mstoeck3/pseudodisk
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
pseudodisk/README.md
overcuriousity 217951b632 updates, remove apfs
2025-10-20 23:11:43 +02:00

484 lines
12 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# pseudodisk
A comprehensive toolkit for creating disk images with various filesystems for forensic analysis practice and education.
## Features
- **Multiple Filesystem Support**: NTFS, FAT32, exFAT, ext2/3/4, XFS, HFS+, swap
- **Preset Layouts**: Pre-configured layouts for Windows, Linux, and macOS systems
- **Multi-Partition Support**: Create up to 4 partitions in a single disk image
- **Partition Schemes**: GPT (modern) and MBR (legacy)
- **Initialization Methods**: Choose between /dev/zero (fast), /dev/urandom (realistic), or fallocate (sparse)
- **Interactive Configuration**: User-friendly prompts for all parameters
- **Automatic Loop Device Management**: Handles mounting and cleanup
- **Filesystem Availability Check**: Verifies required tools before operation
- **Forensic-Ready**: Pre-configured for hex editor and forensic tool analysis
## Prerequisites
### Required Packages
```bash
sudo apt-get update
sudo apt-get install -y \
parted \
util-linux \
e2fsprogs \
dosfstools \
bc
```
### Optional (for specific filesystems)
```bash
# For NTFS support
sudo apt-get install ntfs-3g
# For exFAT support
sudo apt-get install exfat-fuse exfat-utils
# For XFS support
sudo apt-get install xfsprogs
# For HFS+ support
sudo apt-get install hfsprogs
```
## Preset Layouts
Choose from pre-configured layouts that simulate real operating systems:
**Windows Presets:**
- Windows 11/10 (GPT, EFI + NTFS + Recovery)
- Windows Vista/7/8 (MBR, System Reserved + NTFS)
- Windows 2000/XP (MBR, Single NTFS)
- Windows 98/ME (MBR, Single FAT32)
- Windows 95 (MBR, Single FAT16)
- Windows 3.1 (MBR, Single FAT16)
- MS-DOS (MBR, Single FAT12)
**Linux Presets:**
- Modern Linux (GPT, EFI + Root + Swap)
- Linux with /home (GPT, EFI + Root + Home)
- Classic Linux (MBR, Boot + Root + Swap)
- Minimal Linux (MBR, Single ext4)
**macOS Presets:**
- macOS (GPT, EFI + HFS+)
**Custom Layout:**
- Full manual configuration with 1-4 partitions
All presets can be customized during setup or used as-is.
## Initialization Methods
The script offers three methods for creating the disk image file:
1. **`/dev/zero`** (Recommended for most cases)
- Fast creation speed
- Fills image with zeros
- Forensically predictable and clean
- Creates realistic empty disk structure
2. **`/dev/urandom`** (For realistic random data)
- Slow creation speed
- Fills image with random data
- More realistic for testing data recovery
- Useful for simulating previously used disks
3. **`fallocate`** (Fastest)
- Very fast, creates sparse file
- Does not actually write data to disk initially
- Good for quick testing
- May not be suitable for all forensic scenarios
## Usage
### Creating a Disk Image
Run the main script with sudo:
```bash
sudo ./pseudodisk.sh
```
The script will:
1. Check filesystem tool availability
2. Interactively prompt you for:
- **Filename**: Output file name (default: forensic_disk.dd)
- **Size**: Choose from presets (100MB, 500MB, 1GB, 5GB, 10GB) or custom
- **Initialization Method**: /dev/zero, /dev/urandom, or fallocate
- **Layout**: Select a preset or custom configuration
- **For Presets**: Option to use as-is or customize
- **For Custom**:
- Partition Scheme: GPT or MBR
- Partition Count: 1-4 partitions
- Per-Partition Configuration:
- Filesystem type (NTFS, FAT32, exFAT, ext2/3/4, XFS, HFS+, swap, etc.)
- Size in MB (last partition uses remaining space)
- Volume label (except for swap)
- **Mount**: Option to mount filesystems immediately after creation
### Example Session (with Preset)
```
==========================================
Forensic Disk Image Creator
Enhanced Edition v2.1
==========================================
Checking filesystem tool availability...
✓ FAT12/16 (mkfs.fat available)
✓ FAT32 (mkfs.vfat available)
✓ exFAT (mkfs.exfat available)
✓ NTFS (mkfs.ntfs available)
✓ ext2 (mke2fs/mkfs.ext2 available)
✓ ext3 (mke2fs/mkfs.ext3 available)
✓ ext4 (mkfs.ext4 available)
✓ XFS (mkfs.xfs available)
✓ HFS+ (mkfs.hfsplus available)
✓ swap (mkswap available)
✓ Unallocated (no mkfs required)
Enter output filename (default: forensic_disk.dd): win11.dd
Disk Size Options:
1) 100 MB (small, quick testing)
2) 500 MB (medium)
3) 1 GB (standard)
4) 5 GB (large)
5) 10 GB (very large)
6) Custom size
Select disk size [1-6]: 3
Initialization Method:
1) /dev/zero (Fast, zeros - forensically predictable)
2) /dev/urandom (Slow, random data - more realistic)
3) fallocate (Fastest, sparse file)
Select initialization method [1-3]: 1
==========================================
Disk Layout
==========================================
Layout Presets:
Windows Presets:
1) Windows 11/10 (GPT, EFI + NTFS + Recovery)
2) Windows Vista/7/8 (MBR, System Reserved + NTFS)
3) Windows 2000/XP (MBR, Single NTFS)
4) Windows 98/ME (MBR, Single FAT32)
5) Windows 95 (MBR, Single FAT16)
6) Windows 3.1 (MBR, Single FAT16)
7) MS-DOS (MBR, Single FAT12)
Linux Presets:
8) Modern Linux (GPT, EFI + Root + Swap)
9) Linux with /home (GPT, EFI + Root + Home)
10) Classic Linux (MBR, Boot + Root + Swap)
11) Minimal Linux (MBR, Single ext4)
macOS Presets:
12) macOS (GPT, EFI + HFS+)
Custom:
13) Custom layout (manual configuration)
Select layout [1-13]: 1
[INFO] Preset: Windows 11/10 (GPT)
[NOTE] EFI System Partition (260MB) + Main Windows (auto) + Recovery (500MB)
Customize this preset? (y/n, default: n): n
[INFO] Using preset configuration as-is
```
### Cleaning Up
When finished with your analysis, use the cleanup script:
```bash
# Clean up a specific disk image
sudo ./cleanup.sh
# Enter filename when prompted
# Or clean up all loop devices
sudo ./cleanup.sh
# Type 'all' when prompted
```
## Forensic Analysis Guide
### Basic Hex Analysis
#### View raw disk structure
```bash
# Using hexdump
hexdump -C win11.dd | less
# Using xxd
xxd win11.dd | less
# View first 512 bytes (boot sector)
xxd -l 512 win11.dd
# View specific offset (e.g., partition table at 0x1BE for MBR)
xxd -s 0x1BE -l 64 win11.dd
```
#### GUI Hex Editors
```bash
# Install Bless (GTK hex editor)
sudo apt-get install bless
bless win11.dd
# Or install GHex
sudo apt-get install ghex
ghex win11.dd
# Or install wxHexEditor (advanced)
sudo apt-get install wxhexeditor
wxhexeditor win11.dd
```
### Partition Analysis
```bash
# View partition table
sudo parted win11.dd print
# Or using fdisk
sudo fdisk -l win11.dd
# For GPT, use gdisk
sudo apt-get install gdisk
sudo gdisk -l win11.dd
```
### Using The Sleuth Kit (TSK)
```bash
# Install if not already present
sudo apt-get install sleuthkit
# Display partition layout
mmls win11.dd
# Show filesystem details (offset from mmls output)
fsstat -o 2048 win11.dd
# List files in filesystem
fls -o 2048 -r win11.dd
# Display file content by inode
icat -o 2048 win11.dd [inode_number]
# Show deleted files
fls -o 2048 -rd win11.dd
# Timeline analysis
fls -o 2048 -m / -r win11.dd > timeline.bodyfile
mactime -b timeline.bodyfile
```
### Manual Loop Device Management
If you need more control over the loop device:
```bash
# Attach image to loop device
sudo losetup -f win11.dd
# List all loop devices
sudo losetup -l
# Find out which loop device is attached
sudo losetup -j win11.dd
# Mount the partition
sudo mkdir -p /mnt/forensic
sudo mount /dev/loop0p1 /mnt/forensic
# When done, unmount
sudo umount /mnt/forensic
# Detach loop device
sudo losetup -d /dev/loop0
```
### Filesystem-Specific Analysis
#### NTFS Analysis
```bash
# View NTFS volume information
sudo apt-get install ntfs-3g
sudo ntfsinfo -m /dev/loop0p1
# Show NTFS file system usage
sudo ntfscluster -f /dev/loop0p1
# Recover deleted files
sudo apt-get install testdisk
sudo testdisk win11.dd
```
#### FAT32 Analysis
```bash
# View FAT information
sudo fsck.vfat -n /dev/loop0p1
# Or using sleuthkit
fsstat -o 2048 win11.dd
```
#### ext4 Analysis
```bash
# Dump ext4 superblock
sudo dumpe2fs /dev/loop0p1
# Check filesystem
sudo e2fsck -n /dev/loop0p1
# Show inode information
sudo debugfs -R 'stat <inode>' /dev/loop0p1
```
## Key Forensic Structures to Examine
### Master Boot Record (MBR)
- **Location**: First 512 bytes (0x000-0x1FF)
- **Boot Code**: 0x000-0x1BD (446 bytes)
- **Partition Table**: 0x1BE-0x1FD (64 bytes, 4 entries × 16 bytes)
- **Signature**: 0x1FE-0x1FF (0x55AA)
### GUID Partition Table (GPT)
- **Protective MBR**: Sector 0 (0x000-0x1FF)
- **GPT Header**: Sector 1 (0x200-0x3FF)
- **Partition Entries**: Sectors 2-33 (typically)
- **Backup GPT**: Last sectors of disk
### NTFS Boot Sector
- **Jump Instruction**: 0x000-0x002
- **OEM ID**: 0x003-0x00A ("NTFS ")
- **Bytes Per Sector**: 0x00B-0x00C
- **Sectors Per Cluster**: 0x00D
- **MFT Location**: 0x030-0x037
- **Signature**: 0x1FE-0x1FF (0x55AA)
### FAT32 Boot Sector
- **Jump Instruction**: 0x000-0x002
- **OEM Name**: 0x003-0x00A
- **Bytes Per Sector**: 0x00B-0x00C
- **Sectors Per Cluster**: 0x00D
- **FAT Copies**: 0x010
- **Signature**: 0x1FE-0x1FF (0x55AA)
## Practice Exercises
### Beginner Level
1. **Identify Partition Scheme**
- Create disks with different Windows versions (MBR vs GPT)
- Compare the first 512 bytes
- Identify the signature differences
2. **Find the Filesystem Type**
- Create disks with different filesystems using presets
- Examine boot sector signatures
- Identify OEM strings
3. **Locate Partition Boundaries**
- Use hexdump to find partition start
- Verify with `parted` output
### Intermediate Level
4. **File Recovery Practice**
- Mount filesystem, create files, unmount
- Delete files from another mount
- Practice recovering deleted files
5. **Metadata Analysis**
- Create files with specific timestamps
- Use TSK to extract timeline data
- Correlate timestamps with hex data
6. **Slack Space Investigation**
- Create small files in large clusters
- Examine slack space for data remnants
- Understand cluster allocation
### Advanced Level
7. **Steganography Detection**
- Hide data in slack space
- Practice identifying hidden data
- Compare expected vs actual cluster usage
8. **Partition Hiding**
- Create multiple partitions
- Modify partition table
- Practice recovering hidden partitions
9. **Anti-Forensics Techniques**
- Study timestamp manipulation
- Examine wiping patterns
- Analyze file system corruption
10. **Cross-OS Analysis**
- Create Windows and Linux dual-boot layout
- Analyze different partition schemes
- Practice identifying filesystem boundaries
## Troubleshooting
### Loop device not found
```bash
# Ensure loop module is loaded
sudo modprobe loop
# Check available loop devices
ls -la /dev/loop*
```
### Permission denied
```bash
# Always use sudo for these operations
sudo ./pseudodisk.sh
```
### Partition not showing up
```bash
# Force kernel to re-read partition table
sudo partprobe /dev/loopX
# Or detach and re-attach
sudo losetup -d /dev/loopX
sudo losetup -f win11.dd
```
### Cannot unmount - device busy
```bash
# Find what's using it
sudo lsof | grep /mnt/forensic
# Force unmount (use with caution)
sudo umount -l /mnt/forensic
```
## Notes on Filesystem Support
- **NTFS**: Full read/write support via ntfs-3g
- **FAT12/16/32**: Full support on all Linux systems
- **exFAT**: Requires exfatprogs or exfat-utils
- **ext2/3/4**: Native Linux support
- **XFS**: Native Linux support
- **HFS+**: Limited support (often read-only on Linux)
- **APFS**: Not supported on Linux (requires macOS)
Reference in New Issue View Git Blame Copy Permalink