The main advantage of Drive Badger over ad-hoc exfiltration scripts is a set of over 400 unique exclusion rules, which reduce the number of files to be copied by eliminating low-value files and directories (e.g. Windows system files) from the list, typically saving over 95% of the time that a "naive" script would spend.
Thanks to these rules, the whole exfiltration operation on a typical office computer usually takes below 2 minutes.
That's just the speed advantage. Check also the other advantages of Drive Badger.
Functional groups
All rules are divided into 14 functional groups. Each group is a separate repository and can be configured on Drive Badger or Mobile Badger devices separately from the others:
- Windows system files
- common Microsoft software: Office, OneDrive, Edge, Windows Live - except for:
  - OEM preinstalled trial versions of Microsoft Office (provided by the exclude-oem repository)
  - instant messaging and video conferencing software (provided by the exclude-messaging repository)
- Linux system directories (either generic or Debian-style)
- Mac OS system directories (tested on Yosemite and Catalina)
- hardware drivers, including for common peripheral devices (Creative soundcards, HP printers etc.)
- preinstalled trial versions of Microsoft Office
- preinstalled OEM software (Acer, Dell, Fujitsu etc.) - except for:
  - antivirus and other security software (provided by the exclude-antivirus repository)
  - OEM games, game launchers and other related tools (provided by the exclude-gaming repository)
  - PDF related software (provided by the exclude-pdf repository)
  - trial versions of image/audio/video recording/editing/streaming software (provided by the exclude-digital repository)
- virus databases for many anti-virus products
- other downloaded updates for such software
- quarantined files (almost always in encrypted form, useless for anyone other than particular software vendor)
- additional browsers: Google Chrome, Opera, Firefox
- alternative office software: LibreOffice, Mozilla Thunderbird
- remote work software: TeamViewer
- multimedia viewers: IrfanView, VLC, movie codecs
- productivity software: Evernote, Notepad++
- Java
- PDF readers/writers: Adobe Reader, Foxit Reader, Foxit PhantomPDF, novaPDF, PDF Architect, PDFCreator, PDFsam
- instant messaging and video conferencing software (Teams, Slack, Skype, Zoom, WebEx and others)
- Android Studio
- Microsoft Visual Studio
- Microsoft SQL Server
- database management tools (PostgreSQL pgAdmin, SQL Server Management Studio)
- hypervisors (VirtualBox, VMware)
- various JetBrains software
- various tools and SDKs
- image/audio/video recording/editing/streaming software - except for:
  - image/audio/video players (e.g. IrfanView, VLC)
  - video codecs (e.g. K-Lite)
  - OEM preinstalled software (provided by the exclude-oem repository)
  - Windows Live video editing software (provided by the exclude-windows repository)
  - multimedia files (provided by the exclude-user repository)
- installation files related to ERP/business software (mostly specific to Poland)
- games (OEM preinstalled, games installed by users)
- content related to browser games
- game launchers
- other gaming-related tools (except for generic video-recording/streaming software)
- multimedia files (avi/mkv/rmvb movies, mp3/flac music)
- image files containing encrypted filesystems
- Mozilla Firefox/Thunderbird caches
- Windows memory dumps
- Windows search telemetry
- Universal Windows Platform application cache
This special repository should be installed only in tandem with the hook-virtual hook. It speeds up exfiltrating VMware and Hyper-V virtualization servers by excluding:
- VMDK (VMware), VHD/VHDX and other Hyper-V related virtual drive images
- ISO images (mostly OS installation media)
The mentioned hook mounts these drive images just like local drives, and then recursively exfiltrates them.
Technical details
The actual exfiltration process is realized using the rsync tool, with an --exclude-from parameter for each group.
Each functional group is maintained as a separate Git repository containing an exclude.list file. All repositories listed above are maintained as a part of the Drive Badger project, so you can rely on their timeliness and quality.
You can fork each of these repositories and maintain the forks on your own. You can even create completely new sets of rules and use them on your Drive Badger / Mobile Badger devices.