Data storage

Tomasz Klim edited this page Jan 9, 2022 · 20 revisions

Mobile Badger saves all exfiltrated data:

  • on the internal memory card (or hard drive, depending on the chosen hardware); this is later called "fallback storage"
  • on an attached external USB drive (later called "target drive")

How connected drives are discovered

When a USB Mass Storage device is connected to (or disconnected from) a Linux computer, a series of udev events is generated. In particular, there is an "add" event for each detected device and for each detected partition. Such events can be intercepted and used to e.g. run a program, or create and start a new systemd service.

Mobile Badger works by intercepting such events and creating ephemeral systemd services (which live only as long as the device is connected). Each partition is:

  • recognized
  • checked for encryption, using the same mechanisms and keys that are used by Drive Badger
  • decrypted (if the key is available)
  • mounted read-only
  • processed by the same hooks that are used by Drive Badger
  • exfiltrated, again using the same exclusion rules that are used by Drive Badger
  • if any injector script is found:
    • mounted read-write (if supported for this filesystem and possible)
    • processed by injector script
  • closed

ignore.uuid files

ignore.uuid files (provided via configuration repositories) contain lists of partition UUIDs, one per line, e.g.:

2021-02-18-17-44-06-00
2021-02-18-17-16-26-00
1366-8586
FFFF-FFFF

Partitions defined in these files will be completely ignored by Mobile Badger.

There are 2 example repositories with ignore.uuid files:

  • ignore-known - list of real, well-known UUIDs of Kali Linux Live partitions (installed by example install script)
  • target-demo - demo repository, showing how to configure your own devices

target.uuid files

target.uuid files contain lists of UUID partition identifiers, one per line. Partitions defined in this file will be:

  • mounted in /media/targets/sda1 directory (where "sda1" will be replaced by the actual device identifier)
  • symlinked as /media/target

If you connect many target drives simultaneously:

  • only the last connected one will be used
  • disconnecting any of them will revert /media/target symlink to fallback storage

To fix it, just disconnect your chosen target drive, wait 10 seconds and connect it again.

rebuild-uuid-lists.sh script

ignore.uuid and target.uuid files are not used directly - instead, after each Git update (or other update operation), all such files are processed by /opt/drivebadger/internal/mobile/rebuild-uuid-lists.sh script, which generates temporary files, without comments and empty lines.

If you deploy updates to your Mobile Badger devices in any way other than by executing the /opt/drivebadger/update.sh script, you need to remember to execute rebuild-uuid-lists.sh at the end.

Additional requirements for target partitions

  1. For best performance, target partitions should be formatted as ext4, but this is not required: you can use any Linux-writable filesystem type. However, unlike Drive Badger persistent partitions, LUKS encryption is not supported here.

  2. LUKS target drive encryption is not supported - unless you install Mobile Badger on laptop or desktop computer, on top of Kali Linux, instead of Raspberry Pi and Raspbian.

  3. The target filesystem must already contain one of the following directory chains:

.support/.files
.files/.data
files/data

Exfiltrated data is then saved to e.g. the /media/target/.files/.data/20210723/$deviceserial/$partition subdirectory.

If none of these directory chains is found, fallback storage will be used. This is a kind of "security by obscurity" mechanism that at least prevents accidentally revealing the names and serial numbers of exfiltrated devices when someone attaches your target drive to quickly inspect its contents. You can put e.g. some movies or mp3 files inside its root directory, while the .files directory will be hidden by many file managers.
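For an examiner triaging an unknown drive, the layout described above is what distinguishes a Mobile Badger target drive from ordinary removable media. The following Python check is an added example, not code from the Drive Badger project: it walks a read-only mounted volume for the three directory chains and the date/serial/partition hierarchy. The function names, the 8-digit date pattern (inferred from the "20210723" sample) and the sample tree are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Directory chains listed on this page; any one marks a drive as usable target storage.
CHAINS = (".support/.files", ".files/.data", "files/data")
# Assumption: date directories are 8 digits, as in the page's "20210723" sample.
DATE_DIR = re.compile(r"^\d{8}$")


def has_marker_chain(mount_root):
    """True if the volume carries any of the chains, even with no data saved yet."""
    return any((Path(mount_root) / c).is_dir() for c in CHAINS)


def find_exfil_stores(mount_root):
    """Return (chain, date, serial, partition) tuples found under a mounted volume.

    Only directory names are read; file contents are never opened.
    """
    hits = []
    for chain in CHAINS:
        base = Path(mount_root) / chain
        if not base.is_dir():
            continue
        for date_dir in sorted(p for p in base.iterdir() if p.is_dir()):
            if not DATE_DIR.match(date_dir.name):
                continue  # unrelated folder that happens to live under the chain
            for serial_dir in sorted(p for p in date_dir.iterdir() if p.is_dir()):
                for part_dir in sorted(p for p in serial_dir.iterdir() if p.is_dir()):
                    hits.append((chain, date_dir.name, serial_dir.name, part_dir.name))
    return hits


def build_sample_volume():
    """Constructed sample tree (not real evidence) mimicking the documented layout."""
    root = Path(tempfile.mkdtemp(prefix="triage-sample-"))
    (root / ".files/.data/20210723/SERIAL-EXAMPLE/sdb1").mkdir(parents=True)
    (root / "files/data/notes").mkdir(parents=True)  # chain present, no dated data
    (root / "Movies").mkdir()  # ordinary-looking content in the root directory
    return root


if __name__ == "__main__":
    sample = build_sample_volume()
    print(has_marker_chain(sample), find_exfil_stores(sample))
```

Because files/data is a common directory name, a chain without dated subdirectories is only a weak indicator; the serial and partition names in a hit identify which devices were copied and on which date.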

Can Drive Badger Kali persistent partitions be used with Mobile Badger?

Yes, but only unencrypted ones. LUKS encryption is not supported.

A Drive Badger device contains 3 partitions (or more):

  • the first 2 are standard Kali Linux partitions - their UUIDs should be added to the ignore.uuid file
  • the third partition (or, in general, the partition labeled persistence) should be added to the target.uuid file
  • if you created additional partitions (encrypted or not), their UUIDs should also be added to the ignore.uuid file

Fallback storage

When:

  • no target drive is connected
  • any previously active target drive was disconnected
  • the target drive doesn't contain any of the required directories

then all exfiltrated data is saved to the internal memory card or hard drive (depending on your chosen hardware), in e.g. the /media/fallback/20210723/$deviceserial/$partition subdirectory.