Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
Gyrfalcon v1.0 User Manual Postprocessing
4.4 Advanced Analysis
While it is possible to sift through the text file as is, Python can be used to make the data a little clearer.
Here is an example of using Python (an interactive Python 2 session) to dissect the output file.
$ python
...
1 >>> data = open('output.txt', 'rb').read()
2 >>> pdata = eval(data)
3 >>> pdata.keys()
['15154', '15156']
4 >>> s1 = pdata['15154']
5 >>> s1.keys()
['username', 'executed', 'command_line', 'packets', 'session_id',
'dest_addr', 'timestamp']
6 >>> len( s1['packets'] )
1
7 >>> print s1['packets'][0]['data']
Password:10sne1
Last login: Wed Dec 12 13:53:36 2012 from 10.5.1.11
rafes-mac-pro:~ test$ ls /
ls /
Applications cores               opt
Library      dev                 private
Network      etc                 private_key.pem
System       export              public_key.der
Users        home                sbin
Volumes      home (from old Mac) tmp
Xcode3.1.3   lost+found          usr
bin          mach_kernel         var
bundle.h     net
rafes-mac-pro:~ test$ logout
4.4.1 Explanation
In line 1, we open the decrypted collection file and read it into the variable 'data' as a string.
In line 2, we evaluate the data as Python code, which turns the file's contents into a Python dictionary. Note that eval() executes any Python expression it is given, so a malformed or tampered collection file could run arbitrary code on the analysis host; ast.literal_eval() parses the same dictionary literal but raises ValueError on anything that is not a plain literal, and is the safer choice.
In line 3, we list the keys in the dictionary to determine the available sessions.
In line 4, we select the session associated with process id 15154 into a variable called s1.
In line 5, we list the keys for 15154's session data to see what is available.
In line 6, we determine how many packets were logged (1).
In line 7, we print out the first packet's 'data' element in a readable form.
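The same dissection as a stand-alone script, added here as an example (it is not part of the Gyrfalcon manual or its tooling) and written for Python 3 rather than the Python 2 session above. It assumes the decrypted collection file is the repr() of a dict keyed by PID string, each value carrying the seven per-session keys listed above and a 'packets' list of dicts with a 'data' string; the sample file embedded in the block is constructed for illustration, and its integer timestamps, executed path, command lines and destination addresses are invented. It uses ast.literal_eval() instead of eval() so that a tampered file raises ValueError instead of running code, checks the session layout before use, and adds a per-session summary and a transcript search that the interactive session does not show.

```python
"""Parse a decrypted Gyrfalcon collection file without eval().

Added example, not from the Gyrfalcon manual. Assumption: the file is the
repr() of a dict keyed by PID string with the per-session keys the manual
lists; timestamp type and other field values below are invented.
"""
import ast
from typing import Dict, List

# Constructed sample in the manual's layout (values invented, not captured data).
SAMPLE_OUTPUT = (
    "{'15154': {'username': 'test', 'executed': '/usr/bin/ssh',"
    " 'command_line': 'ssh test@10.5.1.12', 'session_id': 1,"
    " 'dest_addr': '10.5.1.12', 'timestamp': 1355338416,"
    " 'packets': [{'data': 'Password:10sne1\\nLast login: Wed Dec 12"
    " 13:53:36 2012 from 10.5.1.11\\n'},"
    " {'data': 'rafes-mac-pro:~ test$ ls /\\nls /\\nApplications\\tcores\\n'}]},"
    " '15156': {'username': 'test', 'executed': '/usr/bin/ssh',"
    " 'command_line': 'ssh root@10.5.1.13', 'session_id': 2,"
    " 'dest_addr': '10.5.1.13', 'timestamp': 1355338500,"
    " 'packets': []}}"
)

# The seven per-session keys shown by the manual's s1.keys() call.
EXPECTED_KEYS = {'username', 'executed', 'command_line', 'packets',
                 'session_id', 'dest_addr', 'timestamp'}


def load_collection(raw: bytes) -> Dict[str, dict]:
    """Parse the collection file and validate its layout.

    ast.literal_eval accepts only literals (dicts, lists, strings, numbers),
    so content such as __import__('os').system('id') raises ValueError
    instead of executing, which is what eval() would do with it.
    """
    parsed = ast.literal_eval(raw.decode('utf-8', errors='replace'))
    if not isinstance(parsed, dict):
        raise ValueError('collection file is not a dict of sessions')
    for pid, session in parsed.items():
        if not isinstance(session, dict):
            raise ValueError(f'session {pid} is not a dict')
        missing = EXPECTED_KEYS - set(session)
        if missing:
            raise ValueError(f'session {pid} missing keys: {sorted(missing)}')
    return parsed


def session_transcript(session: dict) -> str:
    """Concatenate every logged packet's 'data' field in capture order."""
    return ''.join(packet['data'] for packet in session['packets'])


def summarize(collection: Dict[str, dict]) -> List[dict]:
    """One summary row per session, ordered by timestamp (assumed numeric)."""
    rows = []
    for pid, session in collection.items():
        transcript = session_transcript(session)
        rows.append({
            'pid': pid,
            'username': session['username'],
            'dest_addr': session['dest_addr'],
            'timestamp': session['timestamp'],
            'packets': len(session['packets']),
            'bytes': len(transcript),
        })
    rows.sort(key=lambda row: row['timestamp'])
    return rows


def find_lines(transcript: str, needle: str) -> List[str]:
    """Return the transcript lines containing needle, e.g. 'Password:'."""
    return [line for line in transcript.splitlines() if needle in line]


if __name__ == '__main__':
    # Replace SAMPLE_OUTPUT.encode() with open('output.txt', 'rb').read()
    # to process a real decrypted collection file.
    sessions = load_collection(SAMPLE_OUTPUT.encode())
    for row in summarize(sessions):
        print('pid {pid:>6} user {username:<8} -> {dest_addr:<12} '
              'packets {packets:>3} bytes {bytes:>6}'.format(**row))
    print(session_transcript(sessions['15154']))
```

Run directly, the script prints a summary line per session followed by the full transcript of the session for PID 15154; find_lines() gives the analyst a quick way to pull out prompts such as the "Password:" line without scrolling through each transcript.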
January 2013 SECRET//NOFORN 11