Drive Badger is sometimes being compared to, recently popular in media, Pegasus spyware platform, developed by Israeli company NSO Group. In this article, we'll try, without going too far into technical details, to compare the functionalities of both platforms from purely functional side.
From technical point of view, Pegasus can be divided into several dozen separate functional modules (mostly related to remote infection and subsequent analysis of the victim's actions). But functionally, looking from the perspective of surveillance officer, it can be divided into 5 functional blocks:
Fully remote phone infection ability is in fact the main competitive advantage of Pegasus and the reason, why it is chosen by uniformed services across the world above any other platform - including platforms with much better digital evidence analytics. Especially that Pegasus supports phones and tablets only, and it's not possible to combine evidence obtained from victim's phone and computer in any single tool.
Drive Badger can "infect" only locally - but full range of targets: computers, servers, mobile phones, tablets, pen drives, and even photo cameras. This functionality was developed for countries, where evidence or backdoor planting is legal, eg. Brasil, Vietnam, China and so on.
As Drive Badger is developed by a civillian company, without any cyberweapon trading licenses etc., as open source project, it is not directly weaponized (apart from this simple demo for Linux hosts). It fully allows injecting content into exfiltraded filesystems, but it is operator's responsibility to provide any exploits, evidence files or any other content to be injected.
The whole data exfiltration process is fully automated, based on over 400 unique exclusion rules (for various operating systems, for both phones and computers), which reduce the amount of files to be copied by eliminating low-value files and directories from the list, thus save most of the time, that would be spent by "naive" script.
Pegasus comes with web panel for surveillance officers, allowing them to browse phone contents in a way similar to how most people uses Google services (especially Drive and Calendar): browse SMS contents, call lists, photos, calendar entries etc.
Drive Badger mainly focuses on quick taking control over victim's data, while all analytics is left to be done using 3rd party computer forensic software (either commercial or also open source).
Below we intentionally skipped tools that:
It's a definite leader among forensic analytics tools. AXIOM package consists of 2 separate tools: Process and Examine (in one you operate on raw source materials, while the other is for conducting evidence analysis - of course this makes sense during formal investigations, where all knowledge is collected for use in the trial - while Drive Badger is designed for collecting operational knowledge).
AXIOM is a paid (and expensive) toolkit. Official trial version is available, however it requires not just filling the registration form, but also being verified by Magnet Forensics. In Internet, it's also easy to find cracked versions 184.108.40.20663 and 220.127.116.1107, without malware.
Another commercial tool, in our opinion even better than AXIOM (especially when analyzing non-Windows platforms, eg. Apple devices) is Paraben E3, which has a free version - functionally restricted, but fully functional regarding phones.
Registration is just a formality and the download link comes in email right after completing the form.
If you know the very popular, free FTK Imager software - FTK Forensic Toolkit is a full forensic analysis suite, developed by the same company.
The trial version can be simply downloaded, without any previous verification, or even registration form.
The above 3 packages are commercial, very expensive tools, with proprietary solutions for working with digital evidence - so user can operate not only at raw data level (eg. photos, SMS history etc.), but there are higher, abstract levels: evidence and investigation.
Different types and parts of raw data can be grouped together, forming an evidence. And evidence can be attached to investigation. Finally, these data can be exported in imported, which, especially for AXIOM, allows cooperation of many experts on the same investigations directly in AXIOM, not just at the paper level.
Autopsy (often bundled with The Sleuth Kit, for analyzing drive images) is probably the only open source tool (comparing eg. to the below ones), that is not just a compilation of open source components, but provides its own panel, that at least tries to follow this commercial approach.
THe below recommended open source tools, are actually just specialized Linux distributions, based on either Debian or Ubuntu, with added bunch of generally known, open source, security-related programs: live forensic scanners, drive image scanners, filesystem scanners, network scanners, Windows registry scanners (eg. RegRipper), cloud content scanners, OSINT tools and so on, glued together in a better or worse way.
But still, different programs for each purpose, and working on raw data (computer or drive) level only, instead of uniform panel for investigators without IT experience.
In case both for Pegasus, and any other system to be officially approved as tool for armed forces:
All these rules are intended to prevent abuse - both individual (eg. surveillance operator suspects his wife of infidelity and would like to spy her) and institutional (eg. spying politicians or journalists). In practice, since these restrictions don't really work in the first case, is it fair to still enforce them in the second one?
Drive Badger is based on completely different assumptions:
Of course, surveillance officer can still be held accountable for everything that happens outside the devices themselves - especially if their actions are recorded by cameras. Therefore, in each attack, there should be as little improvisation as possible, and as many strictly planned and rehearsed actions as possible.