Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
Gyrfalcon 2.0 SECRET//NOFORN
5.2 (U) Display Encrypted Configuration File
(S//NF) Through genconfig.py and the current archive file, Gyrfalcon can display the current configuration loaded on a target platform. Copy the Python script and archive file to a working directory on your local operator computer. Then execute genconfig.py as follows.
1. ./genconfig.py -d archive_file
1.1 (U) Where archive_file is the current target platform archive file.
1.2 NOTE: Use -d instead of -g or -u to display the configuration file.
5.3 (U) Post-Process Compressed, Encrypted Collection File
(S//NF) After you download the compressed, encrypted collection file onto the local operator computer, the collection file must be post-processed. After processing the collection file, you will be able to read the captured keystrokes. Below are the steps to post-process the collection file.
1. (U) Copy the current target platform's archive file and postproc.py into a local working directory.
2. (U) Copy the compressed, encrypted collection file into the same local working directory.
3. (U) Within the working directory on the local operator computer, execute postproc.py to process the collection file.
3.1 ./postproc.py -i collect_file -o output.txt -a archive_file
3.2 (U) Where archive_file is the current target platform archive file.
3.3 (S//NF) Where collect_file is the compressed, encrypted collection file.
3.4 (U) You may give the output file (output.txt) any name you want.
4. (U) The output file from step 3 is viewable via less/more, view/vi/vim, strings, xxd, and cat. The output is not easy to read, and the format will take some time to get used to – sorry.
4.1 There was not enough time to make the output easier to read.
November 2013 SECRET//NOFORN//20381126 15