TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

XKEYSCORE

25 Feb 2008 xkeyscore@nsa

DERIVED FROM: NSA/CSSM 1
DATED: 20070108
DECLASSIFY ON: 20320108

1. DNI Exploitation System/Analytic Framework

2. Performs strong (e.g. email) and soft (content) selection

3. Provides real-time target activity (tipping)

4. "Rolling Buffer" of days of ALL unfiltered data seen by XKEYSCORE:
   • Stores full-take data at the collection site - indexed by meta-data
   • Provides a series of viewers for common data types

5. Federated Query system - one query scans all sites
   • Performing full-take allows analysts to find targets that were previously unknown by mining the meta-data

Methodology

• Small, focused team
• Work closely with the analysts
• Evolutionary development cycle (deploy early, deploy often)
• React to mission requirements
• Support staff integrated with developers
• Sometimes a delicate balance of mission and research

System Details

• Massive distributed Linux cluster
• Over 500 servers distributed around the world
• System can scale linearly - simply add a new server to the cluster
• Federated Query Mechanism

Query Hierarchy

[Diagram; labels: Query, F6 HQS, Query, SSO site, F6 Site 1, F6 Site 2]

Where is X-KEYSCORE?

Over 700 servers


unique about

General Capability

Processing Speed

MOIL/TURBULENCE

XKEYSCORE

• Can look at more data

• XKEYSCORE can also be configured to go shallow if the data rate is too high

Why go deep

• Strong Selection itself gives us only a very limited capability

• A large amount of time spent on the web is performing actions that are

• We can use this traffic to detect anomalies which can lead us to intelligence by itself, or strong selectors for traditional tasking

What XKS does with the Sessions

Plug-ins extract and index into tables

[sessions] [processing engine] (database) > (user queries)

• phone numbers
• email addresses
• log ins
• user activity

Plug-ins

Plug-in | DESCRIPTION
E-mail Addresses | Indexes every E-mail address seen in a session by both username and domain
Extracted Files | Indexes every file seen in a session by both filename and extension
Full Log | Indexes every DNI session collected. Data is indexed by the standard N-tuple (IP, Port, Casenotation etc.)
HTTP Parser | Indexes the client-side HTTP traffic (examples to follow)
Phone Number | Indexes every phone number seen in a session (e.g. address book entries or signature block)
User Activity | Indexes the Webmail and Chat activity to include username, buddylist, machine specific cookies etc.

What Can Be Stored?

• Anything you wish to extract
• Choose your metadata
• Customizable storage times
• Ex: HTTP Parser

FM IP 58. TO IP 64.

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.[...], application/msword, application/x-shockwave-flash, */*
Referer: http://www.google.com.pk/ [...]
Host: www.google.com.pl
User-Agent: Mozilla/4.0 (compatible; MSIE [...]; Windows NT [...]
Via: 1.0 proxy[...]:8080 (squid/2.5.STABLE13)
X-Forwarded-For: 58[...]
Connection: keep-alive

No username/strong selector


Finding Targets

• How do I find a strong-selector for a known target?

• How do I find a cell of terrorists that has no connection to known strong-selectors?

• Answer: Look for anomalous events
  • E.g. Someone whose language is out of place for the region they are in
  • Someone who is using encryption
  • Someone searching the web for suspicious stuff

[Screenshot residue; legible fragments: "Show me all ... documents fr", "Show me all", "Once again -", "query, then", "from site as required"]

Technology Detection

Show me all the VPN startups in country X, and give me the data so I can decrypt and discover the users

• These events are easily browsable in XKEYSCORE
• No strong-selector

• XKEYSCORE extracts and stores authoring information for many major document types - can perform a retrospective survey to trace the document origin since metadata is typically kept for up to 30 days

No other system performs this on raw unselected bulk traffic, data volumes prohibit forwarding

Persona Session Collection

• Traditionally triggered by a strong-selector event, but it doesn't have to be this way

• Reverse PSC - from anomalous event back to a strong selector. You cannot perform this kind of analysis when the data has first been strong selected.

• Tie in with Marina - allow PSC collection after the event

Language Tracking

• My target speaks German but is in Pakistan - how can I find him?

• XKEYSCORE's HTTP Activity plugin extracts and stores all HTML language tags which can then be searched

• Not possible in any other system but XKEYSCORE, nor could it be -
  • volumes are too great to forward
  • No strong-selector

Google Ma

My target uses G locations - can I determine his err web-searches - c suspicious?

• XKEYSCORE extr including all web-based searches which can be retrospectively queried
• No strong-selector
• Data volume too high to forward

[Screenshot: document properties dialog for an MS Word document, with tabs General, Description, User Defined, Internet, Statistics and fields including Location, Size, Created, Modified, Digitally signed, Last printed, Title, Subject, Keywords, Comments, Total editing time, Revision number, Template]

All images are hashed in the metadata so that you can search for anyone who has received or transmitted this document. This is really useful for company logos.

[Screenshot: biographical data form in English and Arabic, with fields First Name, Middle (father's) Name, Birth Date, City/Country of Birth, Nationality, Religion, Gender (Male/Female), Marital Status (Single/Married/Divorced), Number of children]

[Screenshot: spreadsheet headed "PROACTIVE", a closeout document with site information and equipment fields (shipment and commissioning dates, serial numbers, models, MAC address)]

TAO

• Show me all the exploitable machines in country X

• Fingerprints from TAO are loaded into XKEYSCORE's application/fingerprintID engine
• Data is tagged and databased
• No strong-selector
• Complex boolean tasking and regular expressions required


Over 300 terrorists captured using intelligence generated from XKEYSCORE

• Customer: CounterTerrorism (CT)
• Provides near real-time tips to TRAFFICTHIEF server in operations in coordination with coalition forces in Iraq 24 hours a day
• Currently producing hundreds of confirmed alerts per day on over 3000 user accounts

Afternoon of 2004 - coalition detained individuals below:

May 2006, WealthyCluster2 and X-KEYSCORE Installed at
• Connected to Moonshine
• Enabled processing of wireless collection
• Enabled near-real-time tipping
• Enabled full-take SIGDEV

[Embedded article screenshots; headline partly legible: Previously "Unfindable" Internet Cafes ... and Iraq Can Now Be Located]

Un-locatable cafés were geolocated:
• SIDtoday blog "A Goldmine"
• Four Other Cafés Being Developed

Acquired important targets:
• NSA/Georgia Tips With Precise Locations
• JSOC Tools In Newl
• Reacquired Lost When Zarkanet Went Down

Terrorists were captured:
• Members of the
• Members of the

Innovation

• High Speed Selection
• Toolbar
• Integration with Marina
• GPRS, WLAN integration
• SSO CRDB
• Workflows
• Multi-level Dictionaries

Future

• High speeds yet again (algorithmic and Cell Processor (R4))
• Better presentation
• Entity Extraction
• VoIP
• More networking protocols
• Additional metadata
• Expand on google-earth capability
• EXIF tags
• Integration of all CES-AppProcs
• Easier to install/maintain/upgrade
