TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123

X-KEYSCORE: HTTP Activity (March 2009)

HTTP Activity
- HTTP Activity is essentially all web-based activity from a user's internet browser (with some exceptions).
- It includes web surfing, internet searching (like Google), mapping websites (Google Earth/Maps), etc.
- Most of this data will not contain a strong selector like an e-mail address.

HTTP Activity
HTTP activity comes in two types:
- Client-to-Server "requests"
- Server-to-Client "responses"
[Diagram: a client exchanging requests and responses with a web server (cnn.com)]

HTTP Activity
How do you know which side you're looking at?
- Client-to-Server requests are generally small in size and are computers talking to other computers.
- Server-to-Client responses are larger and are what web pages look like at home.
- So if you're looking at something that looks like a web page, it's Server-to-Client.

HTTP Activity Examples
Client-to-Server request:
[Screenshot: a session record (ID: sess_orig_proc, Type: HTTP-GET) in the Printer Friendly Version / DNI Display / Raw Data / DNI Format viewer; the raw data is a GET request with User-Agent (Mozilla/5.0, Windows NT 5.1, AppleWebKit/Chrome), Referer, Accept-Language and Accept-Charset headers]

HTTP Activity Examples
Server-to-Client response:
[Screenshot: a session record (ID: sess_orig_proc) whose raw data renders as a news web page, lead story "Kuwait government 'resigns' over economy", Mon 16 Mar 2009]

XKS HTTP Activity
- Meta-data differs greatly depending on which side of traffic we're collecting.
- In nearly all cases it's better to have client-to-server traffic.

HTTP Activity: Client-to-Server
[Screenshot: a GET request annotated with the meta-data XKS extracts from it: Host, URL Path, URL Argument, Search Terms, Language, Browser (from User-Agent: Mozilla/4.0 (compatible; MSIE; Windows NT 5.1)), Referer, Cookie]

HTTP Activity: Server-to-Client
[Screenshot: the same news-page response; the meta-data extracted from it is limited to the response Type and content Info]

HTTP Activity
- Meta-data will also tell you which side of traffic you're looking at.
- Client-to-server has two main types: Type HTTP-GET and Type HTTP-POST.
- Server-to-Client has only one type: the response.

HTTP Activity: GET vs POST
- A GET is you requesting data from the server (most web surfing).
- A POST is you sending data to the server (signing in, filling out a form, uploading a file, etc.).

XKS SIGDEV: HTTP Activity
Example: let's look for all Arabic-font Google queries coming out of the tribal areas of Pakistan.
- The information needed is contained in HTTP Activity meta-data.
[Screenshot: query form with Country set to Pakistan and a 3-hour time window]
[Screenshot: result table of HTTP Activity records with datetime, duration and logged-in user columns]

XKS SIGDEV: HTTP Activity
Now make that into a workflow.
[Screenshot: a saved workflow, submitted 2008-11-20 03:55:03 GMT, whose results list dated Google query terms machine-translated from Arabic (cybertrans), each with its referer entry]
HTTP Activity
- Many targets use free file sharing websites to pass messages.
- Example: we may see a message like this:
    From: badguy@yahoo.com
    To: someotherbadguy@yahoo.com
    Hey dude, check out this file: [link]
- Let's use X-KEYSCORE to find who else might have viewed that file.

HTTP Activity: URL
XKS breaks up URLs into their components. For a search URL whose argument string ends in ...=terrorism&start=10&sa=N:
- The "host" is everything between the http:// and the first /.
- search is the "url path", everything after the first / and before the ?.
- ...=terrorism&start=10&sa=N is the "url argument", everything after the ?.
- terrorism is the "search term".

XKS SIGDEV: HTTP
Ex: Targets pass links to videos; use XKS to discover new targets who have viewed those videos.
[Screenshot: intercept HE 00215-09, in which the sender promises that the newest video will be ready very soon and then sends two links, beside the XKS query built from them (Start/Stop datetime, Type, Host, URL Path)]
[Screenshot: result table of HTTP Activity records with datetime and logged-in user columns]

(REL TO USA, AUS, CAN, GBR, NZL) During his Internet session, 'Atiyah queried on himself, "Shaykh 'Atiyatallah," and on the name "Khalid al-Habib." (3/00/7878-08)

(REL TO USA, AUS, CAN, GBR, NZL) During his session on 16 September, 'Atiyah used a U.S. search engine to search for information on himself and a possible associate. 'Atiyah submitted Arabic queries for an alias of his, "'Atiyahtallah", and his real name, "Jamal Ibrahim Ishtaywi". 'Atiyah also queried for "Revealing View." (COMMENT: This is likely a reference to the book he recently wrote entitled "Lebanese Hezballah and the Palestinian Issue - A Revealing View") 'Atiyah also queried for "'Ali 'Iwad al-Harabi" (no further information). On 17 September, 'Atiyah searched again on the title of his book. (3/00/7151-08)

[Screenshot: search-result listing for the sessions described above]

(REL TO USA, AUS, CAN, GBR, NZL) During the 1035Z to 1143Z online activity, 'Atiyah down-loaded the application Skype to his private computer. During an earlier online session from approximately 0902Z to 0935Z, either 'Atiyah or his wife, Jamila, also down-loaded Skype onto her private computer. (3/00/10570-07)

(REL TO USA, AUS, CAN, GBR, NZL) Although much of 'Atiyah's online activity is communication, he is also a "news hound." While located in Sanandaj, 'Atiyah daily visited several online international news sites, such as the Qatar-registered al-Jazeera news website, and Arabic language versions of U.S.-based and U.K.-based news organizations. Also, 'Atiyah frequently visits religious sites, such as the Saudi Arabia-registered islamtoday.net. (3/00/21045-07)
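The request/response distinction and the URL split described on the slides (host, url path, url argument, search term, plus the Language, Browser and Referer fields), as an added example that is not part of the deck or of XKS: a small parser of the kind a web-proxy log or IDS pipeline applies. The sample messages are constructed, and the `q` search-parameter name is an assumption the slides never state.

```python
"""Decide which side a captured HTTP message is, then break a request into the
fields the slides list.  Constructed samples; the 'q' parameter is an assumption."""
from urllib.parse import parse_qs

METHODS = ("GET", "POST", "HEAD", "PUT", "DELETE")  # request-line methods

def side(raw):
    """'client-to-server' for a request line, 'server-to-client' for a status line."""
    first = raw.lstrip().split("\r\n", 1)[0]
    if first.startswith("HTTP/"):
        return "server-to-client"
    if first.split(" ")[0] in METHODS:
        return "client-to-server"
    raise ValueError("not an HTTP message: %r" % first)

def request_metadata(raw, search_param="q"):
    """Break a client-to-server request into the components the slides name."""
    head = raw.lstrip().split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # url path: after the first '/' and before the '?'; url argument: after the '?'
    path, _, argument = target.partition("?")
    args = parse_qs(argument, keep_blank_values=True)
    return {
        "type": "HTTP-" + method,
        "host": headers.get("host"),  # the part between http:// and the first '/'
        "url_path": path.lstrip("/"),
        "url_argument": argument,
        "search_term": args.get(search_param, [None])[0],
        "language": headers.get("accept-language"),
        "browser": headers.get("user-agent"),
        "referer": headers.get("referer"),
    }

# Constructed sample request: small, machine-to-machine, carries the useful meta-data.
SAMPLE_REQUEST = (
    "GET /search?q=terrorism&start=10&sa=N HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 5.1)\r\n"
    "Accept-Language: en-US,en\r\n"
    "Referer: http://www.example.com/\r\n\r\n"
)
# Constructed sample response: what the page looks like at home, little meta-data.
SAMPLE_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"
```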