Norton Ghost & Partition Magic?

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
Jonathan
Senior Member
 

Norton Ghost & Partition Magic?

Posted: Apr 07, 05 15:14

I am about to purchase drive partitioning and drive imaging software. I was going to go with the traditional Partition Magic and Norton Ghost, which I'm very used to, but was wondering whether any forum users had any recommendations of alternatives that they favour?

Thanks.  
 
  

Andy
Senior Member
 

Re: Norton Ghost & Partition Magic?

Posted: Apr 07, 05 18:00

Norton Ghost is not traditionally recognised as a FC imaging tool. The default settings do not deal with unallocated clusters, or unused disk space; therefore you will not image the entire physical drive. Another examiner using a different tool (some as described below) will image the same drive and get a very different MD5 hash value. 'Imaging' is very different to 'cloning'.

There are certain 'switches' that need to be set with Ghost in order for it to perform this function. If you are simply making 'clone drives' as opposed to 'imaging' for Forensic Computing purposes, then I suppose Ghost is as good as you can get.

I presume you are imaging in DOS?

In which case, EnCase is free to use in acquisition mode (both in DOS and Windows). I think you can still download the demo of EnCase from Guidance's website. This will allow you to create an EnCase DOS boot disk. You are kind of restricted to using EnCase though to restore/investigate the image.

Or in Windows?

Also, AccessData's FTK Imager is free to use. This too can be downloaded from their website. I quite like FTK Imager; it also allows some basic investigation facilities. It also images in various formats: Linux dd, EnCase, and its own proprietary format.

WinHEX also has an imaging function similar to FTK, with many formats.

Or Linux?

Don't forget Linux. You can use a very good GUI dd program (GRAB) that comes with (and was written by) the makers of HELIX. I have used this boot disk on many occasions and it is free and fairly simple to use.

When it comes to partitioning, Partition Magic is probably the best, but it all depends on what you need it for. A Windows 98/95 DOS boot disk has FDISK on it, and that's the cheaper method.

Andy  

Last edited by Andy on May 11, 05 19:51; edited 1 time in total
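Andy's point about hash values is the crux of 'imaging' versus 'cloning'. The following is an added example, not code from the forum post or from Ghost, EnCase or dd: a small Python model of why a file-system-aware clone that skips unallocated clusters and a sector-level image of the same drive give different MD5 values, and why only the latter verifies against the source. The 'drive' is a constructed in-memory byte string, the 512-byte sector size and the used/unallocated split are assumptions, and the cloner model (copy used sectors, leave the rest zeroed) is a deliberate simplification of what a default cloning tool does.

```python
"""Added example (not from the forum post): file-level clone vs sector-level
image of the same constructed 'drive', checked by MD5 of the whole device."""
import hashlib
import random

SECTOR = 512  # assumed sector size for the constructed drive


def make_disk(n_sectors: int, seed: int = 1) -> bytes:
    """Constructed drive: every sector holds pseudo-random bytes, so the
    'unallocated' region still contains residue (like deleted-file data).
    Seeded so the example is repeatable."""
    rnd = random.Random(seed)
    return bytes(rnd.getrandbits(8) for _ in range(n_sectors * SECTOR))


def clone_allocated(disk: bytes, used_sectors: int) -> bytes:
    """Model of a default cloner: copies only the sectors the file system
    reports as in use and leaves the destination's unallocated space zeroed.
    Simplification of tool behaviour, not a reimplementation of Ghost."""
    used_len = used_sectors * SECTOR
    return disk[:used_len] + b"\x00" * (len(disk) - used_len)


def image_physical(disk: bytes, block: int = 64 * 1024) -> bytes:
    """Sector-level image: copy every byte from offset 0 to the end of the
    device in fixed blocks, ignoring file-system allocation (what
    `dd if=/dev/sdX of=image.dd` does)."""
    out = bytearray()
    for off in range(0, len(disk), block):
        out += disk[off:off + block]
    return bytes(out)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def verify(original: bytes, copy: bytes) -> bool:
    """Acquisition check: accept the copy only if it is the same length as the
    source and its hash equals the hash of the source medium."""
    return len(copy) == len(original) and md5_hex(copy) == md5_hex(original)


def demo(n_sectors: int = 256, used_sectors: int = 64) -> dict:
    """Run both copy strategies over one constructed drive and report which
    one verifies against the source."""
    disk = make_disk(n_sectors)
    clone = clone_allocated(disk, used_sectors)
    image = image_physical(disk)
    used_len = used_sectors * SECTOR
    return {
        "clone_verifies": verify(disk, clone),          # False: slack differs
        "image_verifies": verify(disk, image),          # True: bit-for-bit
        "clone_used_region_ok": clone[:used_len] == disk[:used_len],  # True
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The clone's used region is intact, which is why a clone is perfectly good for rebuilding a workstation, but its whole-device hash cannot match the source, which is why it is not an acquisition. The same check applies unchanged to a real device: hash the source, hash the image, compare.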
 
  

LonelyWolf
Member
 

Re: Norton Ghost & Partition Magic?

Posted: Apr 07, 05 19:09

Hi,
do you know dd_rescue?

www.garloff.de/kurt/linux/ddrescue/

Like dd, dd_rescue copies data from one file or block device to another. You can specify file positions (called seek and skip in dd). There are several differences:

* dd_rescue does not provide character conversions.
* The command syntax is different. Call dd_rescue -h.
* dd_rescue does not abort on errors on the input file, unless you specify a maximum error number. Then dd_rescue will abort when this number is reached.
* dd_rescue does not truncate the output file, unless asked to.
* You can tell dd_rescue to start from the end of a file and move backwards.
* It uses two block sizes, a large (soft) block size and a small (hard) block size. In case of errors, the size falls back to the small one and is promoted again after a while without errors.
* It does not (yet) support non-seekable in- or output.
It seems a good alternative.
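The two-block-size behaviour LonelyWolf lists is what makes dd_rescue useful on failing media, and it is worth seeing the strategy concretely. The following is an added example, not code from the post and not dd_rescue itself: a small Python model of that recovery loop, with a large 'soft' block size for clean reads, a fall back to a small 'hard' block size after a read error, promotion back to the soft size after a run of clean reads, unreadable hard blocks left zero-filled and recorded, and an abort once an optional maximum error count is reached. The failing 'device' is a constructed in-memory object; the sector size, the default block sizes and the promotion threshold are assumptions for the example.

```python
"""Added example (not from the post or from dd_rescue): dd_rescue-style copy
with soft/hard block sizes and a maximum error count, over a constructed
source that raises an I/O error on chosen sectors."""


class BadDevice:
    """Constructed source: a byte buffer where any read touching a sector in
    `bad_sectors` raises OSError, like an unreadable sector on real media."""

    def __init__(self, data: bytes, bad_sectors, sector: int = 512):
        self.data = data
        self.bad = set(bad_sectors)
        self.sector = sector

    def __len__(self) -> int:
        return len(self.data)

    def read_at(self, off: int, size: int) -> bytes:
        first = off // self.sector
        last = (off + size - 1) // self.sector
        if any(s in self.bad for s in range(first, last + 1)):
            raise OSError(f"I/O error reading {size} bytes at offset {off}")
        return self.data[off:off + size]


def rescue_copy(src, soft: int = 4096, hard: int = 512,
                max_errors=None, promote_after: int = 8):
    """Copy `src` into a preallocated buffer (the output is never truncated,
    like dd_rescue). Returns (output_bytes, bad_offsets, aborted).
    Assumes `soft` is a multiple of `hard`."""
    out = bytearray(len(src))   # unreadable blocks stay zero-filled
    pos, bs, errors, clean, bad = 0, soft, 0, 0, []
    while pos < len(src):
        size = min(bs, len(src) - pos)
        try:
            chunk = src.read_at(pos, size)
        except OSError:
            if bs > hard:
                bs, clean = hard, 0     # retry the same position in small steps
                continue
            errors += 1                 # error at the hard block size: give up on it
            bad.append(pos)
            pos += size
            clean = 0
            if max_errors is not None and errors >= max_errors:
                return bytes(out), bad, True
            continue
        out[pos:pos + len(chunk)] = chunk
        pos += len(chunk)
        if bs < soft:                   # promote back after a run of clean reads
            clean += 1
            if clean >= promote_after:
                bs, clean = soft, 0
    return bytes(out), bad, False


def demo():
    """Constructed 16 KiB 'disk' with sectors 5 and 20 unreadable."""
    data = bytes(range(256)) * 64
    out, bad, aborted = rescue_copy(BadDevice(data, bad_sectors={5, 20}))
    return out, bad, aborted            # bad == [2560, 10240], aborted False


if __name__ == "__main__":
    out, bad, aborted = demo()
    print(f"copied {len(out)} bytes, bad offsets {bad}, aborted={aborted}")
```

Note that a real dd_rescue run leaves the same kind of zero-filled holes in the image, so the image's hash will not match the source, and the log of bad offsets is what you keep alongside the image to account for the difference.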
 
  

Jonathan
Senior Member
 

Re: Norton Ghost & Partition Magic?

Posted: Apr 07, 05 22:57

Thanks for the replies; sorry my original post was so vague, I should have fully explained what I wanted these tools for.

Presently I use hardware write blockers and/or EnCase to make forensic images of drives. What I failed to mention was that I was enquiring about partitioning and imaging of my operating system drive; i.e. after creating an OS with all the apps I am happy with, I like to make a copy of that build and decant it out onto a partitioned drive, using a separate OS for each case I would be working on. I agree that Partition Magic does a good job, but I (and others I know) have had problems with Norton Ghost; so I was wondering if there are more reliable alternatives out there?
 
  

Andy
Senior Member
 

Re: Norton Ghost & Partition Magic?

Posted: Apr 07, 05 23:45

Can I ask why you use a separate OS for each case? I don't understand why.

Andy  
 
  

Jonathan
Senior Member
 

Re: Norton Ghost & Partition Magic?

Posted: Apr 08, 05 08:52

Andy wrote:
Can I ask why you use a separate OS for each case? I don't understand why.

To prevent any possibility of cross-case contamination occurring. Using a fresh OS each time is relatively easy (once you've sorted out your partitioning and imaging, that is!) and is another step to showing the integrity of your procedures if they were to be questioned.
 
  

Andy
Senior Member
 

Re: Norton Ghost & Partition Magic?

Posted: Apr 08, 05 11:59

We considered this issue some time ago. If you are relaying the image back onto a drive and examining it in the raw, then yes you are best to perform a forensic wipe of the drive.

The reason I asked is because if you are using EnCase to acquire and investigate, the argument relating to cross contamination IMHO is irrelevant. The whole point of using such a tool, is to examine the data in a forensically safe environment, the evidence files created by EnCase during acquisition cannot be altered (or at least accidentally altered).

I used to do the same as you, a clean system for every investigation; however, I now store evidence files on a large file server, and examine them on a workstation containing everything I need, tools etc. As long as I am careful not to extract unknown files (potential Trojans and viruses) from a case, there is no real reason not to work in this manner. The original image is never altered and cannot be contaminated. I am aware that EnCase used to recommend the clean system methodology as best practice; however, I'm not too sure it's in the latest manual. And by insisting upon this practice it contradicts their claim that EnCase performs media acquisitions by producing an exact binary duplicate of data from the original media.

If acquiring EnCase evidence files to an unclean disk risks cross contamination, then the 'container' evidence file it creates is not worth anything.

You may be wasting your time and effort.

Andy

P.S. I apologise in advance if I have not got the gist of what you mean, and climb down from my high horse.
 
