Session 10 - How to create your own digital forensics image file using Linux

Requirements: Any Linux distribution will do.

Introduction

Sometimes it is helpful to create your own forensic image for exercise purposes. The benefits are that you will gain the technical knowledge on how to create an image and, because you know what has happened to the data on that image, you can verify your findings and figure out why something has or has not happened as you would have expected.

Setting Things Up

Any Linux distribution will give you the means to create an image easily, so make sure that you have Linux running on your computer or as a virtual machine. Open a terminal. The tilde (~) symbol in your command prompt tells you that you are in your home directory. You can also issue the command pwd to check that this is the case. The command prompt in this exercise might look different from the one you are seeing, but the commands are the same.

Create Necessary Directories

Create a directory you can work in without being distracted by other files or directories, and then change into that directory.

$ mkdir forensic_image && cd forensic_image

Create another directory to store downloaded or created random files which you will copy over to the image file later.

$ mkdir image_files

You will also want a directory you can later mount the image file on.

$ mkdir image_mount

Use the ls -l command to ensure that everything is set up properly. You should see something similar to this.

$ ls -l
total 8
drwxr-xr-x 2 user users 4096 Dec 13 16:48 image_files
drwxr-xr-x 2 user users 4096 Dec 13 16:48 image_mount

Create the Image File

In this section you will create the actual image file using standard Linux tools which you can find on any Linux distribution. The steps are:

  1. Pre-allocate a fixed-size file using dd; then either
    1. create a partition in it, as you would on any other block/storage device, and create a filesystem in that partition, so the file represents an actual disk image; or
    2. create a filesystem directly in the image file, without a partition table;
  2. Download to, and create files in, the image_files directory;
  3. Mount the image on the image_mount directory;
  4. Copy all the files from the image_files directory to the mounted image;
  5. Modify the image by manipulating files and directories on the mounted image;
  6. Unmount the image.

First you will want to create a file with a pre-allocated size, for example 50 MiB (the size used in the example output below). The three most common tools for this purpose are dd, fallocate, and truncate. For small files dd is good enough, but it is comparatively slow for very big files because it actually writes every byte; for very big files (many tens of gigabytes) you are advised to use fallocate or truncate instead. The difference matters for later analysis: dd fills the file with real zeros, so every unallocated byte of your image starts out as a known value, which makes it unambiguous what was written later. fallocate reserves the blocks without writing them and truncate creates a sparse file; both also read back as zeros but occupy little or no space on disk until data is written. Here the example is given with dd.

Note: Ensure you're in the forensic_image subdirectory!

$ dd if=/dev/zero of=image.img bs=1M count=50

To Partition or Not to Partition

Next you can, but do not have to, create a partition in the file. Whether you create one depends on the analysis you want to do. You could also create two image files, one with and one without a partition, perform an analysis on both, and compare and contrast the results.

With Partitions

Use fdisk to create a partition in the image file.

$ fdisk image.img

You will be presented with a rather sparse menu. If you press the m key on your keyboard, you will be presented with some help. You will be instructing fdisk to create a new partition by pressing the following keys in sequence (pay attention to the screen):

Key      Action
o        Create a new, empty DOS partition table
n        Create a new partition
p        Make it a primary partition
1        Partition number 1
Enter    Accept the default first sector (2048)
Enter    Accept the default last sector (the rest of the image)
t        Change the partition type identifier
e        "e" is the identifier for W95 FAT16 (LBA) partitions (type L at this prompt to list all identifiers)
w        Write the changes to the image file and exit fdisk

Press Enter after each key except the two bare Enter presses. When you change the type with t, fdisk selects partition 1 automatically because it is the only partition.

After all that, check that the partition was created successfully with fdisk -l. You should have a similar output to the one below.

$ fdisk -l image.img
Disk image.img: 50 MiB, 52428800 bytes, 102400 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xe4cd7e34

Device     Boot Start  End    Sectors Size Id Type
image.img1       2048  102399 100352  49M  e  W95 FAT16 (LBA)

The next step is to attach the image file to a loop device, so that the partition inside it shows up as a block device of its own and a filesystem can be created in it.

$ sudo losetup --find --partscan --show image.img

The losetup tool will have created a device also for any partitions in the image file (this is what the --partscan option flag did). You can check this with fdisk -l /dev/loopX (where "X" is a number you were shown from the output of the previous command). For example, on this machine the first free loop device was /dev/loop0, so the output of fdisk -l /dev/loop0 could look like this.

$ sudo fdisk -l /dev/loop0
Disk /dev/loop0: 50 MiB, 52428800 bytes, 102400 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xe4cd7e34

Device       Boot Start End    Sectors Size Id Type
/dev/loop0p1      2048  102399 100352  49M  e  W95 FAT16 (LBA)

Pay attention to the fact that the partition has its own loop device now (/dev/loop0p1). This will be used to create a FAT16 filesystem in the partition. mkfs.vfat chooses between FAT12, FAT16 and FAT32 based on the size of the device, so pass -F 16 to make sure you really get FAT16 (and that the filesystem matches the partition type you set in fdisk).

$ sudo mkfs.vfat -F 16 /dev/loop0p1

Without Partitions

If you do not want to create a partition inside the image file, then just execute mkfs.vfat on the image file to create a FAT16 filesystem directly, starting at byte 0 of the file. No loop device and no root privileges are needed for this, because you are only writing to a regular file you own.

$ mkfs.vfat -F 16 image.img

Create "Evidence"

This step is rather simple but a bit time-consuming. Use your image_files directory to store and structure all your files and directories you will later copy onto the image file. A few things you could do are as follows.

  • Download various images off the Internet
  • Download free audio files off the Internet
  • Download free video files off the Internet (keep in mind the file size as your image is rather small)
  • Download PowerPoint presentations off the Internet (or make your own)
  • Create Text/Word/Excel and whatever other files you can think of
  • Create directories and subdirectories
  • Copy/Move files into various directories
  • Rename file extensions (e.g., from .txt to .mp3, etc.)

Once you are happy with how everything in your image_files folder looks, it is time to mount the image file onto the image_mount directory. The mount options uid= and gid= are necessary to ensure that the mounted image can be written to by your user without having to become root every time you want to change something on the mounted image (FAT has no concept of file ownership, so the kernel assigns the owner at mount time). Because we do not necessarily know which user ID or group ID your user has, we can have the system figure this out on its own by calling a tool called id to read out the correct user and group IDs and substitute them into the executed command. So, for example, if your user ID is 1000 and your group ID is 100, then uid=$(id -u) would become uid=1000 and gid=$(id -g) would become gid=100. Note that this procedure is only necessary if your user is NOT the root user. You can also choose to permanently become root, either by logging in as root or by executing something like sudo su, in which case you do not have to use the uid= or gid= option flags, just the loop flag of course.

How you mount the image depends on whether it has a partition table. Without a partition, the filesystem starts at byte 0 of the file, so the image file can be mounted directly with the loop option. As a user without root privileges you will want to execute the following command; the box after that shows the command you would execute if you are the root user.

$ sudo mount -o uid=$(id -u),gid=$(id -g),loop image.img image_mount

(root)$ mount -o loop image.img image_mount

With a partition, the filesystem does not start at byte 0 but at the first sector of partition 1 (sector 2048 in the fdisk output above, i.e. at byte 2048 * 512 = 1048576), and mounting image.img with only the loop option will fail because there is no filesystem at offset 0. Either mount the partition's own loop device, which is still attached from the previous step:

$ sudo mount -o uid=$(id -u),gid=$(id -g) /dev/loop0p1 image_mount

or, if you have detached the loop device again (sudo losetup -d /dev/loop0), tell mount where the partition starts:

$ sudo mount -o uid=$(id -u),gid=$(id -g),loop,offset=1048576 image.img image_mount

Note: It is generally considered bad practice to try and do everything as root. Sure, it's more comfortable/convenient in some cases, but it can also lead to you wrecking your system. Experienced practitioners also don't use the root account if they can avoid it.

Do not forget to check that the image has been mounted correctly. You can do this by simply calling mount and looking at the last line of the output printed on your screen, or more precisely with findmnt image_mount, which prints only that mount point, its source device and the mount options in effect.

It is time to copy the files from the image_files directory to the mounted image in image_mount. Use a plain recursive copy; options that try to preserve ownership or permissions (such as cp -a) are pointless on FAT, which stores neither.

$ cp -r image_files/. image_mount/

Change directory into image_mount and check that everything has been copied over with ls -l.

$ cd image_mount && ls -l

Keep in mind while you work that FAT records modification times with a granularity of 2 seconds, creation times to 10 milliseconds and access times as a date only; when you later compare timestamps on the image with the notes you took, these rounding effects are expected and not a sign of tampering.

You will want to create some activity on your image files now. So, proceed to do some of the following inside the image_mount directory.

  1. Copy files around
  2. Move files around
  3. Delete files
  4. Rename files
  5. Edit files

Ensure you have written down what you have done to each file and/or directory/subdirectory so you can understand your findings better later in the analysis stage.

Once done, make sure you are no longer inside the image_mount directory (a filesystem cannot be unmounted while your shell is still using it), then go up one level into the forensic_image directory.

$ cd ..

Now unmount the image. Do not forget to prepend the sudo command if you are not root.

$ umount image_mount

If you mounted the partition through its loop device, also detach the loop device once the image is unmounted, otherwise the image file stays attached to /dev/loop0.

$ sudo losetup -d /dev/loop0

Congratulations, you should have successfully created your very own image file. Before you start analysing it, compute a hash of the finished image (for example with sha256sum image.img) and record it together with your notes, so that you can always tell whether the image you are analysing is still the one you built. You can now proceed to analyse the data on the image file as you would with any other image file. On a side note, would it not be very awesome if all of the above were somehow automated? 😊
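The automation the closing sentence wonders about, as an added example that is not part of the original session: a POSIX shell script that performs the steps above non-interactively. It assumes util-linux (sfdisk, losetup), dosfstools (mkfs.vfat) and sudo are installed, that partition 1 starts at sector 2048 as in the fdisk output above, and uses hypothetical file names (make_image.sh, actions.log). sfdisk replaces the interactive fdisk key sequence so that the same layout is produced every time; the helpers that only touch regular files run without privileges, and main, which needs root for losetup, mkfs and mount, runs only when the script is invoked with --run.

```shell
#!/bin/sh
# Added example, not from the original page: non-interactive version of the
# session's procedure. Usage (assumed script name):
#   sh make_image.sh --run [image.img] [size_in_MiB]
set -eu

SECTOR_SIZE=512
PART_START=2048   # first sector fdisk chose for partition 1 in the output above (assumption)

# Pre-allocate an image of real zeros (the dd step), so every unallocated
# byte starts out as a known value rather than leftover data from the host.
create_image() {            # $1 = path, $2 = size in MiB
    dd if=/dev/zero of="$1" bs=1M count="$2" 2>/dev/null
}

image_size_bytes() {        # size of a file in bytes
    wc -c < "$1" | tr -d ' '
}

partition_offset_bytes() {  # byte offset of a partition from its start sector
    echo $(( $1 * SECTOR_SIZE ))
}

# Non-interactive equivalent of the fdisk keys o, n, p, 1, Enter, Enter, t, e, w:
# a DOS label with one primary partition of type 0x0e (W95 FAT16 LBA) that
# uses the rest of the image.
partition_image() {         # $1 = image path
    printf 'label: dos\nstart=%s, type=e\n' "$PART_START" | sfdisk --quiet "$1"
}

hash_image() {              # SHA-256 of the image, to prove later what changed and when
    sha256sum "$1" | cut -d' ' -f1
}

record_action() {           # $1 = log file, rest = what you did (the notes the text asks for)
    log=$1; shift
    printf '%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$log"
}

main() {
    img=${1:-image.img}; size=${2:-50}
    mkdir -p image_files image_mount
    create_image "$img" "$size"
    partition_image "$img"
    dev=$(sudo losetup --find --partscan --show "$img")     # e.g. /dev/loop0
    sudo mkfs.vfat -F 16 "${dev}p1" >/dev/null
    # Mount the partition device, not the whole image: the filesystem starts
    # at PART_START, not at byte 0, so "-o loop image.img" would fail here.
    sudo mount -o "uid=$(id -u),gid=$(id -g)" "${dev}p1" image_mount
    cp -r image_files/. image_mount/
    record_action actions.log "copied image_files into the image"
    # ... create your file activity here, logging each step with record_action ...
    sudo umount image_mount
    sudo losetup -d "$dev"
    record_action actions.log "unmounted; image sha256=$(hash_image "$img")"
}

if [ "${1:-}" = "--run" ]; then
    shift
    main "$@"
fi
```

Because sfdisk is scripted, the partition table is byte-for-byte reproducible, and the hash written to actions.log after unmounting is the value you compare against before every analysis session; if you want the offset form of the mount command instead of the partition device, partition_offset_bytes 2048 gives the 1048576 used above.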