LEVITATION and the FFU Hypothesis
TOP SECRET//SI//REL CAN AUS GBR NZL USA

What is
- A behaviour based target discovery project
- Multi-disciplinary team
- Prototyping and delivering advances in:
  - Behavioural tradecraft
  - Hypothesis tradecraft
  - Tradecraft automation

Current Hypotheses
Column headings: Active; In Development
Entries as they appear in the OCR: FFU; GPS waypoints; Devices close to places; Telephony gaps; Sequential numbers; Targets of foreign SIGINT; Obvious selector names; agendas; Web search terms; calls

FFU Hypothesis
- Extremists use Free File Upload (FFU) sites differently than the general public
- Al Qaida uses FFU sites to distribute Jihadist propaganda
- Extremists use FFU sites to distribute training materials

What do we need
- A list of suspect documents
- A list of FFU URLs referring to those documents
- A list of downloading those URLs
- New documents are found by CWOC (CSEC Web Operations Centre) retrieval from URLs, so that's the easy part

New URLs
- web forums team
- Previous Correlations
- 2nd Party reports, alerts, analysis
- Machine Learning
- Using tech techniques to figure out what else that user was up to at the same time
- Learning the textual context for the URLs in web forums
- e.g. Google analytics
- Referrers, cookies
- Follow URL referrers back to the originating site

[Workflow diagram. Legible step labels: Query FFU Referrers; Build SQL for referers count; Group by; Filter; Referer count; deduping using FFU Requests Master List; Remove spaces; Stream lookup; duplicated URLs; Mail; Output newURLs]

FFU Events Collection
- ATOMIC BANJO Special Source is collecting HTTP metadata for 102 known FFU sites
- We see about 10-15 million FFU events per day
- All the FFU Events are available thru OLYMPIA

Looking for a few good documents
- We only care about the 2,200 URLs that point to documents of interest, e.g. How to make a gas bomb
- Every day we sort through the 10-15M events for the interesting ones
- We're finding about 350 interesting download events per month

Documents vary
- Chloroform in a Lewes bucket
- Bajadin Explosives Manual
- And lots of pictures of cars on fire

Filtering out Glee Episodes
[Workflow diagram and results screenshot. Legible labels: Query; Master List Extremist; Get Length; FFU HITS; New FFU records. Remaining text illegible]

Start analysis with event info
FFU hit from selector on 1 03 2012 7 46 51 geolocated to Kenya accessing The Explosives Course through FFU site sendspace.com with HTTP user agent Mozilla/5.0 (Ubuntu; X11; Linux x86_64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1

Correlating other selectors with the IP
[Screenshot repeating the event above, with a table of other selectors seen on the same IP. Table contents illegible]

Correlating Facebook cookie
[Screenshot repeating the event above, with a table of correlated records. Table contents illegible]

IP Correlation
[Results table. Contents illegible]

Automated analysis documentation
[Screenshot of a generated report. Contents illegible]

What happens then
- Compare control and experimental groups to show statistical differences
- Analyse experimental group to determine statistical power of the hypothesis
- Assemble selectors across all hypotheses
- Rank selectors according to the number and power of the hypothesis behaviors they show
- Deliver an ordered list of suspects to OCT

Scoreboard
[Table residue: Hypotheses FFU Totals Weights 1 55 1 52 1 43]

Successes
- An HTTP-referred URL gave us a German hostage video from a previously unknown target
- An upload event gave us an hostage strategy
- The resulting report was disseminated widely, including by the CIA to their counterparts overseas

mesa-cst gc ca Me