZQuestions? -@nsa xkeyscore@nsa TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 43 from XKS as a SIGDEV Tool
THEE- gamma Sascnpe=urdualink=next GET nl . start= Accept: Accept-Lanwage I - User?Agent Hazillaf?.? (compatible; HSIE Windows NT 5.1; HDSE: Eache? an EU max?3 a e=l Connectinn: Ee-a?1 - E?Elue?uat?via 553n32n2E9293545 Hn?t UHL Path LIHL ?rga Hearth Search Terma Language: Elrnwaer ma mLJEharraf an Mozillam? (compatible; MSIE Window NT 5.1; Heferer CDDME TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123
Page 44 from XKS as a SIGDEV Tool
User Queries 1w X-KEYSCO Central Query F6 Query HQS I. QUEW FORNSAT site Query;r I6 Sitel F6 Site 2 Query THEE- MUSE 880 site TOP SECRETHCOMINTHORCONEEL TO USA, CAN, GBR and NZLH20291123