
Ghost Mode: Burning the Evidence After the Mission

The Scenario Nobody Wants to Think About

Picture this. A journalist in a country with an authoritarian regime has been using BPP to communicate with a source for three months. The network layer is airtight: traffic looks like regular Google Analytics requests. The DPI can't touch it.

Then, at 4 AM, there's a knock on the door. Police seize the laptop.

If BPP left behind log files, cached credentials, temporary files, or even fragments of encryption keys in RAM, the journalist is compromised. Not because the protocol failed on the wire, but because it left breadcrumbs on the machine.

This is why Ghost Mode exists. And honestly, building it was one of the most paranoid engineering exercises I've ever done.


What "Secure Deletion" Actually Means

Most people think deleting a file means it's gone. It's not. When you delete a file, the operating system just removes the pointer; the data stays on disk until something else overwrites it. Forensic tools like Autopsy, FTK, or even a simple dd command can recover "deleted" files months later.

Ghost Mode doesn't just delete. It overwrites.

We follow the DoD 5220.22-M standard, the U.S. Department of Defense's specification for sanitizing classified storage media. The standard specifies a three-pass overwrite:

  1. Pass 1: Overwrite with 0x00 (all zeros)
  2. Pass 2: Overwrite with 0xFF (all ones)
  3. Pass 3: Overwrite with cryptographically random data

Only after all three passes does the file get deleted. Even with electron microscopy on the disk platters, recovery becomes impractical.
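An added example (not BPP's own code) of the three-pass overwrite just described, in Go: each pass rewrites the whole file and fsyncs before the next one starts, and only then is the file unlinked. The names SecureWipe, WipePass and Passes are my own.

```go
package main

import (
	"crypto/rand"
	"io"
	"os"
)

// constReader yields an endless stream of one byte value (0x00 or 0xFF).
type constReader byte

func (c constReader) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = byte(c)
	}
	return len(p), nil
}

// Passes is the post's DoD 5220.22-M sequence: 0x00, 0xFF, then crypto/rand.
var Passes = []io.Reader{constReader(0x00), constReader(0xFF), rand.Reader}

// WipePass rewrites f from offset 0 with src, then fsyncs before the next pass.
func WipePass(f *os.File, size int64, src io.Reader) error {
	if _, err := f.Seek(0, io.SeekStart); err != nil {
		return err
	}
	if _, err := io.Copy(f, io.LimitReader(src, size)); err != nil {
		return err
	}
	return f.Sync()
}

// SecureWipe runs all three passes and only then unlinks the file. Caveat: on
// SSDs and on journaling or copy-on-write filesystems the old blocks can
// survive elsewhere, which is why NIST SP 800-88 prefers cryptographic erase.
func SecureWipe(path string) error {
	f, err := os.OpenFile(path, os.O_WRONLY, 0)
	if err != nil {
		return err
	}
	info, err := f.Stat()
	for i := 0; err == nil && i < len(Passes); i++ {
		err = WipePass(f, info.Size(), Passes[i])
	}
	f.Close() // close before unlink so this also works on Windows
	if err != nil {
		return err
	}
	return os.Remove(path)
}
```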


Memory: The Forgotten Attack Surface

Here's something that keeps me up at night: data in RAM.

When BPP holds your encryption keys, your password, or your chat messages in memory, that data exists as raw bytes in your computer's RAM. If the process crashes, gets killed, or the machine is seized while running, those bytes might still be there. Worse, on some systems RAM contents survive a reboot for a brief window (cold boot attacks).

Ghost Mode addresses this with explicit memory zeroing:

  • Shared secrets from the ECDH key exchange are overwritten byte-by-byte with zeros when the session closes
  • Passwords are overwritten with random data before the string is freed
  • Private keys are nullified: references are set to nil after zeroing the underlying buffer
  • Session state is reset to its zero value

This isn't Go's garbage collector doing its thing eventually. This is immediate, deterministic, byte-level destruction of sensitive material.
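An added Go example of the zeroing described above (not BPP's code; Session, Zeroize and Wiped are names I chose): secrets are kept as []byte so they can be overwritten in place, and Close destroys them deterministically instead of leaving it to the garbage collector.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/subtle"
)

// Session holds what Ghost Mode must destroy on close. Secrets live in []byte,
// never string: a Go string is immutable, so it cannot be overwritten in place.
type Session struct {
	priv     *ecdh.PrivateKey
	shared   []byte
	password []byte
}

// NewSession derives the X25519 shared secret with the peer's public key.
func NewSession(peer *ecdh.PublicKey, password []byte) (*Session, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	return &Session{priv: priv, shared: shared, password: password}, nil
}

// Zeroize overwrites b in place; every slice sharing its backing array sees zeros.
func Zeroize(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// Close wipes the shared secret, overwrites the password with random bytes and
// then zeros it, and drops the private key reference (ecdh.PrivateKey does not
// expose its bytes, so the reference is all that can be cleared here).
func (s *Session) Close() {
	Zeroize(s.shared)
	rand.Read(s.password)
	Zeroize(s.password)
	s.priv, s.shared, s.password = nil, nil, nil
}

// Wiped reports whether b is all zeros, in constant time.
func Wiped(b []byte) bool {
	return subtle.ConstantTimeCompare(b, make([]byte, len(b))) == 1
}
```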


The Windows Problem

Windows is forensics gold. The operating system hoards information about everything you do, often in places you'd never think to look:

Prefetch Files

Windows Prefetch (C:\Windows\Prefetch\) stores information about recently executed programs to speed up future launches. It records the executable name, execution count, timestamps, and even which DLLs were loaded. A forensic investigator's first stop.

Ghost Mode cleans Prefetch entries related to BPP execution. This requires admin privileges; if the user runs BPP without elevation, Ghost Mode logs a warning but continues with other cleanup.

Jump Lists and Recent Documents

The Windows taskbar and Start Menu track recently opened files and applications. Ghost Mode scrubs these lists.

Temporary Files

BPP creates temporary files during file transfers (chunks being reassembled via SmartLink). Ghost Mode tracks every temp file created during the session and applies DoD 5220.22-M erasure to each one before deletion.

Environment Variables

During execution, BPP may store transient configuration in environment variables. On exit, Ghost Mode clears any BPP-related environment variables from the process space.


Cross-Platform: It's Not Just Windows

BPP is cross-platform, and Ghost Mode needed to be too.

We used Go's build tag system (//go:build windows and //go:build !windows) for platform-specific implementations:

On Unix/Linux:

  • Clears relevant syslog entries
  • Removes utmp and wtmp login records
  • Scrubs shell history entries that might reference BPP
  • Applies the same DoD 5220.22-M file overwrite

On all platforms:

  • Memory zeroing of all cryptographic material
  • Temp file destruction
  • Environment variable cleanup

The User Experience Question

There's a tension in Ghost Mode's design. Maximum security means maximum cleanup, which means slower program exit and, in some cases, requiring admin privileges. We made these decisions:

  1. Ghost Mode is ON by default. You have to explicitly opt out with -ghost=false. The reasoning: if someone is using BPP, they're probably in a situation where forensic safety matters.
  2. Downloaded files are NOT wiped by default. If you received a document from a colleague, you probably want to keep it. But for high-risk scenarios, -wipe-downloads destroys everything received during the session.
  3. Failures are silent. If Ghost Mode can't clean Prefetch because the user isn't admin, it doesn't pop up an error dialog (which itself could be a forensic artifact). It moves on.

# Default: Ghost Mode enabled
./bpp-client

# For the truly paranoid
./bpp-client -wipe-downloads

# Only if you know what you're doing
./bpp-client -ghost=false

Testing Ghost Mode (Yes, You Can Test Anti-Forensics)

One of the more interesting challenges was validating that Ghost Mode actually works. You can't just trust that os.Remove() ran; you need to prove the data is unrecoverable.

Our test suite for Ghost Mode includes kernel-level memory scanning:

  1. Deploy BPP server in a Docker container
  2. Send a known payload string ([BPP_AUTOMATED_PAYLOAD_TEST]) through an encrypted session
  3. After the session closes and Ghost Mode runs, mount /proc/<PID>/mem on the host
  4. Binary regex scan the entire process memory for the payload string
  5. If the string is found, the test fails.

After hundreds of test runs, the payload has never been found in memory post-cleanup. The bytes are gone.


A Personal Note on Ethics

Ghost Mode is, by design, a tool that destroys evidence. That raises uncomfortable questions. Could it be used by criminals to hide their tracks? Yes. Could it help a bad actor avoid accountability? Potentially.

But the same is true of every security tool ever built. HTTPS protects both banks and phishing sites. Tor protects both whistleblowers and criminals. The lock on your front door protects both your family and, hypothetically, contraband.

We built Ghost Mode because the people who need secure communications the most (journalists, activists, dissidents, humanitarian workers) are the ones most likely to have their devices seized. They deserve tools that don't betray them after the fact.

Sources

  1. Department of Defense. "National Industrial Security Program Operating Manual (NISPOM)." DoD 5220.22-M, 2006.
  2. Halderman, J. A. et al. "Lest We Remember: Cold Boot Attacks on Encryption Keys." USENIX Security Symposium, 2008.
  3. Casey, E. "Digital Evidence and Computer Crime." Academic Press, 3rd Edition, 2011.
  4. NIST. "Guidelines for Media Sanitization." SP 800-88 Rev. 1, 2014. csrc.nist.gov
  5. The Go Programming Language Team. "Build Constraints." go.dev
  6. Carrier, B. "File System Forensic Analysis." Addison-Wesley, 2005.
  7. OWASP Foundation. "Secure Coding Guidelines Memory Management." owasp.org

Amine Boutouil

Security Architect · Technical Polymath

boutouil.me