±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 1 Overall: 35657
New Yesterday: 3 Visitors: 126

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Webinars

Norton Ghost & Partition Magic?

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page Previous  1, 2 
  

Jonathan
Senior Member
 

Re: Norton Ghost & Partition Magic?

Post Posted: Apr 08, 05 13:01

It was considered best practice while I was working for the Met Police, and now I am setting up my own company, my philosopy is 'if its good enough for them...'

No, the evidence files can't be altered but the files and reports you extract from them can. Having a fresh OS for each case ensures in my mind that there is no chance of malicious code moving from case to case and it enables me to keep all the extracted evidence from each case completely separate. Each to their own really, and what ever suits the best working practices in your office.
_________________
Forensic Control
twitter.com/ForensicControl
St Bride Foundation, 14 Bride Lane, London, EC4Y 8EQ 
 
  

Andy
Senior Member
 

Re: Norton Ghost & Partition Magic?

Post Posted: Apr 08, 05 13:35

Thanks for the frank reply. There are a lot of practices that the Met do differently in all aspects!

That’s just my opinion and not to say it’s right or wrong, as both methods work; however technology changes and so must best practices. Hard disk drive capacities are increasing all the time, and whilst is was justifiable to image a suspect drive to a like for like drive a short time ago, it simply isn’t practical to do that now. Large capacity file storage is one solution, and if you are making a go your own business it might be worth considering.

No offence intended, and my suggestion was based on an attempt to help you with your new business.

Andy  

Last edited by Andy on Aug 01, 05 13:40; edited 1 time in total
 
  

nickfx
Senior Member
 

Re: Norton Ghost & Partition Magic?

Post Posted: Apr 11, 05 15:05

This topic is moving into the realms of whether a clean OS build is needed for each case which could do with a topic of its own really. However, if you are concerned about possible infection from a trojan or the like from files 'broken out' of the case, for password cracking etc can I suggest Prevx.

Prevx has a free version at www.prevx.com and it stops any attempt to write to your registry or exploit a buffer overflow vunerability. This stops the trojan from executing and essentially leaves it dead in its tracks. The file remains unaffected, unlike with a virus checker, but your machine remains safe. Several Police Forces use the Enterprise version and swear by it. Its the first thing I load onto a new build.

Take a look.

Nick
www.CSITech.co.uk  
 
  

Andy
Senior Member
 

Re: Norton Ghost & Partition Magic?

Post Posted: Apr 11, 05 19:46

I’ve tried using prevx but found it a little annoying. My colleagues use it, and say they like it; however I am not overly concerned about infections, as I am careful with just what I extract out of EnCase (there is little that actually requires extracting for most cases), that combined with a good antivirus (AVG pro), which has never failed to catch the few malicious code I’ve encountered. Also I do not have my forensic workstation connected to the Internet (I have another machine for that purpose). Again that’s another topic in its own right.

Andy  
 
  

nickfx
Senior Member
 

Re: Norton Ghost & Partition Magic?

Post Posted: Apr 12, 05 14:21

Yeah I agree with most of that Andy; although prevx now has a 'suspend' option for when you are installing software.

I too keep my forensic workstation disconnected from the internet but I have a VNC connection to another PC which is connected so I can browse the web remotely to look up all the stuff you need to look up during an investigation without fear of contamination. Best of both worlds.

Cheers  
 
  

dhibbeln
Newbie
 

Re: Norton Ghost & Partition Magic?

Post Posted: Apr 30, 05 14:44

For imageing tool..

take a look at NT Image from dan mares..

see www.maresware.com

NT IMAGE >>> www.maresware.com/mare...tm#NTIMAGE

make sure you read the help file....
www.maresware.com/mare...timage.htm

cost is also very, very reasonable....

************


The Ntimage program is designed to be able to create forensic images (within the capabilities of the OS) while running directly under the NT, W2K, XP operating systems. One use of this program is to image a drive when the system cannot be shut down.

Other capabilities are:

* creating a disk to disk clone.
* create an output image file. single file, or sections to write to CD.
* create a compressed output file for easier storage.
* creating of a drive clone while simultaneoulsy creating an image file.
*
* Performing CRC32, MD5, SHA1, SHA2 (256, 384, 512bit), hashes on the drive while imaging.
* Performing CRC32, MD5, SHA1, SHA2 (256, 384, 512bit), hashes on the drive independent of the imaging.
* Performing CRC32, MD5, SHA1, SHA2 hashes on specific sectors of the drive.
*
* Wiping the drive.

Drives can be restored from any of the image file formats created.

**********************

Regards,

David R. Hibbeln  
 

Page 2 of 2
Page Previous  1, 2