TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123
Finding and Querying on Document Metadata
Booz Allen Hamilton
SIGINT Development Support / SIGINT Technical Analysis (SDS/STA)
April 2009
Document Metadata Agenda
• Why to Query on Document Metadata
• How to Find Document Metadata
  • e.g. File -> Properties
  • Google
• How to Create Queries in XKS
  • XKEYSCORE Document Metadata and PDF Metadata
Document Metadata Analysis
What?: Use non-traditional selectors to find and track targets sending/receiving documents of interest
How?: It targets documents by Author, Organization, or embedded images (logos)
Why?: We don't always know WHO is sending the documents, but they are "guilty-by-association" if they send/receive the document. So, who are THEY?
Finding Document Metadata
We find "Document Metadata" in File Properties (XKEYSCORE_Terms.doc).
[Screenshot: Microsoft Word File menu (New, Open, Close, Save, Save As, Properties, Remove Hidden Data, Versions, Page Setup, Print) and the Properties dialog for XKEYSCORE_Terms.doc, Summary tab: Title "XKeyscore Terms"; Subject; Author "Joe BaggaDonuts"; Manager; Company "ZMFA Zendian MFA"; Category; Keywords "STM4, STM16, STM64, multi" (cut off); Comments; Hyperlink base; Template "Normal.dot"; Save preview picture]
If unique, these Document Properties can be targeted.
Document Metadata Analysis
How do you find document metadata?
• Passive Collection: Collected Documents already contain data
• Active Collection: CNE "Categorized Collection" from TUNINGFORK Data or Pinwale Queries on "US-3101"
• Open Source: Google Hacking
[Screenshot (Passive Collection): an email session from 5/15/2008 with several attachments (text/html, application/octet-stream, application/msword), one titled "Las Villas de Dubai", and a Collected Doc / Document Properties panel listing fields such as Author, Category, Company, Comments, DateCreated (5/12/2008 3:13:00 AM), HiddenSlideCount, LineCount, LinksUpToDate, Manager, MMClipCount, NoteCount, ParagraphCount, PresentationTarget, ScaleCrop, SecurityLevel, SlideCount]
• Active Collection: CNE "Categorized Collection" from TUNINGFORK Data
[Screenshot: TUNINGFORK Categorized Collection view for one implant: Mailbox Collection and Multimedia sections; category counts Mail (35), VOIP (1642), Excel (2), Execs (4), Ini files (2), Other Office (5), Powerpoint (0), Thumbs (12), Word (252); last collection dates 2008-08-29, 2008-08-27, 2008-07-19; file list with Filename, Extension and Collected columns]
To find Document Metadata in TUNINGFORK, you must view each Document in Categorized Collection (manual intensive).
Using XKEYSCORE to query on CNE data
[Screenshot: XKEYSCORE search form, Search: Document Metadata; Input Source: FOXACID* or FOXBASE ("Selected implant exfils from active collection", xks-cne.corp.nsa.ic.gov:xs_web_db); results table with Filename and Extension columns, e.g. "System Admin CV.doc" and a document under C:\Documents and Settings\user\Desktop\desktop icons\]
Finding Document Metadata
Open Source: Google Hacking
[Screenshot: Google Advanced Search for "site:comsats.net.pk filetype:doc"]
• Search by domains: "site:comsats.net.pk"
• Search by file types: "filetype:pdf" or "filetype:doc"
How to find Document Metadata when you have NEVER collected a document
Document Metadata Analysis
Take Client's (Active User) IP address and query on it in XKEYSCORE.
[Screenshot: XKEYSCORE search form, Search: Document Metadata; Extension: "ppt or doc or pdf or xls"; Active User: a yahoo.com address (ACTIVE_USER <yahoo>); IP Address: 39. (remainder not legible)]
• Use XKEYSCORE to Find Who Else is sending the files?
Document Metadata Analysis
Take "File Properties" information and fill in the query.
[Screenshot: Word Properties dialog for XKEYSCORE_Terms.doc (General / Summary / Statistics / Contents / Custom tabs; Title "XKeyscore Terms", Author "Joe BaggaDonuts", Company "ZMFA Zendian MFA", Template "Normal.dot", Save preview picture) beside the XKEYSCORE Document Metadata search form with fields: Document Type, Encrypted?, Corrupted?, Filename, Extension, *Subject*, *Creation Time*, *Modified Time*, *Unique ID* [fulltext], Author, Last Author, Organization, Title, Language, *Comment* [fulltext], File/Embedded Image Hash [fulltext], Metadata Name, Metadata Value [fulltext]]
Document Metadata Analysis: Sample Query
Sample Query: Organization = PTCL, To/From Country = Pakistan
[Screenshot: lower part of the Document Metadata form: Language, *Comment* [fulltext], File/Embedded Image Hash [fulltext], Metadata Name / Metadata Value [fulltext], IP Address (From / To), Port (From / To)]
Document Metadata Analysis: Sample Query (Results)
Previous Slide produces these results:
Filename                                                          Organization
Instructions to Kunar province bidders community midwifery.doc    PTCL
Instructions to Kunar province bidders community midwifery.doc    PTCL
• Turn a logo into a selector
[Image: company logo captioned "The Gateway of Yemen"] = SIGINT VALUE
Embedded Images
XKEYSCORE parses out logos from within documents (PDFs, DOCs, Outlook Emails, etc.) embedded as images.
[Screenshot: an Arabic-language document open at 80.6% zoom with a logo in its header, and a product page for a Sun Fire V490 Server (MB L2 on-chip cache per processor, system controller card, Solaris 10 03/05 HW1 operating system preinstalled)]
Logo/Image 32-character hash can be parsed out and queried.
Embedded Images
Files often contain embedded images, such as company logos.
Step 1: Identify if a document HAS an image in it
[Screenshot: Arabic-language documents with embedded logos (topics include GPRS TLLI, ADSL, and a "VPN Clients Configuration Example")]
Embedded Images
Step 4: Paste the 32-character name into the "File/Embedded Image Hash" Field in the Document Metadata query
[Screenshot: XKEYSCORE search category tree (Classic A-M: ASF and WMV Metadata, Alert, BlackBerry, CNE Call Logs, Cellular DNI, Cisco Passwords, Document Metadata, ...) and the Document Metadata form with a 32-character hash pasted into File/Embedded Image Hash [fulltext]]
Step 5: Select all of your good collection sites + SUBMIT!
[Screenshot: Search Databases dialog listing xks-central.corp.nsa.ic.gov:qsummary, Australian sites (xkcentral2.dsd:xs_web_db), CARBOY (carboy-proxy.rl.r.nsa:carboy_web_db), CARDAMON (xkey-dsd.rl.r.nsa:xs_web_db), with Clear Checks / Reset Checks / Submit / Cancel buttons]
You can one-click query to create a new query
[Screenshot: XKEYSCORE session view (Header (3), Attachments (6), Meta (4)) with Quick Clicks for an attached Word document under document_meta: "Find opposite side of session", "Find More Docs with Same hash", "Find email address"; the generated query has Search: Document Metadata, Query Name "One-click search on document hash: <hash>", Justification "One-click search to find more documents with ..." (plus Additional Justification and Miranda Number fields), and the hash filled into File/Embedded Image Hash [fulltext]]
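The two things these queries key on, the File Properties fields (Author, Last Author, Title, Subject, Company, Template) and the 32-character hash of each embedded image, can be pulled from a Word document locally so it can be audited and scrubbed before it is shared. The script below is an added example, not part of the briefing or of XKEYSCORE; it assumes the OOXML (.docx) container rather than the binary .doc in the screenshots, assumes the 32-character hash is MD5 (the slides do not name the algorithm), and builds its sample document inline from the property values shown on the slides.

```python
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of the OOXML docProps parts; labels follow the Document Metadata query form.
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"}
CORE_FIELDS = {"dc:title": "Title", "dc:subject": "Subject", "dc:creator": "Author",
               "cp:lastModifiedBy": "Last Author", "cp:keywords": "Keywords"}
APP_FIELDS = {"ep:Company": "Company", "ep:Manager": "Manager", "ep:Template": "Template"}

def _read_fields(zf, part, mapping):
    """Return {label: text} for the listed elements of one docProps part ({} if absent)."""
    try:
        root = ET.fromstring(zf.read(part))
    except KeyError:  # both docProps parts are optional in a .docx
        return {}
    found = {}
    for tag, label in mapping.items():
        el = root.find(tag, NS)
        if el is not None and el.text:
            found[label] = el.text
    return found

def audit_docx(data: bytes) -> dict:
    """Report identifying properties and the 32-hex-char MD5 (assumed) of every embedded image."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        props = _read_fields(zf, "docProps/core.xml", CORE_FIELDS)
        props.update(_read_fields(zf, "docProps/app.xml", APP_FIELDS))
        images = {name: hashlib.md5(zf.read(name)).hexdigest()
                  for name in zf.namelist() if name.startswith("word/media/")}
    return {"properties": props, "image_hashes": images}

def build_sample_docx() -> bytes:
    """Constructed sample: a minimal .docx carrying the property values shown on the slides."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            '<dc:title>XKeyscore Terms</dc:title><dc:creator>Joe BaggaDonuts</dc:creator>'
            '<cp:lastModifiedBy>Joe BaggaDonuts</cp:lastModifiedBy></cp:coreProperties>')
    app = (f'<Properties xmlns="{NS["ep"]}"><Company>ZMFA Zendian MFA</Company>'
           '<Template>Normal.dot</Template></Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"stand-in logo bytes")
    return buf.getvalue()
```

Any property the report lists, and any image whose hash is stable across documents (a letterhead logo), is a value a third party could search on; stripping the docProps parts and replacing shared media before release removes that handle.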
Embedded Images
Stand-alone files can be uploaded into XKS and images parsed out
• Useful for TAO collection that didn't get into XKS (non United Rake)
[Screenshot: XKEYSCORE upload page (https://xks-central.corp.nsa.ic.gov/general/view_file.php): "You can upload SOTF and D-124 files, as well as just random files (.doc, .ppt, etc.)", with Upload File / Browse... controls]
To task the hex values for images in CADENCE or Query in PINWALE, contact The Xtreme Target Pursuit Team, S2I7.
Embedded Images
Questions on any of these tools or techniques, contact: