Norton Ghost & Partition Magic?
I am about to purchase drive partitioning and drive imaging software. I was going to go with the traditional Partition Magic and Norton Ghost which I'm very used to, but was wondering whether any forum users had any recommendations of alternatives that they favour?
Norton Ghost is not traditionally recognised as a FC imaging tool. The default settings do not deal with unallocated clusters, or unused disk space; therefore you will not image the entire physical drive. Another examiner using a different tool (some as described below) will image the same drive and get a very different MD5 hash value. 'Imaging' is very different to 'cloning'.
There are certain 'switches' that need to be set with Ghost in order for it to perform this function. If you are simply making 'clone drives' as opposed to 'imaging' for Forensic Computing purposes, then I suppose Ghost is as good as you can get.
I presume you are imaging in DOS?
In which case - EnCase is free to use in acquisition mode (both in DOS and Windows). I think you can still download the demo of EnCase from Guidance's website. This will allow you to create an EnCase DOS boot disk. You are kind of restricted to using EnCase though to restore/investigate the image.
Or in Windows?
Also AccessData's FTK Imager is free to use. This too can be downloaded from their website. I quite like FTK Imager, it also allows some basic investigation facilities. It also images in various formats, Linux DD, EnCase, and its own proprietary format.
WinHEX also has an imaging function similar to FTK, with many formats.
Don't forget Linux. You can use a very good GUI DD program (GRAB) that comes with (and written by) the makers of HELIX. I have used this boot disk on many occasions and it is free and fairly simple to use.
When it comes to partitioning - Partition Magic is probably the best, but it all depends on what you need it for. A Windows 98/95 DOS boot disk has FDISK on it - and that's the cheaper method…..
do you know dd_rescue?
Like dd, dd_rescue does copy data from one file or block device to another. You can specify file positions (called seek and skip in dd). There are several differences:
* dd_rescue does not provide character conversions.
* The command syntax is different. Call dd_rescue -h.
* dd_rescue does not abort on errors on the input file, unless you specify a maximum error number. Then dd_rescue will abort when this number is reached.
* dd_rescue does not truncate the output file, unless asked to.
* You can tell dd_rescue to start from the end of a file and move backwards.
* It uses two block sizes, a large (soft) block size and a small (hard) block size. In case of errors, the size falls back to the small one and is promoted again after a while without errors.
* It does not (yet) support non-seekable in- or output.
It seems a good alternative
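To show the two behaviours this thread turns on, the two-block-size recovery that the dd_rescue summary above describes and the earlier point that a clone of allocated clusters hashes differently from a full image, here is an added example (my code, not dd_rescue's and not from any poster), run over a constructed in-memory "drive" with one unreadable sector. Block sizes, sector size, the allocated/unallocated split and the drive contents are all constructed values.

```python
# Added example (not the poster's code): a dd_rescue-style copier run over a
# constructed in-memory "drive" with one unreadable sector; all values constructed.
import hashlib
SOFT_BS, HARD_BS, SECTOR = 64, 8, 8  # large/small block sizes and sector size
ALLOCATED = 128  # bytes the constructed file system has allocated to files

class FlakyDrive:
    """Constructed device: a read touching any sector in bad_sectors fails."""
    def __init__(self, data, bad_sectors):
        self.data, self.bad = data, set(bad_sectors)
    def read_at(self, pos, n):
        if any(s in self.bad for s in range(pos // SECTOR, (pos + n - 1) // SECTOR + 1)):
            raise OSError("read error")
        return self.data[pos:pos + n]

def dd_rescue_copy(dev, size, max_errors=None):
    """Unlike dd: keep going after read errors (zero-filling the unreadable hard
    block) unless max_errors is set and reached; drop from SOFT_BS to HARD_BS on
    an error and promote back after a few clean reads."""
    out, pos, bs, errors, clean = bytearray(), 0, SOFT_BS, 0, 0
    while pos < size:
        n = min(bs, size - pos)
        try:
            out += dev.read_at(pos, n)
            clean += 1
            if bs == HARD_BS and clean >= 4:
                bs = SOFT_BS  # a while without errors: back to the large block
        except OSError:
            clean = 0
            if bs == SOFT_BS:
                bs = HARD_BS  # retry the same position in small blocks
                continue
            errors += 1
            if max_errors is not None and errors >= max_errors:
                break  # abort only when an error limit was requested
            out += b"\0" * n  # unreadable hard block: zero-fill and move on
        pos += n
    return bytes(out)

def build_drive():
    """256-byte drive: file data, then unallocated space holding deleted-file remnants."""
    return bytes(range(ALLOCATED)) + b"OLD_DELETED_DATA" * 8, [5]  # sector 5 is bad

def allocated_only_clone(data):
    """Copy only allocated clusters, as a clone made with Ghost's defaults would."""
    return data[:ALLOCATED]

def md5(blob):
    return hashlib.md5(blob).hexdigest()
```

Running `dd_rescue_copy` over the constructed drive yields a full-length image with only the bad sector zeroed, whereas `allocated_only_clone` never sees the unallocated remnants, so the two MD5 values cannot match.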
Thanks for the replies; sorry my original post was so vague, I should have fully explained what I wanted these tools for. 😳
Presently I use hardware write blockers and/or EnCase to make forensic images of drives. What I failed to mention was that I was enquiring about partitioning and imaging of my operating system drive; i.e. after creating an OS with all the apps I am happy with I like to make a copy of that build and decant it out onto a partitioned drive, using a separate OS for each case I would be working on. I agree that Partition Magic does a good job, but I (and others I know) have had problems with Norton Ghost; so I was wondering if there are more reliable alternatives out there?
Can I ask why you use a separate OS for each case, I don't understand why?
To prevent any possibility of cross-case contamination occurring. Using a fresh OS each time is relatively easy (once you've sorted out your partitioning and imaging that is!) and is another step to showing the integrity of your procedures if they were to be questioned.
We considered this issue some time ago. If you are relaying the image back onto a drive and examining it in the raw, then yes you are best to perform a forensic wipe of the drive.
The reason I asked is because if you are using EnCase to acquire and investigate, the argument relating to cross contamination IMHO is irrelevant. The whole point of using such a tool, is to examine the data in a forensically safe environment, the evidence files created by EnCase during acquisition cannot be altered (or at least accidentally altered).
I used to do the same as you - a clean system for every investigation; however I now store evidence files on a large file server, and examine them on a workstation containing everything I need, tools etc. As long as I am careful not to extract unknown files (potential Trojans and viruses) from a case, there is no real reason not to work in this manner. The original image is never altered and cannot be contaminated. I am aware that EnCase used to recommend the clean system methodology as best practice; however I'm not too sure it's in the latest manual. And by insisting upon this practice it contradicts their claim that EnCase performs media acquisitions by producing an exact binary duplicate of data from the original media.
If by acquiring EnCase evidence files to an unclean disk it may risk cross contamination, then the 'container' evidence file it creates is not worth anything…..
You may be wasting your time and effort.
P.S. I apologise in advance if I have not got the gist of what you mean, and climb down from my high horse 🙂
It was considered best practice while I was working for the Met Police, and now I am setting up my own company, my philosophy is 'if it's good enough for them…'
No, the evidence files can't be altered but the files and reports you extract from them can. Having a fresh OS for each case ensures in my mind that there is no chance of malicious code moving from case to case and it enables me to keep all the extracted evidence from each case completely separate. Each to their own really, and what ever suits the best working practices in your office.
Thanks for the frank reply. There are a lot of practices that the Met do differently in all aspects!
That's just my opinion and not to say it's right or wrong, as both methods work; however technology changes and so must best practices. Hard disk drive capacities are increasing all the time, and whilst it was justifiable to image a suspect drive to a like for like drive a short time ago, it simply isn't practical to do that now. Large capacity file storage is one solution, and if you are making a go of your own business it might be worth considering.
No offence intended, and my suggestion was based on an attempt to help you with your new business.
This topic is moving into the realms of whether a clean OS build is needed for each case which could do with a topic of its own really. However, if you are concerned about possible infection from a trojan or the like from files 'broken out' of the case, for password cracking etc can I suggest Prevx.
Prevx has a free version at www.prevx.com and it stops any attempt to write to your registry or exploit a buffer overflow vulnerability. This stops the trojan from executing and essentially leaves it dead in its tracks. The file remains unaffected, unlike with a virus checker, but your machine remains safe. Several Police Forces use the Enterprise version and swear by it. It's the first thing I load onto a new build.
Take a look.
I've tried using Prevx but found it a little annoying. My colleagues use it, and say they like it; however I am not overly concerned about infections, as I am careful with just what I extract out of EnCase (there is little that actually requires extracting for most cases), that combined with a good antivirus (AVG Pro), which has never failed to catch the few pieces of malicious code I've encountered. Also I do not have my forensic workstation connected to the Internet (I have another machine for that purpose). Again that's another topic in its own right.
Yeah I agree with most of that Andy; although prevx now has a 'suspend' option for when you are installing software.
I too keep my forensic workstation disconnected from the internet but I have a VNC connection to another PC which is connected so I can browse the web remotely to look up all the stuff you need to look up during an investigation without fear of contamination. Best of both worlds.
For imaging tool..
take a look at NT Image from dan mares..
NT IMAGE >>> http://www.maresware.com/maresware/lo.htm#NTIMAGE
make sure you read the help file….
cost is also very, very reasonable….
The Ntimage program is designed to be able to create forensic images (within the capabilities of the OS) while running directly under the NT, W2K, XP operating systems. One use of this program is to image a drive when the system cannot be shut down.
Other capabilities are:
* creating a disk to disk clone.
* create an output image file. single file, or sections to write to CD.
* create a compressed output file for easier storage.
* creating a drive clone while simultaneously creating an image file.
* Performing CRC32, MD5, SHA1, SHA2 (256, 384, 512bit), hashes on the drive while imaging.
* Performing CRC32, MD5, SHA1, SHA2 (256, 384, 512bit), hashes on the drive independent of the imaging.
* Performing CRC32, MD5, SHA1, SHA2 hashes on specific sectors of the drive.
* Wiping the drive.
Drives can be restored from any of the image file formats created.
David R. Hibbeln