Ghost will do a forensic image; depending on the version you are using, the switches are different. In 2002 the switches are -ir and -fnf, in 2003 the switch is -ia. There is a text file that explains the switches and their use with Norton; I would read that to determine which ones to use depending on the version you are using. Of course do some testing to make sure you are creating a true forensic image.

Clayton

> -----Original Message-----
> From: george.wasgattat_private [mailto:george.wasgattat_private]
> Sent: Friday, October 04, 2002 8:48 AM
> To: SRobinsonat_private; george.wasgattat_private; greg.reberat_private; afison@brit-tex.net; incidentsat_private
> Subject: RE: maybe a simple problem
>
> You are surely right, and if I had actually thought it through before writing I would have remembered. A normal GHOST image doesn't bother backing up unused space, just the stuff the file system says is in use. And yes, there is a bit by bit option that I've had to use when there was a damaged file system or corrupt disk sectors were encountered.
>
> -----Original Message-----
> From: Robinson, Sonja [mailto:SRobinsonat_private]
> Sent: Friday, October 04, 2002 9:22 AM
> To: 'george.wasgattat_private'; greg.reberat_private; afison@brit-tex.net; incidentsat_private
> Subject: RE: maybe a simple problem
>
> I'm not sure if the newest version does a bit by bit copy. I can't remember the switch off hand either since we never used it in my work for a forensics tool. However, I can try to find it as I believe it DOES have the physical capability. Historically, Ghost produced a logical "image or mirror" of the drive, it was not a forensic "bit by bit" copy. It only did a logical image unless specifically told otherwise, i.e. a physical bit copy. For example, a core build using GHOST was used to roll out 100 workstations. The physical drive size in each machine could vary, say from 12GB to 20GB; however, the GHOST image was 6GB so this would be your logical drive. However, forensically speaking, this is not your TRUE drive that must be copied. There could be a 6-14GB difference and could present issues in court since you now don't have the "original" drive.
>
> You must be careful when doing a copy that may have potential litigation issues, civil or criminal. A logical copy of the drive (normally what you get using ghost), while good for production, is NOT good for forensics. You must make sure that you can recreate deleted files and obtain the myriad of pieces located in swap, unallocated and free space on the ENTIRE physical drive, not just the logical pieces.
>
> Safeback, snapback, encase etc. have stood up in court. I am not sure about GHOST. It could if you have that switch (which I can't remember w/o some research) and you can prove that the physical copy from GHOST is identical to that of the original drive, i.e. # of sectors, bits, etc. Suggested you hash the drives using MD5 hash or similar. Even using safeback, etc. you should still verify that you have made the forensic copy not the logical copy as they give you options to do so.
>
> -----Original Message-----
> From: george.wasgattat_private [mailto:george.wasgattat_private]
> Sent: Friday, October 04, 2002 7:36 AM
> To: Robinson, Sonja; greg.reberat_private; afison@brit-tex.net; incidentsat_private
> Subject: RE: maybe a simple problem
>
> What is the certain switch in GHOST and why is it necessary? I thought that GHOST defaults produced a saved copy of the disk drive bit by bit the same as the original.
>
> -----Original Message-----
> From: Robinson, Sonja [mailto:SRobinsonat_private]
> Sent: Thursday, October 03, 2002 1:04 PM
> To: 'Greg Reber'; Andrew Fison; incidentsat_private
> Subject: RE: maybe a simple problem
>
> IF you alter the files on the machine they will not hold up in court. You must do a bit level back up which is normally done using a tool such as safeback, snapback, encase, etc. You can use Ghost if you have a certain switch set but I would not suggest it. Normally you must be physically present to do so.
>
> 1) DO not boot the machine or do a back up. You may destroy the files and evidence you need by doing so.
> 2) Using an approved FORENSIC method/tool (safeback, snapback, encase, SoloMasster, etc.), make TWO forensic copies: 1 for them to put back in their machine and 1 for you to use as a back up to restore as many times as necessary if you are going drive to drive. If you are using a non-intrusive means of analysis such as encase then you can do analysis on this drive as long AS YOU KEEP THE ORIGINAL COPY IN CUSTODY. I always suggest an original and a forensic copy (unused) just in case a drive fails.
>
> Depending upon the cost (and potential loss), Ontrack can grab the stuff remotely for you. Depends on what it's worth to your client.
>
> E-mail me off line for more info. I specialize in forensics.
>
> -----Original Message-----
> From: Greg Reber [mailto:greg.reberat_private]
> Sent: Wednesday, October 02, 2002 9:16 PM
> To: Andrew Fison; incidentsat_private
> Subject: RE: maybe a simple problem
>
> Andrew - if there is a suspicion that the client's machine has been compromised, they should stop using it and have you do some quick forensics. Back up files that they need, but not the whole HD. http://biatchux.dmzs.com/ is a great site for free forensics tools.
>
> -greg
>
> -----Original Message-----
> From: Andrew Fison [mailto:afison@brit-tex.net]
> Sent: Wednesday, October 02, 2002 2:37 AM
> To: incidentsat_private
> Subject: maybe a simple problem
>
> I have a client who believes that their win98 pc has been hacked with some remote control software. They are pretty vague and not close by so I cannot look at the machine all the time. I asked them to do netstat when they think they are being spied on but as yet they have not given me anything useful.
>
> I think there is reason to believe them as the owner is involved in a hostile boardroom takeover of his company by some other entities; whilst this is legal, they have used other underhand methods against my customer before and they are trying to force him to sign over the business to them a little too swiftly.
>
> This all started when his wife was using the pc, and a telescope came on the screen and then disappeared; since then the machine crashes, documents pertaining to the business have gone missing etc. Any clues to what this telescope could be?
>
> yours
>
> andrew

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
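The verification step the thread describes (prove the copy matches the original drive in sector count and hash, so a logical image is not mistaken for a physical one), as an added Python example that is not part of this thread or of any of the tools named in it. The sample "drive" bytes are constructed; for a real check, `src` would be the raw device (for example `open('/dev/sdX', 'rb')` on Linux) and `img` the image file.

```python
import hashlib
import io

SECTOR_BYTES = 512

def hash_stream(fh, chunk=1 << 20):
    """Stream a device or image file; return (byte length, md5 hex, sha256 hex)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    size = 0
    for block in iter(lambda: fh.read(chunk), b""):
        size += len(block)
        md5.update(block)
        sha.update(block)
    return size, md5.hexdigest(), sha.hexdigest()

def verify_image(src, img):
    """Compare original drive (src) with its image (img), both file-like.

    A true forensic copy needs the same sector count AND the same hashes;
    a logical image (allocated data only) fails the sector check first.
    """
    s_len, s_md5, s_sha = hash_stream(src)
    i_len, i_md5, i_sha = hash_stream(img)
    report = {
        "source_sectors": s_len // SECTOR_BYTES,
        "image_sectors": i_len // SECTOR_BYTES,
        "source_md5": s_md5, "image_md5": i_md5,
    }
    if s_len != i_len:
        report["verdict"] = "FAIL: sector count differs (logical copy?)"
    elif s_md5 != i_md5 or s_sha != i_sha:
        report["verdict"] = "FAIL: same size but contents differ"
    else:
        report["verdict"] = "PASS: bit-for-bit identical"
    return report

# Constructed sample drive (not real data): 4 sectors of allocated files,
# 2 sectors of unallocated space still holding a deleted memo, 2 free sectors.
ALLOCATED = b"A" * (4 * SECTOR_BYTES)
UNALLOCATED = b"deleted-memo " * 78 + b"\0" * (2 * SECTOR_BYTES - 78 * 13)
FREE = b"\0" * (2 * SECTOR_BYTES)
ORIGINAL_DRIVE = ALLOCATED + UNALLOCATED + FREE
LOGICAL_IMAGE = ALLOCATED        # only what the file system says is in use
PHYSICAL_IMAGE = ORIGINAL_DRIVE  # every sector, including unallocated space

def check_logical():
    return verify_image(io.BytesIO(ORIGINAL_DRIVE), io.BytesIO(LOGICAL_IMAGE))

def check_physical():
    return verify_image(io.BytesIO(ORIGINAL_DRIVE), io.BytesIO(PHYSICAL_IMAGE))
```

Record both hashes (and the sector counts) at acquisition time; a later re-hash of the image against those values is what lets you show in custody records that the copy is still intact.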
This archive was generated by hypermail 2b30 : Sat Oct 05 2002 - 15:32:52 PDT