UFS, FFS, BTRFS, XFS

Last updated 1 year ago

UFS, FFS - coming shortly.

2GB BTRFS

Single ext4 volume created/formatted on a Linux Mint host at ~22:36 ACST on 22nd August 2023.

Download VMDK (zipped)

Download RAW (zipped)

SHA1
217e3188db45e716979013498cdab096d55bc411  2GB-btrfs-raw.001
0f3bb07b5e6b44ecdb99a5f52c9cb9e029e3461c  2GB-btrfs-raw.zip
217e3188db45e716979013498cdab096d55bc411  LINUX-MINT-2.vmdk
1ffee3126faa32743b8bc33363bfe58e5138ad09  LINUX-MINT-2.zip

2GB empty volume
$ md5sum /dev/sdb
a981130cf2b7e09f4686dc273cf7187e  /dev/sdb

$ mkfs.btrfs /dev/sdb
btrfs-progs v5.16.2
See http://btrfs.wiki.kernel.org for more information.

NOTE: several default settings have changed in version 5.15, please make sure
      this does not affect your deployments:
      - DUP for metadata (-m dup)
      - enabled no-holes (-O no-holes)
      - enabled free-space-tree (-R free-space-tree)

Label:              (null)
UUID:               a8201ae2-3eaf-446d-b004-fee6a011dfaa
Node size:          16384
Sector size:        4096
Filesystem size:    2.00GiB
Block group profiles:
  Data:             single            8.00MiB
  Metadata:         DUP             102.38MiB
  System:           DUP               8.00MiB
SSD detected:       no
Zoned device:       no
Incompat features:  extref, skinny-metadata, no-holes
Runtime features:   free-space-tree
Checksum:           crc32c
Number of devices:  1
Devices:
   ID        SIZE  PATH
    1     2.00GiB  /dev/sdb

$ date
Thu 24 Aug 2023 17:47:55 ACST

$ echo "https://iblue.team" > /mnt/btrfs/notes.txt
$ cat /mnt/btrfs/notes.txt
https://iblue.team

root@mint:~# umount /mnt/btrfs

2GB XFS (single volume)

Previously attached /dev/sdb (MD5 a981130cf2b7e09f4686dc273cf7187e)

$ dd if=/dev/zero of=/dev/sdb
$ md5sum /dev/sdb
a981130cf2b7e09f4686dc273cf7187e  /dev/sdb

$ mkfs.xfs /dev/sdb
meta-data=/dev/sdb               isize=512    agcount=4, agsize=131072 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=1        finobt=1, sparse=1, rmapbt=0
         =                       reflink=1    bigtime=0 inobtcount=0
data     =                       bsize=4096   blocks=524288, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0, ftype=1
log      =internal log           bsize=4096   blocks=2560, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
$ mkdir /mnt/xfs
$ mount /dev/sdb /mnt/xfs
$ echo "https://iblue.team" > /mnt/xfs/notes.txt
$ cat /mnt/xfs/notes.txt
https://iblue.team

$ umount /mnt/xfs

Download VMDK (zipped)

Download RAW (zipped)

BTRFS VMDK (zipped): https://files.iblue.team/279b6e00-851e/2GB-btrfs/LINUX-MINT-2.zip
BTRFS RAW (zipped): https://files.iblue.team/279b6e00-851e/2GB-btrfs/2GB-btrfs-raw.zip
XFS VMDK (zipped): https://files.iblue.team/279b6e00-851e/2GB-xfs/LINUX-MINT-2.zip
XFS RAW (zipped): https://files.iblue.team/279b6e00-851e/2GB-xfs/2GB-xfs-raw.zip
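
An added example (not part of the original page) for checking a downloaded raw image before mounting it: it verifies a published SHA1, identifies XFS or btrfs from the superblock magic, and reads the btrfs filesystem UUID so it can be compared with the mkfs.btrfs output above. The function names and the 68 KiB sample file are constructed for illustration; the magic and UUID offsets are taken from the XFS and btrfs on-disk formats.

```shell
#!/bin/sh
# Added example: triage a raw (dd-style) image before mounting it.
# Offsets are from the on-disk formats; the sample file below is constructed.

# Print $3 bytes at byte offset $2 of file $1 as lowercase hex.
read_hex() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# Return 0 only if the SHA1 of file $1 equals the expected digest $2.
verify_sha1() {
    [ "$(sha1sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Print "xfs", "btrfs" or "unknown" based on the superblock magic.
detect_fs() {
    # XFS: primary superblock at byte 0, magic "XFSB".
    if [ "$(read_hex "$1" 0 4)" = "58465342" ]; then
        echo xfs
    # btrfs: primary superblock at 64 KiB, magic "_BHRfS_M" at +0x40.
    elif [ "$(read_hex "$1" 65600 8)" = "5f42485266535f4d" ]; then
        echo btrfs
    else
        echo unknown; return 1
    fi
}

# Print the btrfs filesystem UUID (fsid, 16 bytes at superblock +0x20).
btrfs_fsid() {
    read_hex "$1" 65568 16 |
        sed 's/^\(.\{8\}\)\(.\{4\}\)\(.\{4\}\)\(.\{4\}\)\(.\{12\}\)$/\1-\2-\3-\4-\5/'
}

# Build a constructed 68 KiB file holding only a btrfs magic and the fsid
# bytes of the UUID from the mkfs.btrfs output above (octal escapes).
make_sample_btrfs() {
    dd if=/dev/zero of="$1" bs=1024 count=68 2>/dev/null
    printf '_BHRfS_M' | dd of="$1" bs=1 seek=65600 conv=notrunc 2>/dev/null
    printf '\250\040\032\342\076\257\104\155\260\004\376\346\240\021\337\252' |
        dd of="$1" bs=1 seek=65568 conv=notrunc 2>/dev/null
}

sample=$(mktemp)
make_sample_btrfs "$sample"
echo "$(detect_fs "$sample") $(btrfs_fsid "$sample")"
rm -f "$sample"
```

Against the real download, run `verify_sha1 2GB-btrfs-raw.001 217e3188db45e716979013498cdab096d55bc411 && detect_fs 2GB-btrfs-raw.001`, using the digest from the SHA1 list above.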