Drive Badger: open source platform for covert data exfiltration operations, ranging from small computers to big servers.

The whole Drive Badger solution is contained on a single USB Storage device:

  • pen drive
  • external SSD drive
  • external hard drive
  • standard SATA drive behind USB bridge

Pen drive vs external SSD drive

In theory, SSD drives and pen drives work in the same way: inside they have a flash memory, a controller to manage operations on this memory, and USB bridge. But at a closer look:

  • SSD drives have completely different types of memory, with different (much better) parameters (allowing faster writes, degrading much slower, because of bigger size, better heat management and optimizations to work parallel) - while memory chips for pen drives are designed mainly for miniaturization at all cost
  • SSD drives mostly have a few separate memory chips, to allow parallel writes and slow down the degradation process
  • SSD controller itself is also different, more powerful, often with dedicated RAM memory for buffering write operations

These differences make SSD drives much more powerful in means of write performance and durability, than pen drives. On the other hand, SSD drives are more expensive, and bigger, harder to hide and operate, especially comparing with models like SanDisk Ultra Fit or Samsung Fit Plus, which are smaller than just USB-C adapter (see the below photo).

UASP support

UASP (USB Attached SCSI Protocol) is a data transmission protocol, allowing USB Storage devices to communicate using SCSI standard and achieve faster data transfers. It was introduced a part of USB 3.0 standard, however it can also work with USB 2.0, assuming use of compatible hardware, firmware and drivers.

You can read more about UASP on Wikipedia.

Checking, if the USB device supports UASP

On Linux console, run lsusb -t, and look at the Driver field:

Port 3: Dev 9, If 0, Class=Mass Storage, Driver=uas, 5000M          # UASP on USB 3.0
Port 3: Dev 14, If 0, Class=Mass Storage, Driver=uas, 480M          # UASP on USB 2.0
Port 1: Dev 6, If 0, Class=Mass Storage, Driver=usb-storage, 5000M  # no UASP support

Then run lsusb and match Port and Dev numbers, to read the device name.

Magnetic drives

Magnetic (classic) hard drives are not suitable for "production" use with Drive Badger because of several reasons: bigger weight and size, fragility and relatively low performance are the most important ones. And, in case of Mobile Badger, too big power usage.

On the other hand, magnetic drives can handle theoretically unlimited number of write operations, where both pen drives and SSD drives are degrading. This makes magnetic drives a good choice for development/testing use, if you eg. develop functional extensions for Drive Badger and want to test each code revision: they are cheaper, more durable for rewriting over and over again, and slower, which makes it easier to spot any problems.

All recommended models have relatively low durability - enough if used only for real attacks, but not enough for daily/development usage.

SanDisk Ultra Fit, first generation models:

  • available sizes up to 128 GB
  • great write performance at the beginning (as for mini pen drive), but quickly degrading with each write cycle
  • metal enclosure
  • discrete look, easy to confuse with Bluetooth dongle for wireless mouse etc.
  • hard to buy (replaced by second generation)

SanDisk Ultra Fit, second generation models:

  • available sizes up to 512 GB
  • black plastic enclosure, less durable physically
  • a bit less discrete look

Samsung Fit Plus:

  • available sizes up to 256 GB
  • faster than SanDisk Ultra Fit, degrading slower
  • much more noticeable, when connected

SSD drives are physically bigger and more expensive than pen drives - but also offer much bigger write performance and durability, so can be used for development, or any other tasks and don't need to be reserved only for attacks.

Samsung Portable SSD T5:

  • available sizes up to 2 TB
  • available in 4 different colors
  • supports UASP

SanDisk Extreme 500 Portable SSD:

  • available sizes up to 1 TB
  • most resistant to negative external conditions (waterproof, dustproof, durable case)
  • hard to buy, replaced by the newer generation below

SanDisk Extreme Portable SSD, Gen.1:

  • available sizes up to 2 TB
  • supports UASP
  • very similar hardware to Samsung Portable SSD T5 (see detailed comparison)
  • hard to buy, replaced by Gen.2 below

These drives are NVMe models, not SATA.

Theoretically NVMe standard is backwards compatible with SATA, but there are many older motherboards that don't work properly with NVMe, even when attached via USB - so using NVMe models is recommended only for bigger operations, where you have several computers to exfiltrate, several target drives, and an option to choose an alternative drive for any particular computer, that doesn't work with NVMe drive.

Samsung Portable SSD T7 (and T7 Touch):

  • available sizes up to 2 TB
  • similar look as T5, but a bit bigger
  • available in 5 different colors (3 for standard, other 2 for Touch)

SanDisk Extreme PRO Portable SSD V2:

  • available sizes up to 4 TB
  • the fastest and most durable from all models (except for Thunderbolt), but also most expensive
  • similar look as Gen.1, but a bit bigger than all "non-PRO" models

SanDisk Extreme Portable SSD, Gen.2:

  • available sizes up to 4 TB
  • a bit bigger than Gen.1, but smaller than PRO and PRO V2

These are Thunderbolt 3 drives, not USB - they work only with Apple computers, and very few others.

Samsung Portable SSD X5 Thunderbolt 3:

  • available sizes up to 2 TB
  • the fastest possible model
  • durable magnesium alloy housing, resistant to strong vibrations and falls (but not waterproof or dustproof)

Additional materials

From the founder...

Being in IT security business for almost 25 years, I realized, that breaking protections (or preventing it) is becoming less and less important. We are not living in Outlook Express times anymore...
The key point is the ability to keep the privileges permanent, once obtained. This becomes more and more difficult, as IT systems get more and more complicated - and this is exactly the goal of Drive Badger project: to give non-ITSEC people the ability to keep either the privileges, or the outcome of the successful break-in.