#Sleuthkit - tools for forensics analysis on volume and filesystem

#FLS Notes on More than one partition
sudo apt install sleuthkit
 

#create empty img file

dd bs=512 count=500 if=/dev/zero of=test.img

#create partitions

#becareful running fdisk like this

echo -e "n\np\n1\n\n+50K\nt\nb\nn\np\n\n\n\nt\n2\nb\nw\n" |fdisk test.img

#list partition info

fdisk -l test.img

#you can see that there are 2 partitions in the image now 

#and the sector size is 512
#so we find the "Start" and multiple that by 512
#and now we can mount those as loops with losetup

mkdir mnt{0..1}
sudo losetup -o 512 /dev/loop0 test.img
sudo losetup -o 52224 /dev/loop1 test.img

sudo mkfs.vfat /dev/loop0
sudo mkfs.vfat /dev/loop1

sudo mount /dev/loop0 mnt0
sudo mount /dev/loop1 mnt1

#make files and folder

sudo mkdir mnt0/folder_{1..5}/
sudo touch mnt0/folder_{1..5}/file_{A..G}.txt
sudo mkdir mnt1/folder_{A..M}/
sudo touch mnt1/folder_{A..M}/MyFiles{1..9}.txt

#Unmount the partitions
sudo umount mnt{0..1}


#removed loop devices
sudo losetup -d /dev/loop{0..1}


#view partition files and folders with fls

#use fdisk so get offsets for each partition "Start"

fls -rp -o 1 test.img
fls -rp -o 102 test.img