Here you will find our curated list of recommended hardware:
Start by choosing (and buying) the device best suited to your individual requirements.
Download the Kali Linux Live image for your chosen hardware architecture from here.
Write the downloaded image to your chosen USB device (at least 8GB is required just for testing, but 240GB-2TB is recommended for "production" usage):
dd if=kali-linux-2021.1-live-amd64.iso of=/dev/sdb status=progress
where /dev/sdb is the device identifier of the drive to which you write the image (remember that these identifiers are assigned anew after each computer boot, so verify it before writing).
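Because the dd target is named by an identifier that changes between boots, a pre-flight check is worth running first. The script below is an added example, not part of the Drive Badger project: it refuses the target unless the kernel reports it as a whole, removable disk of at least 8GB, reading /sys/block (the optional second argument, a sysfs root, is an assumption added so the check can be exercised against a constructed tree instead of the real /sys).

```shell
#!/bin/sh
# Pre-flight check before "dd if=... of=/dev/sdX": refuse to write unless the
# target is a whole, removable disk of at least 8GB. Added example, not Drive
# Badger code. Reads the kernel's sysfs tree; the optional sysfs root argument
# is an assumption that lets the function run against a constructed tree.

MIN_SECTORS=16777216   # 8GB expressed in 512-byte sectors (8 * 1024^3 / 512)

# usage: check_usb_target /dev/sdb [sysfs_root]
# returns 0 if the device looks like a removable USB disk, 1 (with a reason) otherwise
check_usb_target() {
    dev="$1"
    sysfs="${2:-/sys}"
    name="${dev#/dev/}"

    # only plain /dev/<name> is accepted, nothing with extra path components
    case "$name" in
        ""|*/*) echo "refuse: '$dev' is not a plain /dev/<name> path"; return 1 ;;
    esac

    # whole disks live directly under /sys/block; partitions (sdb1) do not,
    # and a name that vanished since the last boot will not be there either
    blk="$sysfs/block/$name"
    if [ ! -d "$blk" ]; then
        echo "refuse: $dev is not a whole disk known to the kernel (identifiers change between boots, re-check them)"
        return 1
    fi

    # the kernel flags USB sticks and card readers as removable; internal disks report 0
    if [ "$(cat "$blk/removable" 2>/dev/null)" != "1" ]; then
        echo "refuse: $dev is not flagged removable, it may be an internal disk"
        return 1
    fi

    # size is reported in 512-byte sectors regardless of the physical sector size
    sectors="$(cat "$blk/size" 2>/dev/null)"
    if [ -z "$sectors" ] || [ "$sectors" -lt "$MIN_SECTORS" ]; then
        echo "refuse: $dev is smaller than the 8GB minimum"
        return 1
    fi

    echo "ok: $dev is a removable disk of $((sectors / 2097152))GB, safe to write"
    return 0
}

# run the check on a device given on the command line, e.g. ./check.sh /dev/sdb
if [ "$#" -gt 0 ]; then
    check_usb_target "$1"
fi
```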
Create the third partition on that USB device (preferably LUKS-encrypted):
The exact instructions can be found here.
We suggest setting stronger encryption parameters, to make brute-forcing your chosen passphrase harder (note that --iter-time 5000 makes every unlock take about 5 seconds on the machine that formatted the drive, and --debug only adds diagnostic output):
cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --debug --verify-passphrase luksFormat /dev/sdb3
Boot into your new Kali Linux (in persistent mode), make sure that you have a working Internet connection, open the terminal, execute sudo su - to become root, and execute:
apt update
apt install git
git clone https://github.com/drivebadger/drivebadger /opt/drivebadger
git clone https://github.com/drivebadger/compat /opt/drivebadger/external/compat
git clone https://github.com/drivebadger/ext-veracrypt /opt/drivebadger/external/ext-veracrypt
The above set of 3 repositories is the bare minimum - enough to run the exfiltration process, but not enough to achieve optimal performance, handle encrypted drives or network shares. Now you need to clone all chosen configuration repositories and hooks into the /opt/drivebadger/config and /opt/drivebadger/hooks directories, respectively:
Make sure that you have cloned everything that you want to use (see our reference install script as a checklist). From this point on, you can safely reboot Kali Linux as many times as you need.
Drive Badger supports the 4 most important drive encryption methods: Apple FileVault, BitLocker, LUKS and VeraCrypt. Of course, decryption is only possible when you have obtained and installed the encryption keys (whether assigned to specific drives or not).
For security reasons, in most cases you should keep your encryption keys in a private repository. See how to install private repositories.
While Drive Badger's main functionality is data exfiltration, it can also make changes to the copied filesystem: create files or directories, write data into them, rename, delete, etc. This feature is called filesystem injection and is done by "injectors". See the injectors-playground repository for example scripts.
After you create your own injector repositories, you need to clone them into the /opt/drivebadger/injectors directory.
Open the terminal, execute sudo su - to become root, and execute:
cd /opt/drivebadger/setup/2020.3 && ./install.sh
This will:
- set up the /etc/rc.drivebadger script to be run on each boot (even on your own computer, so don't execute this prematurely)
- disable graphical mode (you can still log in as kali and run startx after boot)
If you don't want to disable graphical mode, execute in the same terminal:
systemctl set-default graphical.target
You can find the example install script here - just remember that it's an example, not a complete script.
If you need to create multiple Drive Badger devices (e.g. when planning some big attack), you can do it using the configure-new-device.sh script from the separate deployment-scripts repository.
Note that this script intentionally doesn't arm the created devices - this allows you to fine-tune the configuration of each device separately, e.g. to load only the recovery keys assigned to a particular operator.
For dealing with multiple Drive Badger devices simultaneously, you can use a Dell Optiplex 7040 Micro computer - very cheap, while having good performance and 6 USB 3.0 ports.