Doctrine Arsenal Deploy Ops Intel GitHub ↗
RS-28 SARMAT / SATAN-2
CLASSIFIED // TOP SECRET
CODEWORD: ANNIHILATOR
AUTHORISED USE ONLY
Р-36М · ВОЕВОДА · С-2 · SATAN II
☢ COUNTER-FORENSICS · RED TEAM OPS
SECURE ANTI-FORENSICS AND TOTAL ANNIHILATION OF INFORMATION
Top Secret
☢ Red Team Use Only

SATAN2

Р-36М · Counter-Forensics · Framework

Advanced counter-forensics framework. Multi-pass wiping. Nested encryption. Filesystem implosion. Forensic artifact forgery. Embedded metadata poisoning. Misdirection payloads.
Terminate all traces.

Rust Linux + Windows AGPLv3 Red Team OPSEC
УНИЧТОЖЬ ВСЕ СЛЕДЫ · TERMINATE ALL TRACES · 666

Classified
Pressing Delete leaves a body. SATAN2 buries it, burns the grave, poisons the soil, and plants false witnesses.

SATAN2 does not slow forensic analysts — it makes their findings false.

Classical wiping tools focus on data destruction. SATAN2 goes further: it combines hardware-level erasure, multi-layer nested encryption, OS artefact annihilation, and systematic deception — forging plausible activity trails that misdirect and exhaust incident-response analysis.

01 // DESTROY

Annihilate

Hardware-level erasure: ATA Secure Erase, NVMe Format NVM, multi-pass overwrite, filesystem implosion, cluster tip & slack space wipe.

02 // ENCRYPT

Seal

Triple-layer nested encryption: AES-256, Twofish-256, Camellia-256, Kuznyechik-256 in XTS mode. Survivors yield nothing.

03 // ERASE

Vanish

Full OS artefact cleanup: logs, registry, journals, browser state, execution traces, NTFS journals, memory — across Linux and Windows.

04 // DECEIVE

Misdirect

Forge synthetic artefacts: fake Prefetch, ShimCache, BAM, LNK, event logs, login records — plus honey injection and compression traps.

Counter-Forensics Capabilities

Every module is independently usable. Combine freely based on your threat model.

WARHEAD-01
Destruction · Hardware

Multi-Pass Shredding

DoD 5220.22-M / Gutmann / Schneier patterns. 0xFF → 0x00 → random → truncate → unlink. ATA Secure Erase & NVMe Format NVM for firmware-level erasure.

Live
WARHEAD-02
Destruction · Filesystem

Filesystem Implosion

GPT primary+backup headers, MBR, ext4 primary+backup superblocks (sparse groups), XFS AG superblocks, Btrfs at 64K / 64M / 256G / 1P offsets. Slack space & cluster tip wipe.

Live
WARHEAD-03
Encryption · Multi-Layer

Nested Triple Encryption

AES-256-XTS → Twofish-256-XTS → Camellia-256-XTS → Kuznyechik-256. Independent keys per layer, PBKDF2-HMAC-SHA3-512 derivation. SATAN2CV container format.

Live
WARHEAD-04
Linux · Auth Logs

Linux Artifact Annihilation

auth.log, syslog, audit.log, kern.log, wtmp/utmp, lastlog, systemd journal, NetworkManager, GNOME Tracker, shell history, browser state (Chrome/FF/Brave), SSH keys, Docker.

Live
WARHEAD-05
Windows · Execution Traces

Windows Forensic Wipe

Prefetch, ShimCache, Amcache.hve, PCA, BAM/DAM, UserAssist, MUI Cache, BITS, $UsnJrnl, Event Logs, Windows Search (ESE + SQLite), SRUM, Timeline, JumpLists, RDP, PowerShell history.

Live
WARHEAD-06
Forgery · Windows

Forensic Artifact Forgery

Plant plausible fake trails: Prefetch v30 MAM (native Win10/11 format via ntdll!RtlCompressBuffer), ShimCache blobs, BAM entries, UserAssist, fake Event Logs, LNK files, MRU registry entries, browser history.

Live
WARHEAD-07
Forgery · Linux

Linux Log Forgery

Synthetic wtmp/utmp login records, lastlog per-UID entries, systemd journal injection via socket (undetectable even with FSS), auth.log / syslog forging, package install log fabrication.

Live
WARHEAD-08
Metadata · Timestamps

MACE Timestamp Scrambling

utimensat() with four strategies: random-plausible (2000–2024), random-full, epoch, clone-from-reference. File signature masking (magic bytes overwrite). Extended attribute removal.

Live
WARHEAD-09
Metadata · Embedded — Planned

Embedded Metadata Poisoning

EXIF GPS coordinates (fake location), fake camera model, author, timestamps for JPEG/PNG/TIFF. PDF Creator/Author/ModDate. Office dc:creator / lastModifiedBy. Pure-Rust, no exiftool dependency.

Planned
WARHEAD-10
Misdirection · Traps — Planned

Compression Traps & Archive Bombs

ZIP bombs (42 KB → 4.5 PB), recursive ZIP nesting, malformed RAR/7z headers, ZIP quines. Seeded as decoys. Designed to crash or hang binwalk, Autopsy, and forensic carving pipelines.

Planned
WARHEAD-11
Misdirection · Honey — Planned

Steganography Honey Injection

Plant fake "hidden messages" in JPEG/PNG LSB planes, PDF white-on-white layers, Office XML comments, WAV ID3 tags. Analyst finds "stego content" → decodes → discovers operationally empty garbage. Hours wasted.

Planned
WARHEAD-12
Audit · OPSEC

Post-Cleanup Self-Audit

Enumerate residual forensic artefacts after cleanup: severity scoring (HIGH / MED / LOW), per-category findings across auth logs, browser state, SSH keys, GNOME Tracker, swap, journal, wtmp.

Live

Build & Deploy

Pure Rust. No runtime. Cross-compile for Windows from Linux.

satan2 — terminal
# Prerequisites
$ rustup update stable

# Build Linux binary
$ cargo build --release -p satan2-cli

# Binary lands at:
$ ./target/release/satan2 --help
# Install cross-compile toolchain
$ rustup target add x86_64-pc-windows-gnu
$ sudo apt install gcc-mingw-w64-x86-64

# Build Windows binary from Linux
$ cargo build --release -p satan2-win \
    --target x86_64-pc-windows-gnu

# Binary lands at:
$ ./target/x86_64-pc-windows-gnu/release/satan2_win.exe
# Full workspace type-check (fast, all platforms)
$ cargo check --workspace

# Build all crates
$ cargo build --workspace

# Expected output: zero errors, zero warnings
Finished `dev` profile target(s) in 10s

Usage

Select the right warhead for your operation. Combine freely.

Linux — Wipe

Full Cleanup Sequence

satan2 wipe-logs
satan2 wipe-journal
satan2 wipe-browser
satan2 wipe-wtmp
satan2 wipe-shell-history
satan2 wipe-ssh
satan2 audit
Linux — Forge

Plant Fake Login Trail

satan2 forge-wtmp \
  --ts-start 1745107200 \
  --ts-end 1748736000
satan2 forge-journal \
  --ts-start 1745107200 \
  --ts-end 1748736000
Linux — Metadata

Timestamp Scrambling

satan2 timestomp /opt/tools \
  --strategy random-plausible

satan2 mask-signature ./binary
satan2 strip-xattr /data/sensitive/
Linux — Destroy

Hardware Erasure

satan2 ata-erase /dev/sda
satan2 nvme-erase /dev/nvme0
satan2 wipe-swap
satan2 fs-kill /dev/sdb
Windows — Wipe All

One-Shot Full Cleanup

.\satan2_win.exe destroy-all \
  --verbose
Windows — Forge

Plant Fake Activity Trail

.\satan2_win.exe forge-all \
  --ts-start 1745107200 \
  --ts-end 1748736000
Windows — Targeted

Execution Trace Forgery

.\satan2_win.exe forge-prefetch \
  --n 15 --ts-base 1748736000
.\satan2_win.exe forge-shimcache \
  --n 20 --ts-base 1748736000
.\satan2_win.exe forge-bam \
  --n 10 --ts-start 1745107200 \
  --ts-end 1748736000
Linux — Encrypt

Triple-Layer Encryption

satan2 encrypt-layers \
  /path/to/sensitive.tar
# → sensitive.tar.s2cv
# Layer 1: AES-256-XTS
# Layer 2: Twofish-256-XTS
# Layer 3: Camellia-256-XTS

Frequently Asked

What privileges are required on Windows? +

Most operations require NT AUTHORITY\SYSTEM or a high-integrity Administrator token. Registry and Event Log operations need at minimum local Administrator. Run from an elevated prompt or via token impersonation within an existing privileged session.

Does forge-prefetch produce files accepted by the live Windows OS? +

Yes. The forge-prefetch module produces v30 MAM-compressed files using ntdll!RtlCompressBuffer with XPRESS Huffman algorithm — the native format used by Windows 10/11 Sysmain. The Hsieh SuperFastHash is computed correctly over the full device path. Files are accepted and parsed by both the live OS and forensic tools (PECmd, Autopsy).

Is journal injection detectable even with FSS enabled? +

No — injection via /run/systemd/journal/socket is an architectural limitation of journald. FSS (Forward Secure Sealing) protects existing journal entries from retroactive modification, but injected entries appear as legitimate journal writes. Even with FSS active, a journal containing injected entries cannot be distinguished from a clean journal.

What does wipe-usn leave behind? +

EventID 3079 is written by the NTFS driver to the Application event log when the USN journal is deleted. Sysmon will log EID 1 on the fsutil.exe process creation if Sysmon is running. The wipe-evtlog command removes these traces. Run in order: wipe-usnwipe-evtlog.

How does the steganography honey injection misdirect analysts? +

Stego-detection tools (StegDetect, zsteg, stegseek) flag files with anomalous LSB planes or embedded payload signatures. SATAN2's honey injector plants content that looks like intentional covert channels — fake encrypted blobs, Base64-looking data, XOR'd patterns — but decodes to operationally empty garbage. The analyst confirms "steganographic activity detected", spends hours decoding, and finds nothing exploitable.

Can ATA Secure Erase be used on a live system drive? +

No — the drive must be the target (not the boot device). Most BIOS/UEFI will set drives to a "frozen" security state at boot, which prevents ATA Secure Erase from being issued. SATAN2 detects the frozen state and reports it. Common workaround: hot-unplug and re-plug the drive (not viable on servers), or use NVME Format NVM which has fewer restrictions.

☢ Initiate Sequence

Terminate All Traces

Authorised use only. For Red Team engagements, security research, and privacy protection.