Events display
Mobile Badger is designed to run in full headless mode (without monitor, and without auto-logging on local console).
However, there is a way to control its activities - it supports various LED/LCD displays:
| Device model(s) | Installing | Notes |
|---|---|---|
| Adafruit PiTFT 2.2/2.8 inch LCD | manual | framebuffer-based |
| BakeBit NanoHat OLED | manual | for NanoPi NEO/NEO2, not Raspberry Pi |
| BlinkStick Strip | manual | USB instead of GPIO; our recommended device |
| Pimoroni Blinkt! | manual | our recommended device |
| Pimoroni Scroll HAT Mini | manual | |
| Uctronics 3.5 inch Touchscreen | manual | framebuffer-based; avoid it |
| Waveshare 1.44inch LCD display HAT | manual | |
| Waveshare True color RGB LED HAT | manual |
Here you will find a repository containing the current list of drivers, along with their documentation.
Data exfiltration takes time, especially when run on relatively slow device, instead on a normal computer. Therefore it is crucial to know, what is actually happening with this device:
- was the attached target drive properly recognized?
- was the user drive properly recognized and decrypted?
- is the exfiltration still running, or already finished?
- any other important events?
The easiest way to handle this, especially in the field use, is to use simple LED interface, that will show such event using multiple LED colors, eg.:
While there multiple different display devices supported, where each of them has completely different capatilibies, there is a common idea of slots. Each device needs to display from 8 to 10 slots, counted from 0 to 7/8/9, where each slot is represented as:
- multi-color LED pixel
- LED column in a matrix LED display
- text row on LCD display
So slot 0 is simply the first LED pixel or first line or text, slot 1 is second LED pixel and so on.
There are exactly 8 types of events, from which some are global (bound with slot 0), while others are related to exfiltrated devices - where slot number is bound to partition number. Thanks to it, a simple 8 LED display can show stages of up to 7 parallel operations.
Global events (slot 0):
-
shutdown- turn of all display, disable all LED pixels etc., depending on device type -
ready- Mobile Badger device is ready to work after boot -
target_ready- target drive was connected, recognized and mounted -
target_disconnected- target drive was disconnected, fallback drive will be used
Per-partition events (slots 1 to 7..9):
-
media_device_detected- MTP/PTP device was detected, and its exfiltration is about to start; represented by last slot -
media_device_processed- MTP/PTP exfiltration is done -
operation_started- hard drive was detected, and its exfiltration is about to start; each partition gets its own event, eg./dev/sdb1is bound with slot 1,/dev/sdb2bound with slot 2 and so on -
operation_finished- partition exfiltration is done
This way, if you connect a modern Windows drive with many hidden/recovery/reserved partitions, you will always properly see, which operations are done, and which are still in progress.