Re: [sleuthkit-users] Imaging Drives (From John Castiglia)
From: Dave G. <all...@ya...> - 2005-06-05 01:42:32
I would not use Ghost for forensic imaging. As Angus indicated, Ghost was not designed or marketed, as far as I know, as a forensic imaging tool. It's a great tool for admins to have for production (not investigative) drive copies, i.e., mass fielding of a standard OS/applications load. From my own experience, I would suggest using a tool that performs a bitstream copy of the affected media. There are several commercial options available. But, dd is a good choice and there is at least one open source version of an enhanced dd available that provides for MD5 hashing as a drive is being imaged. Check Sourceforge.

Thought it important to emphasize Angus' point, especially since there was a question about a chain of custody document...

Good Luck

Dave Gilbert

--- Angus Marshall <an...@n-...> wrote:

> Google is your friend - Symantec have some guidance on it here:
>
> http://service1.symantec.com/SUPPORT/ghost.nsf/pfdocs/1999110813413225
>
> Personally, I like to steer clear of Ghost (even if it is capable of bitwise imaging) because of the issue of proving the validity of the copy. There's also the problem that, since it hasn't been designed as a forensic tool, it's likely to be highly challengeable if anything gets to court.
>
> On Saturday 04 June 2005 17:15, Brian Carrier wrote:
> > [Posted on behalf of John. Does anyone know the Ghost flags that can make a raw image?]
> >
> > Everyone,
> >
> > I am tasked with doing a forensic analysis of a drive. My boss thinks that doing a ghost image (in DOS) of the drive would give me an exact copy. I prefer to use dd but he feels that Ghost would do the same. Is he correct? I know Brian has probably answered this question (privately and publicly) a thousand times. I have glanced through the Informer pages, but I did not see this issue specifically addressed anywhere (unless I missed it). If it was in Informer please someone just point me to the issue number. If not, a link to a good explanation would do nicely.
> >
> > I am also looking for templates that people have been using throughout the analysis. Right now I am looking for a good chain of custody document.
> >
> > Any help is always appreciated!
> >
> > Cheers!
> > --
> > John Castiglia
> > Security Analyst
> >
> > _______________________________________________
> > sleuthkit-users mailing list
> > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> > http://www.sleuthkit.org
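The bitstream-copy-with-hash approach Dave describes, as an added example that is not code from anyone in the thread: dd copies the source while MD5 is computed on the very byte stream being written, the finished image is then hashed independently, and the recorded value can be re-checked later for the custody record. It assumes GNU coreutils (dd, tee, md5sum) and uses a constructed sample file in place of a real evidence device; the function names and the log layout are this example's own.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes GNU coreutils.
# A constructed sample file stands in for a drive; on a real case SRC would be
# the evidence device node and bs would equal its sector size, so that the
# zero-padding from conv=sync never changes the image length.
set -eu

# image_and_hash SRC DST
# Copies SRC to DST block by block. conv=noerror,sync keeps reading past bad
# sectors and zero-fills them so offsets in the image still match the source.
# dd's record counts go to DST.log for the acquisition notes.
# Prints: "<stream_md5> <image_md5> <MATCH|MISMATCH>"
image_and_hash() {
    src=$1
    dst=$2
    stream_md5=$(dd if="$src" bs=512 conv=noerror,sync 2>"$dst.log" \
                 | tee "$dst" | md5sum | cut -d' ' -f1)
    # Independent second read of what actually landed on disk.
    image_md5=$(md5sum "$dst" | cut -d' ' -f1)
    if [ "$stream_md5" = "$image_md5" ]; then
        echo "$stream_md5 $image_md5 MATCH"
    else
        echo "$stream_md5 $image_md5 MISMATCH"
    fi
}

# verify_image IMAGE RECORDED_MD5
# Later re-verification against the value written into the custody log.
# Returns 0 when the image still hashes to the recorded value.
verify_image() {
    current=$(md5sum "$1" | cut -d' ' -f1)
    [ "$current" = "$2" ]
}

# Demo on a constructed 1 MiB "drive" (2048 sectors of 512 bytes).
workdir=$(mktemp -d)
dd if=/dev/urandom of="$workdir/drive.bin" bs=512 count=2048 2>/dev/null
result=$(image_and_hash "$workdir/drive.bin" "$workdir/drive.dd")
echo "acquisition: $result"
recorded=$(echo "$result" | cut -d' ' -f1)
if verify_image "$workdir/drive.dd" "$recorded"; then
    echo "verification: image still matches recorded MD5"
fi
rm -rf "$workdir"
```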