[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon Sep 12 13:05:24 2005
From: brian.sims at siemens.com (Sims Brian)
Subject: Forensic help?
Ghost will not give you a forensically sound image. Unless something
changes recently, Ghost won't image unallocated space, so you won't be able
to recover any deleted files. I'd recommend using the Helix Live CD at
http://www.e-fense.com/helix/, which based on Knoppix, but will never
automatically mount any disks found, as Knoppix will.
It contains all the tools previously mentioned - dcfldd for imaging, which
you can pipe to netcat to create an image over the network. The Sleuthkit
for analysis, which is basically just a front-end to other tools also
included. However, the learning curve can bit a bit steep.
-----Original Message-----
From: Red Leg [mailto:redleg18@...il.com]
Sent: Sunday, September 11, 2005 8:37 PM
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Forensic help?
On 9/11/05 6:33 PM, "Red Leg" <redleg18@...il.com> wrote:
> Hi all.
>
> I was wondering if anyone knows of a program/system that I can purchase,
as
> a private individual, that will allow me to
>
> 1) mirror a hard drive on location and
>
> 2) take that mirror and restore it to another drive. And
>
> 3) Find any CONVENTIONALLY erased files?
>
> -- This would be either a Windows NTFS or FAT32 drive.
Wow!
Thanks all. I really appreciate the education!
I wish that I could keep the target drive, and change it out. However, this
is a Freedom of Information Act issue. I don't think they'll let me keep the
original/target.
I knew about Drive Image, but I didn't know it or Symantec Ghost would be
able to get the erased data (as in using the "Delete Key" or right click
delete).
Thanks!
Redleg18
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
-------------------------------------------------------------------------------
This message and any included attachments are from Siemens Medical Solutions
USA, Inc. and are intended only for the addressee(s).
The information contained herein may include trade secrets or privileged or
otherwise confidential information. Unauthorized review, forwarding, printing,
copying, distributing, or using such information is strictly prohibited and may
be unlawful. If you received this message in error, or have reason to believe
you are not authorized to receive it, please promptly delete this message and
notify the sender by e-mail with a copy to Central.SecurityOffice@....siemens.com
Thank you
Powered by blists - more mailing lists