Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

Elsa User Manual.doc
SECRET//NOFORN
described below, it is important to note that in this mode the current version of Elsa will
delete AP lists even if it encounters errors in parsing geolocation responses. This can
result in data being lost.
(S) When ELSA observes a set of access points it compares the new observation to the
last observation. If they differ then the new set of access points is used to request a
location; otherwise, it is discarded since an additional request would presumably result in
an identical location. ELSA uses the following criteria to determine if two access point
lists differ:
- If the old wifi list is empty then they differ
- If the lists do not contain the exact same set of MACs and BSSIDs, then they differ
- If the lists contain the exact same set of MACs and BSSIDs but the largest signal
  strength difference between two corresponding APs is greater than the
  WifiRssiThreshold option then they differ
- Otherwise the lists are considered the same
(S) Note that the above criteria were designed to be highly sensitive to change and, as a
result, can cause a lot of geolocation requests to be sent. If essentially anything
changes about the lists then a new record is logged and a new request sent (if ELSA is
configured to request geos). Testing has revealed that lists can change quite frequently
even when a device is motionless, so these criteria may be revisited in the future.
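Added example (not part of the Elsa manual or its code): a Python model of the four comparison criteria above, run over a constructed series of scans from a motionless device to show how often they count a list as changed. The dictionary layout, the function names, the sample values and the choice to compare against the last retained observation are assumptions.

```python
# Model of the list-comparison criteria described in the manual.
# An observation maps an AP identifier to its signal strength in dBm.
# Assumption: each AP is treated as one opaque identifier key.

def lists_differ(old, new, rssi_threshold):
    """Return True when the two AP lists differ under the four criteria."""
    if not old:                       # 1. empty old list: always differs
        return True
    if set(old) != set(new):          # 2. identifier sets are not identical
        return True
    # 3. largest signal change between corresponding APs vs. WifiRssiThreshold
    largest = max(abs(new[ap] - old[ap]) for ap in old)
    if largest > rssi_threshold:
        return True
    return False                      # 4. otherwise the lists are the same


def count_changes(observations, rssi_threshold):
    """Count observations that would be logged as a new record.

    Assumption: a discarded observation does not replace the baseline,
    so each scan is compared with the last one that was retained.
    """
    last, changes = {}, 0
    for obs in observations:
        if lists_differ(last, obs, rssi_threshold):
            changes += 1
            last = obs
    return changes


# Constructed scans from a device that never moves: small RSSI jitter,
# plus one weak AP (ap3) that drops out of a scan and then returns.
STATIONARY = [
    {"ap1": -48, "ap2": -63, "ap3": -81},
    {"ap1": -49, "ap2": -62, "ap3": -82},   # jitter of 1 dB
    {"ap1": -47, "ap2": -66, "ap3": -80},   # ap2 moved 3 dB from baseline
    {"ap1": -48, "ap2": -65},               # ap3 missing from this scan
    {"ap1": -48, "ap2": -64, "ap3": -83},   # ap3 visible again
    {"ap1": -55, "ap2": -64, "ap3": -83},   # ap1 moved 7 dB
]

if __name__ == "__main__":
    for threshold in (2, 10):
        n = count_changes(STATIONARY, threshold)
        print(f"WifiRssiThreshold={threshold}: {n} of {len(STATIONARY)} scans count as changed")
```

Raising the threshold suppresses the RSSI-only changes, but a weak AP entering or leaving the scan still counts as a difference every time, which matches the manual's remark that lists change frequently on a motionless device.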
4.2.3 (U) CONFIG option DataFileArchiveSeconds
(S) The DataFileArchiveSeconds option specifies the number of seconds between updates
to the disk.
4.2.4 (U) CONFIG option DataFileKey
(S) The DataFileKey option is the hex-encoded 128-bit AES encryption key used to
encrypt the data file. This key will be needed for use in the PROCESSOR to decrypt the
data file. The PATCHER wizard asks for the filename that contains the key. The default
filename is ‘key.bin’. If the file does not exist then the wizard asks whether the file should
be created.
4.2.5 (U) CONFIG option Mode
(S) The Mode option specifies the operational mode of ELSA and is covered in detail in
the deployment section. It is needed for ELSA to operate as well as for the ELSA install
and uninstall routines.
Mode      Description
SvcHost   Enables the Service entry point.
DllHost   Enables the Task Scheduler entry point.
RunDll32  Enables the RunDll32 entry point.
AppInit   Enables the AppInit entry point.
Figure 7 - (S) Elsa Mode Settings
