Advanced counter-forensics framework. Multi-pass wiping. Nested encryption.
Filesystem implosion. Forensic artifact forgery. Embedded metadata poisoning.
Misdirection payloads.
Terminate all traces.
Pressing Delete leaves a body. SATAN2 buries it, burns the grave, poisons the soil, and plants false witnesses.
SATAN2 does not slow forensic analysts — it makes their findings false.
Classical wiping tools focus on data destruction. SATAN2 goes further: it combines hardware-level erasure, multi-layer nested encryption, OS artefact annihilation, and systematic deception — forging plausible activity trails that misdirect and exhaust incident-response analysis.
Hardware-level erasure: ATA Secure Erase, NVMe Format NVM, multi-pass overwrite, filesystem implosion, cluster tip & slack space wipe.
Triple-layer nested encryption: AES-256, Twofish-256, Camellia-256, Kuznyechik-256 in XTS mode. Survivors yield nothing.
Full OS artefact cleanup: logs, registry, journals, browser state, execution traces, NTFS journals, memory — across Linux and Windows.
Forge synthetic artefacts: fake Prefetch, ShimCache, BAM, LNK, event logs, login records — plus honey injection and compression traps.
Every module is independently usable. Combine freely based on your threat model.
DoD 5220.22-M / Gutmann / Schneier patterns. 0xFF → 0x00 → random → truncate → unlink. ATA Secure Erase & NVMe Format NVM for firmware-level erasure.
LiveGPT primary+backup headers, MBR, ext4 primary+backup superblocks (sparse groups), XFS AG superblocks, Btrfs at 64K / 64M / 256G / 1P offsets. Slack space & cluster tip wipe.
LiveAES-256-XTS → Twofish-256-XTS → Camellia-256-XTS → Kuznyechik-256. Independent keys per layer, PBKDF2-HMAC-SHA3-512 derivation. SATAN2CV container format.
Liveauth.log, syslog, audit.log, kern.log, wtmp/utmp, lastlog, systemd journal, NetworkManager, GNOME Tracker, shell history, browser state (Chrome/FF/Brave), SSH keys, Docker.
LivePrefetch, ShimCache, Amcache.hve, PCA, BAM/DAM, UserAssist, MUI Cache, BITS, $UsnJrnl, Event Logs, Windows Search (ESE + SQLite), SRUM, Timeline, JumpLists, RDP, PowerShell history.
LivePlant plausible fake trails: Prefetch v30 MAM (native Win10/11 format via ntdll!RtlCompressBuffer), ShimCache blobs, BAM entries, UserAssist, fake Event Logs, LNK files, MRU registry entries, browser history.
LiveSynthetic wtmp/utmp login records, lastlog per-UID entries, systemd journal injection via socket (undetectable even with FSS), auth.log / syslog forging, package install log fabrication.
Liveutimensat() with four strategies: random-plausible (2000–2024), random-full, epoch, clone-from-reference. File signature masking (magic bytes overwrite). Extended attribute removal.
LiveEXIF GPS coordinates (fake location), fake camera model, author, timestamps for JPEG/PNG/TIFF. PDF Creator/Author/ModDate. Office dc:creator / lastModifiedBy. Pure-Rust, no exiftool dependency.
PlannedZIP bombs (42 KB → 4.5 PB), recursive ZIP nesting, malformed RAR/7z headers, ZIP quines. Seeded as decoys. Designed to crash or hang binwalk, Autopsy, and forensic carving pipelines.
PlannedPlant fake "hidden messages" in JPEG/PNG LSB planes, PDF white-on-white layers, Office XML comments, WAV ID3 tags. Analyst finds "stego content" → decodes → discovers operationally empty garbage. Hours wasted.
PlannedEnumerate residual forensic artefacts after cleanup: severity scoring (HIGH / MED / LOW), per-category findings across auth logs, browser state, SSH keys, GNOME Tracker, swap, journal, wtmp.
LivePure Rust. No runtime. Cross-compile for Windows from Linux.
# Prerequisites $ rustup update stable # Build Linux binary $ cargo build --release -p satan2-cli # Binary lands at: $ ./target/release/satan2 --help
# Install cross-compile toolchain $ rustup target add x86_64-pc-windows-gnu $ sudo apt install gcc-mingw-w64-x86-64 # Build Windows binary from Linux $ cargo build --release -p satan2-win \ --target x86_64-pc-windows-gnu # Binary lands at: $ ./target/x86_64-pc-windows-gnu/release/satan2_win.exe
# Full workspace type-check (fast, all platforms) $ cargo check --workspace # Build all crates $ cargo build --workspace # Expected output: zero errors, zero warnings Finished `dev` profile target(s) in 10s
Select the right warhead for your operation. Combine freely.
satan2 wipe-logs satan2 wipe-journal satan2 wipe-browser satan2 wipe-wtmp satan2 wipe-shell-history satan2 wipe-ssh satan2 audit
satan2 forge-wtmp \ --ts-start 1745107200 \ --ts-end 1748736000 satan2 forge-journal \ --ts-start 1745107200 \ --ts-end 1748736000
satan2 timestomp /opt/tools \ --strategy random-plausible satan2 mask-signature ./binary satan2 strip-xattr /data/sensitive/
satan2 ata-erase /dev/sda satan2 nvme-erase /dev/nvme0 satan2 wipe-swap satan2 fs-kill /dev/sdb
.\satan2_win.exe destroy-all \ --verbose
.\satan2_win.exe forge-all \ --ts-start 1745107200 \ --ts-end 1748736000
.\satan2_win.exe forge-prefetch \ --n 15 --ts-base 1748736000 .\satan2_win.exe forge-shimcache \ --n 20 --ts-base 1748736000 .\satan2_win.exe forge-bam \ --n 10 --ts-start 1745107200 \ --ts-end 1748736000
satan2 encrypt-layers \
/path/to/sensitive.tar
# → sensitive.tar.s2cv
# Layer 1: AES-256-XTS
# Layer 2: Twofish-256-XTS
# Layer 3: Camellia-256-XTS
Most operations require NT AUTHORITY\SYSTEM or a high-integrity Administrator token. Registry and Event Log operations need at minimum local Administrator. Run from an elevated prompt or via token impersonation within an existing privileged session.
Yes. The forge-prefetch module produces v30 MAM-compressed files using ntdll!RtlCompressBuffer with XPRESS Huffman algorithm — the native format used by Windows 10/11 Sysmain. The Hsieh SuperFastHash is computed correctly over the full device path. Files are accepted and parsed by both the live OS and forensic tools (PECmd, Autopsy).
No — injection via /run/systemd/journal/socket is an architectural limitation of journald. FSS (Forward Secure Sealing) protects existing journal entries from retroactive modification, but injected entries appear as legitimate journal writes. Even with FSS active, a journal containing injected entries cannot be distinguished from a clean journal.
EventID 3079 is written by the NTFS driver to the Application event log when the USN journal is deleted. Sysmon will log EID 1 on the fsutil.exe process creation if Sysmon is running. The wipe-evtlog command removes these traces. Run in order: wipe-usn → wipe-evtlog.
Stego-detection tools (StegDetect, zsteg, stegseek) flag files with anomalous LSB planes or embedded payload signatures. SATAN2's honey injector plants content that looks like intentional covert channels — fake encrypted blobs, Base64-looking data, XOR'd patterns — but decodes to operationally empty garbage. The analyst confirms "steganographic activity detected", spends hours decoding, and finds nothing exploitable.
No — the drive must be the target (not the boot device). Most BIOS/UEFI will set drives to a "frozen" security state at boot, which prevents ATA Secure Erase from being issued. SATAN2 detects the frozen state and reports it. Common workaround: hot-unplug and re-plug the drive (not viable on servers), or use NVME Format NVM which has fewer restrictions.
Authorised use only. For Red Team engagements, security research, and privacy protection.