extract unallocated and slack space

unallocated.sh

#!/bin/bash
# Extract unallocated with TSK

# Version: 0.1
# Date: 2020-05-14
# Author: @mgreen27

# Instructions
#   1. run against image: $ deletedEvtx.sh $IMAGE $OUTPATH
# or remove comment for hardcoded image name and path


IMAGE=$1
# IMAGE="imagepath.vmdk"

OUTPATH=$2
# OUTPATH="/some/path"



[[ $OUTPATH == "." ]] && OUTPATH=$(pwd)
OUTPATH=${OUTPATH%%+(/)}

FILE=$(basename $IMAGE)
FILE=${FILE%%.*}

echo -e "\nUnallocated hunter"
echo -e "\tIMAGE:\t $IMAGE"
echo -e "\tOUTPATH: $OUTPATH\n"

[ ! -f $IMAGE ] && echo "IMAGE does not exist. Please try again." && exit
[ ! -d $OUTPATH ] && echo "OUTPATH DOES NOT exist. Please try again" && exit

# get logical offsets: mmls $IMAGE
OFFSETS=$( mmls $IMAGE | awk -e '/[0-9]{10}/ && !/0{10}/ {print $3}' )

ocount=$(echo $OFFSETS | wc -w )
[[ $ocount -eq 0 ]] && echo "\t$FILE no logical offsets found." && exit

echo -e "\t$FILE logical offsets found at:"
for OFFSET in $OFFSETS
  do
    echo -e "\t\t$OFFSET"
done

# process each offset
for OFFSET in $OFFSETS
  do
    EVTX=""
    ecount=""

    echo -e "\t\tExtracting unallocated space."
    blkls -o $OFFSET $IMAGE >> $OUTPATH/$FILE.unalloc

    # slack space stub
    #echo -e "\t\tExtracting unallocated space."
    #blkls -o $OFFSET -s $IMAGE > $OUTPATH/$FILE.$OFFSET.slack
done

echo -e "\tProcessing complete"