Maybe this will work..

I have used Ghost for many of my cases and I have not had checksum problems as everyone is stating. I use the -ir switch but I also use the -fnf switch! I know the Ghost documentation does not mention the -fnf switch but it is to be used. This switch stops Ghost from placing a fingerprint on the destination disk which is not on the original which would cause a bad checksum. I have not had problems with opposing counsel on this issue as the checksums have matched every time.

I hope this makes some sense.

t_stoddartat_private

----- Original Message -----
From: "Matt Pepe" <mtpepe@code-monks.com>
To: "Jeff Truedson" <jtruedsonat_private>
Cc: <FORENSICSat_private>
Sent: Wednesday, May 15, 2002 1:32 PM
Subject: RE: Preserving evidence

> I think that may be the wrong question to ask. A better one would be "Is
> this tool appropriate for use during an investigation, and does it complete
> its task in a forensically sound manner?"
>
> To that, the answer is in the first paragraph of the very page that you
> quoted of the Knowledge Base for Ghost. This explains the "why" behind
> the mismatched checksums.
>
> "Normally, Ghost does not create an exact duplicate of a disk. Instead,
> Ghost recreates the partition information as needed and copies the
> contents of the files. " - Symantec Web Site
> (http://service2.symantec.com/SUPPORT/ghost.nsf/c92aa8e61de62ad08825694a0011cf3b/42197b3bb06643dac1256b040044ef7f?OpenDocument)
>
> An investigator would not want to use Norton Ghost as a solution for
> forensic duplication, as it does not provide a true bit for bit copy of the
> original. That evidence, when presented in front of educated counsel,
> would likely get thrown out, as it does not adhere to the FRE 1003
> exception for the requirement of originals. There, of course, is a chance
> that it will slip by, but hedging your bet on that chance would likely be
> disappointing in the end.
>
> To answer your question more directly, yes, there will likely be problems.
> Of course, your question could have been written after the fact, with you
> heading in to a courtroom 2 days from now. If so, good luck. I suggest
> getting a friend to pull the fire alarm when the topic is brought up.
> :)
>
> -- Matt
>
> > *********************
> > "When copying a disk to another disk, a checksum of the destination
> > disk will nearly always result in a different value than a checksum of
> > the original disk, even when using the -IR switch. This difference is
> > due to differences in disk geometry between the source and destination
> > disks."
> > ********************
> >
> > The information above came from Symantec's knowledge base. Has anyone
> > found this to be a problem in Court?
> >
> > TIA
> > Jeff
> >
> > -----------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com
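
Added example, not part of the original thread and not code from any poster or from Symantec: a sector-by-sector comparison that shows why a whole-disk checksum of a larger destination differs from the source even when every copied sector is identical, and how a marker written by the imaging tool shows up as a specific differing sector. The function name, the 512-byte sector size, the sample data and the `TOOLMARK` marker and its position are all assumptions constructed for illustration.

```python
import hashlib
import io

SECTOR = 512  # assumed sector size for the comparison

def verify_copy(src, dst, sector=SECTOR):
    """Compare two binary streams (image files or raw devices opened 'rb')."""
    h_src, h_same, h_whole = hashlib.sha256(), hashlib.sha256(), hashlib.sha256()
    differing, index = [], 0
    while True:
        a = src.read(sector)
        if not a:
            break
        b = dst.read(len(a))
        h_src.update(a)
        h_same.update(b)               # destination, limited to source length
        h_whole.update(b)              # destination, whole device
        if a != b:
            differing.append(index)    # record which sector changed
        index += 1
    extra = 0
    while True:                        # remainder of a larger destination
        b = dst.read(1 << 20)
        if not b:
            break
        h_whole.update(b)
        extra += len(b)
    return {
        "source": h_src.hexdigest(),
        "dest_same_length": h_same.hexdigest(),
        "dest_whole": h_whole.hexdigest(),
        "differing_sectors": differing,
        "dest_extra_bytes": extra,
    }

# Constructed sample data, not taken from any real disk.
SOURCE = bytes(range(256)) * 16                   # 8 sectors
CLEAN = SOURCE + bytes(4 * SECTOR)                # exact copy on a larger disk
_marked = bytearray(CLEAN)
_marked[3 * SECTOR:3 * SECTOR + 8] = b"TOOLMARK"  # hypothetical tool-written marker
MARKED = bytes(_marked)

def run_samples():
    clean = verify_copy(io.BytesIO(SOURCE), io.BytesIO(CLEAN))
    marked = verify_copy(io.BytesIO(SOURCE), io.BytesIO(MARKED))
    return clean, marked

if __name__ == "__main__":
    for name, r in zip(("clean", "marked"), run_samples()):
        print(name, r["differing_sectors"], r["dest_extra_bytes"],
              r["source"] == r["dest_same_length"], r["source"] == r["dest_whole"])
```
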
This archive was generated by hypermail 2b30 : Fri May 17 2002 - 03:21:42 PDT