---
name: pentest-opsec-evidence
description: Operator OPSEC + evidence handling — operator identity hygiene, source IP design, burner infrastructure, evidence chain of custody, log retention advisory. Triggers on OPSEC, operator anonymity, source IP hygiene, burner infrastructure, evidence chain, chain of custody, log retention, attribution, fingerprint hygiene.
license: MIT
compatibility: Works with Claude Code
allowed-tools: Read Write Edit Grep
metadata:
  author: badi
  badi-version: ">=1.24.0"
  category: pentest
  scope: advisory
  inspired-by: 0xSteph/pentest-ai-agents opsec-anonymizer
---

# pentest-opsec-evidence

Operator OPSEC and engagement evidence handling: minimizing the **operator's footprint** on target systems during a pentest, and storing evidence to a legal-grade standard.

## Triggers

- "assess OPSEC"
- "source IP concealment"
- "burner infrastructure"
- "fingerprint hygiene"
- "evidence chain of custody"
- "log retention policy"

## Operator Identity Hygiene

### Source IP Design

```
1. Burner cloud VM (AWS / DO / Linode)
   - Account: pentest firm's name, real name (do not hide the legal account)
   - VM: one per engagement, shut down at the end
   - Region: CHOOSE a region the client can observe

2. Residential proxy (selective use)
   - Use without legal authorization is wrong (even Tor carries attribution potential)
   - Only for testing inside a bug bounty / authorized engagement

3. Bastion + jump host
   - Operator <-> Bastion (own) <-> Cloud VM <-> target
   - Bastion log: timestamp + command + operator
```

### Browser/HTTP Fingerprint Hygiene

```bash
# Burp / proxy config
- User-Agent: realistic, version-current
- Accept-Language: target locale
- JA3 fingerprint: common browser (Chrome 119 default)

# Tool customization
nmap --max-rate 100 --randomize-hosts
curl -A "Mozilla/5.0 (compatible)" --resolve ...
```

### DNS / SNI Hygiene

```bash
# DNS over HTTPS (DoH)
# When resolving target names, use 1.1.1.1 DoH instead of your own ISP's DNS

# SNI: cover behind cloudfront / cloudflare
# (authorized engagements only, within the legal framework)
```

### Tooling Footprint

| Tool | Default Footprint | Stealthy Alternative |
|------|------------------|---------------------|
| nmap (default) | -sC -sV LOUD | -sT -sV --top-ports 100 --max-rate 100 |
| sqlmap (default) | Many requests, banner | --random-agent --delay 2 --threads 1 |
| BloodHound (default) | Mass LDAP | --throttle 30 --jitter 20 |
| ffuf | 1000 req/s | -t 5 -p 1 |
| nuclei | All templates | -tags sqli,xss only |

## Burner Infrastructure

```
Per engagement:
1. Build a VM (cloud / own VPS)
2. Separate SSH key pair (engagement-specific)
3. Install the tooling stack (Kali Light / Parrot)
4. End of engagement: snapshot + destroy
5. Snapshot: encrypted (BitLocker / VeraCrypt) cold storage

Persistent:
- Bug bounty researcher: one dedicated workstation
- Pentest firm: per-customer VM template
- Red team operator: 3 tiers (recon / exploit / post-ex, isolated from each other)
```

## Evidence Chain of Custody

To keep evidence to a forensic-grade standard:

```markdown
# Evidence Log Entry

## EVIDENCE ID: EVD-2026-05-15-001
**Engagement**: ACME Corp Pentest 2026 Q2
**Acquired**: 2026-05-15 14:23:01 UTC
**Acquired by**: <analyst name>, <analyst signature/badge>
**From**: ACME-WEB-PROD-01 (192.168.50.10) — authorized via Letter of Auth
**Tool**: nmap 7.93 — `nmap -sV --top-ports 1000 ...`
**File**: evidence/nmap_acme-web-prod-01_20260515_142301.xml
**Size**: 12,432 bytes
**SHA-256**: abc123def456...

## Chain
- 2026-05-15 14:23 — Acquired by <analyst>
- 2026-05-15 14:25 — Hashed + signed (SHA-256 + GPG)
- 2026-05-15 18:00 — Transferred to encrypted vault (LUKS)
- 2026-05-15 18:01 — Hash re-verified (matches)
- 2026-05-22 09:00 — Used in report writing (read-only)
- 2026-06-15 12:00 — Engagement closeout, vault sealed
- 2027-05-15 — Scheduled destruction (retention 1 yr)
```
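An added example, not part of the original skill: a small Python helper that builds the evidence record above (hash and size frozen at acquisition, append-only chain) and re-verifies the file later, so a modified file shows up as a "HASH MISMATCH" event in the chain. The file contents, names and actors in `run_demo` are constructed samples; GPG signing of the record is not covered here.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

def sha256_file(path: Path) -> str:
    """Stream the file so large XML/pcap evidence need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def _ts(when: Optional[datetime]) -> str:
    return (when or datetime.now(timezone.utc)).isoformat(timespec="seconds")

def acquire(path: Path, evidence_id: str, engagement: str, analyst: str,
            source: str, tool: str, when: Optional[datetime] = None) -> dict:
    """Build the evidence record at acquisition; hash and size are frozen here."""
    rec = {"evidence_id": evidence_id, "engagement": engagement,
           "acquired": _ts(when), "acquired_by": analyst, "from": source,
           "tool": tool, "file": str(path), "size": path.stat().st_size,
           "sha256": sha256_file(path), "chain": []}
    return add_event(rec, f"Acquired by {analyst}", analyst, when)

def add_event(rec: dict, event: str, actor: str, when: Optional[datetime] = None) -> dict:
    """Append-only custody trail; earlier entries are never edited."""
    rec["chain"].append({"at": _ts(when), "event": event, "by": actor})
    return rec

def verify(rec: dict, actor: str) -> bool:
    """Re-hash the file on disk against the acquisition hash and log the outcome."""
    p = Path(rec["file"])
    ok = p.is_file() and p.stat().st_size == rec["size"] and sha256_file(p) == rec["sha256"]
    add_event(rec, "Hash re-verified (matches)" if ok else "HASH MISMATCH - evidence tainted", actor)
    return ok

def run_demo() -> dict:
    """Constructed sample: an nmap XML output is acquired, verified, then tampered with."""
    d = Path(tempfile.mkdtemp())
    f = d / "nmap_acme-web-prod-01_20260515_142301.xml"
    f.write_bytes(b'<nmaprun scanner="nmap" version="7.93"></nmaprun>\n')
    rec = acquire(f, "EVD-2026-05-15-001", "ACME Corp Pentest 2026 Q2",
                  "analyst", "ACME-WEB-PROD-01 (192.168.50.10)", "nmap 7.93")
    before = verify(rec, "vault-transfer")          # untouched file: True
    f.write_bytes(b'<nmaprun scanner="nmap" version="7.93"><host/></nmaprun>\n')
    after = verify(rec, "report-writing")           # tampered file: False
    return {"before": before, "after_tamper": after, "events": len(rec["chain"]),
            "last_event": rec["chain"][-1]["event"]}
```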

## Log Retention Policy

```markdown
| Type | Retention | Encryption | Format |
|-----|-----------|------------|--------|
| Raw tool output | Engagement + 1 year | At rest + GPG | Original (xml, json, txt) |
| Screen recording | Engagement + 1 year | At rest | mp4 |
| HAR file (browser) | Engagement + 1 year | At rest | har.gz |
| Command history | Engagement + 1 year | At rest | shell history |
| Sensitive data (PII evidence) | Engagement + 30 days | Strong + 2FA | Encrypted, restricted |
| Cred-related | Engagement + 7 days | Strong | hashed, never plain |
```

## Engagement Closeout Checklist

```markdown
- [ ] Hash check on all evidence files
- [ ] Transfer to encrypted vault
- [ ] Burner VM snapshot + destroy
- [ ] Source IP whitelist entry removed by the client
- [ ] VPN config destroyed
- [ ] Engagement-specific SSH key destroyed
- [ ] Tool caches cleared (~/.cache/, ~/.local/share/sqlmap, ...)
- [ ] Browser history / Burp project cleared
- [ ] Client communications archived
- [ ] Retention timer started
```

## Anti-Attribution (Authorized Engagement)

```
- Tool default banner suppression (nmap --send-eth)
- HTTP User-Agent normalization
- Time-zone alignment (operator TZ != server log TZ pattern)
- Username convention (no "admin", "root" account)
- File timestamp normalization (touch -t after copy)
- No persistent identity carried across engagements (single engagement)
```

## Out-of-Scope

- Unauthorized false-flag operations
- Identity creation for non-pentest purposes
- Privacy-coin / cryptocurrency mixing (not in scope)
- Deliberately misattributing activity to a third party (hard refusal)
