Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
Gyrfalcon v1.0 User Manual Gyrfalcon Usage
3.3 Collecting Data
Gyrfalcon writes to a collection file in its working directory. The filename was specified in the config
file. Gyrfalcon continues to stream data to this file during the course of its normal operation. The
operator must signal gyrfalcon to flush its collection buffers before the data can be collected. This is
accomplished using one of two options:
1. Shut down gyrfalcon by sending it the SIGTERM signal (kill -SIGTERM). Gyrfalcon will
finalize the collection data and exit.
2. Send gyrfalcon the SIGUSR1 signal (kill -SIGUSR1). Gyrfalcon will finalize the collected data,
and continue collecting data using its current configuration.
When Gyrfalcon finalizes the data, it adds a timestamp to the collection filename to indicate that the file
is ready for consumption.
3.4 Reconfiguration
The configuration of a running gyrfalcon instance can be changed by generating a new encrypted
configuration file. See section 2.4 for information on how to generate the new config archive. Once the
config archive (e.g., test.tgz) has been generated, upload the encrypted config file (e.g., .gfconf) from the
archive's 'upload' directory to gyrfalcon's current working directory on the target. Finally, send
gyrfalcon the SIGHUP signal (kill -SIGHUP <gyrfalcon pid>). Gyrfalcon will flush its collection file to
disk and add a timestamp to the output filename as discussed in section 3.2, then it parses the new
configuration file, deletes the config from disk, and continues running using the new configuration.
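For defenders, the signal-driven behaviour in sections 3.3 and 3.4 (a process that renames or deletes files in its working directory right after receiving SIGTERM, SIGUSR1 or SIGHUP) can be hunted for in audit logs. The following is an added example, not part of the manual: it assumes Linux auditd on x86_64 with rules that record the kill, rename and unlink syscalls, and the sample records are constructed. Legitimate daemons that rotate files on a signal match too, so hits are leads for triage.

```python
import re

# Assumed platform: Linux x86_64 syscall numbers and signal numbers.
KILL = 62
FILE_OPS = {82: "rename", 87: "unlink", 263: "unlinkat", 264: "renameat", 316: "renameat2"}
SIGNALS = {1: "SIGHUP", 10: "SIGUSR1", 15: "SIGTERM"}
REC = re.compile(r"type=SYSCALL msg=audit\((\d+\.\d+):\d+\):.*?\bsyscall=(\d+)\b"
                 r".*?\ba0=([0-9a-f]+) a1=([0-9a-f]+)\b.*?\bpid=(\d+)\b")

def signal_then_file_change(lines, window=5.0):
    """Return (target_pid, signal, file_op) for every rename/unlink made by a
    process within `window` seconds of being sent one of the three signals."""
    pending = {}  # signalled pid -> (time of signal, signal name)
    hits = []
    for line in lines:
        m = REC.search(line)
        if not m:
            continue
        ts, nr, pid = float(m[1]), int(m[2]), int(m[5])
        a0, a1 = int(m[3], 16), int(m[4], 16)  # auditd logs arguments in hex
        if nr == KILL and a1 in SIGNALS:
            pending[a0] = (ts, SIGNALS[a1])    # kill(a0=target pid, a1=signal)
        elif nr in FILE_OPS and pid in pending:
            sent, sig = pending[pid]
            if ts - sent <= window:
                hits.append((pid, sig, FILE_OPS[nr]))
    return hits

# Constructed audit records (pid 4321 = 0x10e1 is the signalled process).
SAMPLE = [
    'type=SYSCALL msg=audit(1700000000.100:501): arch=c000003e syscall=62 success=yes exit=0 a0=10e1 a1=a a2=0 a3=0 items=0 ppid=900 pid=901 auid=0 uid=0 comm="kill"',
    'type=SYSCALL msg=audit(1700000000.350:502): arch=c000003e syscall=82 success=yes exit=0 a0=7ffd10 a1=7ffd20 a2=0 a3=0 items=4 ppid=1 pid=4321 auid=0 uid=0 comm="svc"',
    'type=SYSCALL msg=audit(1700000060.000:510): arch=c000003e syscall=62 success=yes exit=0 a0=10e1 a1=1 a2=0 a3=0 items=0 ppid=900 pid=902 auid=0 uid=0 comm="kill"',
    'type=SYSCALL msg=audit(1700000060.200:511): arch=c000003e syscall=82 success=yes exit=0 a0=7ffd10 a1=7ffd20 a2=0 a3=0 items=4 ppid=1 pid=4321 auid=0 uid=0 comm="svc"',
    'type=SYSCALL msg=audit(1700000060.300:512): arch=c000003e syscall=87 success=yes exit=0 a0=7ffd30 a1=0 a2=0 a3=0 items=2 ppid=1 pid=4321 auid=0 uid=0 comm="svc"',
    'type=SYSCALL msg=audit(1700000100.000:520): arch=c000003e syscall=62 success=yes exit=0 a0=7d0 a1=f a2=0 a3=0 items=0 ppid=900 pid=903 auid=0 uid=0 comm="kill"',
    'type=SYSCALL msg=audit(1700000101.000:521): arch=c000003e syscall=87 success=yes exit=0 a0=7ffd40 a1=0 a2=0 a3=0 items=2 ppid=1 pid=3000 auid=0 uid=0 comm="tmpclean"',
    'type=SYSCALL msg=audit(1700000500.000:530): arch=c000003e syscall=82 success=yes exit=0 a0=7ffd10 a1=7ffd20 a2=0 a3=0 items=4 ppid=1 pid=4321 auid=0 uid=0 comm="svc"',
]

if __name__ == "__main__":
    for pid, sig, op in signal_then_file_change(SAMPLE):
        print(f"pid {pid}: {op} shortly after {sig}")
```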
January 2013 SECRET//NOFORN 7
