Rigmaiden

Anti-Forensic USB Defense Tool with Advanced System Protection

Continuously monitors connected USB devices and enforces system kill-switch upon detection of unauthorized hardware changes



Read the paper I wrote on ORCiD about Rigmaiden.


Learn More About Rigmaiden

🎯 What Makes Rigmaiden Unique?

Rigmaiden represents a comprehensive approach to anti-forensic defense, combining multiple security layers into a single USB-deployable solution. Unlike traditional security tools that focus on prevention, Rigmaiden emphasizes detection and rapid response to forensic threats.

🔬 Technical Deep Dive

Hardware Fingerprinting: Fingerprints connected USB devices from the descriptors they present (vendor and product IDs, the same values the whitelist uses) to detect unauthorized forensic hardware including Cellebrite devices, USB jigglers, and custom exploitation tools. These identifiers are self-reported by the device and can be cloned, so a whitelist match is necessary but not sufficient evidence that a device is benign.


Cellular Analysis: Applies signal-processing heuristics to identify IMSI catchers and Stingray devices through frequency analysis and base station fingerprinting. This needs a cellular modem or SDR that exposes serving-cell parameters (cell ID, LAC/TAC, signal strength, cipher) to the host; on a laptop without such hardware there is nothing for this module to observe.

Memory Protection: Uses hardware-backed encryption (a TPM where present; see the hardening steps below) and platform secure enclaves where the operating system exposes them to protect sensitive data from memory extraction attacks.

🚨 Emergency Response System

Kill Switch Technology: Implements multiple layers of emergency shutdown procedures including immediate system lockdown, secure memory wiping, and network isolation.


Automated Countermeasures: Deploys real-time protective actions such as airplane mode activation, GPS spoofing, and encrypted data quarantine without user intervention.

Evidence Destruction: Securely overwrites forensically valuable data patterns while keeping the system usable for legitimate work. On flash storage (SSDs, eMMC) overwriting in place does not guarantee that the old blocks are gone, because wear levelling can keep stale copies; full-disk encryption with destruction of the key is the reliable way to make the data unrecoverable.

🏛️ Legal and Ethical Framework

Rigmaiden is developed specifically for educational and research purposes within the cybersecurity community. The tool serves as a practical demonstration of advanced defensive techniques against digital forensics tools.


Research Applications: Security researchers use Rigmaiden to understand forensic tool capabilities, test defensive measures, and develop improved privacy protection techniques.

Educational Value: Cybersecurity students learn about real-world threats including government surveillance tools, commercial forensics products, and advanced persistent threats.

🔄 How It Works

Rigmaiden System Flow Diagram
1. INITIALIZATION
   └── Hardware enumeration
   └── Baseline establishment
   └── Whitelist verification

2. CONTINUOUS MONITORING
   └── USB device scanning (500ms intervals)
   └── Cellular tower analysis
   └── Memory integrity checks
   └── Process monitoring

3. THREAT DETECTION
   └── Device fingerprint comparison
   └── Behavioral pattern analysis
   └── Signal anomaly detection

4. EMERGENCY RESPONSE
   └── Immediate threat isolation
   └── System protection activation
   └── Evidence preservation prevention
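
The four stages above as one loop, as an added example that is not Rigmaiden's own code: it assumes the whitelist syntax of RIGMAIDEN_USB_WHITELIST (bare vendor IDs or vid:pid pairs), reads devices from Linux sysfs when it is present, and hands the response level back to the caller instead of locking the machine. The device IDs, the kill/warn policy and the sample devices are assumptions. Because vendor and product IDs are self-reported, the example also looks at interface descriptors: a device that is not on the whitelist yet exposes a keyboard interface is treated as a kill-switch trigger regardless of what it claims to be.

```python
# Added example, not Rigmaiden's own code: USB baseline/whitelist monitor following the
# INITIALIZATION -> MONITORING -> DETECTION -> RESPONSE flow (Linux sysfs paths assumed).
import os
import time
from dataclasses import dataclass

HID_CLASS = 0x03          # bInterfaceClass: Human Interface Device
KEYBOARD_PROTOCOL = 0x01  # bInterfaceProtocol: boot-protocol keyboard
KILL_TRIGGERS = {"not-whitelisted", "unexpected-hid-keyboard"}

@dataclass(frozen=True)
class UsbDevice:
    vid: str            # 4 lower-case hex digits, e.g. "05ac"
    pid: str
    serial: str         # "" when the device reports none
    interfaces: tuple   # of (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol)

def parse_whitelist(spec):
    """'05ac, 0781:5583' -> {'05ac', '0781:5583'}: a bare VID allows every product of
    that vendor, 'vid:pid' allows exactly one product (RIGMAIDEN_USB_WHITELIST syntax)."""
    return {s.strip().lower() for s in spec.split(",") if s.strip()}

def is_whitelisted(dev, whitelist):
    return dev.vid in whitelist or f"{dev.vid}:{dev.pid}" in whitelist

def classify(dev, whitelist, baseline):
    """THREAT DETECTION for one device; an empty list means benign."""
    findings = []
    if (dev.vid, dev.pid, dev.serial) not in baseline:
        findings.append("new-since-baseline")
    if not is_whitelisted(dev, whitelist):
        findings.append("not-whitelisted")
        # Keyboard interface on an unknown device: the Rubber Ducky / Bash Bunny pattern.
        if any(c == HID_CLASS and p == KEYBOARD_PROTOCOL for c, _s, p in dev.interfaces):
            findings.append("unexpected-hid-keyboard")
    return findings

def decide(report):
    """EMERGENCY RESPONSE level. Only a device that appeared after baseline can trigger
    'kill'; a non-whitelisted device already present at start-up is a whitelist gap
    to fix ('warn'), not an intrusion to react to."""
    for findings in report.values():
        if "new-since-baseline" in findings and KILL_TRIGGERS & set(findings):
            return "kill"
    return "warn" if report else "ok"

def _read(path, default=""):
    try:
        with open(path) as fh:
            return fh.read().strip() or default
    except OSError:
        return default

def read_sysfs_devices(root="/sys/bus/usb/devices"):
    """Enumerate USB devices from Linux sysfs (no extra libraries); [] elsewhere."""
    devices = []
    if not os.path.isdir(root):
        return devices
    for name in sorted(os.listdir(root)):
        dpath = os.path.join(root, name)
        if not os.path.exists(os.path.join(dpath, "idVendor")):
            continue  # interface nodes such as "1-1:1.0" carry no idVendor
        ifaces = [tuple(int(_read(os.path.join(dpath, sub, f), "0"), 16) for f in
                        ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol"))
                  for sub in sorted(os.listdir(dpath)) if sub.startswith(name + ":")]
        devices.append(UsbDevice(_read(os.path.join(dpath, "idVendor")).lower(),
                                 _read(os.path.join(dpath, "idProduct")).lower(),
                                 _read(os.path.join(dpath, "serial")), tuple(ifaces)))
    return devices

def monitor(read=read_sysfs_devices, whitelist_spec=os.environ.get("RIGMAIDEN_USB_WHITELIST", ""),
            interval=0.5, max_polls=None):
    """INITIALIZATION (baseline = first enumeration), then CONTINUOUS MONITORING every
    `interval` seconds (the page's 500 ms). Returns the first (level, report) that is
    not 'ok', or None after max_polls quiet polls."""
    whitelist = parse_whitelist(whitelist_spec)
    baseline = {(d.vid, d.pid, d.serial) for d in read()}
    polls = 0
    while max_polls is None or polls < max_polls:
        report = {d: f for d in read() if (f := classify(d, whitelist, baseline))}
        level = decide(report)
        if level != "ok":
            return level, report
        polls += 1
        time.sleep(interval)
    return None

# Constructed sample, not captured from hardware: an allow-listed Apple keyboard present at
# baseline; later a SanDisk stick (vendor allowed) and an unknown-vendor keyboard-class device.
BASELINE_DEVICES = [UsbDevice("05ac", "024f", "", ((3, 1, 1),))]
LATER_DEVICES = BASELINE_DEVICES + [
    UsbDevice("0781", "5583", "4C530001", ((8, 6, 80),)),  # mass storage (class 0x08)
    UsbDevice("03eb", "2401", "", ((3, 1, 1),)),           # HID keyboard, not whitelisted
]

def demo():
    snapshots = iter([BASELINE_DEVICES, LATER_DEVICES])
    return monitor(read=lambda: next(snapshots), whitelist_spec="05ac,0781", interval=0, max_polls=5)

if __name__ == "__main__":
    print(demo())
```

On a real machine the first enumeration includes the root hubs (vendor 1d6b) and every built-in device; print that baseline and fold it into the whitelist before wiring the kill action to anything destructive, otherwise the first thing the tool ever kills is your own session.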

📊 Detection Capabilities

USB Forensic Tools: Cellebrite UFED, Oxygen Forensic Detective, MSAB XRY, and custom hardware solutions.


Surveillance Equipment: IMSI catchers, Stingray devices, DRT boxes, and cell tower simulators.


Exploitation Devices: USB Rubber Ducky, Bash Bunny, O.MG Cable, and similar HID attack vectors.


Persistence Mechanisms: USB jigglers, keep-alive devices, and covert monitoring hardware.


🛡️ Multi-Layer Defense Strategy

Rigmaiden implements a comprehensive defense strategy that operates on multiple levels:

Physical Layer: Hardware detection and USB port monitoring catch forensic tools at the moment they connect and start the response chain. A user-space monitor cannot stop a device from enumerating, so the value of this layer is the speed of the reaction, not prevention of the connection itself.

Network Layer: Cellular surveillance detection and network traffic analysis identify remote threats.

System Layer: Process monitoring and memory protection guard against software-based attacks.

Data Layer: Encrypted quarantine and secure deletion protect sensitive information from extraction.

🎓 Educational Scenarios

Red Team Exercises: Understanding how forensic tools operate and their detection signatures.

Blue Team Training: Learning defensive techniques against advanced persistent threats.

Privacy Research: Studying the effectiveness of anti-surveillance technologies.

Academic Study: Analyzing the cat-and-mouse game between forensic tools and defensive measures.

⚡ Real-Time Protection

Zero-Touch Operation: Runs silently in the background without user intervention.

Instant Response: Sub-second reaction time to detected threats.

Adaptive Learning: Updates threat signatures based on new forensic tool releases.

Cross-Platform: Consistent protection across Windows, macOS, and Linux systems.

Core Features

🔌 USB Device Management

Monitors all connected USB devices with whitelist-based access control. Automatically triggers system protection measures when unauthorized devices are detected.

📡 Cellular Surveillance Detection

Detects IMSI catchers, Stingrays, and other cellular surveillance tools through signal pattern analysis and frequency hopping detection.

🛡️ Cellebrite Protection

Specifically designed to detect and block Cellebrite forensic tools, including database access monitoring and iOS device access blocking.

🖱️ Jiggler Detection

Identifies and blocks USB jiggler devices, which keep a seized machine awake and unlocked so it can be imaged, preventing covert surveillance and data extraction attempts.
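
A behavioural check for the jigglers described above, as an added example that is not project code. It parses raw Linux evdev input_event records (the 64-bit struct layout is assumed) and flags a pointer stream that is metronomic, tiny and self-cancelling, the signature of a hardware dongle that nudges the cursor one pixel back and forth on a timer. The sample byte streams are constructed, the thresholds are assumptions, and a jiggler that randomises its timing or moves the pointer in larger loops would need different limits.

```python
# Added example, not Rigmaiden's own code: jiggler detection from raw evdev records.
# Assumes the 64-bit Linux struct input_event layout and a /dev/input/eventN feed;
# the sample streams below are constructed, not captured.
import statistics
import struct

EVENT_FMT = "llHHi"   # struct input_event: timeval(sec, usec), type, code, value (64-bit Linux)
EVENT_SIZE = struct.calcsize(EVENT_FMT)
EV_SYN, EV_REL = 0x00, 0x02
REL_X, REL_Y, SYN_REPORT = 0x00, 0x01, 0x00

def parse_evdev(raw):
    """Fold raw input_event records into one (t, dx, dy) movement per SYN_REPORT."""
    moves, dx, dy = [], 0, 0
    for off in range(0, len(raw) - EVENT_SIZE + 1, EVENT_SIZE):
        sec, usec, etype, code, value = struct.unpack_from(EVENT_FMT, raw, off)
        if etype == EV_REL and code == REL_X:
            dx += value
        elif etype == EV_REL and code == REL_Y:
            dy += value
        elif etype == EV_SYN and code == SYN_REPORT:
            if dx or dy:
                moves.append((sec + usec / 1e6, dx, dy))
            dx = dy = 0
    return moves

def jiggler_verdict(moves, min_reports=8, max_interval_cv=0.05, max_step=2):
    """A hardware jiggler emits tiny, metronomic, self-cancelling movements; human input
    has irregular timing, larger steps and a net displacement. Thresholds are assumptions."""
    if len(moves) < min_reports:
        return {"jiggler": False, "reason": "too-few-reports", "reports": len(moves)}
    times = [t for t, _dx, _dy in moves]
    gaps = [b - a for a, b in zip(times, times[1:])]
    cv = statistics.pstdev(gaps) / statistics.mean(gaps)     # timing regularity (0 = metronome)
    step = max(abs(dx) + abs(dy) for _t, dx, dy in moves)     # largest single move
    net = abs(sum(dx for _t, dx, _dy in moves)) + abs(sum(dy for _t, _dx, dy in moves))
    is_jiggler = cv <= max_interval_cv and step <= max_step and net <= max_step
    return {"jiggler": is_jiggler, "interval_cv": round(cv, 4), "max_step": step,
            "net": net, "reports": len(moves)}

def build_stream(steps):
    """Pack (t, dx, dy) tuples into raw evdev bytes (used only to construct test input)."""
    out = b""
    for t, dx, dy in steps:
        sec, usec = int(t), int(round((t - int(t)) * 1e6))
        if dx:
            out += struct.pack(EVENT_FMT, sec, usec, EV_REL, REL_X, dx)
        if dy:
            out += struct.pack(EVENT_FMT, sec, usec, EV_REL, REL_Y, dy)
        out += struct.pack(EVENT_FMT, sec, usec, EV_SYN, SYN_REPORT, 0)
    return out

# Constructed samples: a dongle nudging the pointer 1 px left/right every 10 s, and a
# short burst of hand-driven pointer motion.
JIGGLER_STREAM = build_stream([(i * 10.0, 1 if i % 2 == 0 else -1, 0) for i in range(10)])
HUMAN_STREAM = build_stream([(0.00, 3, -1), (0.02, 7, -4), (0.05, 12, -9), (0.09, 6, -3),
                             (0.16, 2, 0), (1.30, -15, 8), (1.33, -22, 14), (1.37, -9, 6), (2.80, 4, 1)])

def watch_device(path, max_bytes=EVENT_SIZE * 200):
    """Judge one window from a real evdev node; blocks until 200 events have arrived and
    needs read access to /dev/input (see the udev rules in the setup section)."""
    with open(path, "rb") as fh:
        return jiggler_verdict(parse_evdev(fh.read(max_bytes)))

if __name__ == "__main__":
    print("jiggler:", jiggler_verdict(parse_evdev(JIGGLER_STREAM)))
    print("human:", jiggler_verdict(parse_evdev(HUMAN_STREAM)))
```

To find which event node a suspect HID mouse owns, match its sysfs path under /sys/class/input/event*/device against the USB device flagged by the whitelist check; a jiggler verdict on a device that is also not whitelisted is a much stronger signal than either alone.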

💾 Memory Protection

Implements hardware-backed encryption and memory protection to prevent unauthorized data extraction from system memory.

🌐 Network Monitoring

Continuously monitors network interfaces for suspicious activity and can automatically enable airplane mode upon threat detection.

Rigmaiden Protocol

Detection
- Monitors the cellular network for suspicious patterns
- Detects frequency hopping (common with IMSI-catchers/Stingrays)
- Analyzes unusual signal strengths and rapid changes
- Uses machine learning to detect abnormal network behavior
Reason: to identify and flag the presence of surveillance tools like Stingrays before they compromise privacy

Device Protection
- Enforces memory protection to prevent data extraction
- Implements multiple layers of encryption
- Monitors and protects critical system processes
- Tracks and verifies memory integrity
- Scans for suspicious patterns in system memory
Reason: to safeguard sensitive data and ensure the operating environment remains uncompromised

Automatic Response
- Enables airplane mode upon threat detection
- Activates geolocation spoofing
- Adds additional layers of encryption
- Blocks suspicious network connections
- Isolates and protects sensitive memory regions
Reason: to quickly contain threats and minimize exposure with real-time protective actions

Continuous Monitoring
- Runs in the background silently
- Regularly checks cellular network parameters
- Analyzes signal patterns and anomalies
- Monitors network traffic and system behavior
Reason: to maintain constant vigilance without user intervention or disruption

Fuzzy Model Protection
- Scans for database carving tools and suspicious directories
- Monitors processes for communications data extraction
- Detects user information and location data carving attempts
- Identifies manual examination and parsing tools
- Automatically quarantines carved files with encryption
- Clears suspicious directories to prevent data exfiltration
Reason: to prevent unauthorized extraction of sensitive communications, user data, and location information through database carving techniques

CFURL Cache Protection
- Monitors WebKit cache directories for exploitation attempts
- Detects suspicious cache-related processes and network activity
- Scans registry and plist files for cache manipulation
- Protects Safari cache from unauthorized access
- Encrypts and quarantines suspicious cache data
- Prevents cache-based data extraction attacks
Reason: to protect against WebKit cache exploitation and prevent unauthorized access to cached sensitive data

Use Cases (educational only; the list describes what the mechanisms would provide if they were deployed in practice)
- Defense against cellular surveillance (e.g., Stingrays, IMSI-catchers)
- Prevention of unauthorized data extraction from the device
- Privacy in sensitive or high-risk situations
- Protection of devices against advanced persistent threats
- Protection against database carving and cache exploitation
Reason: designed for users in high-risk environments who require reliable, autonomous security mechanisms
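
The cellular rules listed under Cellular Surveillance Detection and in the Detection section of the protocol above, as an added example that is not Rigmaiden's code. It assumes a feed of serving-cell observations (parsed from a modem's AT+CREG?/AT+COPS? responses, an Android TelephonyManager dump, or an SDR decoder; a laptop without such hardware has nothing to feed it) and a table of cells previously seen in the area. The field names, thresholds, known-cell table and observations are constructed for the example.

```python
# Added example, not Rigmaiden's own code: rule-based analysis of serving-cell observations.
# The observation schema, the known-cell table and the thresholds are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class CellObs:
    t: float      # seconds since start of capture
    rat: str      # radio access technology: "LTE" or "GSM"
    lac: int      # LAC (GSM) / TAC (LTE)
    cid: int      # cell identity
    rssi: int     # dBm, higher is stronger
    cipher: str   # "A5/0" = GSM with encryption off, "A5/1"/"A5/3", "EEA2" for LTE

def analyze(observations, known_cells, rssi_jump_db=20, window_s=30):
    """Return (t, rule) alerts; each rule is a classic IMSI-catcher indicator."""
    alerts, prev = [], None
    for o in observations:
        if (o.lac, o.cid) not in known_cells:
            alerts.append((o.t, "unknown-cell"))          # a cell never seen in this area
        if o.rat == "GSM" and o.cipher == "A5/0":
            # A fake base station has no Ki, cannot derive the session key, and so
            # signals A5/0 (no encryption) instead of A5/1 or A5/3.
            alerts.append((o.t, "cipher-disabled"))
        if prev is not None and o.t - prev.t <= window_s:
            if prev.rat == "LTE" and o.rat == "GSM":
                alerts.append((o.t, "rat-downgrade"))     # forced fallback to 2G
            if o.lac != prev.lac and o.cid == prev.cid:
                # Advertising a new LAC forces a location update, which makes the
                # phone identify itself; the cell ID did not change, only the LAC.
                alerts.append((o.t, "lac-change-same-cell"))
            if o.rssi - prev.rssi >= rssi_jump_db:
                alerts.append((o.t, "rssi-jump"))         # a very strong "tower" appeared
        prev = o
    return alerts

def verdict(alerts, min_distinct_rules=2):
    """Single indicators occur on real networks (a handover can jump RSSI), so
    require several distinct rules before calling the capture suspicious."""
    rules = {rule for _t, rule in alerts}
    return "suspicious" if len(rules) >= min_distinct_rules else "benign"

# Constructed: known cells for the area, a normal drive past three of them, and a capture
# in which the phone is pulled to 2G on an unknown, very strong, unencrypted cell.
KNOWN_CELLS = {(1234, 5001), (1234, 5002), (1234, 5003)}
BENIGN = [CellObs(0, "LTE", 1234, 5001, -90, "EEA2"), CellObs(30, "LTE", 1234, 5002, -84, "EEA2"),
          CellObs(60, "LTE", 1234, 5003, -78, "EEA2")]
SUSPECT = [CellObs(0, "LTE", 1234, 5001, -85, "EEA2"), CellObs(10, "LTE", 1234, 5002, -80, "EEA2"),
           CellObs(20, "GSM", 1234, 9999, -55, "A5/0"), CellObs(25, "GSM", 4321, 9999, -54, "A5/1")]

if __name__ == "__main__":
    for name, obs in (("benign", BENIGN), ("suspect", SUSPECT)):
        found = analyze(obs, KNOWN_CELLS)
        print(name, verdict(found), found)
```

The known-cell table is what makes the first rule useful: build it from several days of ordinary observations in the places the device normally lives, and treat a brand-new cell that is also the strongest one on the list as the rule that deserves the most weight.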

Installation & Setup Commands

📦 Prerequisites Installation

# Update system packages
sudo apt update && sudo apt upgrade -y  # Ubuntu/Debian
sudo yum update -y                      # CentOS/RHEL
brew update && brew upgrade             # macOS

# Install Python 3.8+ and pip
sudo apt install python3 python3-pip python3-venv git -y  # Linux
brew install python3 git                                   # macOS

# Install system dependencies
sudo apt install libusb-1.0-0-dev libudev-dev -y         # Linux USB support
sudo apt install build-essential cmake -y                  # Build tools

🔽 Quick Installation

# Clone the repository
git clone https://github.com/montana/rigmaiden.git
cd rigmaiden

# Create virtual environment
python3 -m venv rigmaiden-env
source rigmaiden-env/bin/activate  # Linux/macOS
# rigmaiden-env\Scripts\activate   # Windows

# Install dependencies
pip install --upgrade pip
pip install -r requirements.txt

# Install additional security libraries (the libusb bindings are published on PyPI as
# pyusb and imported as "usb"; "pip install usb" does not give you that package)
pip install cryptography pycryptodome
pip install psutil netifaces
pip install pyusb pyserial

🔧 Advanced Setup

# Set up USB device permissions (Linux)
sudo usermod -a -G dialout $USER
sudo usermod -a -G plugdev $USER

# Create udev rules for USB monitoring. Group access (0660) is enough once the user
# is in plugdev/dialout; 0666 would let every local account talk to every USB device,
# which is the opposite of what a USB defense tool should set up.
sudo tee /etc/udev/rules.d/99-rigmaiden.rules << 'EOF'
SUBSYSTEM=="usb", MODE="0660", GROUP="plugdev"
KERNEL=="ttyUSB*", MODE="0660", GROUP="dialout"
EOF

# Reload udev rules
sudo udevadm control --reload-rules
sudo udevadm trigger

# Log out and back in for the group changes to take effect (or run `newgrp plugdev` in the current shell)

⚙️ Configuration Setup

# Copy default configuration
cp config/rigmaiden.ini.example rigmaiden.ini

# Edit configuration file
nano rigmaiden.ini  # or vim/code

# Set environment variables
export RIGMAIDEN_MAX_MEMORY=1024    # MB
export RIGMAIDEN_MAX_CPU=80         # Percentage
export RIGMAIDEN_MAX_FILES=100      # Number of files
export RIGMAIDEN_LOG_LEVEL=INFO     # DEBUG/INFO/WARNING/ERROR
export RIGMAIDEN_USB_WHITELIST="05ac,0483,0781,0951"

# Make environment persistent
echo 'export RIGMAIDEN_MAX_MEMORY=1024' >> ~/.bashrc
echo 'export RIGMAIDEN_MAX_CPU=80' >> ~/.bashrc
source ~/.bashrc

🚀 Running Rigmaiden

Rigmaiden Interface in Action: live interface showing real-time monitoring and threat detection

# Basic execution
python3 rigmaiden.py

# Run with specific modules
python3 rigmaiden.py --usb          # USB monitoring only
python3 rigmaiden.py --cellebrite   # Cellebrite protection
python3 rigmaiden.py --jiggler      # Jiggler detection
python3 rigmaiden.py --cellular     # Cellular surveillance

# Run with configuration file
python3 rigmaiden.py --config /path/to/config.ini

# Run in background with logging
nohup python3 rigmaiden.py > rigmaiden.log 2>&1 &

# Check if running (match the full command line; "ps aux | grep rigmaiden" also lists the grep itself)
pgrep -af rigmaiden.py

🛠️ Service Installation

# Install as systemd service (Linux)
sudo cp scripts/rigmaiden.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable rigmaiden
sudo systemctl start rigmaiden

# Check service status
sudo systemctl status rigmaiden
sudo journalctl -u rigmaiden -f

# macOS LaunchAgent setup
cp scripts/com.rigmaiden.plist ~/Library/LaunchAgents/
launchctl load ~/Library/LaunchAgents/com.rigmaiden.plist
launchctl start com.rigmaiden

🔍 Testing & Verification

# Test USB detection
python3 test_usb.py

# Test cellular monitoring
python3 test_cellular.py

# Run system diagnostics
python3 rigmaiden.py --test

# View live logs
tail -f /var/log/rigmaiden/rigmaiden.log

# Check USB whitelist
python3 -c "from rigmaiden import USB; print(USB.get_whitelist())"

# Test emergency shutdown
python3 rigmaiden.py --test-shutdown

# Monitor system resources
python3 rigmaiden.py --monitor

🔐 Security Hardening

# Generate encryption keys
python3 scripts/generate_keys.py

# Set secure file permissions
chmod 600 config/rigmaiden.ini
chmod 700 logs/
chmod 755 rigmaiden.py

# Enable TPM (if available). tpm_tis is normally autoloaded, so check for the device node first
ls -l /dev/tpm* 2>/dev/null || sudo modprobe tpm_tis

# tcsd (TrouSerS) only talks to TPM 1.2. On a TPM 2.0 machine skip it and use
# tpm2-tools against /dev/tpmrm0 instead (optionally through the tpm2-abrmd service)
sudo systemctl enable tcsd
sudo systemctl start tcsd

# Configure firewall rules. Allow SSH before enabling so a remote session is not cut off;
# the default policy needs the "default" keyword ("ufw deny incoming" is not valid syntax)
sudo ufw allow ssh
sudo ufw default deny incoming
sudo ufw enable
sudo ufw status verbose

📊 Monitoring Commands

# Real-time USB monitoring
watch -n 1 'lsusb'

# Network interface monitoring
watch -n 1 'ip link show'

# Check for suspicious processes (name matching is a weak signal: a renamed binary
# evades it, so treat a hit as a reason to look closer, not as proof)
pgrep -afi 'cellebrite|jiggler|forensic'

# Monitor system calls (match the full command line: the process name is "python3",
# so a bare "pgrep rigmaiden" finds nothing)
sudo strace -p "$(pgrep -of rigmaiden.py)"

# View network connections (ss replaces the deprecated netstat on current distributions)
sudo ss -tulpn | grep rigmaiden

# Check memory usage
free -h && ps aux --sort=-%mem | head

Advanced Usage & Commands

🖥️ Command Line Interface

# Show all available options
python3 rigmaiden.py --help

# Run with verbose logging
python3 rigmaiden.py --verbose --log-level DEBUG

# Specify custom configuration
python3 rigmaiden.py --config /etc/rigmaiden/custom.ini

# Run specific protection modules
python3 rigmaiden.py --enable-usb --enable-cellular

# Dry run mode (testing without actions)
python3 rigmaiden.py --dry-run

# Force emergency shutdown test
python3 rigmaiden.py --emergency-test

📱 Module-Specific Commands

# USB Protection Module
python3 modules/usb_protection.py --scan
python3 modules/usb_protection.py --whitelist-add 1234:5678

# Cellular Surveillance Detection
python3 modules/cellular_monitor.py --scan-towers
python3 modules/cellular_monitor.py --detect-imsi

# Cellebrite Protection
python3 modules/cellebrite_block.py --monitor
python3 modules/cellebrite_block.py --block-ios

# Jiggler Detection
python3 modules/jiggler_detect.py --sensitivity high
python3 modules/jiggler_detect.py --auto-block

🔧 Configuration Management

# Generate default configuration
python3 rigmaiden.py --generate-config

# Validate current configuration
python3 rigmaiden.py --validate-config

# Backup current settings
python3 scripts/backup_config.py

# Restore from backup
python3 scripts/restore_config.py --file backup_20250105.tar.gz

# Reset to factory defaults
python3 scripts/reset_config.py --confirm

# Import/Export whitelist
python3 scripts/manage_whitelist.py --export whitelist.json
python3 scripts/manage_whitelist.py --import whitelist.json