Drive Badger: open source platform for covert data exfiltration operations, ranging from small computers to big servers.

contact@drivebadger.com

Our plans for near future

Do you want any of the below features? Sponsor us...

Future plans - gathering information

Support for disk encryption schemes

  • HFS+ (older Mac OS)
  • ESET Endpoint Encryption (previously DESlock)
  • McAfee Drive Encryption

Support for more disk partitioning schemes

  • FreeBSD
  • possibly other *BSD
  • AIX

Support for RAID and network filesystems

  • is it possible to assemble and exfiltrate filesystems spanning multiple drives/hosts, based on discovered data?
  • RAID 5/6/...
  • ZFS/btrfs, possibly with encryption support
  • MooseFS, Ceph, GlusterFS etc.

Support for 802.1X

  • look for 802.1X certificate files and passwords
  • try to connect to protected networks
  • postpone executing all other hooks until all drives are processed

Support for secured-core PC architecture

Support for hardware keys/modules and other mixed encryption methods

  • first research what is really possible and usable in real-life scenarios
  • TPM modules
  • U2F keys (Yubikey, Google Titan etc.)
  • smart cards
  • biometric devices
  • HSM modules
  • BitLocker PIN codes
  • VeraCrypt keyfiles (alone or mixed with passwords)
  • LUKS keyfiles

New hooks (if the described functionality is possible)

existing hook-wcxftp

  • rewrite Python 2.x-based code to Python 3 (or PHP)

ssh keys

  • scan for ~/.ssh/id_rsa or other ssh private keys (parse ~/.ssh/config)
  • parse .bash_history and .zsh_history for connections using keys
  • try to find frameworks like Ansible and parse their configuration
  • use preconfigured keys from the repository
  • finally, try to exfiltrate other machines via ssh

passwords

  • look for user passwords saved in browsers (Firefox, Chrome etc.)
  • look for ftp/sftp passwords from other programs
  • look for remote MySQL/Postgres/Mongo/other credentials, to "back up" those databases similarly to sf-backup

others

  • try to adapt DonPAPI
  • look for Windows password files
  • is it possible to extract SMB share credentials from Windows?
    • how about an AD environment?
    • how about standalone Windows + Samba server?
    • either mapped to a drive letter or not, but still available to open without a password
    • mapped to a drive letter using separate credentials

Fixes for known problems

  • properly recognize drive serial numbers behind RAID controllers

Future plans - management and reporting

Keep up to date with the latest version of Kali Linux

Mobile Badger

  • deployment-scripts: support at least for Raspberry Pi with Raspbian
  • try to unify event logging between Drive Badger and Mobile Badger

Custom, preconfigured Drive Badger ISO images

  • online ISO setup via admin panel, then build, download, and deploy using Rufus
  • goal: no need to use Linux at all (at least during setup stage)

Mobile Badger as additional "feature" for embedded devices

  • scripts for repacking external firmware (at least firmware based on Debian or one of its derivatives and provided as ISO images, e.g. this one)

Integration with forensic analysis tools

  • scripts preparing automatic imports to Magnet AXIOM, Paraben E3, FTK Forensic Toolkit and Autopsy
  • research of Oxygen Forensic Detective and Belkasoft Evidence Center X

Standalone reporting server