
File headers and footers -Ghost

hogfly
(@hogfly)
Posts: 287
Reputable Member
Topic starter
 

I'm attempting to do some recovery on a formatted filesystem to recover Symantec Ghost files, but I can't find the header/footer information anywhere out in the wide interweb. Does anyone happen to have a listing of what they are or could be for .GHS and .GHO files? Wotsit doesn't have any info either.

 
Posted : 07/09/2005 6:28 am
andy1500mac
(@andy1500mac)
Posts: 79
Trusted Member
 

Hogfly,

This may at the very least give you a place to start…

I found two Ghost images (.gho) from a while back that had failed to run properly. The header that they both share is at offsets 0-3, which contain hex values of EF FE. The matching text entry is ïþ.

Hope this helps.

Andrew.

 
Posted : 07/09/2005 7:00 pm
andy1500mac
(@andy1500mac)
Posts: 79
Trusted Member
 

I haven’t looked at a Ghost image before in a hex editor, but I just imaged a USB drive and it seems that the information contained in the first 512 bytes of the .gho image is mirrored in sector 5 (offset 00002560). Both sectors contain the header information from the previous post as well as a text description of what was imaged, the time and drive letter assigned.

The very next 512 bytes look to contain the USB’s boot sector…

Andrew-

 
Posted : 07/09/2005 7:34 pm
hogfly
(@hogfly)
Posts: 287
Reputable Member
Topic starter
 

Andy, thanks for the response.

So far here's what I've found.

It appears that bytes 1 & 2 are the "header". Byte 3 is either 01 or 09 depending on .GHO or .GHS.
Byte 4 appears to be a version indicator of some sort, although I don't have any older versions of Ghost so I can't verify. If you have versions of Ghost other than Solution Suite and 8, please pop the file in a hex editor, or run
dd if=/path/to/file bs=64 count=1 | xxd
to get the first 64 bytes of the file.

Byte 5 is the Ghost file index indicator. Basically it's randomly generated but the .GHO will be the lowest number, and each .GHS will increment by 1. Bytes 5-8 are a unique identifier for the ghost image and they are consistent across each file in the entire image.

To illustrate these findings:
file1.GHO
FE EF 01 03 D3 CC 12 43
file1-1.GHS
FE EF 09 03 D4 CC 12 43
file1-2.GHS
FE EF 09 03 D5 CC 12 43
file1-3.GHS
FE EF 09 03 D6 CC 12 43

 
Posted : 08/09/2005 4:16 am
andy1500mac
(@andy1500mac)
Posts: 79
Trusted Member
 

I imaged the thumb drive with Ghost ver 2003.775. There are no associated .ghs files, only the single .gho file.

Here are the first 64 bytes:

FE EF 01 02 53 03 1F 43 01 01 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 01 00 00 00 00 01 00 00 01 01 01
01 00 00 01 0A 01 00 00 01 00 00 00 00 00 00 00

Everything else in the first (512 byte) sector of the image is zeroed except for bytes 255-335, which contain the description of what was imaged (time backup taken, drive letter and media type).

Andrew-

 
Posted : 08/09/2005 4:55 am
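Added example, not part of any post in this thread: a Python sketch of a signature scan built only on the layout the posters observed (FE EF magic, byte 3 as 01/09, byte 4 as version, byte 5 as span index, bytes 6-8 shared across a set, header copy 2560 bytes in). All function names are hypothetical; scanning on 512-byte boundaries and treating bytes 6-8 as the set identifier are assumptions drawn from the sample dumps, not from a vendor specification.

```python
from collections import defaultdict

MAGIC = b"\xFE\xEF"                    # bytes 1-2 in the hex dumps posted above
KINDS = {0x01: ".GHO", 0x09: ".GHS"}   # byte 3, per the thread
SECTOR = 512
MIRROR = 5 * SECTOR                    # header copy reported at offset 2560

def parse_header(buf):
    """Return the fields of an 8-byte candidate header, or None if it does not fit."""
    if len(buf) < 8 or buf[:2] != MAGIC or buf[2] not in KINDS:
        return None
    # The thread counts bytes from 1, so "byte 5" is buf[4].
    return {"kind": KINDS[buf[2]], "version": buf[3],
            "index": buf[4], "set_id": buf[5:8].hex().upper()}

def scan(image):
    """Return (offset, fields) for sector-aligned headers, skipping sector-5 copies."""
    hits = []
    for off in range(0, len(image) - 7, SECTOR):
        head = image[off:off + 8]
        fields = parse_header(head)
        if fields is None:
            continue
        if off >= MIRROR and image[off - MIRROR:off - MIRROR + 8] == head:
            continue                   # same header 2560 bytes earlier: the mirror
        hits.append((off, fields))
    return hits

def group_sets(hits):
    """Group hits by bytes 6-8 and order each span set by byte 5."""
    sets = defaultdict(list)
    for off, f in hits:
        sets[f["set_id"]].append((f["index"], f["kind"], off))
    return {set_id: sorted(members) for set_id, members in sets.items()}

def build_sample():
    """Constructed buffer: the thread's header bytes, each with a sector-5 copy."""
    headers = ["FE EF 09 03 D5 CC 12 43", "FE EF 01 03 D3 CC 12 43",
               "FE EF 09 03 D4 CC 12 43", "FE EF 01 02 53 03 1F 43"]
    buf = bytearray(80 * SECTOR)
    for n, text in enumerate(headers):
        raw, base = bytes.fromhex(text), n * 20 * SECTOR
        buf[base:base + 8] = raw
        buf[base + MIRROR:base + MIRROR + 8] = raw
    buf[2 * SECTOR:2 * SECTOR + 2] = MAGIC   # magic alone, type byte 00: rejected
    return bytes(buf)

if __name__ == "__main__":
    for set_id, members in group_sets(scan(build_sample())).items():
        print(set_id, [(hex(i), kind, off) for i, kind, off in members])
```

Because byte 5 is a single byte, a long span set could wrap past FF, so the sorted order is a hint for reassembly rather than proof of sequence.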