TOP CAN, AUS, GBR, NZL, USA

LEVITATION and the FFU Hypothesis
cse-cst.gc.ca

What is LEVITATION?
- A behaviour-based target discovery project
- Multi-disciplinary team
- Prototyping and delivering advances in:
  - Behavioural tradecraft
  - Hypothesis tradecraft
  - Tradecraft automation

Current Hypotheses In Development
- GPS waypoints
- Devices close to places
- Telephony gaps
- Sequential numbers
- Targets of foreign SIGINT agencies
- Obvious selector names
- Web search terms
- calls

FFU Hypothesis
- Extremists use Free File Upload (FFU) sites differently than the general public.
  - Al-Qaida uses FFU sites to distribute Jihadist propaganda
  - Extremists use FFU sites to distribute training materials

What do we need?
- A list of suspect documents
- A list of FFU URLs referring to those documents
- A list of IPs downloading those URLs

New documents are found by CWOC (CSEC Web Operations Centre) retrieval from URLs, so that's the easy part.

New URLs
- Web forums team
- Previous correlations
- 2nd Party reports
- Alerts
- Analysis
- Machine learning
  - Using techniques to figure out what else that user was up to at the same time, e.g. Google Analytics cookies
  - Learning the textual context for the URLs in web forums
  - Follow URL referrers back to the originating site

[Diagram: transformation that gets STALKER hostnames, builds and runs an SQL query of FFU events for STALKER referrers, filters out images and heavy hitters, groups and sorts rows by referrer count, adds IP geo and network info, de-duplicates against the FFU Requests Master List (stream lookup, remove spaces), and mails and writes out the new URLs.]
FFU Events Collection
- ATOMIC BANJO (Special Source) is collecting HTTP metadata for 102 known FFU sites.
- We see about 10-15 million FFU events per day.
- All the FFU events are available through OLYMPIA.

Looking for a few good documents
- We only care about the 2,200 URLs that point to documents of interest, e.g. "How to make a gas bomb".
- Every day we sort through the 10-15M events for the interesting ones.
- We're finding about 350 interesting download events per month.

Documents vary
- Chloroform in a Lowes bucket
- Bajadin Explosives Manual
- And lots of pictures of cars on fire

[Diagram: transformation that creates the HTTP master list of extremist URLs, queries the processed FFU records against the Master FFU Hits, adds geo and constants, sorts by time, does a stream lookup, and emits the New FFU records.]

Resulting events
[Screenshot: Windows Explorer listing of the Levitation FFU Hits share, one "FFU Hit Selector" folder per day from 01-20-2012 to 03-20-2012, several tagged with a country or origin (Saudi Arabia, Occupied Palestinian Territory, Bahrain, Yemen, Morocco, Canadian Anonymizer), plus an Excel file "FFU From Mathieu".]

Search FFU Hits
- FFU hit from selector [...] on 7/03/2012 7:46:51, geolocated to Kenya, accessing "The Explosives Course" through FFU site sendspace.com with HTTP user agent Mozilla/5.0 (Ubuntu; Linux x86_64; rv:9.0.1) Gecko/20100101 Firefox/[...]

Correlating other selectors with the IP
- FFU hit from selector [...] on 7/03/2012 7:46:51, geolocated to Kenya, accessing "The Explosives Course" through FFU site sendspace.com with HTTP user agent Mozilla/5.0 (Ubuntu; Linux x86_64; rv:9.0.1) Gecko/20100101 Firefox/[...]
- Mutant Broth query on IP [...] for 5 hours on either side of 7/03/2012 7:46:51:
  - 682 events, including 77 with an exact match of the user agent above, yielding a Facebook ID, a Google PREF cookie, an M_Adnxs uuid2 cookie, an MQuantserve mc cookie and a Google PREF cookie

Correlating Facebook cookie
- FFU hit from selector [...] on 7/03/2012 7:46:51, geolocated to Kenya, accessing "The Explosives Course" through FFU site sendspace.com with HTTP user agent Mozilla/5.0 (Ubuntu; ...)
- Marina profile query on the Facebook user cookie observed in the Mutant Broth query above: lots of events, including registration email address [...]@gmail.com and Facebook name [...]
- Open source research indicates that the user of Facebook ID [...] is based in Dubai [...]
- Mutant Broth sub-query on the Facebook user cookie observed in the Mutant Broth query above: 946 events, with 393 matching exactly the user agent above
[Diagram: transformation over the Mutant Broth raw results that gets rows from the result, runs multi-threaded, cuts justification to 150 chars, filters the result, sorts by sequence, groups by user agent, calculates confidence, sorts by confidence, and filters on user agent, with error handling for an empty result.]

[Result grid excerpt: rows for archive.org/almapl.mp4, document description "German hostage video", activity dates Wed Mar 28 18:23:42 GMT 2012 and Wed Mar 28 18:32:32 GMT 2012, user agents including Mozilla/4.0 (compatible; MSIE 8.0; Win...), Confidence_Number 1.0, ACTIVE USER.]

Automated analysis documentation
- FFU hit from selector [...] on Mon 20120120000848000 GMT, geolocated to [...], accessing "Inexhaustible weapons part 2" through FFU site [...] GET [download] [...] with user agent Mozilla/5.0 [...]
- Mutant Broth query on IP [...] for 5 hours on either side of 20120120000848000 GMT: [EVENT COUNT] events, [MATCHING EVENT COUNT] matching exactly the user agent above.
- Marina activity query on IP [...] for 5 hours on either side of 20120120000848000 GMT with possible [...]

What happens then?
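The correlation the preceding slides describe (a download hit on a listed URL, then every event from the same IP five hours either side of it, then the subset with an identical user agent, from which identifier cookies are read out and a confidence is calculated) as an added worked example in Python. This is not code from the deck or from CSEC; the event records, cookie names, URL of interest and the confidence formula (share of nearby events whose user agent matches the hit) are constructed assumptions for illustration.

```python
"""Correlating an FFU download hit with other HTTP metadata from the same IP.

Added example: the records, cookie names and scoring below are constructed
assumptions, not data or code from the deck.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


# Cookies treated as persistent identifiers (assumed names, chosen to match the
# services the deck names: Facebook, Google PREF, AppNexus uuid2, Quantserve mc).
IDENTIFIER_COOKIES = {
    "c_user": "facebook",
    "datr": "facebook",
    "PREF": "google",
    "uuid2": "adnxs",
    "mc": "quantserve",
}


@dataclass
class HttpEvent:
    """One line of HTTP metadata: who fetched what, when, with which browser."""
    ts: datetime
    ip: str
    host: str
    path: str
    user_agent: str
    cookies: dict = field(default_factory=dict)


def filter_hits(events, master_list):
    """Step 1: keep only events whose URL is on the master list of documents of interest."""
    return [e for e in events if (e.host, e.path) in master_list]


def correlate(hit, events, window=timedelta(hours=5)):
    """Step 2: everything the hit's IP did within +/- window of the hit.

    The same IP is not the same user (NAT, proxies, anonymizers), so identifier
    cookies are only taken from events whose user agent matches the hit exactly.
    Confidence is an assumed measure: the share of nearby events that match.
    """
    lo, hi = hit.ts - window, hit.ts + window
    nearby = [e for e in events if e.ip == hit.ip and lo <= e.ts <= hi and e is not hit]
    same_ua = [e for e in nearby if e.user_agent == hit.user_agent]

    identifiers = {}
    for e in same_ua:
        for name, value in e.cookies.items():
            if name in IDENTIFIER_COOKIES:
                identifiers.setdefault((IDENTIFIER_COOKIES[name], name), set()).add(value)

    confidence = round(len(same_ua) / len(nearby), 2) if nearby else 0.0
    return {"total": len(nearby), "ua_match": len(same_ua),
            "identifiers": identifiers, "confidence": confidence}


# Constructed sample data: one hit on a listed URL, other events from the same
# (shared) IP, one from a different browser behind it, one outside the window.
T0 = datetime(2012, 3, 7, 7, 46, 51, tzinfo=timezone.utc)
UA_FF = "Mozilla/5.0 (Ubuntu; Linux x86_64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
UA_IE = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
MASTER_LIST = {("sendspace.com", "/file/abc123")}          # assumed URL of interest
SAMPLE_EVENTS = [
    HttpEvent(T0, "198.51.100.7", "sendspace.com", "/file/abc123", UA_FF),
    HttpEvent(T0 - timedelta(hours=2), "198.51.100.7", "www.facebook.com", "/home.php",
              UA_FF, {"c_user": "100001", "datr": "fbcookie1"}),
    HttpEvent(T0 + timedelta(hours=1), "198.51.100.7", "www.google.com", "/search",
              UA_FF, {"PREF": "ID=pref1"}),
    HttpEvent(T0 + timedelta(hours=3), "198.51.100.7", "ib.adnxs.com", "/ttj",
              UA_IE, {"uuid2": "someone-else"}),          # another user behind the NAT
    HttpEvent(T0 + timedelta(hours=7), "198.51.100.7", "www.facebook.com", "/home.php",
              UA_FF, {"datr": "fbcookie1"}),               # outside the 5-hour window
    HttpEvent(T0, "203.0.113.9", "sendspace.com", "/file/xyz789", UA_IE),  # not listed
]


def run_example(events=SAMPLE_EVENTS, master_list=MASTER_LIST):
    """Filter the hits, then correlate each one; returns [(hit, result), ...]."""
    return [(hit, correlate(hit, events)) for hit in filter_hits(events, master_list)]


if __name__ == "__main__":
    for hit, result in run_example():
        print(hit.ip, hit.host + hit.path, result)
```

The user-agent filter is what keeps the uuid2 cookie of the second browser behind the shared address out of the result, which is the point of the "exact match of the user agent" count on the slides; an exact match still only says "same browser build on the same address in the same hours", not "same person", so the identifiers it yields are leads to be confirmed by the follow-up profile query, not attribution by themselves.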
- Compare control and experimental groups to show statistical differences
- Analyse the experimental group to determine the statistical power of the hypothesis
- Assemble selectors across all hypotheses
- Rank selectors according to the number and power of the hypothesis behaviours they show
- Deliver an ordered list of suspects to OCT

Scoreboard
[Table: selectors against hypotheses, with FFU hits, totals, and per-hypothesis weights of 0.6, 0.55, 0.52 and 0.48; the remaining cells did not survive extraction.]

Successes
- An HTTP-referred URL gave us a German hostage video from a previously unknown target.
- An upload event gave us a hostage strategy.
- The resulting report was disseminated widely, including by the CIA to their counterparts overseas.

The End
Team Lead: [...]
Tech Lead: [...]
Me: [...]