Skip to content

Data storage

Jump to bottom
Tomasz Klim edited this page Jul 24, 2021 · 20 revisions

Mobile Badger saves all exfiltrated data:

  • on internal memory card (in some places it is called "fallback storage")
  • on attached USB external drive ("target drive")

How connected drives are discovered

When an USB Mass Storage device is connected to (or disconnected from) a Linux computer, series of udev events are generated. Particularly there is "add" event for each detected device, and each detected partition. Such events can be intercepted and can eg. run some program, create and start a new systemd service etc.

Mobile Badger works by intercepting such rules and creating ephemeral systemd services (living until the device is still connected). Each partition is:

  • recognized
  • checked for encryption - using the same mechanisms and keys, that are used by Drive Badger
  • decrypted (if the key is available)
  • mounted
  • processed by the same hooks, that are used by Drive Badger
  • exfiltrated - again, using the same exclusion rules, that are used by Drive Badger
  • closed

/etc/drivebadger/drives/ignore.list file

/etc/drivebadger/drives/ignore.list file contains list of UUID partition identifiers, one per line (without empty lines), eg:

2021-02-18-17-44-06-00
2021-02-18-17-16-26-00
1366-8586
FFFF-FFFF

Partitions defined in this file will be completely ignored by Mobile Badger.

/etc/drivebadger/drives/target.list file

/etc/drivebadger/drives/target.list file contains list of UUID partition identifiers, one per line (without empty lines, format as above). Partitions defined in this file will be:

  • mounted in /media/targets/sda1 directory (where "sda1" will be replaced by the actual device identifier)
  • symlinked as /media/target

Additional requirements for target partitions:

  1. For best performance, target partitions should be formatted as ext4, however it's not required. You can use any Linux-writable filesystem type. However, as opposite to Drive Badger persistent partitions, LUKS encryption is not supported here.

  2. Target filesystem has to have already created one of the following directory chains:

.support/.files
.files/.data
files/data

Exfiltrated data is then saved to eg. /media/target/.files/.data/20210723/$deviceserial subdirectory.

If neither of these directory chains is found, then fallback storage will be used. This is a kind of "security by obscurity" mechanism, that at least prevents accidential showing names and serial numbers of exfiltrated devices, when someone accidentally attached your target drive to inspect its contents. You can put eg. some movies or mp3 files inside its root directory, while .files directory will be hidden by many file managers.

Can Drive Badger Kali persistent partitions can be used with Mobile Badger?

Yes, but only unencrypted ones. LUKS encryption is not supported.

Fallback storage

© Copyright 2020-2022 by Tomasz Klim Payload.pl

Clone this wiki locally