TOP SECRET//COMINT//REL TO USA, FVEY

Tracking Targets on Online Social Networks

The overall classification of this briefing is TOP SECRET//COMINT//REL TO USA, FVEY

Online Social Networks SME
September 2009

From: 1-52
Dated: 20070108
Declassify On: 20320108

OSN Overview

OSN Selectors are usually invisible to the user and are only used internally.

(U) Fanbox

Suppose you sign up for Fanbox with the address terrorbomber@live.com, and you also sign up for Fanbox email.

Here's what your identifiers look like:
• Username: terrorbomber378691622
• UserId: 217440283
• Email: terrorbomber@fanbox.com (if it's available)
• Email: terrorbomber?l 8246@fanbox.com (if the above address is already taken)
• (TS//SI//REL TO USA, FVEY) Note that if your sign up email address already exists as a Fanbox email address, Fanbox will simply append a few random digits to make it a unique Fanbox email address.

What intelligence do OSNs provide to the

Insight into the personal lives of targets MAY include:
• (U) Communications
• (U) Day to Day activities
• (U) Contacts and social networks
• (U) Photographs
• (U) Videos
• (U) Personnel information (Addresses, Phone, Email addresses)
• (U) Location and Travel Information

UNCLASSIFIED

(U) Popular Online Social Networks as of 2007
[Figure legend: bebo, facebook, hi5, orkut, unidentified, blogger, fotolog, livejournal, cyworld, friendster, myspace, studiverzeichnis]

UNCLASSIFIED

(U) Popular Online Social Networks as of October 2008
[Map showing the highest ranking network for each country; the caption, which names Alexa as its data source, is largely illegible in the scan.]
[Map caption, continued and only partly legible: ... not have data available and for a few countries it was difficult to identify local social networks and therefore were omitted from map. Legend entries are illegible apart from Friendster and Skyrock.]

UNCLASSIFIED//FOR OFFICIAL USE ONLY

[Collage of OSN logos; SKYROCK is the only name fully legible.]

TOP SECRET//COMINT//REL TO USA, FVEY

Targets have been observed using more than 50+ OSNs as of late

Types of OSN Activity
• (TS//SI//REL TO USA, FVEY) Type I: Operational Communication
• (TS//SI//REL TO USA, FVEY) Type II: Technological Operational Communication
• (TS//SI//REL TO USA, FVEY) Type III: Extremist/Propaganda OSN Users (Overt)
• (TS//SI//REL TO USA, FVEY) Type IV: Direct Non-operational OSN Users
• (TS//SI//REL TO USA, FVEY) Type V: Self-Provided Personal Data on OSN
• (TS//SI//REL TO USA, FVEY) Type VI: Close Associate Information or Communication ("The Super Sloth Method")

Types of OSN Activity
[Chart: Intel Value plotted against OSN Activity Types.]

OSN Selectors expand SIGDEV opportunities
Leverage initial selector seeds to build a better picture of the target's online persona and the selectors involved

(U) OSN Comms Flow
[Flow diagram; labels largely illegible.]
TWO individuals communicating seamlessly through at least FOUR independent selectors

User Activity Possible Queries
[Two User Activity query forms with the fields Datetime (1 Day), Search For (username), Search Value and Realm; the second shows the date 2009-09-21.]

Pros and Cons of User Activity Queries
Pros:
• Hard Selector query
• Easy to pull/automate
• Email Addresses in the Username can lead to new leads
Cons:
• Only certain usernames that can be queried
• No content that doesn't have a selector associated with it
• No Web-Browsing

HTTP Activity and IP Multisearch Queries
[Query form screenshot; legible labels include Single IP Address, X-Forwarded-For, Language, Phone Number Extractor, Email Addresses, Extracted Files, HTTP Activity and Full Log.]
HTTP Activity Queries usually require some other piece of technical information to query while leveraging the OSN AppID to be legally compliant
- Address
- Address

Username Queries are preferable
[Query form screenshot; labels largely illegible.]
- Email address of the user often appears in the "Attribute Value" or other fields when looking at OSNs.

HTTP Activity Queries
[Field Builder screenshot; legible text includes "Pakistan".]
HTTP Activity Queries usually require some other piece of technical information to query while leveraging the OSN AppID to be legally compliant
- Address
- MAC Address
- Country of Origin

Pros and Cons of HTTP Activity Queries
Pros:
• OSNs that don't require login are seen
• Mobile and other technologies may be seen more easily
• Web forms, chat, etc. that may not be collected by normal dictionary selection can be seen and saved off
Cons:
• Traffic Overload
• Too many results (GET requests etc.)
• Proxies and network architecture can obfuscate the target's traffic
• Bad presentation
• HTTP activity usually needs to be viewed as code

Xkeyscore Server Side Pulls
[Query form screenshot; legible labels include Latitude, Field Builder and fulltext.]

Useful
• Social/?f: A great starting point, will show all social traffic on an IP; also an efficient way to see the types of OSN being used in a geographic area, ISP, region, etc.
• Social/YourOSNHere: Great for IP level targeting etc.
• Social/Facebook/chat/to_server: Possible to see the recipient of a target's chat and the message that was sent
• Social/Facebook/upload/photo: AppID detects the photos being uploaded onto Facebook by your target

(U) Questions or Comments?
Contact Info
[Contact details (Email, Main Page, Other Pages) are illegible in the scan.]