Last active
June 2, 2022 20:36
-
-
Save diyinfosec/29b5d0d42e0d99485666c5e6bf4c483f to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| #- This script is just a collection of functions that I created for learning ext4. | |
| #- Just run ". ./manage_ext4.sh" from the command prompt and it will load the functions into your current session. | |
| #- To list the functions defined in your Bash shell use: "declare -F" | |
| #- For our purposes you can ignore functions starting with _. So "declare -F | grep -v ' _'" gives you a shorter list. | |
| #================================== | |
| #- Comments about multipass | |
| #================================== | |
| : ' | |
| I use multipass for testing. The backup directory is a directory in my Mac that gets mounted into the Ubuntu host. | |
| The backup directory stores backups from ext4 image after performing any change of interest i.e. creating a file, encrypting it etc. | |
| The file from the backup directory can be analyzed using 010 editor either in comparison or separately. | |
| #- Env variables for multipass | |
| MAC_EXT_BACKUP_DIR="/Users/ramprasad.r/Downloads/tmp/ext4" | |
| MPASS_MOUNT_DIR="/home/ubuntu/backups" | |
| INSTANCE_NAME="ktest" | |
| #- Unmount (for handling frozen mounts) | |
| multipass unmount ktest:$MPASS_MOUNT_DIR | |
| #- Mount | |
| multipass mount $MAC_EXT_BACKUP_DIR ktest:$MPASS_MOUNT_DIR | |
| #- Get a shell | |
| multipass shell $INSTANCE_NAME | |
| ' | |
| #=================================================================== | |
| #- Check if the current user can sudo, else exit | |
| #=================================================================== | |
| function ensure_sudo() | |
| { | |
| sudo touch /dev/null | |
| } | |
| #=================================================================== | |
| #- Runs a command and returns true/false based on exec status. | |
| #=================================================================== | |
| function check_install() | |
| { | |
| $1 > /dev/null 2>&1 | |
| status=$? | |
| #echo "status is "$status | |
| if test $status -eq 0 | |
| then | |
| true | |
| else | |
| false | |
| fi | |
| } | |
| #=================================================================== | |
| #- Install utilities required for analysis | |
| #=================================================================== | |
| function install_ext4utils() | |
| { | |
| ensure_sudo; | |
| #- Installing bcc ebpf tools. | |
| if ! check_install 'opensnoop-bpfcc -h' | |
| then | |
| echo "Installing bcc tools" | |
| #- bcc tools, ebpf | |
| #- Install bcc tools | |
| sudo snap install bcc | |
| else | |
| echo "bcc tools already installed" | |
| fi | |
| #- Install fscrypt and sleuthkit | |
| if ! check_install 'fscrypt --version' | |
| then | |
| echo 'Installing fscrypt' | |
| sudo -E sh -c 'DEBIAN_FRONTEND=noninteractive apt install -y -qq fscrypt > /dev/null' | |
| else | |
| echo "fscrypt is already installed" | |
| fi | |
| if ! check_install 'fls -V' | |
| then | |
| echo 'Installing sleuthkit' | |
| sudo -E sh -c 'DEBIAN_FRONTEND=noninteractive apt install -y -qq fscrypt > /dev/null' | |
| else | |
| echo "fls is already installed" | |
| fi | |
| } | |
| #=================================================================== | |
| #- Sets the required Environment variables | |
| #=================================================================== | |
| function ext4env() | |
| { | |
| export BASE_DIR='/home/ubuntu' | |
| export IMAGE_FILE='disk.img' | |
| export MOUNT_DIR=$BASE_DIR/test | |
| export EXT4_IMG=$BASE_DIR/$IMAGE_FILE | |
| export BACKUP_DIR=$BASE_DIR/backups | |
| } | |
| #=================================================================== | |
| #- Create a test disk image and convert it to an EXT4 file system | |
| #=================================================================== | |
| function create_image() | |
| { | |
| #- Setting environment variables | |
| ext4env; | |
| #- Create an image file | |
| dd if=/dev/zero of=$EXT4_IMG bs=1M count=10 | |
| #- Create the ext4 file system. Note: This doesn't have any MBR/GPT, just the ext4 file system. | |
| #- Encryption needs to be enabled with -O option. If you don't do this, then you can't encrypt files using fscrypt. | |
| #- It will give the error: "Encryption is either disabled in the kernel config, or needs to be enabled for this filesystem." | |
| #- Ref: https://github.com/google/fscrypt/issues/126#issuecomment-460484931 | |
| mkfs.ext4 -O encrypt -F $EXT4_IMG | |
| } | |
| #=================================================================== | |
| #- Mount the test disk image | |
| #=================================================================== | |
| function mount_image() | |
| { | |
| ensure_sudo; | |
| ext4env; | |
| #- Create a directory to mount the file system | |
| #- This directory should exist as it is a shared folder from multipass | |
| #mkdir -p $MOUNT_DIR | |
| #- Mount the image file as a loop device | |
| sudo mount -t ext4 -o loop $EXT4_IMG $MOUNT_DIR | |
| #- Change ownership to ubuntu | |
| sudo chown ubuntu -R $MOUNT_DIR | |
| } | |
| #=================================================================== | |
| #- Unmount the Image | |
| #=================================================================== | |
| function unmount_image() | |
| { | |
| ensure_sudo; | |
| ext4env; | |
| #- Unmount (once you are done) | |
| sudo umount $EXT4_IMG | |
| } | |
| #=================================================================== | |
| #- Take a backup | |
| #=================================================================== | |
| function backup_image() | |
| { | |
| ensure_sudo; | |
| ext4env; | |
| mkdir -p $BACKUP_DIR | |
| echo "Enter comment"; read comment; | |
| echo "Comment is " $comment | |
| fmtd_comment=$(echo $comment | sed 's/ /_/g') | |
| echo "Formatted Comment is " $fmtd_comment | |
| FILENAME=$(date +"%d-%m-%Y-%H-%m-%S-$fmtd_comment.dmp"); | |
| sudo cp $EXT4_IMG $BACKUP_DIR/$FILENAME | |
| echo "Created backup file "$BACKUP_DIR/$FILENAME | |
| } | |
| #=================================================================== | |
| #- Selection Menu | |
| #- Ref: https://askubuntu.com/questions/1705/how-can-i-create-a-select-menu-in-a-shell-script | |
| #=================================================================== | |
| function show_menu() | |
| { | |
| ensure_sudo | |
| while true | |
| do | |
| clear | |
| echo "select the Operation:" | |
| echo " 0) Setup Environment Variables" | |
| echo " 1) Create Image" | |
| echo " 2) Mount Image" | |
| echo " 3) Unmount Image" | |
| echo " 4) Backup Image" | |
| echo " 5) Install ext4 Utils" | |
| read n | |
| case $n in | |
| 0) ext4env; echo "Press enter to continue..."; read;; | |
| 1) create_image; echo "Press enter to continue..."; read;; | |
| 2) mount_image; echo "Press enter to continue..."; read;; | |
| 3) unmount_image; echo "Press enter to continue..."; read;; | |
| 4) backup_image; echo "Press enter to continue..."; read;; | |
| 5) install_ext4utils; echo "Press enter to continue..."; read;; | |
| *) echo "invalid option"; echo "Press enter to continue..."; read;; | |
| esac | |
| done | |
| } | |
| #======================================================================== | |
| #- Function get inode information based on filename on the test volume | |
| #- Needs sleuthkit to be installed | |
| #======================================================================== | |
| function i() | |
| { | |
| ext4env; | |
| #- Check if the directory is mounted | |
| mountpoint $MOUNT_DIR 2>&1 > /dev/null | |
| local status=$? | |
| if test $status -ne 0 | |
| then | |
| echo "Directory $MOUNT_DIR is not a mount point. Exiting..." | |
| return | |
| fi | |
| #- Check if the inode number is provided | |
| if [ -z "$1" ] | |
| then | |
| echo "You need to give the name of the file relative to the mount directory ("$MOUNT_DIR")" | |
| return; | |
| fi | |
| inode_num=$(ls -i $MOUNT_DIR/$1|awk '{print $1}') | |
| echo $inode_num | |
| istat $EXT4_IMG $inode_num | |
| #DIRECT_BLOCKS=$($cmd|grep -A1 "Direct Blocks:") | |
| } | |
| #============================================================================= | |
| #- Function to get block info + content based on block number on test volume | |
| #- Needs sleuthkit to be installed | |
| #============================================================================= | |
| function b() | |
| { | |
| ext4env; | |
| #- Check if the directory is mounted | |
| mountpoint $MOUNT_DIR 2>&1 > /dev/null | |
| local status=$? | |
| if test $status -ne 0 | |
| then | |
| echo "Directory $MOUNT_DIR is not a mount point. Exiting..." | |
| return | |
| fi | |
| #- Check if the block number is provided as input | |
| if [ -z "$1" ] | |
| then | |
| echo "Give the block number you need to be printed for files in ("$MOUNT_DIR")" | |
| return; | |
| fi | |
| block_num=$1 | |
| blkstat $EXT4_IMG $block_num | |
| blkcat $EXT4_IMG $block_num | |
| } | |
| #============================================================================= | |
| #- Function to run fls on test volume | |
| #- Needs sleuthkit to be installed | |
| #============================================================================= | |
| function f() | |
| { | |
| ext4env; | |
| fls -r $EXT4_IMG | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment