Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
Postprocessing Gyrfalcon v1.0 User Manual
4 Postprocessing
4.1 Introduction
After the collection file has been flushed to disk it is ready to be analyzed. Note that the base collection file (the one
named in the config file) is not sufficient on its own. The operator must first cause gyrfalcon to finalize its collection,
either by reconfiguring it with SIGHUP, terminating it with SIGTERM, or commanding it to dump the collection file with
SIGUSR1. Only finalized collection files (those with a timestamp appended to the end of the filename) can be analyzed.
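The rule above matters when triaging a directory recovered from a host: the base file named in the config is an incomplete, un-finalized buffer, and only the timestamp-suffixed copies are worth feeding to the decryption step. The helper below is an added example written for this page; it is not part of the Gyrfalcon manual or the eyrie tool. It assumes the suffix format YYYYMMDD_HHMMSS inferred from the manual's single example, the function names are the author's own, and the directory listing is constructed.

```python
"""Triage helper for gyrfalcon-style collection files.

Added example, not part of the Gyrfalcon manual or the eyrie tool. It models
the rule stated in section 4.1: the base collection file named in the config
is not analyzable; only copies that carry a timestamp suffix (for example
collect.bin.20121202_135960) have been finalized. The directory listing
below is constructed for the example.
"""
import re

# Suffix format inferred from the manual's example: YYYYMMDD_HHMMSS (assumption).
# The suffix is kept as a string rather than parsed into a datetime: the
# manual's own example ends in second "60", which a strict parser rejects,
# and the digit layout already sorts chronologically as text.
_SUFFIX = re.compile(r"^(?P<date>\d{8})_(?P<time>\d{6})$")


def classify_collection_files(listing, base_name):
    """Split a directory listing into the base file and finalized snapshots.

    Returns (base_present, finalized) where finalized is a list of
    (filename, suffix) pairs sorted by suffix, oldest first. Unrelated
    files and names with a malformed suffix are ignored.
    """
    base_present = False
    finalized = []
    prefix = base_name + "."
    for name in listing:
        if name == base_name:
            base_present = True          # un-finalized buffer, not analyzable
            continue
        if not name.startswith(prefix):
            continue                     # unrelated file
        suffix = name[len(prefix):]
        if _SUFFIX.match(suffix):
            finalized.append((name, suffix))
    finalized.sort(key=lambda item: item[1])
    return base_present, finalized


def newest_finalized(listing, base_name):
    """Return the most recent finalized file, or None if there is none."""
    _, finalized = classify_collection_files(listing, base_name)
    return finalized[-1][0] if finalized else None


# Constructed listing: one un-finalized base file, two finalized snapshots,
# one name with a malformed suffix, and an unrelated file.
SAMPLE_LISTING = [
    "collect.bin",
    "collect.bin.20121202_135960",
    "collect.bin.20121130_081500",
    "collect.bin.tmp",
    "cfg.tgz",
]

if __name__ == "__main__":
    base, done = classify_collection_files(SAMPLE_LISTING, "collect.bin")
    print("base file present (not analyzable):", base)
    for name, _ in done:
        print("finalized, analyzable:", name)
```

Only the names returned in the finalized list should be passed to the decryption step; the base file, even if present, still holds data the process had not yet written out.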
4.2 Decryption
The eyrie config tool is used to decrypt and decompress a finalized gyrfalcon collection file. The
original configuration archive is required to decrypt the data. Below is an example of command line usage:
$ ./eyrie.pyz -p -f cfg.tgz -o output.txt collect.bin.20121202_135960
In this example, cfg.tgz is the path to the original config archive, output.txt is where the decrypted data
will be stored, and collect.bin.20121202_135960 is the finalized collection file from gyrfalcon.
8 SECRET//NOFORN January 2013