Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
Gyrfalcon 2.0 SECRET//NOFORN
5 (U) Sustain Operation Procedures
(S//NF) Once the Gyrfalcon library, application, and configuration file are installed onto the target
platform, Gyrfalcon will run continuously until you uninstall it or the system boots/reboots. Unless you
provide Gyrfalcon with application persistence, the application will not be loaded or running after a
system boot/reboot.
(S//NF) Occasionally you will want to connect to the target platform to download the compressed,
encrypted collection file. Any file with the config_file name appended with “_YYYY-MM-DD_HH:MM:SS”
is a closed file ready to be downloaded and post processed on the local operator computer. Once this
file is downloaded, you are free to remove it from the target platform's file system.
(S//NF) However, there may be times when you connect to the target platform and either no
compressed, encrypted collection file exists or a file with the config_file name exists. If the application
is still running, then this means the application has yet to reach the collection size defined at
configuration time. Do not worry, you do not have to wait until the application reaches this limit.
Follow these steps to generate a compressed, encrypted collection file.
1. (U) Determine the PID of the running application on the target platform.
1.1 ps -aux | grep client
1.2 (U) Where client is the name of the Gyrfalcon application on the target platform.
2. (S//NF) Flush the last of the OpenSSH client collected data through the Gyrfalcon application
pipeline into the compressed, encrypted collection file.
2.1 kill -s USR1 PID
2.2 (U) Where PID is the PID discovered in step 1.
2.3 (S//NF) It may take data arriving on the SYSV message queue for the application to
properly handle the USR1 signal. Monitor the collection file – if the collection file is closed
then the USR1 signal was handled correctly and it is safe to proceed.
3. (S//NF) Download the compressed, encrypted collection file to the local operator computer.
3.1 (S//NF) Gyrfalcon does not provide any communication services between the local
operator computer and target platform. The operator must use another application to
download the collection file from the target platform.
4. (S//NF) Remove the compressed, encrypted collection file from the target platform's file system.
4.1 (S//NF) Hopefully, the decision was made to keep the collection file in the JQC/KitV
hidden directory.
4.2 dd if=/dev/zero of=./collect_file bs=64
4.3 rm -f collect_file
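The naming convention above (a config_file name with “_YYYY-MM-DD_HH:MM:SS” appended for each closed collection file, alongside the suffix-less open file) is itself a hunting artefact. The following is an added example, not part of the manual or of Gyrfalcon, that applies that convention as a file-system heuristic: it groups directory entries by base name, validates the timestamp suffix, and reports bases that have one or more closed collection files and whether the open file is still present. The sample listing is constructed.

```python
import re
from datetime import datetime
from pathlib import Path

# Closed collection files: <config_file>_YYYY-MM-DD_HH:MM:SS (convention from the manual).
# The bare base name, if present, is the still-open collection file.
SUFFIX_RE = re.compile(r"^(?P<base>.+)_(?P<ts>\d{4}-\d{2}-\d{2}_\d{2}:\d{2}:\d{2})$")

def parse_collection_name(name):
    """Return (base, datetime) if name follows the closed-file convention, else None."""
    m = SUFFIX_RE.match(name)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d_%H:%M:%S")
    except ValueError:
        return None  # digits in the right shape but not a real timestamp (e.g. month 13)
    return m.group("base"), ts

def find_candidate_collections(names):
    """Group filenames by base; return {base: {"open": bool, "closed": [datetime, ...]}}
    for every base that has at least one timestamped sibling."""
    present = set(names)
    groups = {}
    for n in names:
        parsed = parse_collection_name(n)
        if parsed is None:
            continue
        base, ts = parsed
        entry = groups.setdefault(base, {"open": base in present, "closed": []})
        entry["closed"].append(ts)
    for entry in groups.values():
        entry["closed"].sort()
    return groups

def scan_directory(path):
    """Apply the heuristic to the regular files of one directory (non-recursive)."""
    names = [p.name for p in Path(path).iterdir() if p.is_file()]
    return find_candidate_collections(names)

if __name__ == "__main__":
    # Constructed sample listing, not taken from any real host.
    sample = [
        "client.cfg",
        "client.cfg_2013-11-26_09:15:02",
        "client.cfg_2013-11-27_18:40:11",
        "notes_2013-13-01_00:00:00",  # invalid month: must be ignored
        "syslog",
    ]
    for base, info in find_candidate_collections(sample).items():
        state = "open file present" if info["open"] else "no open file"
        print(f"{base}: {len(info['closed'])} closed file(s), {state}")
```

Names matching the pattern are only candidates; confirm by inspecting the file contents and the process that holds the open file before acting on a hit.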
November 2013 SECRET//NOFORN//20381126 11