TOP SECRET//COMINT//REL TO USA, AUS, CAN, GER, NZL//20291123

March 2009

Protocols

Signaling/setup/control
- SIP (Session Initiation Protocol)
- H323
- Skinny
- Clarent
- Yahoo proprietary

Data - voice, fax, video
- RTP (Real-time Transport Protocol)

The Problem

- Setup and data may take different routes
- Different routes may be collected at different sites
- Routes may change

[Diagram: two user agents connected through an outbound proxy server and an inbound proxy server, with a separate media path; the message labels are only partly legible in this copy.]

- Local site XKS identifies VOIP setup involving a tasked target
- Local XKS queries itself for corresponding RTP data
- If the local query fails, it is passed back to HQS for a cross-site query across the entire XKS network
- Forward hits to NUCLEON and generate summary reports

XKS Solution

[Diagram: an XKEYSCORE web server and several collection sites, including a FORNSAT site, F6 Site 1 and F6 Site 2; the other site labels are not legible in this copy. Legible annotations: a site "queries itself for the RTP on a hit"; "If we found the RTP locally, forward it back"; "Forward back results".]

VOIP Hits

Use this to find data for
- There was a dictionary hit on the VOIP signaling (TRAFFICTHIEF, CADENCE, OCTAVE, MARINA, UTT)
- We were able to find the RTP corresponding to the signaling information

VOIP Hits

[Screenshot: XKEYSCORE web interface with the menu bar Home, Admin, Users, Workflow Central, Search, Results, Statistics, Preferences, Help and a Navigation Menu.]
[Screenshot: VOIP Hits search form. Legible field labels include Query Name, Justification, Datetime, Email (From/To), Name (From/To), Phone Number (From/To), Tasking Value, Dictionary, Category, Priority, Target, Description and Contacts.]

VOIP Hits - Search F055

User/target information
- Email
- Name
- Phone number
- IP address
- Country code

Content information
- Content type (audio, video, image)
- Control type (SIP, H323, skinny, clarent)
- Fingerprints may indicate specific VOIP devices

VOIP Hits - Results

[Screenshot: results table with columns Datetime, Datetime End, Content, From Email, From Name, From Phone and To Email; the row values are not legible in this copy.]
VOIP Hits - RTP Viewer

[Screenshot: RTP Viewer with a session list (Datetime, Datetime End), a session viewer with a session header and metadata, per-direction RTP statistics (packets, bytes, minimum and maximum timestamp, minimum and maximum sequence number), a count of bad sequence numbers, a fingerprint line and a list of extracted audio files; the values are not legible in this copy.]

[Screenshot: media player window showing "Now Playing".]

VOIP Sigdev

Use these search forms to find other VOIP not included in the VOIP Hits

[Screenshot: XKEYSCORE interface with the menu bar Home, Admin, Users, Workflow and a Navigation Menu; legible menu entries include Classic, VOIP Setup Hits, File Transfer, Network Management, Search Wizard and User Activity.]
[Screenshot, continued: further navigation menu entries, only partly legible in this copy, including RTP and VOIP Setup.]

Questions?

Contact the team:
- xkeyscore@nsa.ic.gov
- xkeyscore)
- Primary POCs for VOIP:
  - @nsa.ic.gov
  - @nsa.ic.gov