Drive Badger: open source platform for covert data exfiltration operations, ranging from small computers to big servers.

Drive Badger is sometimes compared to the Pegasus spyware platform, developed by the Israeli company NSO Group and recently much discussed in the media. In this article, without going too far into technical details, we compare the capabilities of both platforms from a purely functional standpoint.

From a technical point of view, Pegasus can be divided into several dozen separate functional modules (mostly related to remote infection and the subsequent analysis of the victim's actions). Functionally, however, from the perspective of a surveillance officer, it can be divided into 5 functional blocks:

1. Remote infection

The ability to infect a phone fully remotely is in fact the main competitive advantage of Pegasus and the reason why uniformed services across the world choose it over any other platform, including platforms with much better digital evidence analytics. This is all the more notable because Pegasus supports only phones and tablets, so evidence obtained from a victim's phone and computer cannot be combined in any single tool.

2. Local infection

Drive Badger can "infect" only locally, but across the full range of targets: computers, servers, mobile phones, tablets, pen drives, and even photo cameras. This functionality was developed for countries where planting evidence or backdoors is legal, e.g. Brazil, Vietnam, China and so on.

As Drive Badger is developed by a civilian company, without any cyberweapon trading licenses etc., as an open source project, it is not directly weaponized (apart from this simple demo for Linux hosts). It fully allows injecting content into exfiltrated filesystems, but it is the operator's responsibility to provide any exploits, evidence files or other content to be injected.

3. Data exfiltration

4. Data analysis and correlation, digital evidence management

Compatible analysis tools

Magnet AXIOM

Paraben E3

FTK Forensic Toolkit

other open source tools

5. Supervision, fraud/abuse detection

Drive Badger

From the founder...

Having been in the IT security business for almost 25 years, I have realized that breaking protections (or preventing it) is becoming less and less important. We are not living in the Outlook Express era anymore...
The key point is the ability to keep the privileges permanent once they are obtained. This becomes more and more difficult as IT systems get more and more complicated, and this is exactly the goal of the Drive Badger project: to give non-ITSEC people the ability to keep either the privileges or the outcome of a successful break-in.