Mobile Badger saves all exfiltrated data:
When an USB Mass Storage device is connected to (or disconnected from) a Linux computer, series of
udev events are generated. Particularly there is "add" event for each detected device, and each detected partition. Such events can be intercepted and can eg. run some program, create and start a new systemd service etc.
Mobile Badger works by intercepting such rules and creating ephemeral
systemd services (living until the device is still connected). Each partition is:
ignore.uuid files (provided via configuration repositories) contain lists of UUID partition identifiers, one per line, eg:
2021-02-18-17-44-06-00 2021-02-18-17-16-26-00 1366-8586 FFFF-FFFF
Partitions defined in these files will be completely ignored by Mobile Badger.
There are 2 example repositories with
target.uuid files contain lists of UUID partition identifiers, one per line. Partitions defined in this file will be:
/media/targets/sda1directory (where "sda1" will be replaced by the actual device identifier)
If you connect many target drives simultaneously:
/media/targetsymlink to fallback storage
To fix it, just disconnect your chosen target drive, wait 10 seconds and connect it again.
target.uuid files are not used directly - instead, after each Git update (or other update operation), all such files are processed by
/opt/drivebadger/internal/mobile/rebuild-uuid-lists.sh script, which generates temporary files, without comments and empty lines.
If you deploy updates to your Mobile Badger devices other way, than by executing
/opt/drivebadger/update.sh script, you need to remember about executing
rebuild-uuid-lists.sh at the end.
For best performance, target partitions should be formatted as
ext4, however it's not required. You can use any Linux-writable filesystem type. However, as opposite to Drive Badger persistent partitions, LUKS encryption is not supported here.
Target filesystem has to have already created one of the following directory chains:
.support/.files .files/.data files/data
Exfiltrated data is then saved to eg.
If neither of these directory chains is found, then fallback storage will be used. This is a kind of "security by obscurity" mechanism, that at least prevents accidential showing names and serial numbers of exfiltrated devices, when someone accidentally attached your target drive to quickly inspect its contents. You can put eg. some movies or mp3 files inside its root directory, while
.files directory will be hidden by many file managers.
Yes, but only unencrypted ones. LUKS encryption is not supported.
Drive Badger device contains 3 partitions (or more):
persistence) should be added to
then all exfiltrated data are saved to internal memory card or hard drive (depending on your chosen hardware), in eg.