USA, AUS, CAN, GER#h?rrt?earch March 2009 DERIVED --.- - BUMINTHRELTD USA, nus, CAM, GER, NZL DECLASSIFT cm: 20320103 USA, AUS, CAN. b. "Standard search fields? i Wildcards I - multiple characters anywhere in word I - single character anywhere in word I Some fields are auto-wildcarded - the field name will have a before and/or after it Operators - Boolean ANDthe same field I NOT ljoe) - - comparison 300080) - regex: - regular expression - Enter to require a field to be non-empty TD USA, AUS, CAN, GER, NZL TD USA, AUS, CAHIGB, HEEL ll-text) ?eld: ,Special (fu - Google-like syntax - just list your terms and the query will return sessions that match any of them - Wildcards only allowed at the end of a word Search terms must be at least 4 characters Use or - to require that a word must or must not be present - Use to find an exact phrase Use for grouping You can still use ?classic? syntax - we convert it for you TD USA, AUS, CAN, GER, NZL USA, AUS, CAN. .- ll-text) sea Special (fu Exam pies: Search terms Returned apple banana contain ?apple? or ?banana? or both +apple +juice contain both ?apple? and ?juice? +apple -macintoah contain ?apple? but not ?macintosh? +apple +(turnover strudel) contain ?apple? AND either ?turnover? or ?etrudel? apple? contain words like ?apple? or ?apples? or ?appleaauce? or ?applet? ?apple juice? contain the exact phrase ?apple juice? TD USA, AUS, CAN, GER, NZL USA, AUS, GER, This plug-in has no ital Under development - Menu items and search forms may show up before a plug-in goes ?live? in the field Limited deployment - Some sites run different sets of plug-ins Populated by front end I Some plug-ins simply database metadata provided by the system that feeds XKS, and not all sites are set up the same way TD USA, AUS, CAN, GER, NZL USA, AUS, CAN, GERII-ql?qSlmle 'l II. I . USA, AUS, CAN. GER, NZL Full Log NI One record for every session processed Collection fields I SIGAD - Casenotation - Session ID (UUID) Protocol fields - MAC addresses - IP addresses - Port numbers TD USA, AUS, CAN, GER, NZL USA, AUS, CAN. "Full Log NI I . Application ID fields - Application Name full application ID - Application Type top level of application ID - Application Info extra info - Appid+fingerprints full application ID plus any matching fingerprints Example: - Application name: mail/webmail/yahoo - Application type: mail - Application info: viewFolder_webmail TD USA, AUS, CAN, GER, NZL USA, AUS, CAN. GER, MEL Full Log NI Fields populated by other plug-ins - Username (from User Activity) - Category hits (from Category DNI) - Client lP/X-Forwarded-For (from Web Proxy) 2 Most Full Log search fields are available on every other search form TD USA, AUS, CAN, GER, NZL USA, AUS, CAN. GER, NZL .- Email Addresses - Anything that looks like an email address Searchable fields - Email username the part before the only! - Domain the part after the - Subject email subject, if present 1 Example: Sender: userl@yahoo.com MIME-Version: 1.0 Subject: check this out Date: Tue, 02 Jan 2007 13:27:31 -0000 massage-ID: From: ?User One" {user1@yahoo.oom} To: ?User Two" {userZEhotmai1.oom} TD USA, AUS, CAN, GER, NZL USA, AUS, CAN. GER, NZL Logins Passwords Anything that looks like a login or password Searohable fields - Username - Password Examples: {input name=?username? {input name=?password? value=?asdf123?} USER badguy BASS asdf123 TD USA, AUS, CAN, GER, NZL USA, AUS, CAN. GER, NZL I. Phone Numbers in Nl ;3 Anything that looks like a phone number Searohable fields - Phone number I Number type (fax, telephone, mobile, etc.) Example: John Smith Executive.Assistant Phone: 555-1234 Fax: 555-2345 TD USA, AUS, CAN, GER, NZL u; - USA, AUS, CAN, GER71:! Scan I - .0 If. Alert Log of sessions tipped to TRAFFICTHIEF Searohable fields - Target (strong selector) - Weight (confirmed/unconfirmed) Other fields - Permutation that triggered the tip (DECODEORDAIN) - Copy of XML document sent to TRAFFICTHIEF TD USA, AUS, CAN, GER, NZL USA, AUS, CAN. GER, NZL Category NI Category hits from CADENCE and other dictionaries Searohable fields - Dictionary - Category - Keywords - Target (TRAFFICTHIEF) TD USA, AUS, CAN, GER, NZL USA, AUS, CAN, GER, NZL Willy .4 i USA, AUS, CAN. ser Activity 1-. . Metadata from applications with a strong selector webmail, chat, webcam Searchable fields - Active username (?search value?) - Activity what the active user was doing - Attribute type type of metadata - Attribute value metadata value I Source which plug-in provided the data TD USA, AUS, CAN, GER, NZL s'er Activity Ueernerne USA, AUS, CAN. GER NZL Example: Activity Seuree ?u Attribute type Attribute value bedguy@yehee vieerldeLwebmeil epp_preuider Yehee bedguy@yehee uieerldeLwebmeil wehmeil bedguy?yehee vieerldeLwebmeil direetien elient bedguy@yehee vieerlder_webmeil previeue_ueer user@yehee bedguy@yehee vieerlder_webmeil ueer_reelm yehee bedguy@yahee vieerlder_webrneil via equidi2.5 bedguy@yehee uieerlcleLwebmeil x-fenmarded_ip 10.0.123.45 bedguy?yehee vieerldeLwebmeil zxev1234 bedguy?jyehee uieerldeLwebmeil eedf1234eedf eedf1234esdf vieerldeLwebmeil user_reelm yeheeGSB eedf1234eedf vieerldeLwebmeil TD USAI AUS, CAN, GER, NZL yahee bedg uy@yehee USA, AUS, CAN, GER, NZL I. Ii?. 0 I I 4" USA, AUS, CAN. GER, NZL Extracted Files Log of files transmitted as email attachments, web uploads, etc. Searchable fields - Filename - File extension - File type/MIME type TD USA, AUS, CAN, GER, NZL TD USA, AUS, CAHIGB, HEEL piccument Tagg i ng Document bodies and email bodies are labeled with hits from a custom second-level dictionary Idea: ?embassy? by itself is not so interesting, but inside a Word document, maybe it is i Searchable fields - Filename - Tech name (tag/category) - government, monetary, proliferation, satellite, wireless, etc. - Tech value - word or phrase that hit i Note: also called Tech Strings search TD USA, AUS, CAN, GER, NZL USA, AUS, CAN. .- "ocument Metadata Metadata from Office docs, videos, etc. Searchable fields - Filename and extension, document type I Author, organization - Language - Unique ID - Creation/modification timestamps - Hash of the entire document and any embedded images TD USA, AUS, CAN, GER, NZL USA, AUS, CAN. GER, NZL PF Metadata Metadata from PDF documents Searchable fields - Unique ID - Filename I Title I Author, creator, producer - Version - Language Also available in Document Metadata search TD USA, AUS, CAN, GER, NZL USA, AUS, CAN, GER88m 1.: Ilva I I- I Ill ?01- an H, *0 USA, AUS, CAN. GER, NZL Blackberry Id numbers and payload info from Blackberry devices Searchable fields I Source and destination PIN and BES - Direction - Payload type and encoding TD USA, AUS, CAN, GER, NZL USA, AUS, CAN. GER, NZL Cellular NI Metadata from DNI over cellular modems Searohable fields - IMSI, TMSI, IMEI, MCC, RAC, TLLI, etc. - Cell ID, Tunnel ID, Access point - Latitude, longitude - Spotbeam, direction Limited deplyment - populated in SOTF by front end TD USA, AUS, CAN, GER, NZL USA, AUS, CAN. GER, NZL Cisco Passwords Logs Cisco router passwords Searohable fields - Password - Decoded password (simple obfuscation with known key) TD USA, AUS, CAN, GER, NZL USA, AUS, CAN, GER, Metadata from HTTP traffic Searchable fields - Host, URL file path, URL query string - Search terms - parsed from URLs for common search providers (Google, Yahoo) - Language, character encoding - Referrer - User-Agent I - Server type (Apache, etc.) - Via - proxy info . Geolocation info - e.g. city names from weather reports TD USA, AUS, CAN, GER, NZL USA, AUS, CAN. GER, NZL IKE Metadata from IKE (Internet Key Exchange) sessions Searchable fields - Version - Vendor ID - parameters - key length, field size, group curve, etc. - Cookies - Nonce TD USA, AUS, CAN, GER, NZL USA, AUS, CAN. GER, NZL I. RC Cafe Geolocation QUIT messages from IRC - Internet cafes often configure their IRC clients to advertise the Gates street address Searchable fields: - Username - Nick name - Cafe address (the QUIT message) I Example: QUIT :Quit: HainStreet Internet Cafe, 350 Main Street, P4 Hebeam,IMP3, 123Kbpe TD USA, AUS, CAN, GER, NZL TD USA, AUS, CAN, GBRAHZL Passport detection Detect images of passports (code from R6) - OCR machine-readable information - Searchable fields - Original filename - Passport detection score - Info from machine readable area - name, passport number, issuing state, DOB, expiration, etc. - Under development TD USA, AUS, CAN, GER, NZL USA, AUE, CAN. GER, NZL dqu Radius Logs Metadata from RADIUS sessions for dial- up authentication and IP assignment Searohable fields - Username - Phone number - IP address - Account information TD USA, AUS, CAN, GER, NZL USA, AUS, CAN. GER, NZL RBGAN Metadata from RBGAN satellite internet terminal collection Searchable fields - Username - IMEI - Latitude and longitude - Spotbeam and direction Limited deployment - populated by front end TD USA, AUS, CAN, GER, NZL USA, AUS, CAN. 1" i - Metadata from RTP audio and video sessions Searohable fields - Payload type - SSRC - Number of bytes and packets - Timestamps and sequence numbers - The RTP formatter in the session viewer can decode certain payload types into playable audio or video TD USA, AUS, CAN, GER, NZL TD USA, AUS, CAN. GBRAHZL Metadata from SIP (Session Initiation Protocol) used for VolP setup, etc. - Stored as multiple type-value pairs per session - Searohable fields - Message type - Attribute type (call-id, content-type, from, to, user-agent, via, etc.) - Attribute value - Subsession ID TD USA, AUS, CAN, GER, NZL USA, AUS, CAN. GER, NZL SSL Metadata from SSL sessions Searchable fields - Version - parameters key length, modulus, exponent, etc. - Signature info - Certificate info TD USA, AUS, CAN, GER, NZL USA, AUS, CAN. GER, NZL TR Log Logs any identified TOR routers used for anonymizing Internet traffic Searchable fields - TOR from server - TOR to server - Router nickname TD USA, AUS, CAN, GER, NZL USA, AUS, CAN. GER, NZL Web File Transfer Log of uploads and downloads from public file- sharing sites (rapidshare, depositfiles, etc.) Searchable fields - Filename I File size I Number of downloads - Uploader - Username and password Under development TD USA, AUS, CAN, GER, NZL USA, AUS, CAN. GER, MEL 'Web Proxy Log of X-Forwarded-For IP addresses and other leaked public/private IP Currently contains XFF plus leaked info from STUN and Google Earth Searohable fields - Internal from IP - Internal to IP I External from IP - External to IP I Source - plug-in that provided the info - Network path - Chain of XFF addresses TD USA, AUS, CAN, GER, NZL USA, AUE, CAN. GER, NZL dqu I. Wireshark Metadata from various protocols processed by the wireshark library Protocols - Routing - BGP, OSPF - VolP - H225, Skinny, Clarent, Megaco, SCTP I Net management - SIVIB, SNMP - Tunneling - GTP Searchable fields - Protocol - Field name - Field value TD USA, AUS, CAN, GER, NZL USA, AUS, CAN. GER, NZL WLAN Metadata from WLAN collection Searchable fields - Channel - SSID . BSSID - MAC addresses - Username - Private IP Limited deplyment - populated in SOTF by front end TD USA, AUS, CAN, GER, NZL USA, AUS, CAN, GERMisc aneu? hg?..nd?iv' a I?f' USA, AUS, CAN. GER, NZL Call Logs DNR metadata from JUGGERNAUT, CERF, FASCIA, DURT, etc. Searohable fields - Phone numbers - Signaling type - OPC, DPC, CIC, IMSI Limited deployment TD USA, AUS, CAN, GER, NZL USA, AUS, CAN. GER, NZL Network Logs Network metadata from MOONSHINE logs Searohable fields - Net type - ESSID, BSSID - Channel - Carrier - Latitude and longitude Limited deployment TD USA, AUS, CAN, GER, NZL USA, AUS, CAN. GER, NZL CNE data from TAO Searchable fields I Project name - Collection technique - Filename and extension Limited deployment (xks?one) TD USA, AUS, CAN, GER, NZL USA, AUS, CAN. GER, NZL Registry Windows registry data from TAO (CNE) Searchable fields - Collection technique I Hive - Key, subkey, value Limited deployment (xks-one) TD USA, AUS, CAN, GER, NZL USA. AUS, CAN, GERFrh?r - I I ?all511%: Ii]. i' I 1+3. '31 Alli ill TD USA, AUS, CAN. GBRAHZL "Simple Search Simple way to search for usernames, IP addresses, and machine ID cookies Just enter your search term and select what type of thing it is, and the form sends it to User Activity or HTTP Activity as appropriate TD USA, AUS, CAN, GER, NZL TD USA, GR, mu 3 ea Problem: XKS may have info about ?badguy@yahoo? in Email Addresses, User Activity, Logins Passwords, etc. - Solution: submit multiple searches from a single form Enter the username and select which databases to search, and the form translates that into the proper queries Similar MultiSearches for IP addresses and MAC addresses Optional: merge results into one table TD USA, AUS, CAN, GER, NZL