What is Drive Badger project?
Drive Badger project is a set of tools for stealth data exfiltration – which means, for copying data from someone's computer or mobile device to external USB drive. In most cases, without knowledge or consent of the owner.
Because of technical limitations, Drive Badger project is divided into 2 separate products, sharing the same source code, but run in a different way:
- Drive Badger is installed on USB drive, and it uses Kali Linux, which is the distribution of Linux focused around security. It runs directly on the victim computer, detects your external drive as well as all other drives, and exfiltrates data to your USB drive.
- Mobile Badger is installed on your own computer (Raspberry Pi, laptop, or even desktop computer), and it uses Debian/Ubuntu/Raspbian Linux - this separate product is meant for data exfiltration from mobile devices (Android, iPhone and many others), photo cameras and USB drives, to either your USB drive or internal memory card.
Why ever use Drive Badger? This can be done manually, or by ad-hoc script.
That's true. Unlike many other tools from IT security area, Drive Badger is not a Proof-of-Concept kind of tool, bringing some groundbreaking techniques. Everything, what Drive Badger does, can be as well run manually, step by step.
Instead, what Drive Badger really does, is doing it all better, by putting the maximum focus on:
- speed - the whole operation is fully automated, and there are over 400 unique exclusion rules, which reduce the amount of files to be copied by eliminating low-value files and directories from the list, and thus save typically over 95% of the time, that would be spent by "naive" script
- stealth - the whole operation is done below the installed operating system, so totally invisible to the installed security software (anti-virus, DLP, SIEM, EDR etc.)
- support for drive encryption - Microsoft BitLocker, Apple FileVault, LUKS and VeraCrypt encryption is supported, including automated matching the keys given as flat list, to particular encrypted partitions
- operator safety - there is no way to distinguish between Drive Badger and ordinary Kali Linux Live drive, or to prove the fact of data exfiltration, until someone knows the proper password (and thanks to PBKDF2 algorithm, there is no way to crack it)
So, the real purpose of Drive Badger is to change the economics of covert data exfiltration attacks (make them more affordable), by reducing the overall risk of the operation, and also by lowering the entry threshold for the operator, who no longer needs to have IT background.
My country bought Pegasus (or any similar solution). Do our police officers still need Drive Badger for anything?
Pegasus is a very expensive, and therefore exclusive solution. Both for targeted subjects, and for potential operators.
Most countries buy between 20 and 50 tracking licenses, no matter if they choose Pegasus, DevilsTongue, RCS or any other commercial solution. This fact will always limit its use only against the most dangerous criminals.
From your individual perspective as an officer, you either are the lucky guy who has been granted access, or not. And you either can use Pegasus as your career booster, or not. In 99.9% cases, NOT. And this is not your decision.
On the contrary, Drive Badger is fully open source project. You get all the software and manuals for free. What you need, is:
- time to read and understand everything
- time to plan the individual operation against your target
- some small money for the hardware equipment (everything should be available at normal computer stores)
- trusted partner(s) with similar badge/powers as yours (to perform bigger operations)
So you can use Drive Badger just like any other private, non-standard equipment, to improve your work results. This is only your decision.
Are there any real-life materials showing, how Drive Badger performs?
See Cayman National: Hyper-V exfiltration case study - it brings the detailed performance analysis of exfiltration of big part of Cayman National bank's IT infrastructure.
If the operation is done offline, then only the local computer is exfiltrated, right?
Wrong. Please see hooks.
Hooks analyze each copied partition - and if particular files are found, they are analyzed and Drive Badger can use information extracted from them to exfiltrate network shares as well:
- on Windows - passwords for FTP accounts stored in
wcx_ftp.inifiles by Total Commander - on Linux -
smbfs/cifsandnfsshares mounted statically in/etc/fstabfiles
Can Drive Badger be used to plant evidence?
While Drive Badger's main functionality is data exfiltration, it is also able to make changes to the copied filesystem: create files or directories, write data into them, rename, delete etc. - as long as processed drive/filesystem is writable.
This feature is called filesystem injection and is done by "injectors". See injectors-playground repository for example scripts.
Do you want any money?
No. I created Drive Badger and Mobile Badger for purely ideological reasons. I have money for living, and I don't sell anything here.
- Drive Badger and Mobile Badger software are 100% free and open source, including all manuals - and all the code is written in possibly high-level way, to be as short and easy to understand/review as possible
- underlying Linux distributions are also open source
- you need just an USB drive, preferably a few fast ones (or a bit more equipment for Mobile Badger) - however you buy them separately in your local computer store
Of course, I'm open for sponsoring either Drive Badger or my other open source projects - but it's your individual, voluntary decision, whether to donate anything.