James Wicks top-posting to someone:

> Symantec Ghost was not presented as a means of getting a forensic duplicate.
> As stated in my first response, the Ghost image is to be added to the new
> drive and that drive is placed in the suspect desktop so that it can be
> placed back into production. That would leave the suspect drive available
> for any type of forensic investigation, whether it is done internally or
> sent out to another company. I normally do not want to leave a user without
> a desktop just because I need to investigate something. Since this is a case
> of data deletion/recovery and not an investigation of suspected
> trojan/rootkit, getting the system back into production using a Ghosted
> drive is (in my opinion) a business-practical course of action.
>
> ----------------------------------------------------------------------
>
> Ghost will not give you a forensically sound image. Unless something
> changed recently, Ghost won't image unallocated space, so you won't be able
> to recover any deleted files. I'd recommend using the Helix Live CD at
> http://www.e-fense.com/helix/, which is based on Knoppix, but will never
> automatically mount any disks found, as Knoppix will.

<<snip>>
I understand forensic analysis was not part of James' intention in the suggested use of Ghost, and I believe the OP used the term "forensic" incorrectly in the Subject: line, so there is not necessarily a mismatch there, though James' suggested approach allows for the preservation of the original drive...

Anyway, much as I am an _only very occasional_ user of Ghost, I don't think I've ever used it NOT to make a sector-level, or raw disk image, style drive copy. However, as I last used it so long ago, I decided to check I was not mis-remembering -- two seconds at Google turned up this URL discussing "...the Ghost switches to use for forensic imaging or for creating raw images (sector copies)..." (URL may wrap):

http://service1.symantec.com/SUPPORT/ghost.nsf/docid/2001111413481325?Open&src=&docid=19

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
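The thread's point is that a file-level clone silently drops unallocated sectors, while a raw (sector) image must be byte-for-byte identical to the source. The script below is an added example, not code from the thread or from Symantec or e-fense: it takes a raw image with dd and then checks that the image has exactly the source's length and SHA-256, which a file-level copy will fail. It assumes GNU dd, sha256sum, wc and head; the self-test uses a constructed 64 KiB file in place of a real device.

```shell
#!/bin/sh
# Added example: take and verify a sector-level disk image.
# SRC may be a block device (for example /dev/sdb) or, in the self-test
# below, a plain file standing in for a disk.

# raw_image SRC IMG : copy every sector of SRC into IMG with dd.
raw_image() {
    dd if="$1" of="$2" bs=4096 2>/dev/null
}

# verify_raw_image SRC IMG : succeed only if IMG has the same byte length
# and the same SHA-256 as SRC. A clone that omits unallocated space is
# shorter than the source and fails the first check.
verify_raw_image() {
    src_len=$(wc -c < "$1")
    img_len=$(wc -c < "$2")
    if [ "$src_len" -ne "$img_len" ]; then
        echo "size mismatch: source $src_len bytes, image $img_len bytes" >&2
        return 1
    fi
    src_sum=$(sha256sum < "$1" | cut -d' ' -f1)
    img_sum=$(sha256sum < "$2" | cut -d' ' -f1)
    if [ "$src_sum" != "$img_sum" ]; then
        echo "hash mismatch: source $src_sum, image $img_sum" >&2
        return 1
    fi
    echo "image verified: $img_len bytes, sha256 $img_sum"
    return 0
}

# selftest : constructed 64 KiB "disk"; a full raw image must verify and a
# copy missing half the sectors (what a non-raw clone looks like) must not.
selftest() {
    tmp=$(mktemp -d)
    dd if=/dev/urandom of="$tmp/disk" bs=4096 count=16 2>/dev/null
    raw_image "$tmp/disk" "$tmp/disk.raw"
    head -c 32768 "$tmp/disk" > "$tmp/disk.partial"
    verify_raw_image "$tmp/disk" "$tmp/disk.raw" || return 1
    if verify_raw_image "$tmp/disk" "$tmp/disk.partial" 2>/dev/null; then
        return 1
    fi
    rm -rf "$tmp"
    return 0
}

# Run the self-test when invoked as: sh imagecheck.sh --selftest
case "${1:-}" in --selftest) selftest ;; esac
```

Against a real drive, run `raw_image /dev/sdX case.raw` from a live environment that does not auto-mount the disk (the thread's reason for preferring Helix), then `verify_raw_image /dev/sdX case.raw` and record the printed hash with the evidence.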
