
Norton Ghost & Partition Magic?

jonathan (topic starter)

I am about to purchase drive partitioning and drive imaging software. I was going to go with the traditional Partition Magic and Norton Ghost, which I'm very used to, but was wondering whether any forum users had any recommendations of alternatives that they favour?

Thanks.

 
Posted : 07/04/2005 3:14 pm
Andy (@andy)

Norton Ghost is not traditionally recognised as an FC imaging tool. The default settings do not deal with unallocated clusters or unused disk space; therefore you will not image the entire physical drive. Another examiner using a different tool (some as described below) will image the same drive and get a very different MD5 hash value. 'Imaging' is very different to 'cloning'.

There are certain 'switches' that need to be set with Ghost in order for it to perform this function. If you are simply making 'clone drives' as opposed to 'imaging' for Forensic Computing purposes, then I suppose Ghost is as good as you can get.

I presume you are imaging in DOS?

In which case – EnCase is free to use in acquisition mode (both in DOS and Windows). I think you can still download the demo of EnCase from Guidance’s website. This will allow you to create an EnCase DOS boot disk. You are kind of restricted to using EnCase though to restore/investigate the image.

Or in Windows?

Also AccessData’s FTK imager is free to use. This too can be downloaded from their website. I quite like FTK imager, it also allows some basic investigation facilities. It also images in various formats, Linux DD, EnCase, and its own proprietary format.

WinHEX also has an imaging function similar to FTK, with many formats.

Or Linux?

Don’t forget Linux. You can use a very good GUI DD program (GRAB) that comes with (and written by) the makers of HELIX. I have used this boot disk on many occasions and it is free and fairly simple to use.

When it comes to partitioning, Partition Magic is probably the best, but it all depends on what you need it for. A Windows 98/95 DOS boot disk has FDISK on it, and that's the cheaper method.

Andy

 
Posted : 07/04/2005 6:00 pm
lonelywolf

Hi,
do you know dd_rescue?

http://www.garloff.de/kurt/linux/ddrescue/

Like dd, dd_rescue copies data from one file or block device to another. You can specify file positions (called seek and skip in dd). There are several differences:

* dd_rescue does not provide character conversions.
* The command syntax is different. Call dd_rescue -h.
* dd_rescue does not abort on errors on the input file, unless you specify a maximum error number. Then dd_rescue will abort when this number is reached.
* dd_rescue does not truncate the output file, unless asked to.
* You can tell dd_rescue to start from the end of a file and move backwards.
* It uses two block sizes, a large (soft) block size and a small (hard) block size. In case of errors, the size falls back to the small one and is promoted again after a while without errors.
* It does not (yet) support non-seekable in- or output.
..

It seems a good alternative.

 
Posted : 07/04/2005 7:09 pm
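The dd_rescue behaviour listed above (no abort on read errors until an optional maximum is reached, a large soft and a small hard block size with fallback on error and promotion after a clean run) and Andy's earlier point that an image which misses parts of the drive yields a different MD5 from a complete one can both be shown with a small model. The following Python is an added example written for this page, not code from dd_rescue, from EnCase or from any poster. The FaultyDevice class, the sample data, the bad-sector offsets, the decision to leave unreadable blocks zero-filled in the output, and all function names are assumptions of the example rather than a description of dd_rescue's actual output handling.

```python
"""
Read-error-tolerant block copier in the style of dd_rescue (added example).

Models the behaviour the post lists: copying continues past read errors
until an optional maximum error count is reached, and two block sizes are
used, a large "soft" size for speed and a small "hard" size that the copier
falls back to around a damaged region, returning to the soft size after a
run of error-free reads. Unreadable hard blocks are left zero-filled in the
output; that is this example's choice (the same effect as dd's
conv=noerror,sync), not a statement about dd_rescue's own output handling.
"""
import hashlib
from typing import List, Optional, Set, Tuple


class FaultyDevice:
    """Constructed stand-in for a block device whose media has bad sectors.

    `bad_offsets` are byte offsets that cannot be read; any read covering
    one of them raises IOError, as a real device would surface an I/O error.
    """

    def __init__(self, data: bytes, bad_offsets: Set[int]):
        self.data = data
        self.bad_offsets = bad_offsets

    def __len__(self) -> int:
        return len(self.data)

    def read(self, offset: int, length: int) -> bytes:
        end = min(offset + length, len(self.data))
        for bad in self.bad_offsets:
            if offset <= bad < end:
                raise IOError(f"read error at offset {bad}")
        return self.data[offset:end]


def rescue_copy(dev: FaultyDevice, softbs: int = 4096, hardbs: int = 512,
                max_errors: Optional[int] = None,
                promote_after: int = 16) -> Tuple[bytes, List[int], int]:
    """Copy `dev` into a new image, tolerating read errors.

    Returns (image, unreadable_hard_block_offsets, error_count).
    """
    image = bytearray(len(dev))          # pre-sized, so skipped blocks stay zero
    pos, errors, good_streak = 0, 0, 0
    bs = softbs
    unreadable: List[int] = []

    while pos < len(dev):
        try:
            chunk = dev.read(pos, bs)
        except IOError:
            if bs > hardbs:
                # First failure at the soft size: shrink and retry the same
                # position so the loss is limited to one hard block.
                bs = hardbs
                good_streak = 0
                continue
            # Failure at the hard size: record it, leave zeros, move on.
            errors += 1
            unreadable.append(pos)
            pos += hardbs
            good_streak = 0
            if max_errors is not None and errors >= max_errors:
                break
            continue

        image[pos:pos + len(chunk)] = chunk
        pos += len(chunk)
        good_streak += 1
        if bs == hardbs and good_streak >= promote_after:
            bs = softbs                  # back to the fast path after a clean run
    return bytes(image), unreadable, errors


def md5_hex(data: bytes) -> str:
    """Acquisition hash of a byte string; used to compare source and image."""
    return hashlib.md5(data).hexdigest()


def verify_image(dev: FaultyDevice, image: bytes) -> bool:
    """True only if the image is a bit-for-bit copy of the source."""
    return md5_hex(dev.data) == md5_hex(image)


if __name__ == "__main__":
    # Constructed 16 KiB "drive" with two unreadable sectors.
    source = bytes(range(256)) * 64
    disk = FaultyDevice(source, bad_offsets={3000, 9001})
    img, lost, n_err = rescue_copy(disk)
    print(f"errors={n_err} unreadable hard blocks at {lost}")
    print("source md5", md5_hex(source))
    print("image  md5", md5_hex(img))
    print("bit-for-bit?", verify_image(disk, img))
```

Running the script shows the copier losing only one 512-byte hard block around each bad sector instead of a whole 4 KiB soft block, and the image hash no longer matching the source hash, which is exactly why an acquisition log has to record the unreadable ranges alongside the hash rather than presenting the hash alone.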
jonathan (topic starter)

Thanks for the replies; sorry my original post was so vague, I should have fully explained what I wanted these tools for. 😳

Presently I use hardware write blockers and/or EnCase to make forensic images of drives. What I failed to mention was that I was enquiring about partitioning and imaging of my operating system drive; i.e. after creating an OS with all the apps I am happy with, I like to make a copy of that build and decant it out onto a partitioned drive, using a separate OS for each case I would be working on. I agree that Partition Magic does a good job, but I (and others I know) have had problems with Norton Ghost, so I was wondering if there are more reliable alternatives out there?

 
Posted : 07/04/2005 10:57 pm
Andy (@andy)

Can I ask why you use a separate OS for each case? I don't understand why.

Andy

 
Posted : 07/04/2005 11:45 pm
jonathan (topic starter)

Can I ask why you use a separate OS for each case? I don't understand why.

Andy

To prevent any possibility of cross-case contamination occurring. Using a fresh OS each time is relatively easy (once you've sorted out your partitioning and imaging, that is!) and is another step to showing the integrity of your procedures if they were to be questioned.

 
Posted : 08/04/2005 8:52 am
Andy (@andy)

We considered this issue some time ago. If you are relaying the image back onto a drive and examining it in the raw, then yes you are best to perform a forensic wipe of the drive.

The reason I asked is because if you are using EnCase to acquire and investigate, the argument relating to cross contamination IMHO is irrelevant. The whole point of using such a tool, is to examine the data in a forensically safe environment, the evidence files created by EnCase during acquisition cannot be altered (or at least accidentally altered).

I used to do the same as you - a clean system for every investigation; however, I now store evidence files on a large file server and examine them on a workstation containing everything I need, tools etc. As long as I am careful not to extract unknown files (potential Trojans and viruses) from a case, there is no real reason not to work in this manner. The original image is never altered and cannot be contaminated. I am aware that EnCase used to recommend the clean system methodology as best practice; however, I'm not too sure it's in the latest manual. And by insisting upon this practice it contradicts their claim that EnCase performs media acquisitions by producing an exact binary duplicate of data from the original media.

If acquiring EnCase evidence files to an unclean disk risks cross contamination, then the 'container' evidence file it creates is not worth anything.

You may be wasting your time and effort.

Andy

P.S. I apologise in advance if I have not got the gist of what you mean, and climb down from my high horse 🙂

 
Posted : 08/04/2005 11:59 am
jonathan (topic starter)

It was considered best practice while I was working for the Met Police, and now that I am setting up my own company, my philosophy is 'if it's good enough for them…'

No, the evidence files can't be altered, but the files and reports you extract from them can. Having a fresh OS for each case ensures in my mind that there is no chance of malicious code moving from case to case, and it enables me to keep all the extracted evidence from each case completely separate. Each to their own really, and whatever suits the best working practices in your office.

 
Posted : 08/04/2005 1:01 pm
Andy (@andy)

Thanks for the frank reply. There are a lot of practices that the Met do differently in all aspects!

That's just my opinion and not to say it's right or wrong, as both methods work; however, technology changes and so must best practices. Hard disk drive capacities are increasing all the time, and whilst it was justifiable to image a suspect drive to a like-for-like drive a short time ago, it simply isn't practical to do that now. Large capacity file storage is one solution, and if you are making a go of your own business it might be worth considering.

No offence intended, and my suggestion was based on an attempt to help you with your new business.

Andy

 
Posted : 08/04/2005 1:35 pm
nickfx

This topic is moving into the realms of whether a clean OS build is needed for each case, which could do with a topic of its own really. However, if you are concerned about possible infection from a Trojan or the like from files 'broken out' of the case, for password cracking etc., can I suggest Prevx.

Prevx has a free version at www.prevx.com and it stops any attempt to write to your registry or exploit a buffer overflow vulnerability. This stops the Trojan from executing and essentially leaves it dead in its tracks. The file remains unaffected, unlike with a virus checker, but your machine remains safe. Several Police Forces use the Enterprise version and swear by it. It's the first thing I load onto a new build.

Take a look.

Nick
www.CSITech.co.uk

 
Posted : 11/04/2005 3:05 pm