Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//20340424
1.1 (S) Test Set 1 – ExpressLane
7.1.1 (U) Test Procedure 1.1 – Windows XP Professional w/SP2 Operating Systems Testing
(S) The following test procedure tests the operation of the ExpressLane client to covertly
capture biometric data files, with or without the cover application splash screen, from a
target computer when the operator has physical access to the computer to install a cover
application.
(S) Setup steps:
1. Receive target Panasonic CF-19 Toughbook laptop equipped with various biometric
applications and Windows XP Professional, SP2 provided by the customer.
2. The same laptop is used for pre-processing, target attack and post-processing activity.
(S) Testing steps:
| Step | Action | Expected Result | Req |
|---|---|---|---|
| 1. | Run strings.exe on all ExpressLane files and associated USB drives (overt and covert sides). | No suspicious text was observed on either side. The covert side was not accessible. | 1 |
| 2. | Run Advanced Registry Tracer on the Target and compare with a previous scan; then save to a log file. | Registry changes were saved to file on the desktop. | 1 |
| 3. | Using createpartition.exe, allocate 10% of a commercial USB drive to a hidden partition and set the time for installation to 5 minutes. | A hidden partition was created on the commercial USB drive. | 7, 8 |
| 4. | Using MOBS_UPGRADE.exe on the cover application CD, install the cover application on the target computer. Restart the target computer. | mobslangsvc.exe service is running on the target computer after the restart. | 1, 2 |
| 5. | Remove the USB drive from the target laptop once hard drive activity ceases. | Hard drive will indicate activity for several minutes while target files are copied to the hidden partition on the USB drive. | 2 |
| 6. | Re-insert the USB drive into the target laptop. Execute exitramp.exe to retrieve captured files from the USB drive. | Once the process is completed, captured eft, ldf, and mdf files are visible in the designated output directory. | 3, 4 |
| 7. | Install McAfee Total Protection 2009 on the target laptop. | Appropriate security application is active on the target laptop. | 12 |
| 8. | Repeat steps 3 through 6 on the target laptop. | ExpressLane is not detected by the security application. | 12 |
| 9. | Uninstall the security application from the target laptop. | Security application has been uninstalled. | 12 |
| 10. | Install Norton Internet Security 2009 on the target laptop. | Appropriate security application is active on the target laptop. | 12 |
| 11. | Repeat steps 3 through 6 on the target laptop. | ExpressLane is not detected by the security application. | 12 |
| 12. | Uninstall the security application from the target laptop. | Security application has been uninstalled. | 12 |
| 13. | Install Kaspersky 8.0 on the target laptop. | Appropriate security application is | 12 |