[sleuthkit-users] Imaging Drives (From John Castiglia)
From: Brian C. <ca...@sl...> - 2005-06-04 16:15:35
[Posted on behalf of John. Does anyone know the Ghost flags that can make a raw image?]

Everyone,

I am tasked with doing a forensic analysis of a drive. My boss thinks that doing a Ghost image (in DOS) of the drive would give me an exact copy. I prefer to use dd but he feels that Ghost would do the same. Is he correct?

I know Brian has probably answered this question (privately and publicly) a thousand times. I have glanced through the Informer pages, but I did not see this issue specifically addressed anywhere (unless I missed it). If it was in Informer, please someone just point me to the issue number. If not, a link to a good explanation would do nicely.

I am also looking for templates that people have been using throughout the analysis. Right now I am looking for a good chain of custody document.

Any help is always appreciated!

Cheers!

--
John Castiglia
Security Analyst