TOP SECRET//COMINT//RE TLO USA, AUS , CAN, GBR, NZ L · 2014-04-09 · TOP SECRET//COMINT//RE TLO USA AUS, CAN, GBR, NZ, L ï »tnano shallo w» m w Can look at more data XKEYSCORE

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

:


DERIVED FROM: NSA/CSSM 1-52 DATED: 20070108 DECLASSIFY ON: 20320108

_ 'iaHDBHHI

toot i 001100» HtM'njf loot 1001 »001 l l j g l 0 1 01 MM 1

OSOOS >Dt I 0 0 ! O to 01 t lot 010001,0>M 3 0» 10101 y "v'j sr


is XKEYSCORE? 1. DNI Exploitation System/Analytic Framework

2. Performs strong (e.g. email) and soft (content) selection

3. Provides real-time target activity (tipping)

4. "Rolling Buffer" of days of ALL unfiltered data seen by XKEYSCORE: • Stores full-take data at the collection site - indexed by meta-data • Provides a series of viewers for common data types

1. Federated Query system - one query scans all sites • Performing full-take allows analysts to find targets that were

previously unknown by mining the meta-data


nooi , o t i««»;h»i »«" 10011 00. .00. TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL 1001 too» 1001 m0IO1O1ic,jm I " ' '

S t f f i t h n H n l n n v 3 01 I01QI0 . y»<" 110 J r

Small, focused team Work closely with the analysts Evolutionary development cycle (deploy early, deploy often) React to mission requirements Support staff integrated with developers Sometimes a delicate balance of mission and research


• Massive distributed Linux cluster • Over 500 servers distributed around the world • System can scale linearly - simply add a new

server to the cluster • Federated Query Mechanism


HO Ol 101 I « " ™ ÍOO! 1 OQl too» Htfl'vo «001 »00» 1001 'I®!0!0'1©' 1,11 OIOOI toi Mimmi O (O Ol io» «oon oot iWR'®- HOT 010001 Ol 101010 10101 10, 10 101 01010 IO Ol

, in; l im s «-ai


•uerv Hierarch

User Queries

t Query

XKEYSCORE web Server

F6 HQS

SSO site

F6 Site 1 F6 Site 2


HO 01 , U I , y u l

10DM «311001 W W 1001 tOOl 1001 "J J®1 !iCI U)

OlrtOI 3n! ^ . v/\# n p 1 01 10(010 ,,Voy»|


is X-KEYSCORE?

Approximately 150 sites

Over 700 servers TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL



dì c _£_ \n -M co c l cu a; ^ Q

MOIL/TURBULENCE

Processing Speed


TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL ï »tnan» w m o shallow

Can look at more data

XKEYSCORE can also be configured to go shallow if the data rate is too high


• Strong Selection itself give us only a very limited capability

• A large amount of time spent on the web is performing actions that are anonymous

• We can use this traffic to detect anomalies which can lead us to intelligence by itself, or strong selectors for traditional tasking


Plug-ins extract and index metadata into tables


[sessions] [processing engine] -> (database) (user queries)

phone numbers

Sess ion

^ email addresses

log ins

user activity

Plug-in DESCRIPTION

E-mail Addresses Indexes every E-mail address seen in a session by both username and domain

Extracted Files Indexes every file seen in a session by both filename and extension

Full Log Indexes every DNI session collected. Data is indexed by the standard N-tupple (IP, Port, Casenotation etc.)

HTTP Parser Indexes the client-side H 1 1 P traffic (examples to follow)

Phone Number Indexes every phone number seen in a session (e.g. address book entries or signature block)

User Activity Indexes the Webmail and Chat activity to include username, buddylist, machine specific cookies etc.


l # V P W W f , ( A l • " - " « 1 ' ' io» „„, lA I t _ |_ »t ifll iti T •


Can Be Stored?

Anything you wish to extract • Choose your metadata • Customizable storage times • Ex: HTTP Parser

GET /search?hi =en&q=isiamabad&meta|= HTTP/1.0 Accept: image/giT, image/x-xDitmap, image/jpeg, image/pjpeg, application/vnd.ms-application/msword, application/x-shockwave-f1 ash, */* keTerer: nttp://www.googie.com.pK/ i , . . auepl-Lci11yuctyy. yii'uI ;—1 No username/strong selector Usec Aaenjj o zi 11 a/4• 0 (compatible; MSIE b.U; Windows NT b. Ij

Connection: keep-alive


http://www.googie.com.pK/

I110 01 10! I W t ,, LtfllCLiOJ 10011 001 iooi •n.M'vtfPr« looi too» io< J«» to

i r • 01 totoio .,10 01 >!»1 »MH

TOP SECRET//C0MINT//REL TO USA, AUS, CAN,

i j ^ g ' T a r g e t s

GBR, NZL

How do I find a strong-selector for a known target?

How do I find a cell of terrorists that has no connection to known strong-selectors?

Answer: Look for anomalous events • E.g. Someone whose language is out of place for the

region they are in • Someone who is using encryption • Someone searching the web for suspicious stuff


10 01 ' t . I J i UAH

IOOI 1 OQI toot 1001 1001 1001 0 <0 Ol > IO 01 901 010001

' 01 tonoio

IIOIOIOI H TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

• Show me all the encrypted word documents from Iran

• Show me all PGP usage in Iran

• Once again - data volume too high so forwarding these back is not possible

• No strong-selector • Can perform this kind of retrospective

query, then simply pull content of interest from site as required


country X, and give me the data so I can decrypt and discover the users

• These events are easily browsable in XKEYSCORE

• No strong-selector

• XKEYSCORE extracts and stores authoring information for many major document types - can perform a retrospective survey to trace the document origin since metadata is typically kept for up to 30 days

• No other system performs this on raw unselected bulk traffic, data volumes prohibit forwarding


10 01 101 iw* iwi iwi m • ,.-• IODI 1 ooi looi W W ' TOP SECRET//COMINT//REL T0 USA, AUS, CAN, GBR, NZL

1001 tOOIIOOl " " i r r r

?l&«ffisona Session Collection

• Traditionally triggered by a strong-selector event, but it doesn't have to be this way

• Reverse PSC - from anomalous event back to a strong selector. You cannot perform this kind of analysis when the data has first been strong selected.

• Tie in with Marina - allow PSC collection after the event


My target speaks German but is in Pakistan - how can I find him?

• XKEYSCORE's HTTP Activity plugin extracts and stores all HTML language tags which can then be searched

• Not possible in any other system but XKEYSCORE, nor could it be -

• volumes are too great to forward • No strong-selector


• My target uses Google Maps to scope target locations - can I use this information to determine his email address? What about the web-searches - do any stand out and look suspicious?

• XKEYSCORE extracts and databases these events including all web-based searches which can be retrospectively queried

• No strong-selector © Data volume too high to forward


10 l o i IUO» IUU1 IUU! _ 1001 1 OOt IOO» TOI'Vy foo» loo» too? noioToi,0, Hl, O l O C U «Ok « ¿ t t t f h W n

oi V i r i r i 101 010001 l0l|" * oi loioio {vol


Document Trackin

I have a Jihadist document that has been passed around through numerous people, who wrote this and where were they?


R %ÉIh

• Show me all the Microsoft Excel spreadsheets containing MAC addresses coming out of Iraq so I can perform network mapping

• New extractor allows different dictionaries to run on document/email bodies - these more complex dictionaries can generate and database this information

• No strong-selector • Data volume is high • Multiple dictionaries targeted at specific data types


'10 01 •«» » 1001 1 001 lOOl Sò 1001 10011001 I tOIOIOI l 0 , omm 'ni ¿seitfW ^ 10 I /\ f 1 101010001 I H I J • oi loroio


Show me all the exploitable machines i country X

• Fingerprints from TAO are loaded into XKEYSCORE's application/fingerprintID engine

• Data is tagged and databased • No strong-selector • Complex boolean tasking and regular

expressions required


IO Ot <M!'lV«t I 1 «> " - f TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

ion m noi loot noioioi m i u ' ' o io Ai 101 icofWWŒto ¿1.

01 lOIOIO i o o i ,D|1 , C 0 1 ' bf new target web services

• New web services every day • Scanning content for the userid

rather than performing strong selection means we may detect activity for applications we previously had no idea about


VtfiW TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

Extraction

Have technology (thanks to R6) - for English, Arabic and Chinese Allow queries like: Show me all the word documents with references to IAEO Show me all documents that reference Osama Bin Laden Will allow a 'show me more like this' capability



HO 01 l o ' ItWMJOl ii.ul ioom OO. M TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL 1001 lOOMOOi ' ¡'I mi- m MHO - 1

oir)m loi u*rm\Vn to ii *\ m

High Speed Selection Toolbar Integration with Marina GPRS, WLAN integration SSO CRDB Workflows Multi-level Dictionaries


IU01 loot


O to 01 10 1101 010001 ' 0 01 iOtOIQ 1 lougj—• oi H-

,)•>, 0] J irpl

• High speeds yet again (algorithmic and Cell Processor (R4))

• Better presentation • Entity Extraction • VoIP • More networking protocols • Additional metadata

• Expand on google-earth capability • EXIF tags • Integration of all CES-AppProcs

• Easier to install/maintain/upgrade


Documents

TOP SECRET//COMINT//RE TLO USA, AUS , CAN, GBR, NZ L · 2014-04-09 · TOP SECRET//COMINT//RE TLO USA AUS, CAN, GBR, NZ, L ï »tnano shallo w» m w Can look at more data XKEYSCORE