From c29225d40bd8567d662f85f04fc282f40057a0b0 Mon Sep 17 00:00:00 2001 From: overcuriousity Date: Mon, 20 Oct 2025 13:42:19 +0200 Subject: [PATCH] default layouts added --- README.md | 183 ++++++++++++++++++--------------- pseudodisk.sh | 278 ++++++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 369 insertions(+), 92 deletions(-) diff --git a/README.md b/README.md index 40962d2..f96efff 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,7 @@ A comprehensive toolkit for creating disk images with various filesystems for fo ## Features - **Multiple Filesystem Support**: NTFS, FAT32, exFAT, ext2/3/4, XFS, swap +- **Preset Layouts**: Pre-configured layouts for Windows, Linux, and macOS systems - **Multi-Partition Support**: Create up to 4 partitions in a single disk image - **Partition Schemes**: GPT (modern) and MBR (legacy) - **Initialization Methods**: Choose between /dev/zero (fast), /dev/urandom (realistic), or fallocate (sparse) @@ -43,6 +44,34 @@ sudo apt-get install xfsprogs sudo apt-get install sleuthkit ``` +## Preset Layouts + +Choose from pre-configured layouts that simulate real operating systems: + +**Windows Presets:** +- Windows 11/10 (GPT, EFI + NTFS + Recovery) +- Windows Vista/7/8 (MBR, System Reserved + NTFS) +- Windows 2000/XP (MBR, Single NTFS) +- Windows 98/ME (MBR, Single FAT32) +- Windows 95 (MBR, Single FAT16) +- Windows 3.1 (MBR, Single FAT16) +- MS-DOS (MBR, Single FAT12) + +**Linux Presets:** +- Modern Linux (GPT, EFI + Root + Swap) +- Linux with /home (GPT, EFI + Root + Home) +- Classic Linux (MBR, Boot + Root + Swap) +- Minimal Linux (MBR, Single ext4) + +**macOS Presets:** +- Modern macOS (GPT, EFI + APFS) +- Legacy macOS (GPT, Single HFS+) + +**Custom Layout:** +- Full manual configuration with 1-4 partitions + +All presets can be customized during setup or used as-is. + ## Initialization Methods The script offers three methods for creating the disk image file: 
@@ -65,16 +94,6 @@ The script offers three methods for creating the disk image file: - Good for quick testing - May not be suitable for all forensic scenarios -## Multi-Partition Support - -Create complex disk layouts with up to 4 partitions: - -- Each partition can have a different filesystem -- Mix operating system types (Windows NTFS + Linux ext4) -- Include swap partitions for realistic Linux setups -- The last partition automatically uses remaining space -- Perfect for practicing partition table analysis - ## Usage ### Creating a Disk Image @@ -89,21 +108,25 @@ The script will: 1. Check filesystem tool availability 2. Interactively prompt you for: - **Filename**: Output file name (default: forensic_disk.dd) - - **Size**: Choose from presets (100MB, 500MB, 1GB, 5GB) or custom + - **Size**: Choose from presets (100MB, 500MB, 1GB, 5GB, 10GB) or custom - **Initialization Method**: /dev/zero, /dev/urandom, or fallocate - - **Partition Scheme**: GPT or MBR - - **Partition Count**: 1-4 partitions - - **Per-Partition Configuration**: - - Filesystem type (NTFS, FAT32, exFAT, ext2/3/4, XFS, swap) - - Size in MB (last partition uses remaining space) - - Volume label (except for swap) + - **Layout**: Select a preset or custom configuration + - **For Presets**: Option to use as-is or customize + - **For Custom**: + - Partition Scheme: GPT or MBR + - Partition Count: 1-4 partitions + - Per-Partition Configuration: + - Filesystem type (NTFS, FAT32, exFAT, ext2/3/4, XFS, swap, etc.) + - Size in MB (last partition uses remaining space) + - Volume label (except for swap) - **Mount**: Option to mount filesystems immediately after creation -### Example Session +### Example Session (with Preset) ``` ========================================== Forensic Disk Image Creator + Enhanced Edition v2.1 ========================================== Checking filesystem tool availability... 
@@ -115,71 +138,60 @@ Checking filesystem tool availability... ✓ XFS (mkfs.xfs available) ✓ swap (mkswap available) -Enter output filename (default: forensic_disk.dd): ntfsdisk.dd +Enter output filename (default: forensic_disk.dd): win11.dd Disk Size Options: 1) 100 MB (small, quick testing) 2) 500 MB (medium) 3) 1 GB (standard) 4) 5 GB (large) - 5) Custom size + 5) 10 GB (very large) + 6) Custom size -Select disk size [1-5]: 2 +Select disk size [1-6]: 3 Initialization Method: 1) /dev/zero (Fast, zeros - forensically predictable) - 2) /dev/random (Slow, random data - more realistic) + 2) /dev/urandom (Slow, random data - more realistic) 3) fallocate (Fastest, sparse file) Select initialization method [1-3]: 1 -Partition Scheme: - 1) GPT (GUID Partition Table) - Modern, Windows 10/11 default - 2) MBR (Master Boot Record) - Legacy, compatible with older systems - -Select partition scheme [1-2]: 1 - -How many partitions? (1-4): 2 - ========================================== - Partition 1 Configuration + Disk Layout ========================================== -Filesystem Type: - 1) NTFS (Windows default) - 2) FAT32 (Universal compatibility) - 3) exFAT (Modern, large file support) - 4) ext4 (Linux default) - 5) ext3 (Older Linux) - 6) ext2 (Legacy Linux, no journaling) - 7) XFS (High-performance Linux) - 8) swap (Linux swap space) +Layout Presets: -Select filesystem for partition 1 [1-8]: 1 + Windows Presets: + 1) Windows 11/10 (GPT, EFI + NTFS + Recovery) + 2) Windows Vista/7/8 (MBR, System Reserved + NTFS) + 3) Windows 2000/XP (MBR, Single NTFS) + 4) Windows 98/ME (MBR, Single FAT32) + 5) Windows 95 (MBR, Single FAT16) + 6) Windows 3.1 (MBR, Single FAT16) + 7) MS-DOS (MBR, Single FAT12) -Size for partition 1 in MB: 400 + Linux Presets: + 8) Modern Linux (GPT, EFI + Root + Swap) + 9) Linux with /home (GPT, EFI + Root + Home) + 10) Classic Linux (MBR, Boot + Root + Swap) + 11) Minimal Linux (MBR, Single ext4) -Volume label for partition 1 (default: PART1): EVIDENCE + 
macOS Presets: + 12) Modern macOS (GPT, EFI + APFS) + 13) Legacy macOS (GPT, Single HFS+) -========================================== - Partition 2 Configuration -========================================== + Custom: + 14) Custom layout (manual configuration) -Filesystem Type: - 1) NTFS (Windows default) - 2) FAT32 (Universal compatibility) - 3) exFAT (Modern, large file support) - 4) ext4 (Linux default) - 5) ext3 (Older Linux) - 6) ext2 (Legacy Linux, no journaling) - 7) XFS (High-performance Linux) - 8) swap (Linux swap space) +Select layout [1-14]: 1 -Select filesystem for partition 2 [1-8]: 4 +[INFO] Preset: Windows 11/10 (GPT) +[NOTE] EFI System Partition (260MB) + Main Windows (auto) + Recovery (500MB) -[INFO] Partition 2 will use remaining space - -Volume label for partition 2 (default: PART2): DATA +Customize this preset? (y/n, default: n): n +[INFO] Using preset configuration as-is ``` ### Cleaning Up @@ -203,45 +215,45 @@ sudo ./cleanup.sh #### View raw disk structure ```bash # Using hexdump -hexdump -C ntfsdisk.dd | less +hexdump -C win11.dd | less # Using xxd -xxd ntfsdisk.dd | less +xxd win11.dd | less # View first 512 bytes (boot sector) -xxd -l 512 ntfsdisk.dd +xxd -l 512 win11.dd # View specific offset (e.g., partition table at 0x1BE for MBR) -xxd -s 0x1BE -l 64 ntfsdisk.dd +xxd -s 0x1BE -l 64 win11.dd ``` #### GUI Hex Editors ```bash # Install Bless (GTK hex editor) sudo apt-get install bless -bless ntfsdisk.dd +bless win11.dd # Or install GHex sudo apt-get install ghex -ghex ntfsdisk.dd +ghex win11.dd # Or install wxHexEditor (advanced) sudo apt-get install wxhexeditor -wxhexeditor ntfsdisk.dd +wxhexeditor win11.dd ``` ### Partition Analysis ```bash # View partition table -sudo parted ntfsdisk.dd print +sudo parted win11.dd print # Or using fdisk -sudo fdisk -l ntfsdisk.dd +sudo fdisk -l win11.dd # For GPT, use gdisk sudo apt-get install gdisk -sudo gdisk -l ntfsdisk.dd +sudo gdisk -l win11.dd ``` ### Using The Sleuth Kit (TSK) 
@@ -251,22 +263,22 @@ sudo gdisk -l ntfsdisk.dd sudo apt-get install sleuthkit # Display partition layout -mmls ntfsdisk.dd +mmls win11.dd # Show filesystem details (offset from mmls output) -fsstat -o 2048 ntfsdisk.dd +fsstat -o 2048 win11.dd # List files in filesystem -fls -o 2048 -r ntfsdisk.dd +fls -o 2048 -r win11.dd # Display file content by inode -icat -o 2048 ntfsdisk.dd [inode_number] +icat -o 2048 win11.dd [inode_number] # Show deleted files -fls -o 2048 -rd ntfsdisk.dd +fls -o 2048 -rd win11.dd # Timeline analysis -fls -o 2048 -m / -r ntfsdisk.dd > timeline.bodyfile +fls -o 2048 -m / -r win11.dd > timeline.bodyfile mactime -b timeline.bodyfile ``` @@ -276,13 +288,13 @@ If you need more control over the loop device: ```bash # Attach image to loop device -sudo losetup -f ntfsdisk.dd +sudo losetup -f win11.dd # List all loop devices sudo losetup -l # Find out which loop device is attached -sudo losetup -j ntfsdisk.dd +sudo losetup -j win11.dd # Mount the partition sudo mkdir -p /mnt/forensic @@ -309,7 +321,7 @@ sudo ntfscluster -f /dev/loop0p1 # Recover deleted files sudo apt-get install testdisk -sudo testdisk ntfsdisk.dd +sudo testdisk win11.dd ``` #### FAT32 Analysis @@ -319,7 +331,7 @@ sudo testdisk ntfsdisk.dd sudo fsck.vfat -n /dev/loop0p1 # Or using sleuthkit -fsstat -o 2048 ntfsdisk.dd +fsstat -o 2048 win11.dd ``` #### ext4 Analysis @@ -370,12 +382,12 @@ sudo debugfs -R 'stat ' /dev/loop0p1 ### Beginner Level 1. **Identify Partition Scheme** - - Create disks with GPT and MBR + - Create disks with different Windows versions (MBR vs GPT) - Compare the first 512 bytes - Identify the signature differences 2. **Find the Filesystem Type** - - Create disks with different filesystems + - Create disks with different filesystems using presets - Examine boot sector signatures - Identify OEM strings 
@@ -417,6 +429,11 @@ sudo debugfs -R 'stat ' /dev/loop0p1
 - Examine wiping patterns
 - Analyze file system corruption
 
+10. **Cross-OS Analysis**
+ - Create Windows and Linux dual-boot layout
+ - Analyze different partition schemes
+ - Practice identifying filesystem boundaries
+
 ## Troubleshooting
 
 ### Loop device not found
@@ -431,7 +448,7 @@ ls -la /dev/loop*
 ### Permission denied
 ```bash
 # Always use sudo for these operations
-sudo ./create_forensic_disk.sh
+sudo ./pseudodisk.sh
 ```
 
 ### Partition not showing up
@@ -441,7 +458,7 @@ sudo partprobe /dev/loopX
 # Or detach and re-attach
 sudo losetup -d /dev/loopX
-sudo losetup -f ntfsdisk.dd
+sudo losetup -f win11.dd
 ```
 
 ### Cannot unmount - device busy
diff --git a/pseudodisk.sh b/pseudodisk.sh
index c8fb275..b6139b2 100755
--- a/pseudodisk.sh
+++ b/pseudodisk.sh
@@ -4,7 +4,7 @@
 # Creates disk images with various filesystems for forensic analysis practice
 # Now with improved UX, sanity checks, and extended filesystem support
 
-set -e # Exit on error
+#set -e # Exit on error
 
 # Color codes for output
 RED='\033[0;31m'
@@ -285,7 +285,7 @@ show_banner() {
 echo ""
 echo "=========================================="
 echo " Forensic Disk Image Creator"
- echo " Enhanced Edition v2.0"
+ echo " Enhanced Edition v2.1"
 echo "=========================================="
 echo ""
 }
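Review bot: Commenting out `set -e` in the `@@ -4,7 +4,7 @@` hunk turns every unchecked failure of parted, mkfs, losetup or dd into a silent continue, so the script can print a success summary and offer to mount an image whose partition table or filesystem was never written. The trailing `# Exit on error` comment is now false; if a specific construct in the new preset flow was tripping `-e`, that construct should be fixed or guarded with `|| true` rather than disabling error exit for the whole script, and the line should at least record why, e.g. `#set -e  # disabled in v2.1: <reason>`. Whether the image-building commands check their own exit status is outside this hunk, so I cannot say which failures are still caught.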
@@ -396,6 +396,239 @@ get_init_method() { print_info "Selected initialization method: $INIT_METHOD" } +# Get preset or custom layout +get_preset_or_custom() { + USE_PRESET=false + + echo "" + echo "==========================================" + echo " Disk Layout" + echo "==========================================" + echo "" + echo "Layout Presets:" + echo "" + echo " Windows Presets:" + echo " 1) Windows 11/10 (GPT, EFI + NTFS + Recovery)" + echo " 2) Windows Vista/7/8 (MBR, System Reserved + NTFS)" + echo " 3) Windows 2000/XP (MBR, Single NTFS)" + echo " 4) Windows 98/ME (MBR, Single FAT32)" + echo " 5) Windows 95 (MBR, Single FAT16)" + echo " 6) Windows 3.1 (MBR, Single FAT16)" + echo " 7) MS-DOS (MBR, Single FAT12)" + echo "" + echo " Linux Presets:" + echo " 8) Modern Linux (GPT, EFI + Root + Swap)" + echo " 9) Linux with /home (GPT, EFI + Root + Home)" + echo " 10) Classic Linux (MBR, Boot + Root + Swap)" + echo " 11) Minimal Linux (MBR, Single ext4)" + echo "" + echo " macOS Presets:" + echo " 12) Modern macOS (GPT, EFI + APFS)" + echo " 13) Legacy macOS (GPT, Single HFS+)" + echo "" + echo " Custom:" + echo " 14) Custom layout (manual configuration)" + echo "" + read -p "Select layout [1-14]: " PRESET_CHOICE + + case $PRESET_CHOICE in + 1) # Windows 11/10 + USE_PRESET=true + PARTITION_SCHEME="gpt" + PARTITION_COUNT=3 + print_info "Preset: Windows 11/10 (GPT)" + print_note "EFI System Partition (260MB) + Main Windows (auto) + Recovery (500MB)" + ;; + 2) # Windows Vista/7/8 + USE_PRESET=true + PARTITION_SCHEME="msdos" + PARTITION_COUNT=2 + print_info "Preset: Windows Vista/7/8 (MBR)" + print_note "System Reserved (100MB) + Main Windows (auto)" + ;; + 3) # Windows 2000/XP + USE_PRESET=true + PARTITION_SCHEME="msdos" + PARTITION_COUNT=1 + print_info "Preset: Windows 2000/XP (MBR)" + print_note "Single NTFS partition" + ;; + 4) # Windows 98/ME + USE_PRESET=true + PARTITION_SCHEME="msdos" + PARTITION_COUNT=1 + print_info "Preset: Windows 98/ME (MBR)" + print_note 
"Single FAT32 partition" + ;; + 5) # Windows 95 + USE_PRESET=true + PARTITION_SCHEME="msdos" + PARTITION_COUNT=1 + print_info "Preset: Windows 95 (MBR)" + print_note "Single FAT16 partition" + ;; + 6) # Windows 3.1 + USE_PRESET=true + PARTITION_SCHEME="msdos" + PARTITION_COUNT=1 + print_info "Preset: Windows 3.1 (MBR)" + print_note "Single FAT16 partition" + ;; + 7) # MS-DOS + USE_PRESET=true + PARTITION_SCHEME="msdos" + PARTITION_COUNT=1 + print_info "Preset: MS-DOS (MBR)" + print_note "Single FAT12 partition (max 16MB)" + if [ "$DISK_SIZE_MB" -gt 16 ]; then + print_warning "MS-DOS typically uses FAT12 which is limited to 16MB" + print_info "Consider reducing disk size or the partition will use FAT16" + fi + ;; + 8) # Modern Linux + USE_PRESET=true + PARTITION_SCHEME="gpt" + PARTITION_COUNT=3 + print_info "Preset: Modern Linux (GPT)" + print_note "EFI (260MB) + Root ext4 (auto) + Swap (2GB)" + ;; + 9) # Linux with /home + USE_PRESET=true + PARTITION_SCHEME="gpt" + PARTITION_COUNT=3 + print_info "Preset: Linux with separate /home (GPT)" + print_note "EFI (260MB) + Root ext4 (auto) + Home ext4 (auto)" + ;; + 10) # Classic Linux + USE_PRESET=true + PARTITION_SCHEME="msdos" + PARTITION_COUNT=3 + print_info "Preset: Classic Linux (MBR)" + print_note "Boot ext4 (500MB) + Root ext4 (auto) + Swap (2GB)" + ;; + 11) # Minimal Linux + USE_PRESET=true + PARTITION_SCHEME="msdos" + PARTITION_COUNT=1 + print_info "Preset: Minimal Linux (MBR)" + print_note "Single ext4 partition" + ;; + 12) # Modern macOS + USE_PRESET=true + PARTITION_SCHEME="gpt" + PARTITION_COUNT=2 + print_info "Preset: Modern macOS (GPT)" + print_note "EFI (200MB) + APFS (auto)" + print_warning "APFS support on Linux is very limited" + ;; + 13) # Legacy macOS + USE_PRESET=true + PARTITION_SCHEME="gpt" + PARTITION_COUNT=1 + print_info "Preset: Legacy macOS (GPT)" + print_note "Single HFS+ partition" + print_warning "HFS+ support on Linux is limited" + ;; + 14) # Custom + USE_PRESET=false + print_info "Custom 
layout selected" + ;; + *) + print_error "Invalid choice" + get_preset_or_custom + return + ;; + esac + + if [ "$USE_PRESET" = true ]; then + echo "" + read -p "Customize this preset? (y/n, default: n): " CUSTOMIZE + CUSTOMIZE=${CUSTOMIZE:-n} + + if [ "$CUSTOMIZE" = "y" ]; then + ALLOW_PRESET_CUSTOMIZATION=true + print_info "You can modify the preset configuration in the next steps" + else + ALLOW_PRESET_CUSTOMIZATION=false + print_info "Using preset configuration as-is" + fi + fi +} + +# Apply preset configuration +apply_preset() { + PARTITION_CONFIGS=() + + case $PRESET_CHOICE in + 1) # Windows 11/10 + PARTITION_CONFIGS+=("vfat|260|EFI") + PARTITION_CONFIGS+=("ntfs|remaining|Windows") + PARTITION_CONFIGS+=("ntfs|500|Recovery") + ;; + 2) # Windows Vista/7/8 + PARTITION_CONFIGS+=("ntfs|100|System") + PARTITION_CONFIGS+=("ntfs|remaining|Windows") + ;; + 3) # Windows 2000/XP + PARTITION_CONFIGS+=("ntfs|remaining|Windows") + ;; + 4) # Windows 98/ME + PARTITION_CONFIGS+=("vfat|remaining|WIN98") + ;; + 5) # Windows 95 + if [ "$DISK_SIZE_MB" -le 2048 ]; then + PARTITION_CONFIGS+=("fat16|remaining|WIN95") + else + PARTITION_CONFIGS+=("vfat|remaining|WIN95") + print_warning "Disk >2GB, using FAT32 instead of FAT16" + fi + ;; + 6) # Windows 3.1 + PARTITION_CONFIGS+=("fat16|remaining|WIN31") + ;; + 7) # MS-DOS + if [ "$DISK_SIZE_MB" -le 16 ]; then + PARTITION_CONFIGS+=("fat12|remaining|MSDOS") + else + PARTITION_CONFIGS+=("fat16|remaining|MSDOS") + print_warning "Disk >16MB, using FAT16 instead of FAT12" + fi + ;; + 8) # Modern Linux + PARTITION_CONFIGS+=("vfat|260|EFI") + PARTITION_CONFIGS+=("ext4|remaining|rootfs") + PARTITION_CONFIGS+=("swap|2048|") + ;; + 9) # Linux with /home + local root_size=$((DISK_SIZE_MB / 4)) + if [ "$root_size" -lt 5120 ]; then + root_size=5120 # Minimum 5GB for root + fi + if [ "$root_size" -gt $((DISK_SIZE_MB - 1024)) ]; then + root_size=$((DISK_SIZE_MB / 2)) # If not enough space, use half + fi + PARTITION_CONFIGS+=("vfat|260|EFI") + 
PARTITION_CONFIGS+=("ext4|${root_size}|rootfs") + PARTITION_CONFIGS+=("ext4|remaining|home") + ;; + 10) # Classic Linux + PARTITION_CONFIGS+=("ext4|500|boot") + PARTITION_CONFIGS+=("ext4|remaining|rootfs") + PARTITION_CONFIGS+=("swap|2048|") + ;; + 11) # Minimal Linux + PARTITION_CONFIGS+=("ext4|remaining|rootfs") + ;; + 12) # Modern macOS + PARTITION_CONFIGS+=("vfat|200|EFI") + PARTITION_CONFIGS+=("apfs|remaining|MacintoshHD") + ;; + 13) # Legacy macOS + PARTITION_CONFIGS+=("hfsplus|remaining|MacintoshHD") + ;; + esac +} + # Get partition scheme get_partition_scheme() { echo "" @@ -405,9 +638,9 @@ get_partition_scheme() { echo "" print_tip "GPT is recommended for modern systems and disks >2TB" echo "" - read -p "Select partition scheme [1-2]: " PARTITION_CHOICE + read -p "Select partition scheme [1-2]: " PARTITION_CHOICE_SCHEME - case $PARTITION_CHOICE in + case $PARTITION_CHOICE_SCHEME in 1) PARTITION_SCHEME="gpt" ;; 2) PARTITION_SCHEME="msdos" @@ -1030,9 +1263,36 @@ main() { get_filename get_disk_size get_init_method - get_partition_scheme - get_partition_count - get_partition_configs + get_preset_or_custom + + if [ "$USE_PRESET" = true ]; then + apply_preset + + if [ "$ALLOW_PRESET_CUSTOMIZATION" = true ]; then + # Show current config and allow modifications + echo "" + echo "Current preset configuration:" + for i in $(seq 1 ${#PARTITION_CONFIGS[@]}); do + config="${PARTITION_CONFIGS[$((i-1))]}" + IFS='|' read -r fs size label <<< "$config" + if [ "$fs" = "swap" ]; then + echo " [$i] $fs (${size}MB)" + else + echo " [$i] $fs (${size}MB) - '$label'" + fi + done + echo "" + read -p "Modify partition configurations? (y/n): " modify + if [ "$modify" = "y" ]; then + get_partition_configs + fi + fi + else + # Custom layout + get_partition_scheme + get_partition_count + get_partition_configs + fi # Show final summary and confirm echo "" 
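Review bot: `apply_preset` never checks that a preset's fixed-size partitions fit the disk chosen in `get_disk_size`: preset 8 on the 1 GB option asks for 260 MB EFI plus 2048 MB swap, and preset 1 on the 100 MB option asks for 760 MB of fixed partitions, leaving the `remaining` entry nothing to take. The only size guards in the hunk are the FAT12/FAT16 warnings in cases 5 and 7. I would sum the non-`remaining` sizes at the end of `apply_preset`, refuse the preset when they reach `DISK_SIZE_MB`, and have the caller honour the status (`apply_preset || exit 1`), since `set -e` is disabled elsewhere in this commit. Separately, presets 1, 8 and 10 place the `remaining` entry before a fixed-size partition while the README says the last partition takes the remaining space; whether the creation code accepts a non-final `remaining` is outside this hunk.
```shell
apply_preset() {
    PARTITION_CONFIGS=()
    # … unchanged: case $PRESET_CHOICE populating PARTITION_CONFIGS …

    # Refuse a preset whose fixed-size partitions cannot fit on the chosen disk.
    local cfg fs size label fixed_total=0
    for cfg in "${PARTITION_CONFIGS[@]}"; do
        IFS='|' read -r fs size label <<< "$cfg"
        [ "$size" = "remaining" ] || fixed_total=$((fixed_total + size))
    done
    if [ "$fixed_total" -ge "$DISK_SIZE_MB" ]; then
        print_error "Preset needs ${fixed_total}MB for its fixed-size partitions but the disk is only ${DISK_SIZE_MB}MB"
        return 1
    fi
}
```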
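Review bot: In the `ALLOW_PRESET_CUSTOMIZATION` branch of `main`, `get_partition_configs` is called while `PARTITION_CONFIGS` still holds the entries `apply_preset` pushed; if `get_partition_configs` appends with `+=` the way `apply_preset` does instead of resetting the array, the summary (which now reads `${#PARTITION_CONFIGS[@]}`) and the build loop would see the preset partitions plus the user's. `get_partition_configs` is outside this hunk, so I cannot confirm either way; an explicit `PARTITION_CONFIGS=()` before the call is cheap and removes the dependency. The user is also asked twice, `Customize this preset?` in `get_preset_or_custom` and then `Modify partition configurations?` here, and the "customize" path never lets them change the preset's partition scheme. `main` begins and ends outside this hunk.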
@@ -1043,9 +1303,9 @@ main() {
 echo "Size: ${DISK_SIZE_MB} MB ($(echo "scale=2; $DISK_SIZE_MB/1024" | bc) GB)"
 echo "Init Method: $INIT_METHOD"
 echo "Partition Scheme: $PARTITION_SCHEME"
- echo "Partitions: $PARTITION_COUNT"
+ echo "Partitions: ${#PARTITION_CONFIGS[@]}"
 
- for i in $(seq 1 $PARTITION_COUNT); do
+ for i in $(seq 1 ${#PARTITION_CONFIGS[@]}); do
 config="${PARTITION_CONFIGS[$((i-1))]}"
 IFS='|' read -r fs size label <<< "$config"
 if [ "$fs" = "swap" ]; then