| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon Sep 12 14:16:41 2005 From: jjjwicks at gmail.com (James Wicks) Subject: Forensic help? Symantec Ghost was not presented as a means of getting a forensic duplicate. As stated in my first response, the Ghost image is to be added to the new drive and that drive is placed in the suspect desktop so that it can be placed back into production. That would leave the suspect drive available for any type of forensic investigation, whether it is done internally or sent out to another company. I normally do not want to leave a user without a desktop just because I need to investigate something. Since this is a case of data deletion/recovery and not an investigation of suspected torjan/rootkit, getting the system back into production using a Ghosted drive is (in my opinion) a business-practical course of action. --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Ghost will not give you a forensically sound image. Unless something changes recently, Ghost won't image unallocated space, so you won't be able to recover any deleted files. I'd recommend using the Helix Live CD at http://www.e-fense.com/helix/, which based on Knoppix, but will never automatically mount any disks found, as Knoppix will. It contains all the tools previously mentioned - dcfldd for imaging, which you can pipe to netcat to create an image over the network. The Sleuthkit for analysis, which is basically just a front-end to other tools also included. However, the learning curve can bit a bit steep. -----Original Message----- From: Red Leg [mailto:redleg18@...il.com] Sent: Sunday, September 11, 2005 8:37 PM To: full-disclosure@...ts.grok.org.uk Subject: Re: [Full-disclosure] Forensic help? On 9/11/05 6:33 PM, "Red Leg" <redleg18@...il.com> wrote: > Hi all. > > I was wondering if anyone knows of a program/system that I can > purchase, as > a private individual, that will allow me to > > 1) mirror a hard drive on location and > > 2) take that mirror and restore it to another drive. And > > 3) Find any CONVENTIONALLY erased files? > > -- This would be either a Windows NTFS or FAT32 drive. Wow! Thanks all. I really appreciate the education! I wish that I could keep the target drive, and change it out. However, this is a Freedom of Information Act issue. I don't think they'll let me keep the original/target. I knew about Drive Image, but I didn't know it or Symantec Ghost would be able to get the erased data (as in using the "Delete Key" or right click delete). Thanks! Redleg18 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ------------------------------------------------------------------------------- This message and any included attachments are from Siemens Medical Solutions USA, Inc. and are intended only for the addressee(s). The information contained herein may include trade secrets or privileged or otherwise confidential information. Unauthorized review, forwarding, printing, copying, distributing, or using such information is strictly prohibited and may be unlawful. If you received this message in error, or have reason to believe you are not authorized to receive it, please promptly delete this message and notify the sender by e-mail with a copy to Central.SecurityOffice@....siemens.com Thank you _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050912/e4c5894d/attachment.html
Powered by blists - more mailing lists