pseudodisk
A comprehensive toolkit for creating disk images with various filesystems for forensic analysis practice and education.
Features
- Multiple Filesystem Support: NTFS, FAT32, exFAT, ext2/3/4, XFS, swap
- Multi-Partition Support: Create up to 4 partitions in a single disk image
- Partition Schemes: GPT (modern) and MBR (legacy)
- Initialization Methods: Choose between /dev/zero (fast), /dev/urandom (realistic), or fallocate (sparse)
- Interactive Configuration: User-friendly prompts for all parameters
- Automatic Loop Device Management: Handles mounting and cleanup
- Filesystem Availability Check: Verifies required tools before operation
- Forensic-Ready: Pre-configured for hex editor and forensic tool analysis
Prerequisites
Required Packages
sudo apt-get update
sudo apt-get install -y \
parted \
util-linux \
e2fsprogs \
dosfstools \
bc
Optional (for specific filesystems)
# For NTFS support
sudo apt-get install ntfs-3g
# For exFAT support
sudo apt-get install exfat-fuse exfat-utils
# For XFS support
sudo apt-get install xfsprogs
# For forensic analysis tools
sudo apt-get install sleuthkit
Initialization Methods
The script offers three methods for creating the disk image file:
-
/dev/zero(Recommended for most cases)- Fast creation speed
- Fills image with zeros
- Forensically predictable and clean
- Creates realistic empty disk structure
-
/dev/urandom(For realistic random data)- Slow creation speed
- Fills image with random data
- More realistic for testing data recovery
- Useful for simulating previously used disks
-
fallocate(Fastest)- Very fast, creates sparse file
- Does not actually write data to disk initially
- Good for quick testing
- May not be suitable for all forensic scenarios
Multi-Partition Support
Create complex disk layouts with up to 4 partitions:
- Each partition can have a different filesystem
- Mix operating system types (Windows NTFS + Linux ext4)
- Include swap partitions for realistic Linux setups
- The last partition automatically uses remaining space
- Perfect for practicing partition table analysis
Usage
Creating a Disk Image
Run the main script with sudo:
sudo ./pseudodisk.sh
The script will:
- Check filesystem tool availability
- Interactively prompt you for:
- Filename: Output file name (default: forensic_disk.dd)
- Size: Choose from presets (100MB, 500MB, 1GB, 5GB) or custom
- Initialization Method: /dev/zero, /dev/urandom, or fallocate
- Partition Scheme: GPT or MBR
- Partition Count: 1-4 partitions
- Per-Partition Configuration:
- Filesystem type (NTFS, FAT32, exFAT, ext2/3/4, XFS, swap)
- Size in MB (last partition uses remaining space)
- Volume label (except for swap)
- Mount: Option to mount filesystems immediately after creation
Example Session
==========================================
Forensic Disk Image Creator
==========================================
Checking filesystem tool availability...
✓ NTFS (mkfs.ntfs available)
✓ FAT32 (mkfs.vfat available)
✓ exFAT (mkfs.exfat available)
✓ ext2/3/4 (mkfs.ext4 available)
✓ XFS (mkfs.xfs available)
✓ swap (mkswap available)
Enter output filename (default: forensic_disk.dd): ntfsdisk.dd
Disk Size Options:
1) 100 MB (small, quick testing)
2) 500 MB (medium)
3) 1 GB (standard)
4) 5 GB (large)
5) Custom size
Select disk size [1-5]: 2
Initialization Method:
1) /dev/zero (Fast, zeros - forensically predictable)
2) /dev/random (Slow, random data - more realistic)
3) fallocate (Fastest, sparse file)
Select initialization method [1-3]: 1
Partition Scheme:
1) GPT (GUID Partition Table) - Modern, Windows 10/11 default
2) MBR (Master Boot Record) - Legacy, compatible with older systems
Select partition scheme [1-2]: 1
How many partitions? (1-4): 2
==========================================
Partition 1 Configuration
==========================================
Filesystem Type:
1) NTFS (Windows default)
2) FAT32 (Universal compatibility)
3) exFAT (Modern, large file support)
4) ext4 (Linux default)
5) ext3 (Older Linux)
6) ext2 (Legacy Linux, no journaling)
7) XFS (High-performance Linux)
8) swap (Linux swap space)
Select filesystem for partition 1 [1-8]: 1
Size for partition 1 in MB: 400
Volume label for partition 1 (default: PART1): EVIDENCE
==========================================
Partition 2 Configuration
==========================================
Filesystem Type:
1) NTFS (Windows default)
2) FAT32 (Universal compatibility)
3) exFAT (Modern, large file support)
4) ext4 (Linux default)
5) ext3 (Older Linux)
6) ext2 (Legacy Linux, no journaling)
7) XFS (High-performance Linux)
8) swap (Linux swap space)
Select filesystem for partition 2 [1-8]: 4
[INFO] Partition 2 will use remaining space
Volume label for partition 2 (default: PART2): DATA
Cleaning Up
When finished with your analysis, use the cleanup script:
# Clean up a specific disk image
sudo ./cleanup.sh
# Enter filename when prompted
# Or clean up all loop devices
sudo ./cleanup.sh
# Type 'all' when prompted
Forensic Analysis Guide
Basic Hex Analysis
View raw disk structure
# Using hexdump
hexdump -C ntfsdisk.dd | less
# Using xxd
xxd ntfsdisk.dd | less
# View first 512 bytes (boot sector)
xxd -l 512 ntfsdisk.dd
# View specific offset (e.g., partition table at 0x1BE for MBR)
xxd -s 0x1BE -l 64 ntfsdisk.dd
GUI Hex Editors
# Install Bless (GTK hex editor)
sudo apt-get install bless
bless ntfsdisk.dd
# Or install GHex
sudo apt-get install ghex
ghex ntfsdisk.dd
# Or install wxHexEditor (advanced)
sudo apt-get install wxhexeditor
wxhexeditor ntfsdisk.dd
Partition Analysis
# View partition table
sudo parted ntfsdisk.dd print
# Or using fdisk
sudo fdisk -l ntfsdisk.dd
# For GPT, use gdisk
sudo apt-get install gdisk
sudo gdisk -l ntfsdisk.dd
Using The Sleuth Kit (TSK)
# Install if not already present
sudo apt-get install sleuthkit
# Display partition layout
mmls ntfsdisk.dd
# Show filesystem details (offset from mmls output)
fsstat -o 2048 ntfsdisk.dd
# List files in filesystem
fls -o 2048 -r ntfsdisk.dd
# Display file content by inode
icat -o 2048 ntfsdisk.dd [inode_number]
# Show deleted files
fls -o 2048 -rd ntfsdisk.dd
# Timeline analysis
fls -o 2048 -m / -r ntfsdisk.dd > timeline.bodyfile
mactime -b timeline.bodyfile
Manual Loop Device Management
If you need more control over the loop device:
# Attach image to loop device
sudo losetup -f ntfsdisk.dd
# List all loop devices
sudo losetup -l
# Find out which loop device is attached
sudo losetup -j ntfsdisk.dd
# Mount the partition
sudo mkdir -p /mnt/forensic
sudo mount /dev/loop0p1 /mnt/forensic
# When done, unmount
sudo umount /mnt/forensic
# Detach loop device
sudo losetup -d /dev/loop0
Filesystem-Specific Analysis
NTFS Analysis
# View NTFS volume information
sudo apt-get install ntfs-3g
sudo ntfsinfo -m /dev/loop0p1
# Show NTFS file system usage
sudo ntfscluster -f /dev/loop0p1
# Recover deleted files
sudo apt-get install testdisk
sudo testdisk ntfsdisk.dd
FAT32 Analysis
# View FAT information
sudo fsck.vfat -n /dev/loop0p1
# Or using sleuthkit
fsstat -o 2048 ntfsdisk.dd
ext4 Analysis
# Dump ext4 superblock
sudo dumpe2fs /dev/loop0p1
# Check filesystem
sudo e2fsck -n /dev/loop0p1
# Show inode information
sudo debugfs -R 'stat <inode>' /dev/loop0p1
Key Forensic Structures to Examine
Master Boot Record (MBR)
- Location: First 512 bytes (0x000-0x1FF)
- Boot Code: 0x000-0x1BD (446 bytes)
- Partition Table: 0x1BE-0x1FD (64 bytes, 4 entries × 16 bytes)
- Signature: 0x1FE-0x1FF (0x55AA)
GUID Partition Table (GPT)
- Protective MBR: Sector 0 (0x000-0x1FF)
- GPT Header: Sector 1 (0x200-0x3FF)
- Partition Entries: Sectors 2-33 (typically)
- Backup GPT: Last sectors of disk
NTFS Boot Sector
- Jump Instruction: 0x000-0x002
- OEM ID: 0x003-0x00A ("NTFS ")
- Bytes Per Sector: 0x00B-0x00C
- Sectors Per Cluster: 0x00D
- MFT Location: 0x030-0x037
- Signature: 0x1FE-0x1FF (0x55AA)
FAT32 Boot Sector
- Jump Instruction: 0x000-0x002
- OEM Name: 0x003-0x00A
- Bytes Per Sector: 0x00B-0x00C
- Sectors Per Cluster: 0x00D
- FAT Copies: 0x010
- Signature: 0x1FE-0x1FF (0x55AA)
Practice Exercises
Beginner Level
-
Identify Partition Scheme
- Create disks with GPT and MBR
- Compare the first 512 bytes
- Identify the signature differences
-
Find the Filesystem Type
- Create disks with different filesystems
- Examine boot sector signatures
- Identify OEM strings
-
Locate Partition Boundaries
- Use hexdump to find partition start
- Verify with
partedoutput
Intermediate Level
-
File Recovery Practice
- Mount filesystem, create files, unmount
- Delete files from another mount
- Practice recovering deleted files
-
Metadata Analysis
- Create files with specific timestamps
- Use TSK to extract timeline data
- Correlate timestamps with hex data
-
Slack Space Investigation
- Create small files in large clusters
- Examine slack space for data remnants
- Understand cluster allocation
Advanced Level
-
Steganography Detection
- Hide data in slack space
- Practice identifying hidden data
- Compare expected vs actual cluster usage
-
Partition Hiding
- Create multiple partitions
- Modify partition table
- Practice recovering hidden partitions
-
Anti-Forensics Techniques
- Study timestamp manipulation
- Examine wiping patterns
- Analyze file system corruption
Troubleshooting
Loop device not found
# Ensure loop module is loaded
sudo modprobe loop
# Check available loop devices
ls -la /dev/loop*
Permission denied
# Always use sudo for these operations
sudo ./create_forensic_disk.sh
Partition not showing up
# Force kernel to re-read partition table
sudo partprobe /dev/loopX
# Or detach and re-attach
sudo losetup -d /dev/loopX
sudo losetup -f ntfsdisk.dd
Cannot unmount - device busy
# Find what's using it
sudo lsof | grep /mnt/forensic
# Force unmount (use with caution)
sudo umount -l /mnt/forensic