pseudodisk/README.md
2025-10-20 23:11:43 +02:00


pseudodisk

A comprehensive toolkit for creating disk images with various filesystems for forensic analysis practice and education.

Features

  • Multiple Filesystem Support: NTFS, FAT12/16/32, exFAT, ext2/3/4, XFS, HFS+, swap (plus unallocated space)
  • Preset Layouts: Pre-configured layouts for Windows, Linux, and macOS systems
  • Multi-Partition Support: Create up to 4 partitions in a single disk image
  • Partition Schemes: GPT (modern) and MBR (legacy)
  • Initialization Methods: Choose between /dev/zero (fast), /dev/urandom (realistic), or fallocate (sparse)
  • Interactive Configuration: User-friendly prompts for all parameters
  • Automatic Loop Device Management: Handles mounting and cleanup
  • Filesystem Availability Check: Verifies required tools before operation
  • Forensic-Ready: Pre-configured for hex editor and forensic tool analysis

Prerequisites

Required Packages

sudo apt-get update
sudo apt-get install -y \
    parted \
    util-linux \
    e2fsprogs \
    dosfstools \
    bc

Optional (for specific filesystems)

# For NTFS support
sudo apt-get install ntfs-3g

# For exFAT support (exfatprogs provides mkfs.exfat on current Debian/Ubuntu;
# older releases use the exfat-fuse and exfat-utils packages instead)
sudo apt-get install exfatprogs

# For XFS support
sudo apt-get install xfsprogs

# For HFS+ support
sudo apt-get install hfsprogs

Preset Layouts

Choose from pre-configured layouts that simulate real operating systems:

Windows Presets:

  • Windows 11/10 (GPT, EFI + NTFS + Recovery)
  • Windows Vista/7/8 (MBR, System Reserved + NTFS)
  • Windows 2000/XP (MBR, Single NTFS)
  • Windows 98/ME (MBR, Single FAT32)
  • Windows 95 (MBR, Single FAT16)
  • Windows 3.1 (MBR, Single FAT16)
  • MS-DOS (MBR, Single FAT12)

Linux Presets:

  • Modern Linux (GPT, EFI + Root + Swap)
  • Linux with /home (GPT, EFI + Root + Home)
  • Classic Linux (MBR, Boot + Root + Swap)
  • Minimal Linux (MBR, Single ext4)

macOS Presets:

  • macOS (GPT, EFI + HFS+)

Custom Layout:

  • Full manual configuration with 1-4 partitions

All presets can be customized during setup or used as-is.

Initialization Methods

The script offers three methods for creating the disk image file:

  1. /dev/zero (Recommended for most cases)

    • Fast creation speed
    • Fills image with zeros, so unallocated space and slack read back as 0x00
    • Forensically predictable and clean: filesystem structures stand out in a hex editor because they are the only non-zero bytes
    • Matches a factory-fresh or zero-wiped disk
  2. /dev/urandom (For realistic random data)

    • Slow creation speed
    • Fills image with random data
    • Closer to a disk that was wiped with random data or holds encrypted remnants: nothing in unallocated space stands out, so recovery and carving exercises have to locate structures by their signatures rather than by spotting the only non-zero bytes
    • Useful for simulating a previously used disk once you have also written and deleted files on it
  3. fallocate (Fastest)

    • Very fast: the space is reserved without being written, and unwritten regions read back as zeros
    • Whether the file is truly sparse depends on the host filesystem: on ext4 and XFS, fallocate allocates unwritten extents, so du still reports the full size; compare ls -l (apparent size) with du -h (blocks in use) to see which you got
    • Good for quick testing
    • May not suit every forensic scenario: the image contains no residue at all, and a copy made without sparse-aware tooling (dd without conv=sparse) writes out every zero

Usage

Creating a Disk Image

Run the main script with sudo:

sudo ./pseudodisk.sh

The script will:

  1. Check filesystem tool availability
  2. Interactively prompt you for:
    • Filename: Output file name (default: forensic_disk.dd)
    • Size: Choose from presets (100MB, 500MB, 1GB, 5GB, 10GB) or custom
    • Initialization Method: /dev/zero, /dev/urandom, or fallocate
    • Layout: Select a preset or custom configuration
    • For Presets: Option to use as-is or customize
    • For Custom:
      • Partition Scheme: GPT or MBR
      • Partition Count: 1-4 partitions
      • Per-Partition Configuration:
        • Filesystem type (NTFS, FAT32, exFAT, ext2/3/4, XFS, HFS+, swap, etc.)
        • Size in MB (last partition uses remaining space)
        • Volume label (except for swap)
    • Mount: Option to mount filesystems immediately after creation

Example Session (with Preset)

==========================================
  Forensic Disk Image Creator
  Enhanced Edition v2.1
==========================================

Checking filesystem tool availability...

  ✓ FAT12/16 (mkfs.fat available)
  ✓ FAT32   (mkfs.vfat available)
  ✓ exFAT   (mkfs.exfat available)
  ✓ NTFS    (mkfs.ntfs available)
  ✓ ext2    (mke2fs/mkfs.ext2 available)
  ✓ ext3    (mke2fs/mkfs.ext3 available)
  ✓ ext4    (mkfs.ext4 available)
  ✓ XFS     (mkfs.xfs available)
  ✓ HFS+    (mkfs.hfsplus available)
  ✓ swap    (mkswap available)
  ✓ Unallocated (no mkfs required)

Enter output filename (default: forensic_disk.dd): win11.dd

Disk Size Options:
  1) 100 MB  (small, quick testing)
  2) 500 MB  (medium)
  3) 1 GB    (standard)
  4) 5 GB    (large)
  5) 10 GB   (very large)
  6) Custom size

Select disk size [1-6]: 3

Initialization Method:
  1) /dev/zero   (Fast, zeros - forensically predictable)
  2) /dev/urandom (Slow, random data - more realistic)
  3) fallocate   (Fastest, sparse file)

Select initialization method [1-3]: 1

==========================================
  Disk Layout
==========================================

Layout Presets:

  Windows Presets:
    1)  Windows 11/10 (GPT, EFI + NTFS + Recovery)
    2)  Windows Vista/7/8 (MBR, System Reserved + NTFS)
    3)  Windows 2000/XP (MBR, Single NTFS)
    4)  Windows 98/ME (MBR, Single FAT32)
    5)  Windows 95 (MBR, Single FAT16)
    6)  Windows 3.1 (MBR, Single FAT16)
    7)  MS-DOS (MBR, Single FAT12)

  Linux Presets:
    8)  Modern Linux (GPT, EFI + Root + Swap)
    9)  Linux with /home (GPT, EFI + Root + Home)
    10) Classic Linux (MBR, Boot + Root + Swap)
    11) Minimal Linux (MBR, Single ext4)

  macOS Presets:
    12) macOS (GPT, EFI + HFS+)

  Custom:
    13) Custom layout (manual configuration)

Select layout [1-13]: 1

[INFO] Preset: Windows 11/10 (GPT)
[NOTE] EFI System Partition (260MB) + Main Windows (auto) + Recovery (500MB)

Customize this preset? (y/n, default: n): n
[INFO] Using preset configuration as-is

Cleaning Up

When finished with your analysis, use the cleanup script:

# Clean up a specific disk image
sudo ./cleanup.sh
# Enter filename when prompted

# Or clean up all loop devices
sudo ./cleanup.sh
# Type 'all' when prompted

Forensic Analysis Guide

Basic Hex Analysis

View raw disk structure

# Using hexdump
hexdump -C win11.dd | less

# Using xxd
xxd win11.dd | less

# View sector 0 (the MBR, or the protective MBR on a GPT image such as win11.dd)
xxd -l 512 win11.dd

# View specific offset (e.g., the MBR partition table at 0x1BE). On a GPT image the
# only entry here is the protective 0xEE entry spanning the disk; the real table
# starts with the GPT header at 0x200 (sector 1)
xxd -s 0x1BE -l 64 win11.dd

GUI Hex Editors

# Install Bless (GTK hex editor)
sudo apt-get install bless
bless win11.dd

# Or install GHex
sudo apt-get install ghex
ghex win11.dd

# Or install wxHexEditor (advanced)
sudo apt-get install wxhexeditor
wxhexeditor win11.dd

Partition Analysis

# View partition table
sudo parted win11.dd print

# Or using fdisk
sudo fdisk -l win11.dd

# For GPT, use gdisk
sudo apt-get install gdisk
sudo gdisk -l win11.dd

Using The Sleuth Kit (TSK)

# Install if not already present
sudo apt-get install sleuthkit

# Display partition layout
mmls win11.dd

# Show filesystem details. -o takes the partition's start sector from the mmls output:
# 2048 is the first partition, which in the Windows 11 preset is the EFI partition, so
# use the start sector of the NTFS partition when you want the Windows volume
fsstat -o 2048 win11.dd

# List files in filesystem
fls -o 2048 -r win11.dd

# Display file content by inode (the inode / MFT entry number is the first column of fls output)
icat -o 2048 win11.dd [inode_number]

# Show deleted files
fls -o 2048 -rd win11.dd

# Timeline analysis
fls -o 2048 -m / -r win11.dd > timeline.bodyfile
mactime -b timeline.bodyfile

Manual Loop Device Management

If you need more control over the loop device:

# Attach image to a loop device and create /dev/loopNpM nodes for its partitions
# (-P scans the partition table; without it only the whole-disk /dev/loopN appears,
# and /dev/loop0p1 below would not exist; --show prints the device that was picked)
sudo losetup -fP --show win11.dd

# List all loop devices
sudo losetup -l

# Find out which loop device is attached
sudo losetup -j win11.dd

# Mount a partition. Mount read-only while examining so the analysis itself changes
# nothing on the image; drop "ro" only for exercises that need you to write files
sudo mkdir -p /mnt/forensic
sudo mount -o ro,noexec,nosuid,nodev /dev/loop0p1 /mnt/forensic

# When done, unmount
sudo umount /mnt/forensic

# Detach loop device (fails while any of its partitions is still mounted)
sudo losetup -d /dev/loop0

Filesystem-Specific Analysis

NTFS Analysis

# View NTFS volume information
sudo apt-get install ntfs-3g
sudo ntfsinfo -m /dev/loop0p1

# Show NTFS file system usage
sudo ntfscluster -f /dev/loop0p1

# Recover deleted files
sudo apt-get install testdisk
sudo testdisk win11.dd

FAT32 Analysis

# View FAT information (-n: report only, never repair or write)
sudo fsck.vfat -n /dev/loop0p1

# Or using sleuthkit
fsstat -o 2048 win11.dd

ext4 Analysis

# Dump ext4 superblock
sudo dumpe2fs /dev/loop0p1

# Check filesystem
sudo e2fsck -n /dev/loop0p1

# Show inode information. debugfs wraps inode numbers in angle brackets;
# <2> is the root directory on every ext2/3/4 filesystem
sudo debugfs -R 'stat <2>' /dev/loop0p1

Key Forensic Structures to Examine

Master Boot Record (MBR)

  • Location: First 512 bytes (0x000-0x1FF)
  • Boot Code: 0x000-0x1BD (446 bytes)
  • Partition Table: 0x1BE-0x1FD (64 bytes, 4 entries × 16 bytes)
  • Signature: 0x1FE-0x1FF (0x55AA)

GUID Partition Table (GPT)

  • Protective MBR: Sector 0 (0x000-0x1FF), a single partition entry of type 0xEE covering the whole disk
  • GPT Header: Sector 1 (0x200-0x3FF); 92 bytes beginning with the signature "EFI PART", including a CRC32 of the header and a CRC32 of the entry array
  • Partition Entries: Sectors 2-33 (typically: 128 entries × 128 bytes = 32 sectors)
  • Backup GPT: Last sectors of disk (backup header in the final sector, preceded by a copy of the entry array)
  • These offsets assume 512-byte sectors; on a 4K-sector disk the header sits at 0x1000

NTFS Boot Sector

  • Jump Instruction: 0x000-0x002
  • OEM ID: 0x003-0x00A ("NTFS" followed by four spaces)
  • Bytes Per Sector: 0x00B-0x00C
  • Sectors Per Cluster: 0x00D (values above 0x80 encode 2^(256 − value) sectors, used for clusters larger than 64 KiB)
  • MFT Location: 0x030-0x037 (logical cluster number of $MFT; multiply by the cluster size and add the partition's byte offset to find it in the image)
  • MFT Mirror Location: 0x038-0x03F (logical cluster number of $MFTMirr)
  • Signature: 0x1FE-0x1FF (0x55AA)

FAT32 Boot Sector

  • Jump Instruction: 0x000-0x002
  • OEM Name: 0x003-0x00A
  • Bytes Per Sector: 0x00B-0x00C
  • Sectors Per Cluster: 0x00D
  • Reserved Sectors: 0x00E-0x00F (the first FAT starts immediately after them)
  • FAT Copies: 0x010
  • Sectors Per FAT: 0x024-0x027 (FAT32-specific field; the data region starts at reserved sectors + copies × sectors per FAT)
  • Root Directory Cluster: 0x02C-0x02F (normally 2, the first data cluster)
  • Filesystem Type String: 0x052-0x059 ("FAT32   ")
  • Signature: 0x1FE-0x1FF (0x55AA)
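The four structures above, walked in code. This is an added example and not part of pseudodisk: a standard-library Python script that reads the MBR table at 0x1BE, follows a protective 0xEE entry into the GPT header and entry array (verifying both CRC32 fields and checking that the backup header is where the primary says it is), then reads the boot sector at each partition start to name the filesystem and turn the fields listed above into absolute byte offsets in the image (NTFS $MFT, FAT32 first FAT and root directory). Going beyond the four listed structures, it also recognises exFAT, XFS, ext2/3/4, HFS+ and swap by their magic bytes. Assumptions: 512-byte sectors throughout; the GPT type-GUID table covers only the types the presets use; build_sample_image() constructs a synthetic 2 MiB GPT image with one NTFS partition (test data, not output of the script) so the walker can be run without root or a real image.

```python
"""Walk the on-disk structures listed above: MBR table at 0x1BE, GPT header and entry array
(both CRC32s checked), then each partition's boot sector to name the filesystem and locate its key structures."""
import mmap, struct, sys, uuid, zlib

SECTOR = 512                                                # assumption: 512-byte sectors throughout
GPT_SIG = b"EFI PART"
GPT_HDR = struct.Struct("<8sIIIIQQQQ16sQIII")               # the 92-byte GPT header, little-endian
GPT_TYPES = {"c12a7328-f81f-11d2-ba4b-00a0c93ec93b": "EFI System",     # well-known type GUIDs only
             "ebd0a0a2-b9e5-4433-87c0-68b6b72699c7": "Microsoft basic data",
             "de94bba4-06d1-4d40-a16a-bfd50179d6ac": "Windows Recovery",
             "0fc63daf-8483-4772-8e79-3d69d8477de4": "Linux filesystem"}
SIMPLE_MAGIC = [(0x03, b"EXFAT   ", "exFAT"), (0x00, b"XFSB", "XFS"), (0x400, b"H+", "HFS+"),
                (0x438, b"\x53\xef", "ext2/3/4"),             # superblock at +0x400, magic 0xEF53 at +0x38
                (4086, b"SWAPSPACE2", "swap")]                # tail of the first 4 KiB page

def parse_mbr(img):  # non-empty entries of the 4 x 16-byte table at 0x1BE, and the 0x55AA check
    entries = []
    for off in range(0x1BE, 0x1FE, 16):
        start, count = struct.unpack_from("<II", img, off + 8)
        if img[off + 4]:                                      # a zero type byte marks an unused slot
            entries.append({"bootable": img[off] == 0x80, "type": img[off + 4],
                            "start_lba": start, "sectors": count})
    return entries, img[0x1FE:0x200] == b"\x55\xaa"

def parse_gpt(img):  # primary header in sector 1, its entry array, and the integrity checks
    (sig, _rev, hsize, hcrc, _res, _cur, bak, first, last, _guid,
     ent_lba, n_ent, ent_size, ecrc) = GPT_HDR.unpack_from(img, SECTOR)
    if sig != GPT_SIG:
        raise ValueError("sector 1 carries no GPT signature")
    # the header CRC is computed over header_size bytes with the CRC field (0x10-0x13) zeroed
    hdr_crc = zlib.crc32(img[SECTOR:SECTOR + 0x10] + bytes(4) + img[SECTOR + 0x14:SECTOR + hsize])
    table = img[ent_lba * SECTOR:ent_lba * SECTOR + n_ent * ent_size]
    parts = []
    for i in range(n_ent):
        e = table[i * ent_size:(i + 1) * ent_size]
        type_guid = str(uuid.UUID(bytes_le=e[:16]))          # GUIDs are stored mixed-endian
        if type_guid != "00000000-0000-0000-0000-000000000000":
            p_first, p_last = struct.unpack_from("<QQ", e, 32)
            parts.append({"index": i, "type": GPT_TYPES.get(type_guid, type_guid), "start_lba": p_first,
                          "end_lba": p_last, "name": e[56:128].decode("utf-16-le").rstrip("\0")})
    return {"header_crc_ok": hdr_crc == hcrc, "entries_crc_ok": zlib.crc32(table) == ecrc,
            "backup_present": img[bak * SECTOR:bak * SECTOR + 8] == GPT_SIG,
            "usable_lba": (first, last), "partitions": parts}

def identify_fs(img, start_lba):  # filesystem at a partition start; boot-sector fields as absolute offsets
    base = start_lba * SECTOR
    bs = img[base:base + SECTOR]
    if bs[3:11] == b"NTFS    ":
        bps, spc = struct.unpack_from("<HB", bs, 0x0B)
        mft_lcn, = struct.unpack_from("<Q", bs, 0x30)
        cluster = bps * (spc if spc <= 0x80 else 1 << (256 - spc))  # bytes above 0x80 encode 2^(256-n)
        return {"fs": "NTFS", "cluster_bytes": cluster, "mft_offset": base + mft_lcn * cluster}
    if bs[0x52:0x5A] == b"FAT32   ":
        bps, spc, reserved, nfats = struct.unpack_from("<HBHB", bs, 0x0B)
        spf, root_cluster = struct.unpack_from("<I", bs, 0x24)[0], struct.unpack_from("<I", bs, 0x2C)[0]
        data_start = reserved + nfats * spf                      # first sector of cluster 2
        return {"fs": "FAT32", "cluster_bytes": bps * spc, "fat0_offset": base + reserved * bps,
                "root_dir_offset": base + (data_start + (root_cluster - 2) * spc) * bps}
    if bs[0x36:0x39] == b"FAT":
        return {"fs": bs[0x36:0x3E].decode().strip()}             # "FAT12" or "FAT16"
    for off, magic, name in SIMPLE_MAGIC:
        if img[base + off:base + off + len(magic)] == magic:
            return {"fs": name}
    return {"fs": "unknown"}

def layout(img):  # scheme, partition list and filesystem per partition (what mmls + fsstat report)
    entries, sig_ok = parse_mbr(img)
    if not sig_ok:
        raise ValueError("0x55AA signature missing from sector 0")
    gpt = parse_gpt(img) if len(entries) == 1 and entries[0]["type"] == 0xEE else None  # 0xEE: protective MBR
    parts = gpt["partitions"] if gpt else [dict(p, end_lba=p["start_lba"] + p["sectors"] - 1) for p in entries]
    for p in parts:
        p.update(identify_fs(img, p["start_lba"]))
    return {"scheme": "GPT" if gpt else "MBR", "gpt": gpt, "partitions": parts}

def build_sample_image(total=4096):  # constructed 2 MiB GPT image with one NTFS partition at LBA 2048
    img = bytearray(total * SECTOR)
    img[0x1BE:0x1CE] = bytes([0, 0, 2, 0, 0xEE, 0xFF, 0xFF, 0xFF]) + struct.pack("<II", 1, total - 1)
    img[0x1FE:0x200] = b"\x55\xaa"                                # protective MBR: one 0xEE entry
    last = total - 34                                             # 33 sectors kept for the backup GPT
    entry = (uuid.UUID("ebd0a0a2-b9e5-4433-87c0-68b6b72699c7").bytes_le + uuid.uuid4().bytes_le
             + struct.pack("<QQQ", 2048, last, 0) + "Basic data partition".encode("utf-16-le").ljust(72, b"\0"))
    table, disk_guid = entry.ljust(128 * 128, b"\0"), uuid.uuid4().bytes_le
    def header(cur, bak, ent_lba):                                # pack with CRC 0, then fill in the CRC
        h = bytearray(GPT_HDR.pack(GPT_SIG, 0x10000, 92, 0, 0, cur, bak, 34, last, disk_guid,
                                   ent_lba, 128, 128, zlib.crc32(table)))
        h[0x10:0x14] = struct.pack("<I", zlib.crc32(h))
        return bytes(h)
    img[SECTOR:SECTOR + 92] = header(1, total - 1, 2)             # primary header; entries in sectors 2-33
    img[2 * SECTOR:2 * SECTOR + len(table)] = table
    img[(total - 33) * SECTOR:(total - 1) * SECTOR] = table       # backup entries, then backup header
    img[(total - 1) * SECTOR:(total - 1) * SECTOR + 92] = header(total - 1, 1, total - 33)
    bs = (b"\xeb\x52\x90NTFS    " + struct.pack("<HB", 512, 8)).ljust(0x30, b"\0") + struct.pack("<Q", 4)
    img[2048 * SECTOR:2048 * SECTOR + len(bs)] = bs               # NTFS boot sector: 512 B/sector, 8 per cluster, $MFT at LCN 4
    img[2048 * SECTOR + 0x1FE:2048 * SECTOR + 0x200] = b"\x55\xaa"
    return bytes(img)

if __name__ == "__main__":                                        # python3 walk_image.py win11.dd (no argument: the sample)
    data = mmap.mmap(open(sys.argv[1], "rb").fileno(), 0, access=mmap.ACCESS_READ) if len(sys.argv) > 1 else build_sample_image()
    print(layout(data))
```

Run it against an image produced by the script and compare the partition list with mmls and the mft_offset with what fsstat reports for the NTFS volume; on a real image, a False in header_crc_ok or entries_crc_ok is itself a finding (a hand-edited partition table, or an image that was truncated), which is exactly what the partition-hiding exercise below produces.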

Practice Exercises

Beginner Level

  1. Identify Partition Scheme

    • Create disks with different Windows versions (MBR vs GPT)
    • Compare the first 512 bytes
    • Identify the signature differences
  2. Find the Filesystem Type

    • Create disks with different filesystems using presets
    • Examine boot sector signatures
    • Identify OEM strings
  3. Locate Partition Boundaries

    • Use hexdump to find partition start
    • Verify with parted output

Intermediate Level

  1. File Recovery Practice

    • Mount filesystem, create files, unmount
    • Delete files from another mount
    • Practice recovering deleted files
  2. Metadata Analysis

    • Create files with specific timestamps
    • Use TSK to extract timeline data
    • Correlate timestamps with hex data
  3. Slack Space Investigation

    • Create small files in large clusters
    • Examine slack space for data remnants
    • Understand cluster allocation

Advanced Level

  1. Hidden Data Detection

    • Hide data in slack space
    • Practice identifying hidden data
    • Compare expected vs actual cluster usage
  2. Partition Hiding

    • Create multiple partitions
    • Modify partition table
    • Practice recovering hidden partitions
  3. Anti-Forensics Techniques

    • Study timestamp manipulation
    • Examine wiping patterns
    • Analyze file system corruption
  4. Cross-OS Analysis

    • Create Windows and Linux dual-boot layout
    • Analyze different partition schemes
    • Practice identifying filesystem boundaries

Troubleshooting

Loop device not found

# Ensure loop module is loaded
sudo modprobe loop

# Check available loop devices
ls -la /dev/loop*

Permission denied

# Always use sudo for these operations
sudo ./pseudodisk.sh

Partition not showing up

# Force kernel to re-read partition table
sudo partprobe /dev/loopX

# Or detach and re-attach with partition scanning enabled (-P creates the /dev/loopXpN nodes)
sudo losetup -d /dev/loopX
sudo losetup -fP --show win11.dd

Cannot unmount - device busy

# Find what's using it
sudo lsof | grep /mnt/forensic

# Lazy unmount (use with caution): detaches the mount point now and completes once the
# last process using it exits; until then the loop device stays busy and losetup -d fails
sudo umount -l /mnt/forensic

Notes on Filesystem Support

  • NTFS: Read/write via ntfs-3g (FUSE) or the in-kernel ntfs3 driver (Linux 5.15 and later); mkfs.ntfs and ntfsinfo come from the ntfs-3g package
  • FAT12/16/32: Full support on all Linux systems (mkfs.fat from dosfstools)
  • exFAT: In-kernel driver since Linux 5.4; mkfs.exfat comes from exfatprogs (exfat-utils on older releases)
  • ext2/3/4: Native Linux support
  • XFS: Native Linux support
  • HFS+: Limited support (the kernel hfsplus driver mounts journaled volumes read-only); mkfs.hfsplus comes from hfsprogs
  • APFS: No in-tree Linux support (requires macOS)