25 Feb 2008
xkeyscore@nsa

- DNI Exploitation System/Analytic Framework
2. Performs strong (email) and soft (content) selection
3. Provides real-time target activity (tipping)
4. "Rolling Buffer" of ~3 days of ALL unfiltered data seen by XKEYSCORE:
   - Stores full-take data at the collection site -- indexed by meta-data
   - Provides a series of viewers for common data types
1. Federated Query system -- one query scans all sites
- Performing full-take allows to find targets that were previously unknown by mining the meta-data

TOP TO USA, AUS, CAN, GBR, NZL

- Small, focused team
- Work closely with the
- Evolutionary development cycle (deploy early, deploy often)
- React to mission requirements
- Support staff integrated with developers
- Sometimes a delicate balance of mission and research

- Massive distributed Linux cluster
- Over 500 servers distributed around the world
- System can scale linearly -- simply add a new server to the cluster
- Federated Query Mechanism

[Diagram labels: User Queries; XKEYSCORE web server; Query; F6 HQS; FORNSAT site; SSO site; F6 Site1; F6 Site2]

- Approximately 150 sites
- Over 700 servers

[Chart labels: Processing Speed; Processing Depth; XKEYSCORE]
- Can look at more data
- XKEYSCORE can also be configured to go shallow if the data rate is too high

- Strong Selection itself gives us only a very limited capability
- A large amount of time spent on the web is performing actions that are anonymous
- We can use this traffic to detect anomalies which can lead us to intelligence by itself, or strong selectors for traditional tasking

- Plug-ins extract and index metadata into tables

[Diagram labels: sessions; processing engine; database; user queries; database tables: phone numbers, email addresses, logins]

- Anything you wish to extract
- Choose your metadata
- Customizable storage times
- Ex: Parser

  GET
  Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-, application/msword, application/x-shockwave-flash,
  (compatible; MSIE 6.0; Windows NT 5.1)
  Connection: keep-alive

- No username/strong selector

- How do I find a strong-selector for a known target?
- How do I find a cell of terrorists that has no connection to known strong-selectors?
- Answer: Look for anomalous events
- E.g. Someone whose language is out of place for the region they are in
- Someone who is using
- Someone searching the web for suspicious stuff

- Show me all the word documents from Iran
- Show me all PGP usage in Iran
- Once again -- data volume too high so forwarding these back is not possible
- No strong-selector
- Can perform this kind of retrospective query, then simply pull content of interest from site as required
- Show me all the VPN startups in country X, and give me the data so I can and discover the users
- These events are easily browsable in XKEYSCORE
- No strong-selector
- XKEYSCORE extracts and stores authoring information for many major document types -- can perform a retrospective survey to trace the document origin since metadata is typically kept for up to 30 days
- No other system performs this on raw unselected bulk traffic, data volumes prohibit forwarding

- Traditionally triggered by a strong-selector event, but it doesn't have to be this way
- Reverse PSC -- from anomalous event back to a strong selector. You cannot perform this kind of analysis when the data has first been strong selected.
- Tie in with Marina -- allow PSC collection after the event

- My target speaks German but is in Pakistan -- how can I find him?
- XKEYSCORE's HTTP Activity plugin extracts and stores all HTML language tags which can then be searched
- Not possible in any other system but XKEYSCORE, nor could it be --
- volumes are too great to forward
- No strong-selector

- target uses GoogleMaps to scope target locations -- can I use this information to determine his email address? What about the web-searches -- do any stand out and look suspicious?
- XKEYSCORE extracts and databases these events including all web-based searches which can be retrospectively queried
- No strong-selector
- Data volume too high to forward

- I have a Jihadist document that has been passed around through numerous people, who wrote this and where were they?
- Show me all the Microsoft Excel spreadsheets containing MAC addresses coming out of Iraq so I can perform network mapping
- New extractor allows different dictionaries to run on document/email bodies -- these more complex dictionaries can generate and database this information
- No strong-selector
- Data volume is high
- Multiple dictionaries targeted at specific data types

- Show me all the exploitable machines in country
- Fingerprints from TAO are loaded into XKEYSCORE's application/fingerprintID engine
- Data is tagged and databased
- No strong-selector
- Complex boolean tasking and regular expressions required

- New web services every day
- Scanning content for the userid rather than performing strong selection means we may detect activity for applications we previously had no idea about

- Have technology (thanks to R6) -- for English, Arabic and Chinese
- Allow queries like:
- Show me all the word documents with references to IAEO
- Show me all documents that reference Osama Bin Laden
- Will allow a 'show me more like this' capability

intelligence at from XKEYSCORE

- High Speed Selection
- Toolbar
- Integration with Marina
- GPRS, WLAN integration
- SSO CRDB
- Workflows
- Multi-level Dictionaries

- High speeds yet again (algorithmic and Cell Processor
- Better presentation
- Entity Extraction
- More networking protocols
- Additional metadata
- Expand on google-earth capability
- EXIF tags
- Integration of all CES-AppProcs
- Easier to install/maintain/upgrade