initial commit

This commit is contained in:
overcuriousity 2025-10-20 12:14:33 +02:00
parent 1e08476cc6
commit 454aab1df3
3 changed files with 876 additions and 1 deletion

README.md (367 changed lines)

@ -1,3 +1,368 @@
# pseudodisk # pseudodisk
Allows Creation of a file which then gets mounted as a hard drive under linux, allowing for hex editor practice. A comprehensive toolkit for creating disk images with various filesystems for forensic analysis practice and education.
## Features
- **Multiple Filesystem Support**: NTFS, FAT32, exFAT, ext2/3/4, XFS
- **Partition Schemes**: GPT (modern) and MBR (legacy)
- **Interactive Configuration**: User-friendly prompts for all parameters
- **Automatic Loop Device Management**: Handles mounting and cleanup
- **Forensic-Ready**: Pre-configured for hex editor and forensic tool analysis
## Prerequisites
### Required Packages
```bash
sudo apt-get update
sudo apt-get install -y \
parted \
util-linux \
e2fsprogs \
dosfstools
```
### Optional (for specific filesystems)
```bash
# For NTFS support
sudo apt-get install ntfs-3g
# For exFAT support
sudo apt-get install exfat-fuse exfat-utils
# For XFS support
sudo apt-get install xfsprogs
# For forensic analysis tools
sudo apt-get install sleuthkit
```
## Usage
### Creating a Disk Image
Run the main script with sudo:
```bash
sudo ./create_forensic_disk.sh
```
The script will interactively prompt you for:
1. **Filename**: Output file name (default: forensic_disk.dd)
2. **Size**: Choose from presets (100MB, 500MB, 1GB, 5GB) or custom
3. **Partition Scheme**: GPT or MBR
4. **Filesystem**: NTFS, FAT32, exFAT, ext2/3/4, XFS
5. **Volume Label**: Custom label for the filesystem
6. **Mount**: Option to mount immediately after creation
### Example Session
```
==========================================
Forensic Disk Image Creator
==========================================
Enter output filename (default: forensic_disk.dd): ntfsdisk.dd
Disk Size Options:
1) 100 MB (small, quick testing)
2) 500 MB (medium)
3) 1 GB (standard)
4) 5 GB (large)
5) Custom size
Select disk size [1-5]: 2
Partition Scheme:
1) GPT (GUID Partition Table) - Modern, Windows 10/11 default
2) MBR (Master Boot Record) - Legacy, compatible with older systems
Select partition scheme [1-2]: 1
Filesystem Type:
1) NTFS (Windows default, requires ntfs-3g)
2) FAT32 (Universal compatibility, 4GB file limit)
3) exFAT (Modern, large file support)
4) ext4 (Linux default)
5) ext3 (Older Linux)
6) ext2 (Legacy Linux, no journaling)
7) XFS (High-performance Linux)
Select filesystem [1-7]: 1
Enter volume label (default: FORENSIC): EVIDENCE
```
### Cleaning Up
When finished with your analysis, use the cleanup script:
```bash
# Clean up a specific disk image
sudo ./cleanup_forensic_disk.sh
# Enter filename when prompted
# Or clean up all loop devices
sudo ./cleanup_forensic_disk.sh
# Type 'all' when prompted
```
## Forensic Analysis Guide
### Basic Hex Analysis
#### View raw disk structure
```bash
# Using hexdump
hexdump -C ntfsdisk.dd | less
# Using xxd
xxd ntfsdisk.dd | less
# View first 512 bytes (boot sector)
xxd -l 512 ntfsdisk.dd
# View specific offset (e.g., partition table at 0x1BE for MBR)
xxd -s 0x1BE -l 64 ntfsdisk.dd
```
#### GUI Hex Editors
```bash
# Install Bless (GTK hex editor)
sudo apt-get install bless
bless ntfsdisk.dd
# Or install GHex
sudo apt-get install ghex
ghex ntfsdisk.dd
# Or install wxHexEditor (advanced)
sudo apt-get install wxhexeditor
wxhexeditor ntfsdisk.dd
```
### Partition Analysis
```bash
# View partition table
sudo parted ntfsdisk.dd print
# Or using fdisk
sudo fdisk -l ntfsdisk.dd
# For GPT, use gdisk
sudo apt-get install gdisk
sudo gdisk -l ntfsdisk.dd
```
### Using The Sleuth Kit (TSK)
```bash
# Install if not already present
sudo apt-get install sleuthkit
# Display partition layout
mmls ntfsdisk.dd
# Show filesystem details (offset from mmls output)
fsstat -o 2048 ntfsdisk.dd
# List files in filesystem
fls -o 2048 -r ntfsdisk.dd
# Display file content by inode
icat -o 2048 ntfsdisk.dd [inode_number]
# Show deleted files
fls -o 2048 -rd ntfsdisk.dd
# Timeline analysis
fls -o 2048 -m / -r ntfsdisk.dd > timeline.bodyfile
mactime -b timeline.bodyfile
```
### Manual Loop Device Management
If you need more control over the loop device:
```bash
# Attach image to loop device
sudo losetup -f ntfsdisk.dd
# List all loop devices
sudo losetup -l
# Find out which loop device is attached
sudo losetup -j ntfsdisk.dd
# Mount the partition
sudo mkdir -p /mnt/forensic
sudo mount /dev/loop0p1 /mnt/forensic
# When done, unmount
sudo umount /mnt/forensic
# Detach loop device
sudo losetup -d /dev/loop0
```
### Filesystem-Specific Analysis
#### NTFS Analysis
```bash
# View NTFS volume information
sudo apt-get install ntfs-3g
sudo ntfsinfo -m /dev/loop0p1
# Show NTFS file system usage
sudo ntfscluster -f /dev/loop0p1
# Recover deleted files
sudo apt-get install testdisk
sudo testdisk ntfsdisk.dd
```
#### FAT32 Analysis
```bash
# View FAT information
sudo fsck.vfat -n /dev/loop0p1
# Or using sleuthkit
fsstat -o 2048 ntfsdisk.dd
```
#### ext4 Analysis
```bash
# Dump ext4 superblock
sudo dumpe2fs /dev/loop0p1
# Check filesystem
sudo e2fsck -n /dev/loop0p1
# Show inode information
sudo debugfs -R 'stat <inode>' /dev/loop0p1
```
## Key Forensic Structures to Examine
### Master Boot Record (MBR)
- **Location**: First 512 bytes (0x000-0x1FF)
- **Boot Code**: 0x000-0x1BD (446 bytes)
- **Partition Table**: 0x1BE-0x1FD (64 bytes, 4 entries × 16 bytes)
- **Signature**: 0x1FE-0x1FF (0x55AA)
### GUID Partition Table (GPT)
- **Protective MBR**: Sector 0 (0x000-0x1FF)
- **GPT Header**: Sector 1 (0x200-0x3FF)
- **Partition Entries**: Sectors 2-33 (typically)
- **Backup GPT**: Last sectors of disk
### NTFS Boot Sector
- **Jump Instruction**: 0x000-0x002
- **OEM ID**: 0x003-0x00A ("NTFS ")
- **Bytes Per Sector**: 0x00B-0x00C
- **Sectors Per Cluster**: 0x00D
- **MFT Location**: 0x030-0x037
- **Signature**: 0x1FE-0x1FF (0x55AA)
### FAT32 Boot Sector
- **Jump Instruction**: 0x000-0x002
- **OEM Name**: 0x003-0x00A
- **Bytes Per Sector**: 0x00B-0x00C
- **Sectors Per Cluster**: 0x00D
- **FAT Copies**: 0x010
- **Signature**: 0x1FE-0x1FF (0x55AA)
## Practice Exercises
### Beginner Level
1. **Identify Partition Scheme**
- Create disks with GPT and MBR
- Compare the first 512 bytes
- Identify the signature differences
2. **Find the Filesystem Type**
- Create disks with different filesystems
- Examine boot sector signatures
- Identify OEM strings
3. **Locate Partition Boundaries**
- Use hexdump to find partition start
- Verify with `parted` output
### Intermediate Level
4. **File Recovery Practice**
- Mount filesystem, create files, unmount
- Delete files from another mount
- Practice recovering deleted files
5. **Metadata Analysis**
- Create files with specific timestamps
- Use TSK to extract timeline data
- Correlate timestamps with hex data
6. **Slack Space Investigation**
- Create small files in large clusters
- Examine slack space for data remnants
- Understand cluster allocation
### Advanced Level
7. **Steganography Detection**
- Hide data in slack space
- Practice identifying hidden data
- Compare expected vs actual cluster usage
8. **Partition Hiding**
- Create multiple partitions
- Modify partition table
- Practice recovering hidden partitions
9. **Anti-Forensics Techniques**
- Study timestamp manipulation
- Examine wiping patterns
- Analyze file system corruption
## Troubleshooting
### Loop device not found
```bash
# Ensure loop module is loaded
sudo modprobe loop
# Check available loop devices
ls -la /dev/loop*
```
### Permission denied
```bash
# Always use sudo for these operations
sudo ./create_forensic_disk.sh
```
### Partition not showing up
```bash
# Force kernel to re-read partition table
sudo partprobe /dev/loopX
# Or detach and re-attach
sudo losetup -d /dev/loopX
sudo losetup -f ntfsdisk.dd
```
### Cannot unmount - device busy
```bash
# Find what's using it
sudo lsof | grep /mnt/forensic
# Force unmount (use with caution)
sudo umount -l /mnt/forensic
```
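Review bot: the Usage and Cleaning Up sections name scripts this commit does not add. The README tells the reader to run `sudo ./create_forensic_disk.sh` and `sudo ./cleanup_forensic_disk.sh` (also repeated under Troubleshooting / Permission denied), but the two executables in this commit are `pseudodisk.sh` and `cleanup.sh`, so every copy-pasted command fails with "No such file or directory"; either rename the scripts or fix the four references. In Troubleshooting, `sudo umount -l /mnt/forensic` is labelled "Force unmount" but `-l` is a lazy unmount: the mount point disappears immediately while the filesystem stays mounted until the last open file is closed, so a following `losetup -d` can still see the device as busy; call it lazy, or show `umount -f` for the force case. Minor: the `fsstat -o 2048` / `fls -o 2048` examples hard-code the partition offset; it is correct for the 1MiB-aligned partition the script creates (sector 2048 at 512-byte sectors), but the comment "offset from mmls output" should make clear that the number is read from `mmls`, not fixed.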

cleanup.sh (new executable file, 116 changed lines)

@ -0,0 +1,116 @@
#!/bin/bash
# Forensic Disk Image Cleanup Helper
# Safely unmounts and detaches loop devices
set -e
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'
print_info() {
echo -e "${BLUE}[INFO]${NC} $1"
}
print_success() {
echo -e "${GREEN}[SUCCESS]${NC} $1"
}
print_warning() {
echo -e "${YELLOW}[WARNING]${NC} $1"
}
print_error() {
echo -e "${RED}[ERROR]${NC} $1"
}
if [ "$EUID" -ne 0 ]; then
print_error "This script must be run as root (use sudo)"
exit 1
fi
echo ""
echo "=========================================="
echo " Forensic Disk Cleanup Tool"
echo "=========================================="
echo ""
# Show current loop devices
print_info "Current loop devices:"
losetup -l
echo ""
read -p "Enter the disk image filename to clean up (or 'all' for all loop devices): " TARGET
if [ "$TARGET" = "all" ]; then
print_warning "This will unmount and detach ALL loop devices!"
read -p "Are you sure? (yes/no): " CONFIRM
if [ "$CONFIRM" = "yes" ]; then
# Get all loop devices
LOOP_DEVICES=$(losetup -l -n -O NAME | tail -n +2)
for LOOP in $LOOP_DEVICES; do
print_info "Processing $LOOP..."
# Try to unmount all partitions
for PART in ${LOOP}p* ${LOOP}[0-9]*; do
if [ -e "$PART" ]; then
MOUNT_POINT=$(findmnt -n -o TARGET "$PART" 2>/dev/null || true)
if [ -n "$MOUNT_POINT" ]; then
print_info "Unmounting $PART from $MOUNT_POINT"
umount "$PART" || print_warning "Failed to unmount $PART"
fi
fi
done
# Detach loop device
print_info "Detaching $LOOP"
losetup -d "$LOOP" || print_warning "Failed to detach $LOOP"
done
print_success "Cleanup complete"
else
print_info "Cancelled"
fi
else
if [ ! -f "$TARGET" ]; then
print_error "File not found: $TARGET"
exit 1
fi
# Find loop device associated with this file
LOOP_DEVICE=$(losetup -l -n -O NAME,BACK-FILE | grep "$(realpath $TARGET)" | awk '{print $1}')
if [ -z "$LOOP_DEVICE" ]; then
print_warning "No loop device found for $TARGET"
exit 0
fi
print_info "Found loop device: $LOOP_DEVICE"
# Try to unmount all partitions
for PART in ${LOOP_DEVICE}p* ${LOOP_DEVICE}[0-9]*; do
if [ -e "$PART" ]; then
MOUNT_POINT=$(findmnt -n -o TARGET "$PART" 2>/dev/null || true)
if [ -n "$MOUNT_POINT" ]; then
print_info "Unmounting $PART from $MOUNT_POINT"
umount "$PART" || print_warning "Failed to unmount $PART"
fi
fi
done
# Detach loop device
print_info "Detaching $LOOP_DEVICE"
losetup -d "$LOOP_DEVICE"
print_success "Cleanup complete for $TARGET"
fi
echo ""
print_info "Current loop devices after cleanup:"
losetup -l
echo ""
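Review bot: in the 'all' branch, `LOOP_DEVICES=$(losetup -l -n -O NAME | tail -n +2)` silently skips the first loop device: `-n` already suppresses the header line, so `tail -n +2` discards a real entry (typically `/dev/loop0`), which is then neither unmounted nor detached. Drop the `tail`, or drop `-n` and keep the `tail`, but not both. In the single-file branch, `grep "$(realpath $TARGET)"` is an unquoted, unanchored substring match on the BACK-FILE column, so cleaning up `disk.dd` also matches a device backed by `/some/path/ntfsdisk.dd`, and a path containing regex metacharacters matches the wrong thing; `losetup -j "$TARGET" -n -O NAME` (the same `-j` lookup the README documents under Manual Loop Device Management) returns exactly the devices associated with that file, and nothing else. Also note that the script runs under `set -e`, so the final unguarded `losetup -d "$LOOP_DEVICE"` aborts the script before the closing `losetup -l` listing whenever a partition could not be unmounted; guard it the way the 'all' branch does (`|| print_warning ...`) so the user still sees the post-cleanup state.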

pseudodisk.sh (new executable file, 394 changed lines)

@ -0,0 +1,394 @@
#!/bin/bash
# Forensic Practice Disk Image Creator
# Creates disk images with various filesystems for forensic analysis practice
set -e # Exit on error
# Color codes for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color
# Function to print colored messages
print_info() {
echo -e "${BLUE}[INFO]${NC} $1"
}
print_success() {
echo -e "${GREEN}[SUCCESS]${NC} $1"
}
print_warning() {
echo -e "${YELLOW}[WARNING]${NC} $1"
}
print_error() {
echo -e "${RED}[ERROR]${NC} $1"
}
# Check if running as root
check_root() {
if [ "$EUID" -ne 0 ]; then
print_error "This script must be run as root (use sudo)"
exit 1
fi
}
# Function to check required tools
check_dependencies() {
local missing_tools=()
command -v dd >/dev/null 2>&1 || missing_tools+=("coreutils")
command -v losetup >/dev/null 2>&1 || missing_tools+=("util-linux")
command -v parted >/dev/null 2>&1 || missing_tools+=("parted")
command -v mkfs.ext4 >/dev/null 2>&1 || missing_tools+=("e2fsprogs")
if [ ${#missing_tools[@]} -gt 0 ]; then
print_error "Missing required packages: ${missing_tools[*]}"
print_info "Install with: sudo apt-get install ${missing_tools[*]}"
exit 1
fi
}
# Display banner
show_banner() {
echo ""
echo "=========================================="
echo " Forensic Disk Image Creator"
echo "=========================================="
echo ""
}
# Get filename from user
get_filename() {
echo ""
read -p "Enter output filename (default: forensic_disk.dd): " FILENAME
FILENAME=${FILENAME:-forensic_disk.dd}
if [ -f "$FILENAME" ]; then
read -p "File already exists. Overwrite? (y/n): " OVERWRITE
if [ "$OVERWRITE" != "y" ]; then
print_info "Exiting..."
exit 0
fi
fi
}
# Get disk size from user
get_disk_size() {
echo ""
echo "Disk Size Options:"
echo " 1) 100 MB (small, quick testing)"
echo " 2) 500 MB (medium)"
echo " 3) 1 GB (standard)"
echo " 4) 5 GB (large)"
echo " 5) Custom size"
echo ""
read -p "Select disk size [1-5]: " SIZE_CHOICE
case $SIZE_CHOICE in
1) DISK_SIZE_MB=100 ;;
2) DISK_SIZE_MB=500 ;;
3) DISK_SIZE_MB=1024 ;;
4) DISK_SIZE_MB=5120 ;;
5)
read -p "Enter size in MB: " DISK_SIZE_MB
if ! [[ "$DISK_SIZE_MB" =~ ^[0-9]+$ ]] || [ "$DISK_SIZE_MB" -lt 10 ]; then
print_error "Invalid size. Must be at least 10 MB"
exit 1
fi
;;
*)
print_error "Invalid choice"
exit 1
;;
esac
print_info "Selected disk size: ${DISK_SIZE_MB} MB"
}
# Get partition scheme
get_partition_scheme() {
echo ""
echo "Partition Scheme:"
echo " 1) GPT (GUID Partition Table) - Modern, Windows 10/11 default"
echo " 2) MBR (Master Boot Record) - Legacy, compatible with older systems"
echo ""
read -p "Select partition scheme [1-2]: " PARTITION_CHOICE
case $PARTITION_CHOICE in
1) PARTITION_SCHEME="gpt" ;;
2) PARTITION_SCHEME="msdos" ;;
*)
print_error "Invalid choice"
exit 1
;;
esac
print_info "Selected partition scheme: $PARTITION_SCHEME"
}
# Get filesystem type
get_filesystem() {
echo ""
echo "Filesystem Type:"
echo " 1) NTFS (Windows default, requires ntfs-3g)"
echo " 2) FAT32 (Universal compatibility, 4GB file limit)"
echo " 3) exFAT (Modern, large file support)"
echo " 4) ext4 (Linux default)"
echo " 5) ext3 (Older Linux)"
echo " 6) ext2 (Legacy Linux, no journaling)"
echo " 7) XFS (High-performance Linux)"
echo ""
read -p "Select filesystem [1-7]: " FS_CHOICE
case $FS_CHOICE in
1)
FILESYSTEM="ntfs"
if ! command -v mkfs.ntfs >/dev/null 2>&1; then
print_error "mkfs.ntfs not found. Install with: sudo apt-get install ntfs-3g"
exit 1
fi
;;
2) FILESYSTEM="vfat" ;;
3)
FILESYSTEM="exfat"
if ! command -v mkfs.exfat >/dev/null 2>&1; then
print_error "mkfs.exfat not found. Install with: sudo apt-get install exfat-utils"
exit 1
fi
;;
4) FILESYSTEM="ext4" ;;
5) FILESYSTEM="ext3" ;;
6) FILESYSTEM="ext2" ;;
7)
FILESYSTEM="xfs"
if ! command -v mkfs.xfs >/dev/null 2>&1; then
print_error "mkfs.xfs not found. Install with: sudo apt-get install xfsprogs"
exit 1
fi
;;
*)
print_error "Invalid choice"
exit 1
;;
esac
print_info "Selected filesystem: $FILESYSTEM"
}
# Get volume label
get_volume_label() {
echo ""
read -p "Enter volume label (default: FORENSIC): " VOLUME_LABEL
VOLUME_LABEL=${VOLUME_LABEL:-FORENSIC}
}
# Create the disk image
create_disk_image() {
print_info "Creating disk image file: $FILENAME (${DISK_SIZE_MB} MB)..."
# Use fallocate for faster creation if available
if command -v fallocate >/dev/null 2>&1; then
fallocate -l ${DISK_SIZE_MB}M "$FILENAME"
else
dd if=/dev/zero of="$FILENAME" bs=1M count=$DISK_SIZE_MB status=progress
fi
print_success "Disk image created"
}
# Setup loop device
setup_loop_device() {
print_info "Setting up loop device..."
LOOP_DEVICE=$(losetup -f)
losetup "$LOOP_DEVICE" "$FILENAME"
print_success "Loop device created: $LOOP_DEVICE"
}
# Create partition table and partition
create_partitions() {
print_info "Creating $PARTITION_SCHEME partition table..."
parted -s "$LOOP_DEVICE" mklabel "$PARTITION_SCHEME"
print_info "Creating partition..."
if [ "$PARTITION_SCHEME" = "gpt" ]; then
# For GPT, leave 1MB at start and end for alignment
parted -s "$LOOP_DEVICE" mkpart primary 1MiB 100%
else
# For MBR
parted -s "$LOOP_DEVICE" mkpart primary 1MiB 100%
fi
# Inform kernel about partition table changes
partprobe "$LOOP_DEVICE"
sleep 1
print_success "Partition created"
}
# Format the partition
format_partition() {
PARTITION="${LOOP_DEVICE}p1"
# Check if partition device exists
if [ ! -e "$PARTITION" ]; then
print_warning "Partition device $PARTITION not found, trying alternative..."
PARTITION="${LOOP_DEVICE}1"
fi
if [ ! -e "$PARTITION" ]; then
print_error "Cannot find partition device"
cleanup
exit 1
fi
print_info "Formatting partition with $FILESYSTEM filesystem..."
case $FILESYSTEM in
ntfs)
mkfs.ntfs -f -L "$VOLUME_LABEL" "$PARTITION"
;;
vfat)
mkfs.vfat -n "$VOLUME_LABEL" "$PARTITION"
;;
exfat)
mkfs.exfat -n "$VOLUME_LABEL" "$PARTITION"
;;
ext2|ext3|ext4)
mkfs."$FILESYSTEM" -L "$VOLUME_LABEL" "$PARTITION"
;;
xfs)
mkfs.xfs -f -L "$VOLUME_LABEL" "$PARTITION"
;;
esac
print_success "Filesystem created"
}
# Cleanup function
cleanup() {
if [ -n "$LOOP_DEVICE" ]; then
print_info "Cleaning up loop device..."
losetup -d "$LOOP_DEVICE" 2>/dev/null || true
fi
}
# Mount the filesystem
mount_filesystem() {
echo ""
read -p "Do you want to mount the filesystem now? (y/n): " MOUNT_NOW
if [ "$MOUNT_NOW" = "y" ]; then
MOUNT_POINT="/mnt/forensic_disk_$$"
mkdir -p "$MOUNT_POINT"
print_info "Mounting to $MOUNT_POINT..."
mount "$PARTITION" "$MOUNT_POINT"
print_success "Filesystem mounted at: $MOUNT_POINT"
print_info "To unmount: sudo umount $MOUNT_POINT"
MOUNTED=true
fi
}
# Display summary
show_summary() {
echo ""
echo "=========================================="
echo " Disk Image Creation Complete!"
echo "=========================================="
echo ""
echo "Image File: $(realpath $FILENAME)"
echo "Size: ${DISK_SIZE_MB} MB"
echo "Partition Scheme: $PARTITION_SCHEME"
echo "Filesystem: $FILESYSTEM"
echo "Volume Label: $VOLUME_LABEL"
echo "Loop Device: $LOOP_DEVICE"
echo "Partition: $PARTITION"
if [ "$MOUNTED" = true ]; then
echo "Mount Point: $MOUNT_POINT"
fi
echo ""
echo "=========================================="
echo " Forensic Analysis Commands"
echo "=========================================="
echo ""
echo "View partition table:"
echo " sudo parted $FILENAME print"
echo " sudo fdisk -l $FILENAME"
echo ""
echo "Hex editor analysis:"
echo " hexdump -C $FILENAME | less"
echo " xxd $FILENAME | less"
echo " sudo apt-get install bless # GUI hex editor"
echo " bless $FILENAME"
echo ""
echo "Mount the image later:"
echo " sudo losetup -f $FILENAME"
echo " sudo losetup -l # List loop devices"
echo " sudo mount /dev/loopXp1 /mnt/mountpoint"
echo ""
echo "Analyze with forensic tools:"
echo " sudo apt-get install sleuthkit"
echo " mmls $FILENAME # Show partition layout"
echo " fsstat -o 2048 $FILENAME # Filesystem details"
echo " fls -o 2048 $FILENAME # List files"
echo ""
echo "Clean up (when done):"
if [ "$MOUNTED" = true ]; then
echo " sudo umount $MOUNT_POINT"
fi
echo " sudo losetup -d $LOOP_DEVICE"
echo ""
}
# Trap to ensure cleanup on exit
trap cleanup EXIT
# Main execution
main() {
show_banner
check_root
check_dependencies
get_filename
get_disk_size
get_partition_scheme
get_filesystem
get_volume_label
echo ""
echo "=========================================="
echo " Summary"
echo "=========================================="
echo "Filename: $FILENAME"
echo "Size: ${DISK_SIZE_MB} MB"
echo "Partition Scheme: $PARTITION_SCHEME"
echo "Filesystem: $FILESYSTEM"
echo "Volume Label: $VOLUME_LABEL"
echo ""
read -p "Proceed with creation? (y/n): " CONFIRM
if [ "$CONFIRM" != "y" ]; then
print_info "Cancelled"
exit 0
fi
create_disk_image
setup_loop_device
create_partitions
format_partition
mount_filesystem
show_summary
}
# Run main function
main
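Review bot: `trap cleanup EXIT` fires on every exit, including the successful one, so the loop device is detached the moment `show_summary` returns; the summary's `Loop Device: $LOOP_DEVICE` line and the printed `sudo losetup -d $LOOP_DEVICE` cleanup command then refer to a device that no longer exists (if the user chose to mount, `losetup -d` on the busy device only marks it autoclear, so it disappears together with `${LOOP_DEVICE}p1` as soon as the mount is released). Keep the trap for the failure path only, e.g. `trap cleanup ERR`, or run `trap - EXIT` before `show_summary`, since both the summary and the README promise a still-attached device. Separately, `LOOP_DEVICE=$(losetup -f)` followed by `losetup "$LOOP_DEVICE" "$FILENAME"` races with any other process that attaches a loop device in between; `LOOP_DEVICE=$(losetup -f --show -P "$FILENAME")` attaches atomically, prints the device name, and with `-P` has the kernel create the `${LOOP_DEVICE}p1` node directly instead of relying on the `partprobe` plus `sleep 1` and the `${LOOP_DEVICE}1` fallback in format_partition. Minor: the GPT and MBR branches of create_partitions run the identical `mkpart primary 1MiB 100%`, and the comment "leave 1MB at start and end" does not match the `100%` end; collapse the branches or make the end offset match the comment.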