Computer Forensics World :: View topic - Using Ghost
Using Ghost

 
sagiw1 (Newbie)
Joined: May 28, 2008
Posts: 6

Posted: Wed May 28, 2008 9:20 pm    Post subject: Using Ghost

Hello, how are you?
I wanted to know if, from a legal point of view, I can use Ghost to create an image file of a computer I investigate.

Thank you

PreferredUser (Newbie)
Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Wed May 28, 2008 10:48 pm

There is no "legal" reason not to use Ghost. Technically speaking however, Ghost is not the best tool you could use for imaging a computer. The default settings in Ghost do not deal with unallocated clusters, or unused disk space; therefore you will not image the entire physical drive. You can set switches in Ghost, but there are better tools to use.

Some of the more popular choices for imaging/cloning a drive (as opposed to copying a drive with Ghost) include EnCase Linen, AccessData FTK Imager, DD (or any of the variants) either in the command line or via the GRAB GUI or even WinHex.

geek911 (Newbie)
Joined: Feb 27, 2007
Posts: 14

Posted: Thu May 29, 2008 6:19 am

There can also be licensing issues when using Ghost. It's my understanding you're expected to purchase a license for the machine being imaged and another for the machine doing the imaging. I'd check with Norton on that to be sure .....

Sha_d0h (Newbie)
Joined: Sep 01, 2008
Posts: 37

Posted: Tue Sep 02, 2008 2:46 pm

Yes, see my post on technical issues; there is a forensic switch needed to do so. Ghost is a great tool and has many uses and CAN do a bit-level copy of an HDD if that's all you have. Use Helix though...
_________________

"He who sacrifices freedom for security deserves neither."
Ben Franklin
“Mediocrity knows nothing higher than itself, but talent instantly recognizes genius.”
–Sir Arthur Conan Doyle

farmerdude (Newbie)
Joined: Jan 12, 2006
Posts: 263

Posted: Tue Sep 02, 2008 9:46 pm

Sha_d0h,

In another post you wrote that you have had issues with Helix and IBM Machines.

Would you recommend GHOST in those circumstances?

Also, for storage media with I/O errors, what tool on Helix do you use to acquire?


Regards,

farmerdude


www . forensicbootcd . com

www . onlineforensictraining . com

Sha_d0h (Newbie)
Joined: Sep 01, 2008
Posts: 37

Posted: Wed Sep 03, 2008 2:58 am

farmerdude,

If the device has I/O errors it will always be better to determine if you have a better chance of recovering the data through emag or Kroll. But if you have intermittent issues you could use something like the Voom HardCopy II or Talon to make a copy of the drive and image the copy. You may have issues with anything returning a valid hash due to bad sectors.
I have used a Talon on a drive with bad sectors. It estimated 50+ hours to image, so rather than risk further damage we sent it to Kroll for a platter recovery and got all of the data.
However, I had a drive that was "dead"; it turned out the controller board was fried. I changed the controller board for one from eBay ($45) and bang, zoom: imaged it and created an extra copy just in case of total drive failure.
We even have a clean room here, with a gentleman who handles nothing but damaged drives with great success. This addition is recent, so we no longer use Kroll unless the damage is too extensive.

I would never use Helix on a drive with errors; I would go straight to some hardware device that can skip bad sectors, like a Talon. Helix did not like the security feature on the new ThinkPads and could not image the drive because of this.
Using Helix is a last-ditch resort for servers or machines that I cannot image with a Talon or remove and image with EnCase. Helix very much relies on the hardware the drive is already in, whereas our procedure dictates that, unless it HAS to stay in the machine, you take it out, photograph it, etc., and image on a write blocker with EnCase or a Talon. I use EnCase because of the compression; I would rather it take a little longer to image a drive but only have to transfer 30GB of data than 500GB of data and unallocated space off of a drive.

Ghost 5 is one of those tools you use only if you HAVE NO OTHER CHOICE.

http: //www[dot]voomtech[dot]com/hc2.html
The HardCopy does have an HPA copy as well and usually copies anything I throw at it. However, for the drives from a lot of ThinkPads and the new Dell Vostro lappys the drives will not spin up at all... but we have had success by replacing the platters to another drive altogether $$$$

I think even going forward we will be hindered by SSD, where if the data is encrypted or we are locked out one would have to force the "custodian" to furnish the keys, passwords, etc., as I myself use an encrypted hard drive with an encrypted hard drive with TrueCrypt. And we send data on hard drives that require dongles.

Farmerdude, you know your stuff and that's great. I'm a freeware lover too; however, with a few extra $$$ you can make your forensic job a lot easier and more reliable. And unless you're willing to testify to the code of the tool (I am not), I simply steer away from using those tools unless I HAVE NO OTHER CHOICE.
_________________

"He who sacrifices freedom for security deserves neither."
Ben Franklin
“Mediocrity knows nothing higher than itself, but talent instantly recognizes genius.”
–Sir Arthur Conan Doyle

farmerdude (Newbie)
Joined: Jan 12, 2006
Posts: 263

Posted: Wed Sep 03, 2008 5:45 am

Sha_d0h,

I suggest to everyone who reads this post to look into both ddrescue and aimage. These are two very intelligent acquisition engines. Their error handling threshold is very smart. I favor ddrescue on all hard drives with I/O errors thus far.

I do use THE FARMER'S BOOT CD on drives with I/O errors. I noticed you said you don't use Helix on drives with I/O errors. Why is that?


Cheers!

farmerdude

www . forensicbootcd . com

www . onlineforensictraining . com
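
The posts above discuss acquiring drives with I/O errors and note that bad sectors can keep a hash from validating. The following is an added example, not part of the original thread and not ddrescue's or aimage's actual algorithm: a minimal error-tolerant copy that retries a failed chunk sector by sector, zero-fills what stays unreadable, and records those ranges so the image hash can be reported together with the known gaps. `FlakyDisk`, `acquire`, the sector size and the sample data are all constructed for illustration.

```python
import hashlib

SECTOR = 512  # assumed sector size for this illustration


class FlakyDisk:
    """Constructed stand-in for a drive: any read touching a bad sector fails."""

    def __init__(self, data, bad_sectors):
        self.data = data
        self.bad = set(bad_sectors)

    def read_at(self, offset, length):
        first = offset // SECTOR
        last = (offset + length - 1) // SECTOR
        if any(s in self.bad for s in range(first, last + 1)):
            raise OSError(5, "Input/output error")
        return self.data[offset:offset + length]


def acquire(disk, size, chunk=8 * SECTOR):
    """Copy `size` bytes; return (image, sha256 hex, [(offset, length) unreadable])."""
    image = bytearray()
    bad_ranges = []
    for off in range(0, size, chunk):
        n = min(chunk, size - off)
        try:
            image += disk.read_at(off, n)  # fast path: the whole chunk reads cleanly
            continue
        except OSError:
            pass
        # Slow path: one bad sector should not cost the other sectors in the chunk.
        for soff in range(off, off + n, SECTOR):
            sn = min(SECTOR, off + n - soff)
            try:
                image += disk.read_at(soff, sn)
            except OSError:
                image += b"\x00" * sn  # zero-fill so later offsets stay aligned
                if bad_ranges and sum(bad_ranges[-1]) == soff:
                    start, length = bad_ranges[-1]
                    bad_ranges[-1] = (start, length + sn)  # extend adjacent gap
                else:
                    bad_ranges.append((soff, sn))
    return bytes(image), hashlib.sha256(image).hexdigest(), bad_ranges


def demo():
    # Constructed 64-sector "drive" with sectors 10, 11 and 40 unreadable.
    data = bytes((i * 7) % 251 for i in range(64 * SECTOR))
    disk = FlakyDisk(data, bad_sectors=[10, 11, 40])
    image, digest, bad = acquire(disk, len(data))
    return data, image, digest, bad
```

The digest describes the image as acquired, zero-filled gaps included, so it stays stable for later verification of the image file even though it cannot match a hash of the original readable media.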

sanil (Newbie)
Joined: Jan 07, 2009
Posts: 2

Posted: Thu Jan 08, 2009 7:36 am

Thanks for the post and information. I suggest to everyone who reads this post to look into both ddrescue and aimage. These are two very intelligent acquisition engines. Their error handling threshold is very smart. I favor ddrescue on all hard drives with I/O errors thus far.

redneckcop (Newbie)
Joined: Jul 24, 2009
Posts: 4

Posted: Sat Jul 25, 2009 2:42 pm    Post subject: thanks!

Great post guys, I have been wondering about Ghost myself... I have used it in my IT part of my job, but never in my cop part (I do both).

All times are GMT + 10 Hours