diff --git a/README.md b/README.md index f41faee..b56b977 100644 --- a/README.md +++ b/README.md 
@@ -1,3 +1,368 @@ # pseudodisk -Allows Creation of a file which then gets mounted as a hard drive under linux, allowing for hex editor practice. \ No newline at end of file +A comprehensive toolkit for creating disk images with various filesystems for forensic analysis practice and education. + +## Features + +- **Multiple Filesystem Support**: NTFS, FAT32, exFAT, ext2/3/4, XFS +- **Partition Schemes**: GPT (modern) and MBR (legacy) +- **Interactive Configuration**: User-friendly prompts for all parameters +- **Automatic Loop Device Management**: Handles mounting and cleanup +- **Forensic-Ready**: Pre-configured for hex editor and forensic tool analysis + +## Prerequisites + +### Required Packages + +```bash +sudo apt-get update +sudo apt-get install -y \ + parted \ + util-linux \ + e2fsprogs \ + dosfstools +``` + +### Optional (for specific filesystems) + +```bash +# For NTFS support +sudo apt-get install ntfs-3g + +# For exFAT support +sudo apt-get install exfat-fuse exfat-utils + +# For XFS support +sudo apt-get install xfsprogs + +# For forensic analysis tools +sudo apt-get install sleuthkit +``` + +## Usage + +### Creating a Disk Image + +Run the main script with sudo: + +```bash +sudo ./create_forensic_disk.sh +``` + +The script will interactively prompt you for: + +1. **Filename**: Output file name (default: forensic_disk.dd) +2. **Size**: Choose from presets (100MB, 500MB, 1GB, 5GB) or custom +3. **Partition Scheme**: GPT or MBR +4. **Filesystem**: NTFS, FAT32, exFAT, ext2/3/4, XFS +5. **Volume Label**: Custom label for the filesystem +6. 
**Mount**: Option to mount immediately after creation + +### Example Session + +``` +========================================== + Forensic Disk Image Creator +========================================== + +Enter output filename (default: forensic_disk.dd): ntfsdisk.dd + +Disk Size Options: + 1) 100 MB (small, quick testing) + 2) 500 MB (medium) + 3) 1 GB (standard) + 4) 5 GB (large) + 5) Custom size + +Select disk size [1-5]: 2 + +Partition Scheme: + 1) GPT (GUID Partition Table) - Modern, Windows 10/11 default + 2) MBR (Master Boot Record) - Legacy, compatible with older systems + +Select partition scheme [1-2]: 1 + +Filesystem Type: + 1) NTFS (Windows default, requires ntfs-3g) + 2) FAT32 (Universal compatibility, 4GB file limit) + 3) exFAT (Modern, large file support) + 4) ext4 (Linux default) + 5) ext3 (Older Linux) + 6) ext2 (Legacy Linux, no journaling) + 7) XFS (High-performance Linux) + +Select filesystem [1-7]: 1 + +Enter volume label (default: FORENSIC): EVIDENCE +``` + +### Cleaning Up + +When finished with your analysis, use the cleanup script: + +```bash +# Clean up a specific disk image +sudo ./cleanup_forensic_disk.sh +# Enter filename when prompted + +# Or clean up all loop devices +sudo ./cleanup_forensic_disk.sh +# Type 'all' when prompted +``` + +## Forensic Analysis Guide + +### Basic Hex Analysis + +#### View raw disk structure +```bash +# Using hexdump +hexdump -C ntfsdisk.dd | less + +# Using xxd +xxd ntfsdisk.dd | less + +# View first 512 bytes (boot sector) +xxd -l 512 ntfsdisk.dd + +# View specific offset (e.g., partition table at 0x1BE for MBR) +xxd -s 0x1BE -l 64 ntfsdisk.dd +``` + +#### GUI Hex Editors +```bash +# Install Bless (GTK hex editor) +sudo apt-get install bless +bless ntfsdisk.dd + +# Or install GHex +sudo apt-get install ghex +ghex ntfsdisk.dd + +# Or install wxHexEditor (advanced) +sudo apt-get install wxhexeditor +wxhexeditor ntfsdisk.dd +``` + +### Partition Analysis + +```bash +# View partition table +sudo parted 
ntfsdisk.dd print + +# Or using fdisk +sudo fdisk -l ntfsdisk.dd + +# For GPT, use gdisk +sudo apt-get install gdisk +sudo gdisk -l ntfsdisk.dd +``` + +### Using The Sleuth Kit (TSK) + +```bash +# Install if not already present +sudo apt-get install sleuthkit + +# Display partition layout +mmls ntfsdisk.dd + +# Show filesystem details (offset from mmls output) +fsstat -o 2048 ntfsdisk.dd + +# List files in filesystem +fls -o 2048 -r ntfsdisk.dd + +# Display file content by inode +icat -o 2048 ntfsdisk.dd [inode_number] + +# Show deleted files +fls -o 2048 -rd ntfsdisk.dd + +# Timeline analysis +fls -o 2048 -m / -r ntfsdisk.dd > timeline.bodyfile +mactime -b timeline.bodyfile +``` + +### Manual Loop Device Management + +If you need more control over the loop device: + +```bash +# Attach image to loop device +sudo losetup -f ntfsdisk.dd + +# List all loop devices +sudo losetup -l + +# Find out which loop device is attached +sudo losetup -j ntfsdisk.dd + +# Mount the partition +sudo mkdir -p /mnt/forensic +sudo mount /dev/loop0p1 /mnt/forensic + +# When done, unmount +sudo umount /mnt/forensic + +# Detach loop device +sudo losetup -d /dev/loop0 +``` + +### Filesystem-Specific Analysis + +#### NTFS Analysis + +```bash +# View NTFS volume information +sudo apt-get install ntfs-3g +sudo ntfsinfo -m /dev/loop0p1 + +# Show NTFS file system usage +sudo ntfscluster -f /dev/loop0p1 + +# Recover deleted files +sudo apt-get install testdisk +sudo testdisk ntfsdisk.dd +``` + +#### FAT32 Analysis + +```bash +# View FAT information +sudo fsck.vfat -n /dev/loop0p1 + +# Or using sleuthkit +fsstat -o 2048 ntfsdisk.dd +``` + +#### ext4 Analysis + +```bash +# Dump ext4 superblock +sudo dumpe2fs /dev/loop0p1 + +# Check filesystem +sudo e2fsck -n /dev/loop0p1 + +# Show inode information +sudo debugfs -R 'stat ' /dev/loop0p1 +``` + +## Key Forensic Structures to Examine + +### Master Boot Record (MBR) +- **Location**: First 512 bytes (0x000-0x1FF) +- **Boot Code**: 0x000-0x1BD (446 bytes) 
+- **Partition Table**: 0x1BE-0x1FD (64 bytes, 4 entries × 16 bytes) +- **Signature**: 0x1FE-0x1FF (0x55AA) + +### GUID Partition Table (GPT) +- **Protective MBR**: Sector 0 (0x000-0x1FF) +- **GPT Header**: Sector 1 (0x200-0x3FF) +- **Partition Entries**: Sectors 2-33 (typically) +- **Backup GPT**: Last sectors of disk + +### NTFS Boot Sector +- **Jump Instruction**: 0x000-0x002 +- **OEM ID**: 0x003-0x00A ("NTFS ") +- **Bytes Per Sector**: 0x00B-0x00C +- **Sectors Per Cluster**: 0x00D +- **MFT Location**: 0x030-0x037 +- **Signature**: 0x1FE-0x1FF (0x55AA) + +### FAT32 Boot Sector +- **Jump Instruction**: 0x000-0x002 +- **OEM Name**: 0x003-0x00A +- **Bytes Per Sector**: 0x00B-0x00C +- **Sectors Per Cluster**: 0x00D +- **FAT Copies**: 0x010 +- **Signature**: 0x1FE-0x1FF (0x55AA) + +## Practice Exercises + +### Beginner Level + +1. **Identify Partition Scheme** + - Create disks with GPT and MBR + - Compare the first 512 bytes + - Identify the signature differences + +2. **Find the Filesystem Type** + - Create disks with different filesystems + - Examine boot sector signatures + - Identify OEM strings + +3. **Locate Partition Boundaries** + - Use hexdump to find partition start + - Verify with `parted` output + +### Intermediate Level + +4. **File Recovery Practice** + - Mount filesystem, create files, unmount + - Delete files from another mount + - Practice recovering deleted files + +5. **Metadata Analysis** + - Create files with specific timestamps + - Use TSK to extract timeline data + - Correlate timestamps with hex data + +6. **Slack Space Investigation** + - Create small files in large clusters + - Examine slack space for data remnants + - Understand cluster allocation + +### Advanced Level + +7. **Steganography Detection** + - Hide data in slack space + - Practice identifying hidden data + - Compare expected vs actual cluster usage + +8. 
**Partition Hiding** + - Create multiple partitions + - Modify partition table + - Practice recovering hidden partitions + +9. **Anti-Forensics Techniques** + - Study timestamp manipulation + - Examine wiping patterns + - Analyze file system corruption + +## Troubleshooting + +### Loop device not found +```bash +# Ensure loop module is loaded +sudo modprobe loop + +# Check available loop devices +ls -la /dev/loop* +``` + +### Permission denied +```bash +# Always use sudo for these operations +sudo ./create_forensic_disk.sh +``` + +### Partition not showing up +```bash +# Force kernel to re-read partition table +sudo partprobe /dev/loopX + +# Or detach and re-attach +sudo losetup -d /dev/loopX +sudo losetup -f ntfsdisk.dd +``` + +### Cannot unmount - device busy +```bash +# Find what's using it +sudo lsof | grep /mnt/forensic + +# Force unmount (use with caution) +sudo umount -l /mnt/forensic +``` \ No newline at end of file diff --git a/cleanup.sh b/cleanup.sh new file mode 100755 index 0000000..699b6fa --- /dev/null +++ b/cleanup.sh 
@@ -0,0 +1,116 @@ +#!/bin/bash + +# Forensic Disk Image Cleanup Helper +# Safely unmounts and detaches loop devices + +set -e + +RED='\033[0;31m' +GREEN='\033[0;32m' +YELLOW='\033[1;33m' +BLUE='\033[0;34m' +NC='\033[0m' + +print_info() { + echo -e "${BLUE}[INFO]${NC} $1" +} + +print_success() { + echo -e "${GREEN}[SUCCESS]${NC} $1" +} + +print_warning() { + echo -e "${YELLOW}[WARNING]${NC} $1" +} + +print_error() { + echo -e "${RED}[ERROR]${NC} $1" +} + +if [ "$EUID" -ne 0 ]; then + print_error "This script must be run as root (use sudo)" + exit 1 +fi + +echo "" +echo "==========================================" +echo " Forensic Disk Cleanup Tool" +echo "==========================================" +echo "" + +# Show current loop devices +print_info "Current loop devices:" +losetup -l + +echo "" +read -p "Enter the disk image filename to clean up (or 'all' for all loop devices): " TARGET + +if [ "$TARGET" = "all" ]; then + print_warning "This will unmount and detach ALL loop devices!" + read -p "Are you sure? (yes/no): " CONFIRM + + if [ "$CONFIRM" = "yes" ]; then + # Get all loop devices + LOOP_DEVICES=$(losetup -l -n -O NAME | tail -n +2) + + for LOOP in $LOOP_DEVICES; do + print_info "Processing $LOOP..." + + # Try to unmount all partitions + for PART in ${LOOP}p* ${LOOP}[0-9]*; do + if [ -e "$PART" ]; then + MOUNT_POINT=$(findmnt -n -o TARGET "$PART" 2>/dev/null || true) + if [ -n "$MOUNT_POINT" ]; then + print_info "Unmounting $PART from $MOUNT_POINT" + umount "$PART" || print_warning "Failed to unmount $PART" + fi + fi + done + + # Detach loop device + print_info "Detaching $LOOP" + losetup -d "$LOOP" || print_warning "Failed to detach $LOOP" + done + + print_success "Cleanup complete" + else + print_info "Cancelled" + fi +else + if [ ! 
-f "$TARGET" ]; then + print_error "File not found: $TARGET" + exit 1 + fi + + # Find loop device associated with this file + LOOP_DEVICE=$(losetup -l -n -O NAME,BACK-FILE | grep "$(realpath $TARGET)" | awk '{print $1}') + + if [ -z "$LOOP_DEVICE" ]; then + print_warning "No loop device found for $TARGET" + exit 0 + fi + + print_info "Found loop device: $LOOP_DEVICE" + + # Try to unmount all partitions + for PART in ${LOOP_DEVICE}p* ${LOOP_DEVICE}[0-9]*; do + if [ -e "$PART" ]; then + MOUNT_POINT=$(findmnt -n -o TARGET "$PART" 2>/dev/null || true) + if [ -n "$MOUNT_POINT" ]; then + print_info "Unmounting $PART from $MOUNT_POINT" + umount "$PART" || print_warning "Failed to unmount $PART" + fi + fi + done + + # Detach loop device + print_info "Detaching $LOOP_DEVICE" + losetup -d "$LOOP_DEVICE" + + print_success "Cleanup complete for $TARGET" +fi + +echo "" +print_info "Current loop devices after cleanup:" +losetup -l +echo "" \ No newline at end of file diff --git a/pseudodisk.sh b/pseudodisk.sh new file mode 100755 index 0000000..4e7bd74 --- /dev/null +++ b/pseudodisk.sh 
@@ -0,0 +1,394 @@ +#!/bin/bash + +# Forensic Practice Disk Image Creator +# Creates disk images with various filesystems for forensic analysis practice + +set -e # Exit on error + +# Color codes for output +RED='\033[0;31m' +GREEN='\033[0;32m' +YELLOW='\033[1;33m' +BLUE='\033[0;34m' +NC='\033[0m' # No Color + +# Function to print colored messages +print_info() { + echo -e "${BLUE}[INFO]${NC} $1" +} + +print_success() { + echo -e "${GREEN}[SUCCESS]${NC} $1" +} + +print_warning() { + echo -e "${YELLOW}[WARNING]${NC} $1" +} + +print_error() { + echo -e "${RED}[ERROR]${NC} $1" +} + +# Check if running as root +check_root() { + if [ "$EUID" -ne 0 ]; then + print_error "This script must be run as root (use sudo)" + exit 1 + fi +} + +# Function to check required tools +check_dependencies() { + local missing_tools=() + + command -v dd >/dev/null 2>&1 || missing_tools+=("coreutils") + command -v losetup >/dev/null 2>&1 || missing_tools+=("util-linux") + command -v parted >/dev/null 2>&1 || missing_tools+=("parted") + command -v mkfs.ext4 >/dev/null 2>&1 || missing_tools+=("e2fsprogs") + + if [ ${#missing_tools[@]} -gt 0 ]; then + print_error "Missing required packages: ${missing_tools[*]}" + print_info "Install with: sudo apt-get install ${missing_tools[*]}" + exit 1 + fi +} + +# Display banner +show_banner() { + echo "" + echo "==========================================" + echo " Forensic Disk Image Creator" + echo "==========================================" + echo "" +} + +# Get filename from user +get_filename() { + echo "" + read -p "Enter output filename (default: forensic_disk.dd): " FILENAME + FILENAME=${FILENAME:-forensic_disk.dd} + + if [ -f "$FILENAME" ]; then + read -p "File already exists. Overwrite? (y/n): " OVERWRITE + if [ "$OVERWRITE" != "y" ]; then + print_info "Exiting..." 
+ exit 0 + fi + fi +} + +# Get disk size from user +get_disk_size() { + echo "" + echo "Disk Size Options:" + echo " 1) 100 MB (small, quick testing)" + echo " 2) 500 MB (medium)" + echo " 3) 1 GB (standard)" + echo " 4) 5 GB (large)" + echo " 5) Custom size" + echo "" + read -p "Select disk size [1-5]: " SIZE_CHOICE + + case $SIZE_CHOICE in + 1) DISK_SIZE_MB=100 ;; + 2) DISK_SIZE_MB=500 ;; + 3) DISK_SIZE_MB=1024 ;; + 4) DISK_SIZE_MB=5120 ;; + 5) + read -p "Enter size in MB: " DISK_SIZE_MB + if ! [[ "$DISK_SIZE_MB" =~ ^[0-9]+$ ]] || [ "$DISK_SIZE_MB" -lt 10 ]; then + print_error "Invalid size. Must be at least 10 MB" + exit 1 + fi + ;; + *) + print_error "Invalid choice" + exit 1 + ;; + esac + + print_info "Selected disk size: ${DISK_SIZE_MB} MB" +} + +# Get partition scheme +get_partition_scheme() { + echo "" + echo "Partition Scheme:" + echo " 1) GPT (GUID Partition Table) - Modern, Windows 10/11 default" + echo " 2) MBR (Master Boot Record) - Legacy, compatible with older systems" + echo "" + read -p "Select partition scheme [1-2]: " PARTITION_CHOICE + + case $PARTITION_CHOICE in + 1) PARTITION_SCHEME="gpt" ;; + 2) PARTITION_SCHEME="msdos" ;; + *) + print_error "Invalid choice" + exit 1 + ;; + esac + + print_info "Selected partition scheme: $PARTITION_SCHEME" +} + +# Get filesystem type +get_filesystem() { + echo "" + echo "Filesystem Type:" + echo " 1) NTFS (Windows default, requires ntfs-3g)" + echo " 2) FAT32 (Universal compatibility, 4GB file limit)" + echo " 3) exFAT (Modern, large file support)" + echo " 4) ext4 (Linux default)" + echo " 5) ext3 (Older Linux)" + echo " 6) ext2 (Legacy Linux, no journaling)" + echo " 7) XFS (High-performance Linux)" + echo "" + read -p "Select filesystem [1-7]: " FS_CHOICE + + case $FS_CHOICE in + 1) + FILESYSTEM="ntfs" + if ! command -v mkfs.ntfs >/dev/null 2>&1; then + print_error "mkfs.ntfs not found. Install with: sudo apt-get install ntfs-3g" + exit 1 + fi + ;; + 2) FILESYSTEM="vfat" ;; + 3) + FILESYSTEM="exfat" + if ! 
command -v mkfs.exfat >/dev/null 2>&1; then + print_error "mkfs.exfat not found. Install with: sudo apt-get install exfat-utils" + exit 1 + fi + ;; + 4) FILESYSTEM="ext4" ;; + 5) FILESYSTEM="ext3" ;; + 6) FILESYSTEM="ext2" ;; + 7) + FILESYSTEM="xfs" + if ! command -v mkfs.xfs >/dev/null 2>&1; then + print_error "mkfs.xfs not found. Install with: sudo apt-get install xfsprogs" + exit 1 + fi + ;; + *) + print_error "Invalid choice" + exit 1 + ;; + esac + + print_info "Selected filesystem: $FILESYSTEM" +} + +# Get volume label +get_volume_label() { + echo "" + read -p "Enter volume label (default: FORENSIC): " VOLUME_LABEL + VOLUME_LABEL=${VOLUME_LABEL:-FORENSIC} +} + +# Create the disk image +create_disk_image() { + print_info "Creating disk image file: $FILENAME (${DISK_SIZE_MB} MB)..." + + # Use fallocate for faster creation if available + if command -v fallocate >/dev/null 2>&1; then + fallocate -l ${DISK_SIZE_MB}M "$FILENAME" + else + dd if=/dev/zero of="$FILENAME" bs=1M count=$DISK_SIZE_MB status=progress + fi + + print_success "Disk image created" +} + +# Setup loop device +setup_loop_device() { + print_info "Setting up loop device..." + LOOP_DEVICE=$(losetup -f) + losetup "$LOOP_DEVICE" "$FILENAME" + print_success "Loop device created: $LOOP_DEVICE" +} + +# Create partition table and partition +create_partitions() { + print_info "Creating $PARTITION_SCHEME partition table..." + + parted -s "$LOOP_DEVICE" mklabel "$PARTITION_SCHEME" + + print_info "Creating partition..." + + if [ "$PARTITION_SCHEME" = "gpt" ]; then + # For GPT, leave 1MB at start and end for alignment + parted -s "$LOOP_DEVICE" mkpart primary 1MiB 100% + else + # For MBR + parted -s "$LOOP_DEVICE" mkpart primary 1MiB 100% + fi + + # Inform kernel about partition table changes + partprobe "$LOOP_DEVICE" + sleep 1 + + print_success "Partition created" +} + +# Format the partition +format_partition() { + PARTITION="${LOOP_DEVICE}p1" + + # Check if partition device exists + if [ ! 
-e "$PARTITION" ]; then + print_warning "Partition device $PARTITION not found, trying alternative..." + PARTITION="${LOOP_DEVICE}1" + fi + + if [ ! -e "$PARTITION" ]; then + print_error "Cannot find partition device" + cleanup + exit 1 + fi + + print_info "Formatting partition with $FILESYSTEM filesystem..." + + case $FILESYSTEM in + ntfs) + mkfs.ntfs -f -L "$VOLUME_LABEL" "$PARTITION" + ;; + vfat) + mkfs.vfat -n "$VOLUME_LABEL" "$PARTITION" + ;; + exfat) + mkfs.exfat -n "$VOLUME_LABEL" "$PARTITION" + ;; + ext2|ext3|ext4) + mkfs."$FILESYSTEM" -L "$VOLUME_LABEL" "$PARTITION" + ;; + xfs) + mkfs.xfs -f -L "$VOLUME_LABEL" "$PARTITION" + ;; + esac + + print_success "Filesystem created" +} + +# Cleanup function +cleanup() { + if [ -n "$LOOP_DEVICE" ]; then + print_info "Cleaning up loop device..." + losetup -d "$LOOP_DEVICE" 2>/dev/null || true + fi +} + +# Mount the filesystem +mount_filesystem() { + echo "" + read -p "Do you want to mount the filesystem now? (y/n): " MOUNT_NOW + + if [ "$MOUNT_NOW" = "y" ]; then + MOUNT_POINT="/mnt/forensic_disk_$$" + mkdir -p "$MOUNT_POINT" + + print_info "Mounting to $MOUNT_POINT..." + mount "$PARTITION" "$MOUNT_POINT" + + print_success "Filesystem mounted at: $MOUNT_POINT" + print_info "To unmount: sudo umount $MOUNT_POINT" + + MOUNTED=true + fi +} + +# Display summary +show_summary() { + echo "" + echo "==========================================" + echo " Disk Image Creation Complete!" 
+ echo "==========================================" + echo "" + echo "Image File: $(realpath $FILENAME)" + echo "Size: ${DISK_SIZE_MB} MB" + echo "Partition Scheme: $PARTITION_SCHEME" + echo "Filesystem: $FILESYSTEM" + echo "Volume Label: $VOLUME_LABEL" + echo "Loop Device: $LOOP_DEVICE" + echo "Partition: $PARTITION" + if [ "$MOUNTED" = true ]; then + echo "Mount Point: $MOUNT_POINT" + fi + echo "" + echo "==========================================" + echo " Forensic Analysis Commands" + echo "==========================================" + echo "" + echo "View partition table:" + echo " sudo parted $FILENAME print" + echo " sudo fdisk -l $FILENAME" + echo "" + echo "Hex editor analysis:" + echo " hexdump -C $FILENAME | less" + echo " xxd $FILENAME | less" + echo " sudo apt-get install bless # GUI hex editor" + echo " bless $FILENAME" + echo "" + echo "Mount the image later:" + echo " sudo losetup -f $FILENAME" + echo " sudo losetup -l # List loop devices" + echo " sudo mount /dev/loopXp1 /mnt/mountpoint" + echo "" + echo "Analyze with forensic tools:" + echo " sudo apt-get install sleuthkit" + echo " mmls $FILENAME # Show partition layout" + echo " fsstat -o 2048 $FILENAME # Filesystem details" + echo " fls -o 2048 $FILENAME # List files" + echo "" + echo "Clean up (when done):" + if [ "$MOUNTED" = true ]; then + echo " sudo umount $MOUNT_POINT" + fi + echo " sudo losetup -d $LOOP_DEVICE" + echo "" +} + +# Trap to ensure cleanup on exit +trap cleanup EXIT + +# Main execution +main() { + show_banner + check_root + check_dependencies + + get_filename + get_disk_size + get_partition_scheme + get_filesystem + get_volume_label + + echo "" + echo "==========================================" + echo " Summary" + echo "==========================================" + echo "Filename: $FILENAME" + echo "Size: ${DISK_SIZE_MB} MB" + echo "Partition Scheme: $PARTITION_SCHEME" + echo "Filesystem: $FILESYSTEM" + echo "Volume Label: $VOLUME_LABEL" + echo "" + read -p "Proceed with 
creation? (y/n): " CONFIRM + + if [ "$CONFIRM" != "y" ]; then + print_info "Cancelled" + exit 0 + fi + + create_disk_image + setup_loop_device + create_partitions + format_partition + mount_filesystem + + show_summary +} + +# Run main function +main \ No newline at end of file
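Review bot: in the README hunk, the Usage and Cleaning Up sections (and the Troubleshooting "Permission denied" snippet) tell the user to run `sudo ./create_forensic_disk.sh` and `sudo ./cleanup_forensic_disk.sh`, but the files this patch adds are `pseudodisk.sh` and `cleanup.sh`, so every documented command fails with "No such file"; either rename the scripts or correct the README. Under "Manual Loop Device Management", `sudo losetup -f ntfsdisk.dd` followed by `sudo mount /dev/loop0p1 /mnt/forensic` assumes a partition node that a plain `losetup` does not create and assumes the device is loop0; use `losetup -fP ntfsdisk.dd` (or run `partprobe` as the Troubleshooting section already does) and take the device name from `losetup -j ntfsdisk.dd` before mounting. Minor: `sudo debugfs -R 'stat ' /dev/loop0p1` is missing the filespec argument to `stat`.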
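Review bot: in the cleanup.sh hunk, the "all" branch computes `LOOP_DEVICES=$(losetup -l -n -O NAME | tail -n +2)`, but `-n` already suppresses the heading line, so `tail -n +2` silently skips the first loop device, which is then never unmounted or detached; drop the `tail`. In the single-file branch, `losetup -l -n -O NAME,BACK-FILE | grep "$(realpath $TARGET)" | awk '{print $1}'` is a substring match (an image named `disk.dd` also matches `disk.dd.bak`, and the unquoted `$TARGET` breaks on paths with spaces) and can return several device names that `losetup -d "$LOOP_DEVICE"` then receives as a single argument; `losetup -j "$TARGET" -n -O NAME` is the exact lookup the README itself documents. Also, under `set -e` the unguarded `losetup -d "$LOOP_DEVICE"` in this branch aborts the script before the closing device listing if the detach fails, whereas the "all" branch tolerates that failure with `|| print_warning`; the two branches should behave the same.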
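Review bot: in the pseudodisk.sh hunk, `trap cleanup EXIT` is installed unconditionally, so on the success path `cleanup` runs `losetup -d "$LOOP_DEVICE"` right after `show_summary` has told the user `Loop Device: $LOOP_DEVICE` and listed `sudo losetup -d $LOOP_DEVICE` under "Clean up (when done)"; if the user declined to mount, the device is already gone, and if it was mounted the device is merely marked for detach on unmount, so the printed instructions are stale either way. Clear the trap once creation has succeeded (`trap - EXIT` before `show_summary`, or have `cleanup` honour a flag set at the end of `main`), or drop the loop device from the summary. Two smaller points: `LOOP_DEVICE=$(losetup -f)` followed by `losetup "$LOOP_DEVICE" "$FILENAME"` races with any concurrent loop setup, and `losetup -f --show "$FILENAME"` does both steps atomically (adding `-P` requests the partition scan at attach time, so `partprobe` becomes a fallback rather than the only mechanism); and the gpt and msdos branches of `create_partitions` run the identical `parted -s "$LOOP_DEVICE" mkpart primary 1MiB 100%`, so the if/else and its "leave 1MB at start and end" comment are misleading and can collapse to a single call.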