default layouts added

This commit is contained in:
overcuriousity 2025-10-20 13:42:19 +02:00
parent 4cc66fe47a
commit c29225d40b
2 changed files with 369 additions and 92 deletions

README.md
View File

@ -5,6 +5,7 @@ A comprehensive toolkit for creating disk images with various filesystems for fo
## Features
- **Multiple Filesystem Support**: NTFS, FAT32, exFAT, ext2/3/4, XFS, swap
- **Preset Layouts**: Pre-configured layouts for Windows, Linux, and macOS systems
- **Multi-Partition Support**: Create up to 4 partitions in a single disk image
- **Partition Schemes**: GPT (modern) and MBR (legacy)
- **Initialization Methods**: Choose between /dev/zero (fast), /dev/urandom (realistic), or fallocate (sparse)
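Review bot: the "Multiple Filesystem Support" bullet still lists only NTFS, FAT32, exFAT, ext2/3/4, XFS and swap, while the new "Preset Layouts" bullet points at presets that produce FAT16, FAT12, APFS and HFS+ partitions (Windows 95, Windows 3.1, MS-DOS and both macOS presets further down in this README). Either extend the list here or state that those presets need tools outside the default check; the example session's tool-availability output in this same commit also only covers the original set.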
@ -43,6 +44,34 @@ sudo apt-get install xfsprogs
sudo apt-get install sleuthkit
```
## Preset Layouts
Choose from pre-configured layouts that simulate real operating systems:
**Windows Presets:**
- Windows 11/10 (GPT, EFI + NTFS + Recovery)
- Windows Vista/7/8 (MBR, System Reserved + NTFS)
- Windows 2000/XP (MBR, Single NTFS)
- Windows 98/ME (MBR, Single FAT32)
- Windows 95 (MBR, Single FAT16)
- Windows 3.1 (MBR, Single FAT16)
- MS-DOS (MBR, Single FAT12)
**Linux Presets:**
- Modern Linux (GPT, EFI + Root + Swap)
- Linux with /home (GPT, EFI + Root + Home)
- Classic Linux (MBR, Boot + Root + Swap)
- Minimal Linux (MBR, Single ext4)
**macOS Presets:**
- Modern macOS (GPT, EFI + APFS)
- Legacy macOS (GPT, Single HFS+)
**Custom Layout:**
- Full manual configuration with 1-4 partitions
All presets can be customized during setup or used as-is.
## Initialization Methods
The script offers three methods for creating the disk image file:
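Review bot: presets with fixed-size partitions have an undocumented minimum disk size. From the script hunk in this commit, Windows 11/10 reserves 260 MB + 500 MB, Modern Linux 260 MB + 2048 MB swap, and Classic Linux 500 MB + 2048 MB swap, yet the size menu still offers 100 MB and 500 MB. State the minimum next to each preset, e.g. "Windows 11/10 (GPT, EFI + NTFS + Recovery, needs more than 1 GB)", or say that the script rejects disks that are too small once it actually does.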
@ -65,16 +94,6 @@ The script offers three methods for creating the disk image file:
- Good for quick testing
- May not be suitable for all forensic scenarios
## Multi-Partition Support
Create complex disk layouts with up to 4 partitions:
- Each partition can have a different filesystem
- Mix operating system types (Windows NTFS + Linux ext4)
- Include swap partitions for realistic Linux setups
- The last partition automatically uses remaining space
- Perfect for practicing partition table analysis
## Usage
### Creating a Disk Image
@ -89,21 +108,25 @@ The script will:
1. Check filesystem tool availability
2. Interactively prompt you for:
- **Filename**: Output file name (default: forensic_disk.dd)
- **Size**: Choose from presets (100MB, 500MB, 1GB, 5GB) or custom
- **Size**: Choose from presets (100MB, 500MB, 1GB, 5GB, 10GB) or custom
- **Initialization Method**: /dev/zero, /dev/urandom, or fallocate
- **Partition Scheme**: GPT or MBR
- **Partition Count**: 1-4 partitions
- **Per-Partition Configuration**:
- Filesystem type (NTFS, FAT32, exFAT, ext2/3/4, XFS, swap)
- Size in MB (last partition uses remaining space)
- Volume label (except for swap)
- **Layout**: Select a preset or custom configuration
- **For Presets**: Option to use as-is or customize
- **For Custom**:
- Partition Scheme: GPT or MBR
- Partition Count: 1-4 partitions
- Per-Partition Configuration:
- Filesystem type (NTFS, FAT32, exFAT, ext2/3/4, XFS, swap, etc.)
- Size in MB (last partition uses remaining space)
- Volume label (except for swap)
- **Mount**: Option to mount filesystems immediately after creation
### Example Session
### Example Session (with Preset)
```
==========================================
Forensic Disk Image Creator
Enhanced Edition v2.1
==========================================
Checking filesystem tool availability...
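Review bot: under "For Presets: Option to use as-is or customize", say what customization covers. In the main() change in this commit the preset path only re-runs the per-partition configuration; the partition scheme and partition count stay fixed by the preset. Also, "swap, etc." in the filesystem list leaves the reader guessing which extra types (FAT16, FAT12, APFS, HFS+ from the presets) the custom path accepts; list them or drop "etc.".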
@ -115,71 +138,60 @@ Checking filesystem tool availability...
✓ XFS (mkfs.xfs available)
✓ swap (mkswap available)
Enter output filename (default: forensic_disk.dd): ntfsdisk.dd
Enter output filename (default: forensic_disk.dd): win11.dd
Disk Size Options:
1) 100 MB (small, quick testing)
2) 500 MB (medium)
3) 1 GB (standard)
4) 5 GB (large)
5) Custom size
5) 10 GB (very large)
6) Custom size
Select disk size [1-5]: 2
Select disk size [1-6]: 3
Initialization Method:
1) /dev/zero (Fast, zeros - forensically predictable)
2) /dev/random (Slow, random data - more realistic)
2) /dev/urandom (Slow, random data - more realistic)
3) fallocate (Fastest, sparse file)
Select initialization method [1-3]: 1
Partition Scheme:
1) GPT (GUID Partition Table) - Modern, Windows 10/11 default
2) MBR (Master Boot Record) - Legacy, compatible with older systems
Select partition scheme [1-2]: 1
How many partitions? (1-4): 2
==========================================
Partition 1 Configuration
Disk Layout
==========================================
Filesystem Type:
1) NTFS (Windows default)
2) FAT32 (Universal compatibility)
3) exFAT (Modern, large file support)
4) ext4 (Linux default)
5) ext3 (Older Linux)
6) ext2 (Legacy Linux, no journaling)
7) XFS (High-performance Linux)
8) swap (Linux swap space)
Layout Presets:
Select filesystem for partition 1 [1-8]: 1
Windows Presets:
1) Windows 11/10 (GPT, EFI + NTFS + Recovery)
2) Windows Vista/7/8 (MBR, System Reserved + NTFS)
3) Windows 2000/XP (MBR, Single NTFS)
4) Windows 98/ME (MBR, Single FAT32)
5) Windows 95 (MBR, Single FAT16)
6) Windows 3.1 (MBR, Single FAT16)
7) MS-DOS (MBR, Single FAT12)
Size for partition 1 in MB: 400
Linux Presets:
8) Modern Linux (GPT, EFI + Root + Swap)
9) Linux with /home (GPT, EFI + Root + Home)
10) Classic Linux (MBR, Boot + Root + Swap)
11) Minimal Linux (MBR, Single ext4)
Volume label for partition 1 (default: PART1): EVIDENCE
macOS Presets:
12) Modern macOS (GPT, EFI + APFS)
13) Legacy macOS (GPT, Single HFS+)
==========================================
Partition 2 Configuration
==========================================
Custom:
14) Custom layout (manual configuration)
Filesystem Type:
1) NTFS (Windows default)
2) FAT32 (Universal compatibility)
3) exFAT (Modern, large file support)
4) ext4 (Linux default)
5) ext3 (Older Linux)
6) ext2 (Legacy Linux, no journaling)
7) XFS (High-performance Linux)
8) swap (Linux swap space)
Select layout [1-14]: 1
Select filesystem for partition 2 [1-8]: 4
[INFO] Preset: Windows 11/10 (GPT)
[NOTE] EFI System Partition (260MB) + Main Windows (auto) + Recovery (500MB)
[INFO] Partition 2 will use remaining space
Volume label for partition 2 (default: PART2): DATA
Customize this preset? (y/n, default: n): n
[INFO] Using preset configuration as-is
```
### Cleaning Up
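Review bot: the example session picks option 3 (1 GB) together with the Windows 11/10 preset, whose note on the same screen reserves 260 MB for EFI and 500 MB for Recovery, so the "Main Windows (auto)" partition ends up with roughly 264 MB, smaller than its own recovery partition. Use 5 GB or 10 GB in the example so the first thing a reader reproduces is a plausible layout. The `/dev/random` to `/dev/urandom` correction in the init menu is right and now matches the feature list.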
@ -203,45 +215,45 @@ sudo ./cleanup.sh
#### View raw disk structure
```bash
# Using hexdump
hexdump -C ntfsdisk.dd | less
hexdump -C win11.dd | less
# Using xxd
xxd ntfsdisk.dd | less
xxd win11.dd | less
# View first 512 bytes (boot sector)
xxd -l 512 ntfsdisk.dd
xxd -l 512 win11.dd
# View specific offset (e.g., partition table at 0x1BE for MBR)
xxd -s 0x1BE -l 64 ntfsdisk.dd
xxd -s 0x1BE -l 64 win11.dd
```
#### GUI Hex Editors
```bash
# Install Bless (GTK hex editor)
sudo apt-get install bless
bless ntfsdisk.dd
bless win11.dd
# Or install GHex
sudo apt-get install ghex
ghex ntfsdisk.dd
ghex win11.dd
# Or install wxHexEditor (advanced)
sudo apt-get install wxhexeditor
wxhexeditor ntfsdisk.dd
wxhexeditor win11.dd
```
### Partition Analysis
```bash
# View partition table
sudo parted ntfsdisk.dd print
sudo parted win11.dd print
# Or using fdisk
sudo fdisk -l ntfsdisk.dd
sudo fdisk -l win11.dd
# For GPT, use gdisk
sudo apt-get install gdisk
sudo gdisk -l ntfsdisk.dd
sudo gdisk -l win11.dd
```
### Using The Sleuth Kit (TSK)
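Review bot: the comment "partition table at 0x1BE for MBR" no longer matches the example image: win11.dd comes from the GPT preset, so `xxd -s 0x1BE -l 64 win11.dd` shows only the protective MBR with a single 0xEE entry. Keep that line for the MBR presets and add a GPT counterpart such as `xxd -s 512 -l 128 win11.dd` (the GPT header at LBA 1, beginning with the "EFI PART" signature) so the section still demonstrates what it claims.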
@ -251,22 +263,22 @@ sudo gdisk -l ntfsdisk.dd
sudo apt-get install sleuthkit
# Display partition layout
mmls ntfsdisk.dd
mmls win11.dd
# Show filesystem details (offset from mmls output)
fsstat -o 2048 ntfsdisk.dd
fsstat -o 2048 win11.dd
# List files in filesystem
fls -o 2048 -r ntfsdisk.dd
fls -o 2048 -r win11.dd
# Display file content by inode
icat -o 2048 ntfsdisk.dd [inode_number]
icat -o 2048 win11.dd [inode_number]
# Show deleted files
fls -o 2048 -rd ntfsdisk.dd
fls -o 2048 -rd win11.dd
# Timeline analysis
fls -o 2048 -m / -r ntfsdisk.dd > timeline.bodyfile
fls -o 2048 -m / -r win11.dd > timeline.bodyfile
mactime -b timeline.bodyfile
```
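Review bot: with the filename swapped to win11.dd, the hardcoded `-o 2048` now points at the first partition of the Windows 11/10 preset (assuming the same first-partition start the old ntfsdisk.dd example relied on), which is the 260 MB EFI FAT partition, not an NTFS volume, so `fsstat`, `fls` and `icat` at that offset will not show NTFS content. The comment already says to take the offset from mmls; make the examples do that (a placeholder such as `-o <ntfs_start>` together with the mmls row it comes from) rather than leaving 2048 in place, which was only correct for the old single-NTFS image.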
@ -276,13 +288,13 @@ If you need more control over the loop device:
```bash
# Attach image to loop device
sudo losetup -f ntfsdisk.dd
sudo losetup -f win11.dd
# List all loop devices
sudo losetup -l
# Find out which loop device is attached
sudo losetup -j ntfsdisk.dd
sudo losetup -j win11.dd
# Mount the partition
sudo mkdir -p /mnt/forensic
@ -309,7 +321,7 @@ sudo ntfscluster -f /dev/loop0p1
# Recover deleted files
sudo apt-get install testdisk
sudo testdisk ntfsdisk.dd
sudo testdisk win11.dd
```
#### FAT32 Analysis
@ -319,7 +331,7 @@ sudo testdisk ntfsdisk.dd
sudo fsck.vfat -n /dev/loop0p1
# Or using sleuthkit
fsstat -o 2048 ntfsdisk.dd
fsstat -o 2048 win11.dd
```
#### ext4 Analysis
@ -370,12 +382,12 @@ sudo debugfs -R 'stat <inode>' /dev/loop0p1
### Beginner Level
1. **Identify Partition Scheme**
- Create disks with GPT and MBR
- Create disks with different Windows versions (MBR vs GPT)
- Compare the first 512 bytes
- Identify the signature differences
2. **Find the Filesystem Type**
- Create disks with different filesystems
- Create disks with different filesystems using presets
- Examine boot sector signatures
- Identify OEM strings
@ -417,6 +429,11 @@ sudo debugfs -R 'stat <inode>' /dev/loop0p1
- Examine wiping patterns
- Analyze file system corruption
10. **Cross-OS Analysis**
- Create Windows and Linux dual-boot layout
- Analyze different partition schemes
- Practice identifying filesystem boundaries
## Troubleshooting
### Loop device not found
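Review bot: exercise 10 asks for a Windows and Linux dual-boot layout, but none of the 13 presets added in this commit is dual-boot; it has to be built through option 14 (custom layout). Say so in the exercise, e.g. "Use the custom layout: EFI + NTFS + ext4 + swap", so readers do not search the preset list for something that does not exist.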
@ -431,7 +448,7 @@ ls -la /dev/loop*
### Permission denied
```bash
# Always use sudo for these operations
sudo ./create_forensic_disk.sh
sudo ./pseudodisk.sh
```
### Partition not showing up
@ -441,7 +458,7 @@ sudo partprobe /dev/loopX
# Or detach and re-attach
sudo losetup -d /dev/loopX
sudo losetup -f ntfsdisk.dd
sudo losetup -f win11.dd
```
### Cannot unmount - device busy

View File

@ -4,7 +4,7 @@
# Creates disk images with various filesystems for forensic analysis practice
# Now with improved UX, sanity checks, and extended filesystem support
set -e # Exit on error
#set -e # Exit on error
# Color codes for output
RED='\033[0;31m'
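Review bot: commenting out `set -e` is the wrong fix. This script runs parted, mkfs.* and losetup under sudo against an image it then mounts; without exit-on-error a failed partition creation or mkfs is silently followed by the next step, which formats or mounts the wrong thing. Keep `set -e` (better `set -euo pipefail`), find the one command that started failing with the new preset code, and guard that call with an explicit `if ! cmd; then ... fi` or `|| true` where a non-zero status is genuinely acceptable. The header comment "Exit on error" is also left in place and is now false.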
@ -285,7 +285,7 @@ show_banner() {
echo ""
echo "=========================================="
echo " Forensic Disk Image Creator"
echo " Enhanced Edition v2.0"
echo " Enhanced Edition v2.1"
echo "=========================================="
echo ""
}
@ -396,6 +396,239 @@ get_init_method() {
print_info "Selected initialization method: $INIT_METHOD"
}
# Get preset or custom layout
get_preset_or_custom() {
USE_PRESET=false
echo ""
echo "=========================================="
echo " Disk Layout"
echo "=========================================="
echo ""
echo "Layout Presets:"
echo ""
echo " Windows Presets:"
echo " 1) Windows 11/10 (GPT, EFI + NTFS + Recovery)"
echo " 2) Windows Vista/7/8 (MBR, System Reserved + NTFS)"
echo " 3) Windows 2000/XP (MBR, Single NTFS)"
echo " 4) Windows 98/ME (MBR, Single FAT32)"
echo " 5) Windows 95 (MBR, Single FAT16)"
echo " 6) Windows 3.1 (MBR, Single FAT16)"
echo " 7) MS-DOS (MBR, Single FAT12)"
echo ""
echo " Linux Presets:"
echo " 8) Modern Linux (GPT, EFI + Root + Swap)"
echo " 9) Linux with /home (GPT, EFI + Root + Home)"
echo " 10) Classic Linux (MBR, Boot + Root + Swap)"
echo " 11) Minimal Linux (MBR, Single ext4)"
echo ""
echo " macOS Presets:"
echo " 12) Modern macOS (GPT, EFI + APFS)"
echo " 13) Legacy macOS (GPT, Single HFS+)"
echo ""
echo " Custom:"
echo " 14) Custom layout (manual configuration)"
echo ""
read -p "Select layout [1-14]: " PRESET_CHOICE
case $PRESET_CHOICE in
1) # Windows 11/10
USE_PRESET=true
PARTITION_SCHEME="gpt"
PARTITION_COUNT=3
print_info "Preset: Windows 11/10 (GPT)"
print_note "EFI System Partition (260MB) + Main Windows (auto) + Recovery (500MB)"
;;
2) # Windows Vista/7/8
USE_PRESET=true
PARTITION_SCHEME="msdos"
PARTITION_COUNT=2
print_info "Preset: Windows Vista/7/8 (MBR)"
print_note "System Reserved (100MB) + Main Windows (auto)"
;;
3) # Windows 2000/XP
USE_PRESET=true
PARTITION_SCHEME="msdos"
PARTITION_COUNT=1
print_info "Preset: Windows 2000/XP (MBR)"
print_note "Single NTFS partition"
;;
4) # Windows 98/ME
USE_PRESET=true
PARTITION_SCHEME="msdos"
PARTITION_COUNT=1
print_info "Preset: Windows 98/ME (MBR)"
print_note "Single FAT32 partition"
;;
5) # Windows 95
USE_PRESET=true
PARTITION_SCHEME="msdos"
PARTITION_COUNT=1
print_info "Preset: Windows 95 (MBR)"
print_note "Single FAT16 partition"
;;
6) # Windows 3.1
USE_PRESET=true
PARTITION_SCHEME="msdos"
PARTITION_COUNT=1
print_info "Preset: Windows 3.1 (MBR)"
print_note "Single FAT16 partition"
;;
7) # MS-DOS
USE_PRESET=true
PARTITION_SCHEME="msdos"
PARTITION_COUNT=1
print_info "Preset: MS-DOS (MBR)"
print_note "Single FAT12 partition (max 16MB)"
if [ "$DISK_SIZE_MB" -gt 16 ]; then
print_warning "MS-DOS typically uses FAT12 which is limited to 16MB"
print_info "Consider reducing disk size or the partition will use FAT16"
fi
;;
8) # Modern Linux
USE_PRESET=true
PARTITION_SCHEME="gpt"
PARTITION_COUNT=3
print_info "Preset: Modern Linux (GPT)"
print_note "EFI (260MB) + Root ext4 (auto) + Swap (2GB)"
;;
9) # Linux with /home
USE_PRESET=true
PARTITION_SCHEME="gpt"
PARTITION_COUNT=3
print_info "Preset: Linux with separate /home (GPT)"
print_note "EFI (260MB) + Root ext4 (auto) + Home ext4 (auto)"
;;
10) # Classic Linux
USE_PRESET=true
PARTITION_SCHEME="msdos"
PARTITION_COUNT=3
print_info "Preset: Classic Linux (MBR)"
print_note "Boot ext4 (500MB) + Root ext4 (auto) + Swap (2GB)"
;;
11) # Minimal Linux
USE_PRESET=true
PARTITION_SCHEME="msdos"
PARTITION_COUNT=1
print_info "Preset: Minimal Linux (MBR)"
print_note "Single ext4 partition"
;;
12) # Modern macOS
USE_PRESET=true
PARTITION_SCHEME="gpt"
PARTITION_COUNT=2
print_info "Preset: Modern macOS (GPT)"
print_note "EFI (200MB) + APFS (auto)"
print_warning "APFS support on Linux is very limited"
;;
13) # Legacy macOS
USE_PRESET=true
PARTITION_SCHEME="gpt"
PARTITION_COUNT=1
print_info "Preset: Legacy macOS (GPT)"
print_note "Single HFS+ partition"
print_warning "HFS+ support on Linux is limited"
;;
14) # Custom
USE_PRESET=false
print_info "Custom layout selected"
;;
*)
print_error "Invalid choice"
get_preset_or_custom
return
;;
esac
if [ "$USE_PRESET" = true ]; then
echo ""
read -p "Customize this preset? (y/n, default: n): " CUSTOMIZE
CUSTOMIZE=${CUSTOMIZE:-n}
if [ "$CUSTOMIZE" = "y" ]; then
ALLOW_PRESET_CUSTOMIZATION=true
print_info "You can modify the preset configuration in the next steps"
else
ALLOW_PRESET_CUSTOMIZATION=false
print_info "Using preset configuration as-is"
fi
fi
}
# Apply preset configuration
apply_preset() {
PARTITION_CONFIGS=()
case $PRESET_CHOICE in
1) # Windows 11/10
PARTITION_CONFIGS+=("vfat|260|EFI")
PARTITION_CONFIGS+=("ntfs|remaining|Windows")
PARTITION_CONFIGS+=("ntfs|500|Recovery")
;;
2) # Windows Vista/7/8
PARTITION_CONFIGS+=("ntfs|100|System")
PARTITION_CONFIGS+=("ntfs|remaining|Windows")
;;
3) # Windows 2000/XP
PARTITION_CONFIGS+=("ntfs|remaining|Windows")
;;
4) # Windows 98/ME
PARTITION_CONFIGS+=("vfat|remaining|WIN98")
;;
5) # Windows 95
if [ "$DISK_SIZE_MB" -le 2048 ]; then
PARTITION_CONFIGS+=("fat16|remaining|WIN95")
else
PARTITION_CONFIGS+=("vfat|remaining|WIN95")
print_warning "Disk >2GB, using FAT32 instead of FAT16"
fi
;;
6) # Windows 3.1
PARTITION_CONFIGS+=("fat16|remaining|WIN31")
;;
7) # MS-DOS
if [ "$DISK_SIZE_MB" -le 16 ]; then
PARTITION_CONFIGS+=("fat12|remaining|MSDOS")
else
PARTITION_CONFIGS+=("fat16|remaining|MSDOS")
print_warning "Disk >16MB, using FAT16 instead of FAT12"
fi
;;
8) # Modern Linux
PARTITION_CONFIGS+=("vfat|260|EFI")
PARTITION_CONFIGS+=("ext4|remaining|rootfs")
PARTITION_CONFIGS+=("swap|2048|")
;;
9) # Linux with /home
local root_size=$((DISK_SIZE_MB / 4))
if [ "$root_size" -lt 5120 ]; then
root_size=5120 # Minimum 5GB for root
fi
if [ "$root_size" -gt $((DISK_SIZE_MB - 1024)) ]; then
root_size=$((DISK_SIZE_MB / 2)) # If not enough space, use half
fi
PARTITION_CONFIGS+=("vfat|260|EFI")
PARTITION_CONFIGS+=("ext4|${root_size}|rootfs")
PARTITION_CONFIGS+=("ext4|remaining|home")
;;
10) # Classic Linux
PARTITION_CONFIGS+=("ext4|500|boot")
PARTITION_CONFIGS+=("ext4|remaining|rootfs")
PARTITION_CONFIGS+=("swap|2048|")
;;
11) # Minimal Linux
PARTITION_CONFIGS+=("ext4|remaining|rootfs")
;;
12) # Modern macOS
PARTITION_CONFIGS+=("vfat|200|EFI")
PARTITION_CONFIGS+=("apfs|remaining|MacintoshHD")
;;
13) # Legacy macOS
PARTITION_CONFIGS+=("hfsplus|remaining|MacintoshHD")
;;
esac
}
# Get partition scheme
get_partition_scheme() {
echo ""
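Review bot: apply_preset never checks that a preset's fixed partitions fit in DISK_SIZE_MB. Windows 11/10 needs 760 MB (260 + 500), Modern Linux 2308 MB (260 + 2048 swap), Classic Linux 2548 MB (500 + 2048 swap), and the size menu still offers 100 MB and 500 MB, so "remaining" goes negative for the main partition and whatever consumes PARTITION_CONFIGS later gets an impossible layout; only the MS-DOS and Linux-with-/home cases look at DISK_SIZE_MB at all, and the Linux-with-/home fallback still lets 260 + root_size exceed a 100 MB disk. Sum the numeric sizes per preset and either refuse the disk or scale the swap and recovery entries. Three smaller points in the same hunk: (1) the Windows 11/10 entry puts `ntfs|remaining|Windows` in the middle with `ntfs|500|Recovery` last, while the README text in this same commit says the last partition uses the remaining space, so either the partitioning code must already resolve a non-final "remaining" or this preset will break; (2) the presets emit fs types `fat16`, `fat12`, `apfs` and `hfsplus` that appear nowhere in the tool-availability list the README shows, the hunk contains no matching mkfs branches, and the two warnings about APFS and HFS+ support suggest they may not exist, so fail before writing the partition table rather than after; (3) the MS-DOS >16 MB check is done twice, in get_preset_or_custom with one message and in apply_preset with another; keep it in apply_preset only. Recursing into get_preset_or_custom on an invalid choice works, but a `while` loop around the `read` avoids the return-after-recursion pattern.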
@ -405,9 +638,9 @@ get_partition_scheme() {
echo ""
print_tip "GPT is recommended for modern systems and disks >2TB"
echo ""
read -p "Select partition scheme [1-2]: " PARTITION_CHOICE
read -p "Select partition scheme [1-2]: " PARTITION_CHOICE_SCHEME
case $PARTITION_CHOICE in
case $PARTITION_CHOICE_SCHEME in
1) PARTITION_SCHEME="gpt" ;;
2)
PARTITION_SCHEME="msdos"
@ -1030,9 +1263,36 @@ main() {
get_filename
get_disk_size
get_init_method
get_partition_scheme
get_partition_count
get_partition_configs
get_preset_or_custom
if [ "$USE_PRESET" = true ]; then
apply_preset
if [ "$ALLOW_PRESET_CUSTOMIZATION" = true ]; then
# Show current config and allow modifications
echo ""
echo "Current preset configuration:"
for i in $(seq 1 ${#PARTITION_CONFIGS[@]}); do
config="${PARTITION_CONFIGS[$((i-1))]}"
IFS='|' read -r fs size label <<< "$config"
if [ "$fs" = "swap" ]; then
echo " [$i] $fs (${size}MB)"
else
echo " [$i] $fs (${size}MB) - '$label'"
fi
done
echo ""
read -p "Modify partition configurations? (y/n): " modify
if [ "$modify" = "y" ]; then
get_partition_configs
fi
fi
else
# Custom layout
get_partition_scheme
get_partition_count
get_partition_configs
fi
# Show final summary and confirm
echo ""
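Review bot: the "Customize this preset" path prints the preset's partitions and then calls get_partition_configs, which in the custom path prompts for every partition from scratch, so the displayed values are never offered as defaults and the user retypes the whole layout; PARTITION_COUNT also stays at the preset's value and the user is never asked for a count, so adding or dropping a partition is impossible, and the scheme cannot be changed either, which the README's "Option to use as-is or customize" does not say. Either pass the preset entries into get_partition_configs as defaults or, at minimum, run get_partition_count first. The preview loop here also prints `${size}MB` for entries whose size field is the literal `remaining`.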
@ -1043,9 +1303,9 @@ main() {
echo "Size: ${DISK_SIZE_MB} MB ($(echo "scale=2; $DISK_SIZE_MB/1024" | bc) GB)"
echo "Init Method: $INIT_METHOD"
echo "Partition Scheme: $PARTITION_SCHEME"
echo "Partitions: $PARTITION_COUNT"
echo "Partitions: ${#PARTITION_CONFIGS[@]}"
for i in $(seq 1 $PARTITION_COUNT); do
for i in $(seq 1 ${#PARTITION_CONFIGS[@]}); do
config="${PARTITION_CONFIGS[$((i-1))]}"
IFS='|' read -r fs size label <<< "$config"
if [ "$fs" = "swap" ]; then
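Review bot: the summary prints `${size}MB` for every entry, and preset entries carry the literal `remaining` in that field, so the confirmation screen shows e.g. `ntfs (remainingMB) - 'Windows'`. Print "remaining space" when the size is not numeric. Switching the loop bound from PARTITION_COUNT to `${#PARTITION_CONFIGS[@]}` is the right call, since the two can now differ after a preset.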