SECRET NOFORN 20340511 Requirements  General  Requirement # 2009-1655  Enhance ExpressLane v3 0 to include a Windows installation splash screen  Provide a tool to select the duration of the installation application  File collection to begin during the execution of the installation program without having to reinsert the USB drive  This delivery closes the requirement  Version 3 1 1 supersedes older versions of ExpressLane IOC ERB 11 SECRET NOFORN 20340511 SECRET NOFORN 20340511 Concept of Operations  ExpressLane is installed as part of a normal upgrade performed by an OTS officer on Liaison systems  OTS officer inserts a watermarked USB drive containing a covert partition  The biometric system upgrade program is launched  IExpress is used to package the install program ExpressLane service and biometric system files  The duration of the install program is pre-configured by the OTS officer  The upgrade program installs the ExpressLane service if not already on the system  The upgrade program initiates a collection where files are surreptitiously copied to a hidden partition on the USB drive  The watermarked USB drive contains a kill date to disable the software provided to Liaison as in ExpressLane v3 0 IOC ERB 11 SECRET NOFORN 20340511 SECRET NOFORN 20340511 Capabilities and Limits  A Biometric system upgrade program included in ExpressLane v3 1 1  User configurable installation time  Upgrade program drops the ExpressLane service and initiates a collection  ExpressLane is installed as a system service that runs when Windows boots MOBSLangSvc  Collection is delayed by 30 seconds due to Windows drive recognition issue  Collected files are compressed encrypted and saved to the covert partition on the USB drive  Collection occurs even if no one is logged in  Kill date is modified by inserting a watermarked USB drive  Checks current date when the service starts and corrupts the license files if on or past the kill date IOC ERB 11 SECRET NOFORN 20340511 SECRET NOFORN 20340511 IV V Overview  ExpressLane v3 1 1 was tested against IMIS Requirement 2009-1655  Core IV V testing was performed using an ExpressLane USB Drive and a Panasonic Toughbook Laptop Model CD-19 provided by the developer This machine is identical to the laptop previously provided to the liaison  The software test environment consisted of Windows XP Professional w SP2 and various biometric applications It was also identical to that of the laptop provided to the liaison  Security suite characterization was performed on two Dell Optiplex 330 desktop machines equipped with Windows XP Professional w SP2 IOC ERB 11 SECRET NOFORN 20340511 SECRET NOFORN 20340511 IV V Overview cont  Tested the ExpressLane splash screen collection control and cover application functionality  Collections performed with and without cover application  ExpressLane was subjected to complete functionality testing IOC ERB 11 SECRET NOFORN 20340511 SECRET NOFORN 20340511 IV V Findings Context Impacts Work Around or Mitigation 1 None IOC ERB 11 SECRET NOFORN 20340511 Recommendation SECRET NOFORN 20340511 IV V Observations  Deleted license files that were deleted by the tool were found in the recycle bin This should appear as a normal part of the cover upgrade  ExpressLane was characterized against the following security suites  Kaspersky Internet Security 2009  Kaspersky – All alerts were low level and were related to the installation cover app  McAfee Total Protection 2009  McAfee – All three versions had a single low level alert stating that the installation modified a registry entry  Norton Internet Security 2009  Norton Internet Security - Both versions were non-alerting IOC ERB 11 SECRET NOFORN 20340511 SECRET NOFORN 20340511 Product Support  Tool and Project Documentation  ExpressLane3 1 1 User Manual_Rev New_2009-04-06 doc  ExpressLane v3 1 1 TDR_2009-05-04 ppt  Express Lane v3 1 1_TPP_FINAL doc IOC ERB 11 SECRET NOFORN 20340511 SECRET NOFORN 20340511 Certification  Discussion and Decision  Recap of Assigned Actions IOC ERB 11 SECRET NOFORN 20340511                     National Security Archive    Suite 701  Gelman Library  The George Washington University    2130 H Street  NW  Washington  D C  20037    Phone  202 994‐7000  Fax  202 994‐7005  nsarchiv@gwu edu