Re: [sleuthkit-users] Imaging Drives (From John Castiglia)
From: Angus M. <an...@n-...> - 2005-06-04 20:49:53
Google is your friend - Symantec have some guidance on it here:
http://service1.symantec.com/SUPPORT/ghost.nsf/pfdocs/1999110813413225

Personally, I like to steer clear of Ghost (even if it is capable of bitwise imaging) because of the issue of proving the validity of the copy. There's also the problem that, since it hasn't been designed as a forensic tool, it's likely to be highly challengeable if anything gets to court.

On Saturday 04 June 2005 17:15, Brian Carrier wrote:
> [Posted on behalf of John. Does anyone know the Ghost flags that can
> make a raw image?]
>
> Everyone,
>
> I am tasked with doing a forensic analysis of a drive. My boss thinks
> that doing a ghost image (in DOS) of the drive would give me an exact
> copy. I prefer to use dd but he feels that Ghost would do the same. Is
> he correct? I know Brian has probably answered this question (privately
> and publicly) a thousand times. I have glanced through the Informer
> pages, but I did not see this issue specifically addressed anywhere
> (unless I missed it). If it was in Informer please someone just point
> me to the issue number. If not a link to a good explanation would do
> nicely.
>
> I am also looking for templates that people have been using throughout
> the analysis. Right now I am looking for a good chain of custody
> document.
>
> Any help is always appreciated!
>
> Cheers!
> --
> John Castiglia
> Security Analyst