Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
5 Post Processing
A single file is POSTed by AM on every beacon cycle. By default, Octopus will gather
these files in a single directory. Each file begins with a block of RSA-4096 encrypted
data that includes a unique AES-256 session key. The rest of the file is made up of
separately encrypted (but with the same AES key) log and data entries. There are a
few trade-offs with this method:
• Pro: Minimizes the number of expensive RSA operations
• Pro: Protects against same-data messages being encrypted identically
• Pro: File can be “cut off” suddenly with no negative effect on earlier entries
• Con: 512 bytes of overhead for the RSA block
• Con: Between 17 and 32 bytes of overhead per entry, which, depending on
the sizes of Gremlin outputs, could be a large percentage of the total file.
These files contain all data that has come from a Gremlin while the file was being
built, roughly in order. A single file can contain logs and data from potentially very
many Gremlins. AM includes enough metadata to be able to identify the sources of
all files, so long as a valid key is available.
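The overhead figures in the trade-off list above can be turned into a size model, which helps when estimating how much data a recovered file holds. This is an added example, not code from the original document: the function names are hypothetical, and the per-entry layout in `entry_overhead` (16-byte IV plus PKCS#7 padding) is an assumption chosen only because it reproduces the stated 17 to 32 byte range.

```python
# Added illustration: size accounting for the file layout described above.
RSA_BLOCK = 512      # RSA-4096 block at the start of every file (from the text)
MIN_OVERHEAD = 17    # per-entry overhead bounds (from the text)
MAX_OVERHEAD = 32
AES_BLOCK = 16       # AES block size in bytes


def entry_overhead(plain_len):
    """ASSUMPTION: each entry carries a 16-byte IV plus PKCS#7 padding (1..16 bytes)."""
    padding = AES_BLOCK - (plain_len % AES_BLOCK)
    return AES_BLOCK + padding


def file_size(entry_lens):
    """Total file size for a list of entry plaintext lengths under the assumed layout."""
    return RSA_BLOCK + sum(n + entry_overhead(n) for n in entry_lens)


def overhead_fraction(entry_lens):
    """Share of the file that is not entry plaintext (RSA block, IVs, padding)."""
    total = file_size(entry_lens)
    return (total - sum(entry_lens)) / total


def plaintext_bounds(observed_size, entry_count):
    """Bound the total plaintext in a file using only the document's figures.

    Needs no assumption about the layout: just 512 bytes for the RSA block
    and 17..32 bytes of overhead per entry.
    """
    body = observed_size - RSA_BLOCK
    if body < 0 or entry_count < 0:
        raise ValueError("file is smaller than the RSA block or count is negative")
    low = max(0, body - MAX_OVERHEAD * entry_count)
    high = max(0, body - MIN_OVERHEAD * entry_count)
    return low, high


if __name__ == "__main__":
    # Constructed inputs: 100 short log lines versus 100 large data entries.
    for label, lens in (("10-byte entries", [10] * 100), ("4096-byte entries", [4096] * 100)):
        size = file_size(lens)
        print(label, size, f"{overhead_fraction(lens):.1%}", plaintext_bounds(size, len(lens)))
```

With many short entries the overhead dominates the file, while with large entries it becomes negligible, which is the trade-off the last bullet describes.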