If you use Ghost you must do a sector-by-sector copy; it takes a lot longer, but you will be able to undelete files.

Frank

----- Original Message -----
From: "Richard Stevens" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, August 04, 2003 5:17 PM
Subject: RE: [Full-Disclosure] Re: Reacting to a server compromise

> I'd be interested to know if a ghost image (or even hardware systems
> like image-master) carries over deleted files to the new image?.. as
> these can usually be undeleted easily enough.
>
> anyone know?
>
> I'd guess the safest way is just to keep the original drive.. but if it's
> a nice big expensive scsi raid set I'd guess this probably isn't
> practical.
>
> -----Original Message-----
> From: Alexandre Dulaunoy [mailto:[EMAIL PROTECTED]
> Sent: 03 August 2003 20:01
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Re: Reacting to a server compromise
>
> On 03/Aug/03 12:33 +1000, [EMAIL PROTECTED] wrote:
> > On Sun, 3 Aug 2003 01:38 am, Jennifer Bradley wrote:
> >
> > > If this happens again, I would probably make a copy of the hard drive,
> > > or at the very least the log files since they can be entered as
> > > evidence of a hacked box.
> >
> > Under most jurisdictions, an ordinary disk image produced by Norton Ghost etc
> > using standard hardware is completely inadmissible in court, as it is
> > impossible to make one without possibly compromising the integrity of the
> > evidence. The police etc use specialised hardware for making such copies,
> > which ensures that the disk can't have been altered.
>
> Getting evidence by reading (via any software or hardware solution)
> may compromise the integrity of the evidence. I would like to know the
> difference between for example a (s)dd and the specialised hardware
> that you talk about ? Do you have any references ?
>
> Preserving the scene integrity is really difficult. You have to
> minimize the intrusion to the scene. On computer hardware is really
> difficult... Using a hardware device that doesn't change too much the
> scene is difficult... (think of a compromised disk firmware).
>
> And the worst, sometimes we see something that doesn't exist at
> all. Forensic analysis is the land of illusion...
>
> just my .02 EUR.
>
> adulau
>
> --
> -- Alexandre Dulaunoy (adulau) -- http://www.foo.be/
> -- http://pgp.ael.be:11371/pks/lookup?op=get&search=0x44E6CBCD
> -- "Knowledge can create problems, it is not through ignorance
> -- that we can solve them" Isaac Asimov
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
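The two points raised in this thread, that a sector-by-sector copy carries deleted data along and that a copy is only useful as evidence if its integrity can be shown, can be checked together on a constructed sample. This is an added example, not part of the original messages; the sample "disk" file, the marker string and the function names are assumptions made for the demo.

```bash
#!/usr/bin/env bash
# Added example: raw (sector-by-sector) acquisition with hash verification.
# The sample disk, marker string and all function names are constructed
# for this demo and do not come from the thread.

SECTOR=512
MARKER='REMNANT-OF-DELETED-FILE'

# Build a constructed 64-sector "disk": zeros plus a leftover fragment in
# sector 40, standing in for data that no file system entry points to.
make_sample_disk() {
    local disk="$1"
    dd if=/dev/zero of="$disk" bs="$SECTOR" count=64 2>/dev/null
    printf '%s' "$MARKER" |
        dd of="$disk" bs="$SECTOR" seek=40 conv=notrunc 2>/dev/null
}

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Copy every sector of $1 into image $2 and write the hashes to $2.sha256.
# Returns 0 only if the source hashed the same before and after the read
# and the image hash equals it. conv=noerror,sync keeps sector offsets
# aligned by zero-padding unreadable sectors instead of aborting.
acquire_image() {
    local src="$1" img="$2" before after copy
    before=$(sha256_of "$src")
    dd if="$src" of="$img" bs="$SECTOR" conv=noerror,sync 2>/dev/null
    after=$(sha256_of "$src")
    copy=$(sha256_of "$img")
    printf '%s  source-before\n%s  source-after\n%s  image\n' \
        "$before" "$after" "$copy" > "$img.sha256"
    [ "$before" = "$after" ] && [ "$before" = "$copy" ]
}

# Count marker hits in a raw image (-a treats binary data as text).
remnant_hits() { grep -a -c "$MARKER" "$1"; }
```

On real media the source would be a block device attached read-only (ideally behind a write blocker), with the hash file stored away from the image.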
