Re: maybe a simple problem

From: tabramsat_private
Date: Sat Oct 05 2002 - 08:56:09 PDT

    With Ghost 7.5 the switch to perform a full disk copy is -id; this copies
    everything.
    ====================
    Travis Abrams
    Network Technician
    tabramsat_private
    Holland & Knight LLP
    ====================
    
    
    
    -----Original Message-----
    From: george.wasgattat_private <george.wasgattat_private>
    To: SRobinsonat_private <SRobinsonat_private>; george.wasgattat_private
    <george.wasgattat_private>; greg.reberat_private
    <greg.reberat_private>; afison@brit-tex.net
    <afison@brit-tex.net>; incidentsat_private
    <incidentsat_private>
    Sent: Fri Oct 04 09:47:34 2002
    Subject: RE: maybe a simple problem
    
    
    You are surely right, and if I had actually thought it through before writing
    I would have remembered.  A normal GHOST image doesn't bother backing up
    unused space, just the stuff the file system says is in use.  And yes, there
    is a bit by bit option that I've had to use when there was a damaged file
    system or corrupt disk sectors were encountered.
    
    -----Original Message-----
    From: Robinson, Sonja [mailto:SRobinsonat_private]
    Sent: Friday, October 04, 2002 9:22 AM
    To: 'george.wasgattat_private'; greg.reberat_private;
    afison@brit-tex.net; incidentsat_private
    Subject: RE: maybe a simple problem
    
    
    I'm not sure if the newest version does a bit by bit copy.  I can't remember
    the switch off hand either since we never used it in my work for a forensics
    tool.  However, I can try to find it as I believe it DOES have the physical
    capability.  Historically, Ghost produced a logical "image or mirror" of the
    drive; it was not a forensic "bit by bit" copy.  It only did a logical image
    unless specifically told otherwise, i.e. a physical bit copy.  For example, a
    core build using GHOST was used to roll out 100 workstations.  The physical
    drive size in each machine could vary say from 12GB to 20GB; however, the
    GHOST image was 6GB so this would be your logical drive.  However,
    forensically speaking, this is not your TRUE drive that must be copied.
    There could be a 6-14GB difference and could present issues in court since you
    now don't have the "original" drive.
    
    You must be careful when doing a copy that may have potential litigation
    issues, civil or criminal.  A logical copy of the drive (normally what you
    get using Ghost), while good for production, is NOT good for forensics.
    You must make sure that you can recreate deleted files and obtain the myriad
    of pieces located in swap, unallocated and free space on the ENTIRE physical
    drive, not just the logical pieces.
    
    Safeback, snapback, encase etc have stood up in court.  I am not sure about
    GHOST.  It could if you have that switch (which I can't remember w/o some
    research) and you can prove that the physical copy from GHOST is identical
    to that of the original drive, i.e # of sectors, bits, etc.  Suggested you
    hash the drives using MD5 hash or similar.  Even using safeback, etc. you
    should still verify that you have made the forensic copy not the logical
    copy as they give you options to do so.
     
    
    -----Original Message-----
    From: george.wasgattat_private [mailto:george.wasgattat_private]
    Sent: Friday, October 04, 2002 7:36 AM
    To: Robinson, Sonja; greg.reberat_private;
    afison@brit-tex.net; incidentsat_private
    Subject: RE: maybe a simple problem
    
    
    
    What is the certain switch in GHOST and why is it necessary.  I thought that
    GHOST defaults produced a saved copy of the disk drive bit by bit the same
    as the original.
    
    -----Original Message-----
    From: Robinson, Sonja [mailto:SRobinsonat_private]
    Sent: Thursday, October 03, 2002 1:04 PM
    To: 'Greg Reber'; Andrew Fison; incidentsat_private
    Subject: RE: maybe a simple problem
    
    
    IF you alter the files on the machine they will not hold up in court.  You
    must do a bit level back up which is normally done using a tool such as
    safeback, snapback, encase, etc.  You can use Ghost if you have a certain
    switch set but I would not suggest it.  Normally you must be physically
    present to do so.
    
    1)  Do not boot the machine or do a back up.  You may destroy the files and
    evidence you need by doing so.
    2)  Using an approved FORENSIC method/tool (safeback, snapback, encase,
    SOloMasster, etc.), make TWO forensic copies: 1 for them to put back in
    their machine and 1 for you to use as a back up to restore as many times as
    necessary if you are going drive to drive.  If you are using a non-intrusive
    means of analysis such as encase then you can do analysis on this drive as
    long AS YOU KEEP THE ORIGINAL COPY IN CUSTODY.  I always suggest an
    original and a forensic copy (unused) just in case a drive fails.
    
    Depending upon the cost (and potential loss), Ontrack can grab the stuff
    remotely for you.  Depends on what it's worth to your client.
    
    E-mail me off line for more info.  I specialize in forensics.
    
    -----Original Message-----
    From: Greg Reber [mailto:greg.reberat_private]
    Sent: Wednesday, October 02, 2002 9:16 PM
    To: Andrew Fison; incidentsat_private
    Subject: RE: maybe a simple problem
    
    
    Andrew - if there is a suspicion that the client's machine has been
    compromised, they should stop using it and have you do some quick forensics.
    Back up files that they need, but not the whole HD.
    http://biatchux.dmzs.com/ is a great site for free forensics tools.
    
    -greg
    
    The information in this email is likely confidential and may be legally
    privileged. It is intended solely for the addressee. Access to this email by
    anyone else is unauthorized. If you are not the intended recipient,  any
    disclosure, copying, distribution or any action taken or omitted to be taken
    in reliance on it, is prohibited and may be unlawful.
    
    -----Original Message-----
    From: Andrew Fison [mailto:afison@brit-tex.net]
    Sent: Wednesday, October 02, 2002 2:37 AM
    To: incidentsat_private
    Subject: maybe a simple problem
    
    I have a client who believes that their win98 pc has been hacked with some
    remote control software. They are pretty vague and not close by so I cannot
    look at the machine all the time. I asked them to do netstat when they think
    they are being spied on but as yet they have not given me anything useful.
    
    I think there is reason to believe them as the owner is involved in a hostile
    boardroom take over of his company by some other entities; whilst this is
    legal, they have used other underhand methods against my customer before and
    they are trying to force him to sign over the business to them a little too
    swiftly.
    
    This all started when his wife was using the pc, and a telescope came on the
    screen and then disappeared. Since then the machine crashes, documents
    pertaining to the business have gone missing etc. Any clues to what this
    telescope could be?
    
    yours
    
    andrew
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
    
    
    
    
    **********************************************************************
    This message is a PRIVILEGED AND CONFIDENTIAL communication, and is intended
    only for the individual(s) named herein or others specifically authorized to
    receive the communication. If you are not the intended recipient, you are
    hereby notified that any dissemination, distribution or copying of this
    communication is strictly prohibited. If you have received this
    communication in error, please notify the sender of the error immediately,
    do not read or use the communication in any manner, destroy all copies, and
    delete it from your system if the communication was sent via email. 
    
    
    
    
    **********************************************************************
    
    
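Sonja's point that a forensic copy must be proven identical to the original drive (sector count and hash) and must still carry deleted and unallocated data, shown as an added example that is not code from the thread: a Python model of a small disk with live, deleted and never-written sectors, a file-system-level ("logical") copy versus a bit-for-bit copy, and the verification that only the latter passes. The toy disk layout, the `USED_SECTORS` value and the marker strings are constructed for the example; MD5 is what the thread suggests, and a SHA-256 is recorded beside it.

```python
import hashlib

SECTOR = 512
USED_SECTORS = 3  # what the constructed file system reports as in use


def verify_image(source: bytes, image: bytes) -> dict:
    """Compare an acquired image against the original device contents.
    A physical (bit-for-bit) copy must match in sector count and in hash;
    a logical copy that skips unallocated space fails these checks."""
    result = {
        "source_sectors": len(source) // SECTOR,
        "image_sectors": len(image) // SECTOR,
        "md5_match": hashlib.md5(source).hexdigest()
        == hashlib.md5(image).hexdigest(),
        # A stronger hash recorded alongside the MD5 the thread suggests.
        "sha256_match": hashlib.sha256(source).hexdigest()
        == hashlib.sha256(image).hexdigest(),
    }
    result["sector_count_match"] = result["source_sectors"] == result["image_sectors"]
    result["verified"] = (result["sector_count_match"] and result["md5_match"]
                          and result["sha256_match"])
    return result


def build_sample_disk() -> bytes:
    """Constructed 8-sector toy disk: 3 sectors of live file data, then 2
    sectors holding a deleted document, then 3 never-written sectors."""
    live = b"LIVE-DOC".ljust(SECTOR, b"\x00") * 3
    deleted = b"DELETED-CONTRACT-TEXT".ljust(SECTOR, b"\xff") * 2
    unallocated = b"\xa5" * (SECTOR * 3)
    return live + deleted + unallocated


def logical_copy(disk: bytes, used_sectors: int = USED_SECTORS) -> bytes:
    """Model a file-system-level copy: only in-use sectors are carried over."""
    return disk[: used_sectors * SECTOR]


def physical_copy(disk: bytes) -> bytes:
    """Model a bit-for-bit copy: every sector, allocated or not."""
    return bytes(disk)


def contains_deleted_data(image: bytes, marker: bytes = b"DELETED-CONTRACT-TEXT") -> bool:
    """Whether the deleted document's bytes survive in the image."""
    return marker in image


if __name__ == "__main__":
    disk = build_sample_disk()
    for name, img in (("logical", logical_copy(disk)), ("physical", physical_copy(disk))):
        r = verify_image(disk, img)
        print(f"{name}: verified={r['verified']} sectors={r['image_sectors']}/"
              f"{r['source_sectors']} deleted data recoverable={contains_deleted_data(img)}")
```

Run against a real acquisition, `source` and `image` would be read from the original device and the image file respectively, and the sector count comparison is the check Sonja describes as "# of sectors".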
    



    This archive was generated by hypermail 2b30 : Sat Oct 05 2002 - 15:36:43 PDT