Thread: [sleuthkit-users] Imaging Drives (From John Castiglia)
From: Brian C. <ca...@sl...> - 2005-06-04 16:15:35
[Posted on behalf of John. Does anyone know the Ghost flags that can make a raw image?]

Everyone,

I am tasked with doing a forensic analysis of a drive. My boss thinks that doing a ghost image (in DOS) of the drive would give me an exact copy. I prefer to use dd but he feels that Ghost would do the same. Is he correct? I know Brian has probably answered this question (privately and publicly) a thousand times. I have glanced through the Informer pages, but I did not see this issue specifically addressed anywhere (unless I missed it). If it was in Informer please someone just point me to the issue number. If not, a link to a good explanation would do nicely.

I am also looking for templates that people have been using throughout the analysis. Right now I am looking for a good chain of custody document.

Any help is always appreciated!

Cheers!
--
John Castiglia
Security Analyst
From: Angus M. <an...@n-...> - 2005-06-04 20:49:53
Google is your friend - Symantec have some guidance on it here: http://service1.symantec.com/SUPPORT/ghost.nsf/pfdocs/1999110813413225

Personally, I like to steer clear of Ghost (even if it is capable of bitwise imaging) because of the issue of proving the validity of the copy. There's also the problem that, since it hasn't been designed as a forensic tool, it's likely to be highly challengeable if anything gets to court.
From: Dave G. <all...@ya...> - 2005-06-05 01:42:32
I would not use Ghost for forensic imaging. As Angus indicated, Ghost was not designed or marketed, as far as I know, as a forensic imaging tool. It's a great tool for admins to have for production (not investigative) drive copies, i.e., mass fielding of a standard OS/applications load.

From my own experience, I would suggest using a tool that performs a bitstream copy of the affected media. There are several commercial options available. But, dd is a good choice and there is at least one open source version of an enhanced dd available that provides for MD5 hashing as a drive is being imaged. Check Sourceforge.

Thought it important to emphasize Angus' point, especially since there was a question about a chain of custody document...

Good Luck
Dave Gilbert
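Dave's point about hashing the drive as it is imaged, shown with plain dd rather than an enhanced dd, as an added example that is not part of the thread or of The Sleuth Kit. It assumes GNU/POSIX dd, tee, md5sum and date, and a constructed 2048-byte file stands in for the real /dev/sdX so it runs offline; the custody log format is my own, not a standard template.

```shell
#!/bin/sh
# Added example, not code from the thread: image a source with plain dd while
# md5sum hashes the same byte stream, then re-hash source and image separately
# and record the acquisition in a custody log. POSIX sh, dd, tee, md5sum, date.
set -eu

# image_and_hash SRC DEST: bit-stream copy SRC to DEST, printing the MD5 of the
# bytes as they stream past. bs=512 matches the sector size: conv=sync pads a
# short read up to bs, so a larger bs could silently lengthen the image.
# conv=noerror keeps going past unreadable sectors (they become zero-filled).
# dd's own summary (records in/out) is kept beside the image as evidence.
image_and_hash() {
    src="$1"; dest="$2"
    dd if="$src" bs=512 conv=noerror,sync 2>"$dest.ddlog" \
        | tee "$dest" | md5sum | cut -d' ' -f1
}

# verify_image SRC DEST STREAMED_MD5: independently re-hash source and image;
# succeeds only if both equal the hash taken during acquisition.
verify_image() {
    src_md5=$(md5sum "$1" | cut -d' ' -f1)
    img_md5=$(md5sum "$2" | cut -d' ' -f1)
    [ "$src_md5" = "$3" ] && [ "$img_md5" = "$3" ]
}

# log_custody LOG SRC DEST MD5: append one acquisition record (UTC timestamp,
# operator, source, image, hash) to the chain-of-custody log.
log_custody() {
    printf '%s\t%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "${USER:-unknown}" "$2" "$3" "$4" >> "$1"
}

# make_sample_source PATH: constructed 4-sector stand-in for /dev/sdX so the
# script runs offline; use the real device node in practice.
make_sample_source() {
    yes 'constructed sample sector data' | head -c 2048 > "$1"
}

workdir=$(mktemp -d)
make_sample_source "$workdir/source.bin"
acq_md5=$(image_and_hash "$workdir/source.bin" "$workdir/evidence.dd")
verify_image "$workdir/source.bin" "$workdir/evidence.dd" "$acq_md5"
log_custody "$workdir/custody.log" "$workdir/source.bin" \
    "$workdir/evidence.dd" "$acq_md5"
echo "acquired $workdir/evidence.dd md5=$acq_md5"
```

The streamed hash proves what was written; the two independent re-hashes in verify_image are what you keep for the custody record, since a hash computed only inside the copy pipeline cannot show the image on disk still matches the source.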