Message-ID: <432667B2.28091.1C49B4BF@gmail.com>
Date: Mon Sep 12 18:47:12 2005
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Forensic help?
James Wicks top-posting to someone:
> Symantec Ghost was not presented as a means of getting a forensic duplicate.
> As stated in my first response, the Ghost image is to be added to the new
> drive and that drive is placed in the suspect desktop so that it can be
> placed back into production. That would leave the suspect drive available
> for any type of forensic investigation, whether it is done internally or
> sent out to another company. I normally do not want to leave a user without
> a desktop just because I need to investigate something. Since this is a case
> of data deletion/recovery and not an investigation of suspected
> trojan/rootkit, getting the system back into production using a Ghosted
> drive is (in my opinion) a business-practical course of action.
> ---------------------------------------------------------------------
> Ghost will not give you a forensically sound image. Unless something
> changes recently, Ghost won't image unallocated space, so you won't be able
> to recover any deleted files. I'd recommend using the Helix Live CD at
> http://www.e-fense.com/helix/, which is based on Knoppix, but will never
> automatically mount any disks found, as Knoppix will.
<<snip>>
I understand forensic analysis was not part of James' intention in the
suggested use of Ghost, and I believe the OP used the term "forensic"
incorrectly in the Subject: line, so there is not necessarily a
mismatch there, though James' suggested approach allows for the
preservation of the original drive...
Anyway, much as I am an _only very occasional_ user of Ghost, I don't
think I've ever used it NOT to make a sector-level, or raw disk image,
style drive copy. However, as I last used it so long ago, I decided to
check I was not mis-remembering -- two seconds at Google turned up this
URL discussing "...the Ghost switches to use for forensic imaging or
for creating raw images (sector copies)..." (URL may wrap):
http://service1.symantec.com/SUPPORT/ghost.nsf/docid/2001111413481325?Open&src=&docid=19
Regards,
Nick FitzGerald
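An added illustration of the point argued in this thread (it is not code from the thread, from Ghost or from Helix): a toy disk where deleting a file only clears an allocation bit, so a file-level copy that skips unallocated sectors loses the deleted data while a raw sector copy keeps it and hashes identically to the source. The disk layout, file contents and the `SECRET:` marker are constructed for the example.

```python
"""Toy block device: NSECTORS sectors of SECTOR bytes plus an allocation
bitmap. Shows why copying only allocated data is not a forensic image."""
import hashlib

SECTOR = 512
NSECTORS = 16


def make_disk():
    """Build a constructed sample disk with one live file and one deleted file."""
    disk = bytearray(SECTOR * NSECTORS)
    alloc = [False] * NSECTORS

    def write_file(start, data):
        for i, off in enumerate(range(0, len(data), SECTOR)):
            chunk = data[off:off + SECTOR]
            base = (start + i) * SECTOR
            disk[base:base + len(chunk)] = chunk
            alloc[start + i] = True

    write_file(2, b"REPORT:" + b"live data " * 60)  # allocated, spans 2 sectors
    write_file(8, b"SECRET:deleted memo contents")   # written, then deleted
    alloc[8] = False  # deletion clears the bit; the sector bytes remain
    return bytes(disk), alloc


def file_level_copy(disk, alloc):
    """Mimics a tool that copies only allocated sectors (rest comes out zeroed)."""
    out = bytearray(len(disk))
    for s, used in enumerate(alloc):
        if used:
            out[s * SECTOR:(s + 1) * SECTOR] = disk[s * SECTOR:(s + 1) * SECTOR]
    return bytes(out)


def sector_copy(disk, alloc):
    """Raw, dd-style copy: every sector regardless of the allocation bitmap."""
    return bytes(disk)


def carve(image, marker=b"SECRET:"):
    """Signature-based recovery: return the marked record up to its NUL padding."""
    i = image.find(marker)
    if i < 0:
        return None
    return image[i:image.index(b"\x00", i)]


def sha256(data):
    """Hash used to verify that an image matches the source device."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    disk, alloc = make_disk()
    print("raw copy carve:  ", carve(sector_copy(disk, alloc)))
    print("file copy carve: ", carve(file_level_copy(disk, alloc)))
    print("raw hash matches:", sha256(sector_copy(disk, alloc)) == sha256(disk))
```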