394 lines
10 KiB
Bash
Executable File
394 lines
10 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
# Forensic Practice Disk Image Creator
|
|
# Creates disk images with various filesystems for forensic analysis practice
|
|
|
|
set -e # Exit on error
|
|
|
|
# Color codes for output
|
|
RED='\033[0;31m'
|
|
GREEN='\033[0;32m'
|
|
YELLOW='\033[1;33m'
|
|
BLUE='\033[0;34m'
|
|
NC='\033[0m' # No Color
|
|
|
|
# Function to print colored messages
|
|
print_info() {
|
|
echo -e "${BLUE}[INFO]${NC} $1"
|
|
}
|
|
|
|
print_success() {
|
|
echo -e "${GREEN}[SUCCESS]${NC} $1"
|
|
}
|
|
|
|
print_warning() {
|
|
echo -e "${YELLOW}[WARNING]${NC} $1"
|
|
}
|
|
|
|
print_error() {
|
|
echo -e "${RED}[ERROR]${NC} $1"
|
|
}
|
|
|
|
# Check if running as root
|
|
check_root() {
|
|
if [ "$EUID" -ne 0 ]; then
|
|
print_error "This script must be run as root (use sudo)"
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
# Function to check required tools
|
|
check_dependencies() {
|
|
local missing_tools=()
|
|
|
|
command -v dd >/dev/null 2>&1 || missing_tools+=("coreutils")
|
|
command -v losetup >/dev/null 2>&1 || missing_tools+=("util-linux")
|
|
command -v parted >/dev/null 2>&1 || missing_tools+=("parted")
|
|
command -v mkfs.ext4 >/dev/null 2>&1 || missing_tools+=("e2fsprogs")
|
|
|
|
if [ ${#missing_tools[@]} -gt 0 ]; then
|
|
print_error "Missing required packages: ${missing_tools[*]}"
|
|
print_info "Install with: sudo apt-get install ${missing_tools[*]}"
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
# Display banner
|
|
show_banner() {
|
|
echo ""
|
|
echo "=========================================="
|
|
echo " Forensic Disk Image Creator"
|
|
echo "=========================================="
|
|
echo ""
|
|
}
|
|
|
|
# Get filename from user
|
|
get_filename() {
|
|
echo ""
|
|
read -p "Enter output filename (default: forensic_disk.dd): " FILENAME
|
|
FILENAME=${FILENAME:-forensic_disk.dd}
|
|
|
|
if [ -f "$FILENAME" ]; then
|
|
read -p "File already exists. Overwrite? (y/n): " OVERWRITE
|
|
if [ "$OVERWRITE" != "y" ]; then
|
|
print_info "Exiting..."
|
|
exit 0
|
|
fi
|
|
fi
|
|
}
|
|
|
|
# Get disk size from user
|
|
get_disk_size() {
|
|
echo ""
|
|
echo "Disk Size Options:"
|
|
echo " 1) 100 MB (small, quick testing)"
|
|
echo " 2) 500 MB (medium)"
|
|
echo " 3) 1 GB (standard)"
|
|
echo " 4) 5 GB (large)"
|
|
echo " 5) Custom size"
|
|
echo ""
|
|
read -p "Select disk size [1-5]: " SIZE_CHOICE
|
|
|
|
case $SIZE_CHOICE in
|
|
1) DISK_SIZE_MB=100 ;;
|
|
2) DISK_SIZE_MB=500 ;;
|
|
3) DISK_SIZE_MB=1024 ;;
|
|
4) DISK_SIZE_MB=5120 ;;
|
|
5)
|
|
read -p "Enter size in MB: " DISK_SIZE_MB
|
|
if ! [[ "$DISK_SIZE_MB" =~ ^[0-9]+$ ]] || [ "$DISK_SIZE_MB" -lt 10 ]; then
|
|
print_error "Invalid size. Must be at least 10 MB"
|
|
exit 1
|
|
fi
|
|
;;
|
|
*)
|
|
print_error "Invalid choice"
|
|
exit 1
|
|
;;
|
|
esac
|
|
|
|
print_info "Selected disk size: ${DISK_SIZE_MB} MB"
|
|
}
|
|
|
|
# Get partition scheme
|
|
get_partition_scheme() {
|
|
echo ""
|
|
echo "Partition Scheme:"
|
|
echo " 1) GPT (GUID Partition Table) - Modern, Windows 10/11 default"
|
|
echo " 2) MBR (Master Boot Record) - Legacy, compatible with older systems"
|
|
echo ""
|
|
read -p "Select partition scheme [1-2]: " PARTITION_CHOICE
|
|
|
|
case $PARTITION_CHOICE in
|
|
1) PARTITION_SCHEME="gpt" ;;
|
|
2) PARTITION_SCHEME="msdos" ;;
|
|
*)
|
|
print_error "Invalid choice"
|
|
exit 1
|
|
;;
|
|
esac
|
|
|
|
print_info "Selected partition scheme: $PARTITION_SCHEME"
|
|
}
|
|
|
|
# Get filesystem type
|
|
get_filesystem() {
|
|
echo ""
|
|
echo "Filesystem Type:"
|
|
echo " 1) NTFS (Windows default, requires ntfs-3g)"
|
|
echo " 2) FAT32 (Universal compatibility, 4GB file limit)"
|
|
echo " 3) exFAT (Modern, large file support)"
|
|
echo " 4) ext4 (Linux default)"
|
|
echo " 5) ext3 (Older Linux)"
|
|
echo " 6) ext2 (Legacy Linux, no journaling)"
|
|
echo " 7) XFS (High-performance Linux)"
|
|
echo ""
|
|
read -p "Select filesystem [1-7]: " FS_CHOICE
|
|
|
|
case $FS_CHOICE in
|
|
1)
|
|
FILESYSTEM="ntfs"
|
|
if ! command -v mkfs.ntfs >/dev/null 2>&1; then
|
|
print_error "mkfs.ntfs not found. Install with: sudo apt-get install ntfs-3g"
|
|
exit 1
|
|
fi
|
|
;;
|
|
2) FILESYSTEM="vfat" ;;
|
|
3)
|
|
FILESYSTEM="exfat"
|
|
if ! command -v mkfs.exfat >/dev/null 2>&1; then
|
|
print_error "mkfs.exfat not found. Install with: sudo apt-get install exfat-utils"
|
|
exit 1
|
|
fi
|
|
;;
|
|
4) FILESYSTEM="ext4" ;;
|
|
5) FILESYSTEM="ext3" ;;
|
|
6) FILESYSTEM="ext2" ;;
|
|
7)
|
|
FILESYSTEM="xfs"
|
|
if ! command -v mkfs.xfs >/dev/null 2>&1; then
|
|
print_error "mkfs.xfs not found. Install with: sudo apt-get install xfsprogs"
|
|
exit 1
|
|
fi
|
|
;;
|
|
*)
|
|
print_error "Invalid choice"
|
|
exit 1
|
|
;;
|
|
esac
|
|
|
|
print_info "Selected filesystem: $FILESYSTEM"
|
|
}
|
|
|
|
# Get volume label
|
|
get_volume_label() {
|
|
echo ""
|
|
read -p "Enter volume label (default: FORENSIC): " VOLUME_LABEL
|
|
VOLUME_LABEL=${VOLUME_LABEL:-FORENSIC}
|
|
}
|
|
|
|
# Create the disk image
|
|
create_disk_image() {
|
|
print_info "Creating disk image file: $FILENAME (${DISK_SIZE_MB} MB)..."
|
|
|
|
# Use fallocate for faster creation if available
|
|
if command -v fallocate >/dev/null 2>&1; then
|
|
fallocate -l ${DISK_SIZE_MB}M "$FILENAME"
|
|
else
|
|
dd if=/dev/zero of="$FILENAME" bs=1M count=$DISK_SIZE_MB status=progress
|
|
fi
|
|
|
|
print_success "Disk image created"
|
|
}
|
|
|
|
# Setup loop device
|
|
setup_loop_device() {
|
|
print_info "Setting up loop device..."
|
|
LOOP_DEVICE=$(losetup -f)
|
|
losetup "$LOOP_DEVICE" "$FILENAME"
|
|
print_success "Loop device created: $LOOP_DEVICE"
|
|
}
|
|
|
|
# Create partition table and partition
|
|
create_partitions() {
|
|
print_info "Creating $PARTITION_SCHEME partition table..."
|
|
|
|
parted -s "$LOOP_DEVICE" mklabel "$PARTITION_SCHEME"
|
|
|
|
print_info "Creating partition..."
|
|
|
|
if [ "$PARTITION_SCHEME" = "gpt" ]; then
|
|
# For GPT, leave 1MB at start and end for alignment
|
|
parted -s "$LOOP_DEVICE" mkpart primary 1MiB 100%
|
|
else
|
|
# For MBR
|
|
parted -s "$LOOP_DEVICE" mkpart primary 1MiB 100%
|
|
fi
|
|
|
|
# Inform kernel about partition table changes
|
|
partprobe "$LOOP_DEVICE"
|
|
sleep 1
|
|
|
|
print_success "Partition created"
|
|
}
|
|
|
|
# Format the partition
|
|
format_partition() {
|
|
PARTITION="${LOOP_DEVICE}p1"
|
|
|
|
# Check if partition device exists
|
|
if [ ! -e "$PARTITION" ]; then
|
|
print_warning "Partition device $PARTITION not found, trying alternative..."
|
|
PARTITION="${LOOP_DEVICE}1"
|
|
fi
|
|
|
|
if [ ! -e "$PARTITION" ]; then
|
|
print_error "Cannot find partition device"
|
|
cleanup
|
|
exit 1
|
|
fi
|
|
|
|
print_info "Formatting partition with $FILESYSTEM filesystem..."
|
|
|
|
case $FILESYSTEM in
|
|
ntfs)
|
|
mkfs.ntfs -f -L "$VOLUME_LABEL" "$PARTITION"
|
|
;;
|
|
vfat)
|
|
mkfs.vfat -n "$VOLUME_LABEL" "$PARTITION"
|
|
;;
|
|
exfat)
|
|
mkfs.exfat -n "$VOLUME_LABEL" "$PARTITION"
|
|
;;
|
|
ext2|ext3|ext4)
|
|
mkfs."$FILESYSTEM" -L "$VOLUME_LABEL" "$PARTITION"
|
|
;;
|
|
xfs)
|
|
mkfs.xfs -f -L "$VOLUME_LABEL" "$PARTITION"
|
|
;;
|
|
esac
|
|
|
|
print_success "Filesystem created"
|
|
}
|
|
|
|
# Cleanup function
|
|
cleanup() {
|
|
if [ -n "$LOOP_DEVICE" ]; then
|
|
print_info "Cleaning up loop device..."
|
|
losetup -d "$LOOP_DEVICE" 2>/dev/null || true
|
|
fi
|
|
}
|
|
|
|
# Mount the filesystem
|
|
mount_filesystem() {
|
|
echo ""
|
|
read -p "Do you want to mount the filesystem now? (y/n): " MOUNT_NOW
|
|
|
|
if [ "$MOUNT_NOW" = "y" ]; then
|
|
MOUNT_POINT="/mnt/forensic_disk_$$"
|
|
mkdir -p "$MOUNT_POINT"
|
|
|
|
print_info "Mounting to $MOUNT_POINT..."
|
|
mount "$PARTITION" "$MOUNT_POINT"
|
|
|
|
print_success "Filesystem mounted at: $MOUNT_POINT"
|
|
print_info "To unmount: sudo umount $MOUNT_POINT"
|
|
|
|
MOUNTED=true
|
|
fi
|
|
}
|
|
|
|
# Display summary
|
|
show_summary() {
|
|
echo ""
|
|
echo "=========================================="
|
|
echo " Disk Image Creation Complete!"
|
|
echo "=========================================="
|
|
echo ""
|
|
echo "Image File: $(realpath $FILENAME)"
|
|
echo "Size: ${DISK_SIZE_MB} MB"
|
|
echo "Partition Scheme: $PARTITION_SCHEME"
|
|
echo "Filesystem: $FILESYSTEM"
|
|
echo "Volume Label: $VOLUME_LABEL"
|
|
echo "Loop Device: $LOOP_DEVICE"
|
|
echo "Partition: $PARTITION"
|
|
if [ "$MOUNTED" = true ]; then
|
|
echo "Mount Point: $MOUNT_POINT"
|
|
fi
|
|
echo ""
|
|
echo "=========================================="
|
|
echo " Forensic Analysis Commands"
|
|
echo "=========================================="
|
|
echo ""
|
|
echo "View partition table:"
|
|
echo " sudo parted $FILENAME print"
|
|
echo " sudo fdisk -l $FILENAME"
|
|
echo ""
|
|
echo "Hex editor analysis:"
|
|
echo " hexdump -C $FILENAME | less"
|
|
echo " xxd $FILENAME | less"
|
|
echo " sudo apt-get install bless # GUI hex editor"
|
|
echo " bless $FILENAME"
|
|
echo ""
|
|
echo "Mount the image later:"
|
|
echo " sudo losetup -f $FILENAME"
|
|
echo " sudo losetup -l # List loop devices"
|
|
echo " sudo mount /dev/loopXp1 /mnt/mountpoint"
|
|
echo ""
|
|
echo "Analyze with forensic tools:"
|
|
echo " sudo apt-get install sleuthkit"
|
|
echo " mmls $FILENAME # Show partition layout"
|
|
echo " fsstat -o 2048 $FILENAME # Filesystem details"
|
|
echo " fls -o 2048 $FILENAME # List files"
|
|
echo ""
|
|
echo "Clean up (when done):"
|
|
if [ "$MOUNTED" = true ]; then
|
|
echo " sudo umount $MOUNT_POINT"
|
|
fi
|
|
echo " sudo losetup -d $LOOP_DEVICE"
|
|
echo ""
|
|
}
|
|
|
|
# Trap to ensure cleanup on exit
|
|
trap cleanup EXIT
|
|
|
|
# Main execution
|
|
main() {
|
|
show_banner
|
|
check_root
|
|
check_dependencies
|
|
|
|
get_filename
|
|
get_disk_size
|
|
get_partition_scheme
|
|
get_filesystem
|
|
get_volume_label
|
|
|
|
echo ""
|
|
echo "=========================================="
|
|
echo " Summary"
|
|
echo "=========================================="
|
|
echo "Filename: $FILENAME"
|
|
echo "Size: ${DISK_SIZE_MB} MB"
|
|
echo "Partition Scheme: $PARTITION_SCHEME"
|
|
echo "Filesystem: $FILESYSTEM"
|
|
echo "Volume Label: $VOLUME_LABEL"
|
|
echo ""
|
|
read -p "Proceed with creation? (y/n): " CONFIRM
|
|
|
|
if [ "$CONFIRM" != "y" ]; then
|
|
print_info "Cancelled"
|
|
exit 0
|
|
fi
|
|
|
|
create_disk_image
|
|
setup_loop_device
|
|
create_partitions
|
|
format_partition
|
|
mount_filesystem
|
|
|
|
show_summary
|
|
}
|
|
|
|
# Run main function
|
|
main |