pseudodisk/README.md
overcuriousity a2fd3dab69 updates
2025-10-20 12:35:20 +02:00

# pseudodisk
A comprehensive toolkit for creating disk images with various filesystems for forensic analysis practice and education.
## Features
- **Multiple Filesystem Support**: NTFS, FAT32, exFAT, ext2/3/4, XFS, swap
- **Multi-Partition Support**: Create up to 4 partitions in a single disk image
- **Partition Schemes**: GPT (modern) and MBR (legacy)
- **Initialization Methods**: Choose between /dev/zero (fast), /dev/urandom (realistic), or fallocate (sparse)
- **Interactive Configuration**: User-friendly prompts for all parameters
- **Automatic Loop Device Management**: Handles mounting and cleanup
- **Filesystem Availability Check**: Verifies required tools before operation
- **Forensic-Ready**: Pre-configured for hex editor and forensic tool analysis
## Prerequisites
### Required Packages
```bash
sudo apt-get update
sudo apt-get install -y \
parted \
util-linux \
e2fsprogs \
dosfstools \
bc
```
### Optional (for specific filesystems)
```bash
# For NTFS support
sudo apt-get install ntfs-3g
# For exFAT support (on current Debian/Ubuntu releases the package providing
# mkfs.exfat is exfatprogs, which replaced exfat-utils)
sudo apt-get install exfat-fuse exfat-utils
# For XFS support
sudo apt-get install xfsprogs
# For forensic analysis tools
sudo apt-get install sleuthkit
```
## Initialization Methods
The script offers three methods for creating the disk image file:
1. **`/dev/zero`** (Recommended for most cases)
   - Fast creation speed
   - Fills image with zeros
   - Forensically predictable and clean
   - Creates realistic empty disk structure
2. **`/dev/urandom`** (For realistic random data)
   - Slow creation speed
   - Fills image with random data
   - More realistic for testing data recovery
   - Useful for simulating previously used disks
3. **`fallocate`** (Fastest)
   - Very fast, creates sparse file
   - Does not actually write data to disk initially
   - Good for quick testing
   - May not be suitable for all forensic scenarios
## Multi-Partition Support
Create complex disk layouts with up to 4 partitions:
- Each partition can have a different filesystem
- Mix operating system types (Windows NTFS + Linux ext4)
- Include swap partitions for realistic Linux setups
- The last partition automatically uses remaining space
- Perfect for practicing partition table analysis
## Usage
### Creating a Disk Image
Run the main script with sudo:
```bash
sudo ./pseudodisk.sh
```
The script will:
1. Check filesystem tool availability
2. Interactively prompt you for:
   - **Filename**: Output file name (default: forensic_disk.dd)
   - **Size**: Choose from presets (100MB, 500MB, 1GB, 5GB) or custom
   - **Initialization Method**: /dev/zero, /dev/urandom, or fallocate
   - **Partition Scheme**: GPT or MBR
   - **Partition Count**: 1-4 partitions
   - **Per-Partition Configuration**:
     - Filesystem type (NTFS, FAT32, exFAT, ext2/3/4, XFS, swap)
     - Size in MB (last partition uses remaining space)
     - Volume label (except for swap)
   - **Mount**: Option to mount filesystems immediately after creation
### Example Session
```
==========================================
Forensic Disk Image Creator
==========================================
Checking filesystem tool availability...
✓ NTFS (mkfs.ntfs available)
✓ FAT32 (mkfs.vfat available)
✓ exFAT (mkfs.exfat available)
✓ ext2/3/4 (mkfs.ext4 available)
✓ XFS (mkfs.xfs available)
✓ swap (mkswap available)
Enter output filename (default: forensic_disk.dd): ntfsdisk.dd
Disk Size Options:
1) 100 MB (small, quick testing)
2) 500 MB (medium)
3) 1 GB (standard)
4) 5 GB (large)
5) Custom size
Select disk size [1-5]: 2
Initialization Method:
1) /dev/zero (Fast, zeros - forensically predictable)
2) /dev/random (Slow, random data - more realistic)
3) fallocate (Fastest, sparse file)
Select initialization method [1-3]: 1
Partition Scheme:
1) GPT (GUID Partition Table) - Modern, Windows 10/11 default
2) MBR (Master Boot Record) - Legacy, compatible with older systems
Select partition scheme [1-2]: 1
How many partitions? (1-4): 2
==========================================
Partition 1 Configuration
==========================================
Filesystem Type:
1) NTFS (Windows default)
2) FAT32 (Universal compatibility)
3) exFAT (Modern, large file support)
4) ext4 (Linux default)
5) ext3 (Older Linux)
6) ext2 (Legacy Linux, no journaling)
7) XFS (High-performance Linux)
8) swap (Linux swap space)
Select filesystem for partition 1 [1-8]: 1
Size for partition 1 in MB: 400
Volume label for partition 1 (default: PART1): EVIDENCE
==========================================
Partition 2 Configuration
==========================================
Filesystem Type:
1) NTFS (Windows default)
2) FAT32 (Universal compatibility)
3) exFAT (Modern, large file support)
4) ext4 (Linux default)
5) ext3 (Older Linux)
6) ext2 (Legacy Linux, no journaling)
7) XFS (High-performance Linux)
8) swap (Linux swap space)
Select filesystem for partition 2 [1-8]: 4
[INFO] Partition 2 will use remaining space
Volume label for partition 2 (default: PART2): DATA
```
### Cleaning Up
When finished with your analysis, use the cleanup script:
```bash
# Clean up a specific disk image
sudo ./cleanup.sh
# Enter filename when prompted
# Or clean up all loop devices
sudo ./cleanup.sh
# Type 'all' when prompted
```
## Forensic Analysis Guide
### Basic Hex Analysis
#### View raw disk structure
```bash
# Using hexdump
hexdump -C ntfsdisk.dd | less
# Using xxd
xxd ntfsdisk.dd | less
# View first 512 bytes (boot sector)
xxd -l 512 ntfsdisk.dd
# View specific offset (e.g., partition table at 0x1BE for MBR)
xxd -s 0x1BE -l 64 ntfsdisk.dd
```
#### GUI Hex Editors
```bash
# Install Bless (GTK hex editor)
sudo apt-get install bless
bless ntfsdisk.dd
# Or install GHex
sudo apt-get install ghex
ghex ntfsdisk.dd
# Or install wxHexEditor (advanced)
sudo apt-get install wxhexeditor
wxhexeditor ntfsdisk.dd
```
### Partition Analysis
```bash
# View partition table
sudo parted ntfsdisk.dd print
# Or using fdisk
sudo fdisk -l ntfsdisk.dd
# For GPT, use gdisk
sudo apt-get install gdisk
sudo gdisk -l ntfsdisk.dd
```
### Using The Sleuth Kit (TSK)
```bash
# Install if not already present
sudo apt-get install sleuthkit
# Display partition layout
mmls ntfsdisk.dd
# Show filesystem details (offset from mmls output)
fsstat -o 2048 ntfsdisk.dd
# List files in filesystem
fls -o 2048 -r ntfsdisk.dd
# Display file content by inode
icat -o 2048 ntfsdisk.dd [inode_number]
# Show deleted files
fls -o 2048 -rd ntfsdisk.dd
# Timeline analysis
fls -o 2048 -m / -r ntfsdisk.dd > timeline.bodyfile
mactime -b timeline.bodyfile
```
### Manual Loop Device Management
If you need more control over the loop device:
```bash
# Attach image to a loop device; -P makes the kernel scan the partition
# table so /dev/loopNp1, /dev/loopNp2, ... appear, --show prints the device
sudo losetup -fP --show ntfsdisk.dd
# List all loop devices
sudo losetup -l
# Find out which loop device is attached
sudo losetup -j ntfsdisk.dd
# Mount the partition (loop0 assumed; use the device losetup printed).
# Add -o ro when the image is evidence you do not want altered.
sudo mkdir -p /mnt/forensic
sudo mount /dev/loop0p1 /mnt/forensic
# When done, unmount
sudo umount /mnt/forensic
# Detach loop device
sudo losetup -d /dev/loop0
```
### Filesystem-Specific Analysis
#### NTFS Analysis
```bash
# View NTFS volume information
sudo apt-get install ntfs-3g
sudo ntfsinfo -m /dev/loop0p1
# Show NTFS file system usage
sudo ntfscluster -f /dev/loop0p1
# Recover deleted files
sudo apt-get install testdisk
sudo testdisk ntfsdisk.dd
```
#### FAT32 Analysis
```bash
# View FAT information
sudo fsck.vfat -n /dev/loop0p1
# Or using sleuthkit
fsstat -o 2048 ntfsdisk.dd
```
#### ext4 Analysis
```bash
# Dump ext4 superblock
sudo dumpe2fs /dev/loop0p1
# Check filesystem
sudo e2fsck -n /dev/loop0p1
# Show inode information
sudo debugfs -R 'stat <inode>' /dev/loop0p1
```
## Key Forensic Structures to Examine
### Master Boot Record (MBR)
- **Location**: First 512 bytes (0x000-0x1FF)
- **Boot Code**: 0x000-0x1BD (446 bytes)
- **Partition Table**: 0x1BE-0x1FD (64 bytes, 4 entries × 16 bytes)
- **Signature**: 0x1FE-0x1FF (0x55AA)
### GUID Partition Table (GPT)
- **Protective MBR**: Sector 0 (0x000-0x1FF)
- **GPT Header**: Sector 1 (0x200-0x3FF)
- **Partition Entries**: Sectors 2-33 (typically)
- **Backup GPT**: Last sectors of disk
### NTFS Boot Sector
- **Jump Instruction**: 0x000-0x002
- **OEM ID**: 0x003-0x00A ("NTFS ")
- **Bytes Per Sector**: 0x00B-0x00C
- **Sectors Per Cluster**: 0x00D
- **MFT Location**: 0x030-0x037
- **Signature**: 0x1FE-0x1FF (0x55AA)
### FAT32 Boot Sector
- **Jump Instruction**: 0x000-0x002
- **OEM Name**: 0x003-0x00A
- **Bytes Per Sector**: 0x00B-0x00C
- **Sectors Per Cluster**: 0x00D
- **FAT Copies**: 0x010
- **Signature**: 0x1FE-0x1FF (0x55AA)
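As an added example (not part of the pseudodisk project), the parser below reads the offsets listed above from a 512-byte sector 0 and from a volume boot sector, flags a GPT protective MBR (partition type 0xEE), and reports the sector ranges no partition entry covers, which is what you look for in the partition-hiding exercise. The MBR and NTFS boot sector it runs on are constructed in the code; feed it `xxd`/`dd` reads of your own image instead.

```python
import struct

SECTOR, PART_TABLE, SIG = 512, 0x1BE, 0x1FE   # table 0x1BE-0x1FD, 0x55AA at 0x1FE

def parse_mbr(sector0: bytes) -> dict:
    """Decode the four 16-byte partition entries and the 0x55AA signature."""
    parts = []
    for off in range(PART_TABLE, PART_TABLE + 64, 16):
        status, ptype = sector0[off], sector0[off + 4]      # CHS fields skipped
        start, count = struct.unpack_from("<II", sector0, off + 8)  # LBA start, length
        if ptype:   # type 0x00 marks an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "start": start, "sectors": count})
    return {"signature_ok": sector0[SIG:SIG + 2] == b"\x55\xAA",
            "protective_gpt": any(p["type"] == 0xEE for p in parts),
            "partitions": parts}

def parse_boot_sector(vbr: bytes) -> dict:
    """Decode the BPB fields listed above for NTFS and FAT32 boot sectors."""
    oem = vbr[0x03:0x0B]
    info = {"oem": oem.decode("ascii", "replace").rstrip(),
            "bytes_per_sector": struct.unpack_from("<H", vbr, 0x0B)[0],
            "sectors_per_cluster": vbr[0x0D],
            "signature_ok": vbr[SIG:SIG + 2] == b"\x55\xAA"}
    if oem == b"NTFS    ":
        info["fs"], info["mft_lcn"] = "NTFS", struct.unpack_from("<Q", vbr, 0x30)[0]
    else:   # FAT family: number of FAT copies lives at 0x10
        info["fs"], info["fat_copies"] = "FAT", vbr[0x10]
    return info

def unallocated_gaps(parts, total_sectors):
    """Sector ranges no entry covers: where a deleted or hidden partition sits."""
    gaps, cursor = [], 1   # sector 0 holds the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["start"] + p["sectors"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps

def constructed_samples():
    """Constructed MBR (one bootable NTFS entry, 400 MiB at LBA 2048) and NTFS VBR."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<B3sB3sII", mbr, PART_TABLE, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 819200)
    vbr = bytearray(b"\xEB\x52\x90NTFS    ").ljust(SECTOR, b"\0")   # jump + OEM ID
    struct.pack_into("<HB", vbr, 0x0B, 512, 8)       # bytes/sector, sectors/cluster
    struct.pack_into("<Q", vbr, 0x30, 786432)        # $MFT cluster number
    mbr[SIG:SIG + 2] = vbr[SIG:SIG + 2] = b"\x55\xAA"
    return bytes(mbr), bytes(vbr)
```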
## Practice Exercises
### Beginner Level
1. **Identify Partition Scheme**
   - Create disks with GPT and MBR
   - Compare the first 512 bytes
   - Identify the signature differences
2. **Find the Filesystem Type**
   - Create disks with different filesystems
   - Examine boot sector signatures
   - Identify OEM strings
3. **Locate Partition Boundaries**
   - Use hexdump to find partition start
   - Verify with `parted` output
### Intermediate Level
4. **File Recovery Practice**
   - Mount filesystem, create files, unmount
   - Delete files from another mount
   - Practice recovering deleted files
5. **Metadata Analysis**
   - Create files with specific timestamps
   - Use TSK to extract timeline data
   - Correlate timestamps with hex data
6. **Slack Space Investigation**
   - Create small files in large clusters
   - Examine slack space for data remnants
   - Understand cluster allocation
### Advanced Level
7. **Steganography Detection**
   - Hide data in slack space
   - Practice identifying hidden data
   - Compare expected vs actual cluster usage
8. **Partition Hiding**
   - Create multiple partitions
   - Modify partition table
   - Practice recovering hidden partitions
9. **Anti-Forensics Techniques**
   - Study timestamp manipulation
   - Examine wiping patterns
   - Analyze file system corruption
## Troubleshooting
### Loop device not found
```bash
# Ensure loop module is loaded
sudo modprobe loop
# Check available loop devices
ls -la /dev/loop*
```
### Permission denied
```bash
# Always use sudo for these operations
sudo ./create_forensic_disk.sh
```
### Partition not showing up
```bash
# Force kernel to re-read partition table
sudo partprobe /dev/loopX
# Or detach and re-attach; without -P the loop device gets no
# per-partition nodes (/dev/loopXp1 ...), which is the usual cause
sudo losetup -d /dev/loopX
sudo losetup -fP --show ntfsdisk.dd
```
### Cannot unmount - device busy
```bash
# Find what's using it
sudo lsof | grep /mnt/forensic
# Force unmount (use with caution)
sudo umount -l /mnt/forensic
```