Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

Elsa User Manual.doc
SECRET//NOFORN
(S) For Elsa to geolocate a target successfully, the target host must (1) have wifi
enabled, (2) be deployed in an environment with wifi access points in range (C. Wifi Access
Points) and (3) be deployed in an environment that the geolocation provider has surveyed
recently.
(S) Given these criteria are met, Figure 1 above illustrates typical Elsa operation on a
Windows client:
1. An operator configures an Elsa implant based on the host environment.
2. An operator deploys the implant to a Windows host and it begins collection.
3. The implant begins collecting wifi access point information based on the
schedule set by the operator.
4. If configured to do so, when the target user connects to the Internet the
implant will resolve the wifi data to a geolocation via the 3rd-party database.
5. The operator connects to the Windows host and downloads the encrypted
collection log.
6. The operator decrypts the log and performs further analysis on their target.
The operator can use the wifi data to query geolocation information from alternate
databases.
(S) Although the implant is the recommended means for collecting wifi metadata from
targets, the processor can ingest and resolve wifi metadata obtained through other means
so long as the MAC address, SSID and signal strength are available. See the processor
instructions for more details on the comma-separated-value feature.
1.2 (U) Assumptions and Constraints
(S) As long as wifi is enabled, the implant can record wifi observations. This is true
even if the Windows host is not actually connected to an access point. If configured, during
each geolocation interval the implant will attempt to resolve geolocation information for
past observations. A connection to the Internet is required for this to occur.
(S) Wifi data points are larger in size than geolocation coordinates, so the tool provides
settings for limiting the log size. When the log size limit is reached the implant deletes
older data points in favor of newer ones. The log is encrypted and written to disk so that
the collection persists across reboots. By default, when the tool resolves a wifi observation
to a geolocation coordinate it deletes the wifi observation.
1.3 (S) Background on Wifi-based Geolocation
(U) A wifi geolocation provider first amasses a database containing the geolocations of
many wifi access points. This data can be collected by any device with (1) a wifi receiver
and (2) knowledge of its true location; for example, specially outfitted cars or typical
smartphones. Once built, this database associating wifi metadata (MAC addresses, signal
strengths and sometimes SSIDs) with locations can be queried to resolve the metadata to
a location. Providers can use the relative signal strengths observed by the machine to
better triangulate the machine between multiple access points.
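The following Python is an added worked example, not code from the Elsa manual, its implant or its processor. It serves two passages of the excerpt: the processor's comma-separated ingest of MAC address, SSID and signal strength described in section 1.1, and the resolution of those observations against an access-point database described in section 1.3. It parses constructed CSV rows (the header names mac,ssid,signal, the MAC normalisation and the -120..0 dBm sanity range are assumptions, since the excerpt does not give the processor's format), drops malformed rows, resolves the remaining observations against a made-up access-point database, and compares a plain centroid with an RSSI-weighted centroid to show how relative signal strengths pull the estimate toward the strongest access point. The database coordinates and sample rows are invented for the example.

```python
import csv
import io
import math
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of comma-separated wifi observations (MAC, SSID, signal
# strength in dBm). The header names and column order are an assumption for
# this example; the manual excerpt does not specify the processor's format.
SAMPLE_CSV = """\
mac,ssid,signal
00:11:22:33:44:01,CoffeeNet,-40
00-11-22-33-44-02,Library_Guest,-60
00:11:22:33:44:03,,-80
aa:bb:cc:dd:ee:ff,SomeOtherNet,-55
not-a-mac,Garbage,-50
00:11:22:33:44:01,CoffeeNet,strong
"""

# Constructed access-point database (BSSID -> latitude, longitude), standing in
# for a provider's survey data. The coordinates are made up.
AP_DATABASE: Dict[str, Tuple[float, float]] = {
    "00:11:22:33:44:01": (38.0000, -77.0000),
    "00:11:22:33:44:02": (38.0000, -77.0010),
    "00:11:22:33:44:03": (38.0010, -77.0000),
}


@dataclass(frozen=True)
class Observation:
    bssid: str      # normalised lower-case, colon-separated MAC
    ssid: str       # may be empty for hidden networks
    rssi_dbm: int   # received signal strength


def normalize_mac(raw: str) -> Optional[str]:
    """Accept ':' or '-' separated MACs in any case; return None if malformed."""
    parts = re.split(r"[:-]", raw.strip().lower())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{2}", p) for p in parts):
        return None
    return ":".join(parts)


def parse_observations(csv_text: str) -> List[Observation]:
    """Parse mac,ssid,signal rows. Malformed rows are dropped rather than
    allowed to distort the fix (-120..0 dBm assumed as the plausible range)."""
    observations: List[Observation] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        bssid = normalize_mac(row.get("mac") or "")
        try:
            rssi = int(row.get("signal") or "")
        except ValueError:
            continue
        if bssid is None or not -120 <= rssi <= 0:
            continue
        observations.append(Observation(bssid, row.get("ssid") or "", rssi))
    return observations


def rssi_weight(rssi_dbm: int) -> float:
    """dBm -> linear power, so a -40 dBm AP weighs 100x a -60 dBm AP."""
    return 10.0 ** (rssi_dbm / 10.0)


def resolve(observations, database, weighted=True):
    """Estimate position as the centroid of the APs found in the database,
    optionally weighted by linear RSSI. Returns (lat, lon, matched_count),
    or None when no observed BSSID is known to the database."""
    lat_sum = lon_sum = weight_sum = 0.0
    matched = 0
    for obs in observations:
        location = database.get(obs.bssid)
        if location is None:          # AP absent from the survey database
            continue
        w = rssi_weight(obs.rssi_dbm) if weighted else 1.0
        lat_sum += location[0] * w
        lon_sum += location[1] * w
        weight_sum += w
        matched += 1
    if matched == 0:
        return None
    return (lat_sum / weight_sum, lon_sum / weight_sum, matched)


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    r = 6371000.0
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(h))


if __name__ == "__main__":
    obs = parse_observations(SAMPLE_CSV)
    plain = resolve(obs, AP_DATABASE, weighted=False)
    weighted = resolve(obs, AP_DATABASE)
    print(f"{len(obs)} usable observations, {weighted[2]} matched the database")
    print(f"plain centroid:    {plain[:2]}")
    print(f"weighted estimate: {weighted[:2]}")
    print(f"difference: {haversine_m(plain[:2], weighted[:2]):.0f} m")
```

Of the six sample rows, two are rejected (an invalid MAC and a non-numeric signal) and one has a BSSID the database does not know, so three observations contribute to the fix. Weighting by linear power rather than raw dBm is a design choice: a 20 dB difference becomes a 100x difference in weight, which is what makes the estimate land within a few metres of the strongest access point instead of at the geometric centre of all three.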
