Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
Elsa User Manual.doc
SECRET//NOFORN
2) How much space are you willing to allocate for the log file? (See
DataFileMaximumSizeKB option)
3) Do you want to save the wifi surveys after they've been geolocated? (See
WifiSaveAllSurveys option)
▪ Wifi surveys may get deleted even if geolocation fails – resulting in a loss
of data
▪ Wifi surveys can get large if the target machine is in an area with a lot of
access points nearby
(U) The following sections provide detailed descriptions of each configuration option.
4.2.1 (U) CONFIG option DataFileName
(S) The DataFileName is the location of the encrypted collection file on the target
system. ELSA will expand environment variables, but the operator should ensure that the
environment variable exists for the account. The account used to uninstall ELSA can be
different from the account that ELSA runs as, although in that case care must be taken to
ensure that variation in environment variable expansion does not leave data on the
machine.
(S) For example, consider the case where ELSA is installed from the Administrator
account and configured to run as a system service. If %TEMP% is specified as the file
path, then during the install (AND uninstall) %TEMP% will expand to ‘C:\Documents and
Settings\Administrator\Local Settings\Temp’. When ELSA starts up as the system service,
%TEMP% will expand to ‘C:\Windows\Temp’, i.e. the value specified in the
HKLM\CCS\Control\Session Manager\Environment registry setting. When the uninstall
procedure is run from the Administrator account, it will appear as though ELSA is not
deleting the data file. Depending on the system configuration, it may be preferable to
either specify %SystemRoot% or hard code the path.
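The expansion mismatch described in 4.2.1, shown as an added example written for this page (not code from the manual or from ELSA): it expands one configured path under each account's environment and flags paths that resolve differently, which is how a responder works out which per-account directories can hold a residual file. The environment blocks and the file name data.bin are constructed sample values.

```python
import re

# Constructed per-account environment blocks (sample values, not from a real host).
ACCOUNT_ENVS = {
    "Administrator": {
        "TEMP": r"C:\Documents and Settings\Administrator\Local Settings\Temp",
        "SystemRoot": r"C:\Windows",
    },
    "SYSTEM": {
        "TEMP": r"C:\Windows\Temp",
        "SystemRoot": r"C:\Windows",
    },
}

_VAR = re.compile(r"%([^%]+)%")


def expand(path, env):
    """Expand %VAR% references case-insensitively.

    A variable that is not defined for the account is left as literal text,
    which is also what Windows does.
    """
    lookup = {name.upper(): value for name, value in env.items()}
    return _VAR.sub(lambda m: lookup.get(m.group(1).upper(), m.group(0)), path)


def resolve_all(path, envs=ACCOUNT_ENVS):
    """Return the concrete path each account would see for one configured path."""
    return {account: expand(path, env) for account, env in envs.items()}


def divergent(path, envs=ACCOUNT_ENVS):
    """True if accounts disagree on the path or a variable stays unexpanded."""
    resolved = resolve_all(path, envs)
    unexpanded = any(_VAR.search(p) for p in resolved.values())
    # Windows paths are case-insensitive, so compare in lower case.
    return unexpanded or len({p.lower() for p in resolved.values()}) > 1


if __name__ == "__main__":
    # data.bin is a constructed file name used only for this illustration.
    for configured in (r"%TEMP%\data.bin", r"%SystemRoot%\data.bin", r"%APPDATA%\data.bin"):
        flag = "DIVERGES" if divergent(configured) else "consistent"
        print(f"{configured}: {flag}")
        for account, concrete in resolve_all(configured).items():
            print(f"    {account:<14} {concrete}")
```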
4.2.2 (U) CONFIG option DataFileMaximumSizeKB
(S) The DataFileMaximumSizeKB option specifies the maximum size to which the data
file is allowed to grow. It is not an exact size as encryption adds some overhead. This size
is used to compute the records to save.
(S) The size of wifi records varies depending on the density of wifi access points within the
operating environment. On average a single wifi access point will require 44 bytes of
storage and a location with 20 access points within range will require 900 bytes of
storage. There is currently no limit on the number of access points recorded in a wifi
record, so dense environments can result in arbitrarily large data files. Geolocation
coordinate records are smaller and the size of a single coordinate averages about 52
bytes.
(S) ELSA will bias the collection to preserve geolocation coordinates over wifi access
point observations. Once out of space ELSA will drop the oldest wifi observations first
followed by the oldest geolocation coordinates once all wifi observations are gone. As