I've got a dozen GHOST disk images that were given to me to analyze by a client. The current tools we have do not support GHOST images, so I would like to find a tool to convert these into something more friendly to typical forensics tools, such as a DD image.
Does anyone have a trick to handle these types of images aside from buying a copy of EnCase?
Thanks
Eric
Use FTK Imager (free download from Accessdata web page) to convert them for you, or even to view the contents. The only problem is that ghost is a kind of sparse file format unless used in "forensic mode" so if they used the compressed unallocated mode, I'm not sure how happy I'd be with my results.
Ghost images are not always forensically sound; they are even disclaimed by Norton. What Patrick4n6 said is absolutely right. Still, if you want to analyze those images you need to have the same tools from Symantec. Just visit their site (
babu
Ghost images are not forensically sound and generally not accepted as evidence, since they are not bitstream images. Ghost by default compresses unallocated space, so you lose all information about the low-level filesystem state.
If you want to analyze these images though, you can use FTK Imager; it should be able to open them up.
I had attempted FTK Imager, but it reports an error for all the GHO files that I have. I restored some of these images directly to DISK and they do indeed work.
The Ghost version used was version 11.5.1, with the settings to image the full disk (all data).
The error received when opening in FTK Imager is "FILE does not contain valid evidence", details "Image Detection failed".
I know that ghost files are like a terrible way to go, but I was called in AFTER the client used Ghost to make images and was handed a 2TB disk with a bunch of images.
I have googled till my eyes fall out of their sockets…. Perhaps this is the only version of Ghost, that no one can use!!!! x
Maybe you can "pass through" a VM
http//
Of course it very much depends on what you are looking for/need.
jaclaz
I'm coming to the sad realization that most of these tools have very poor documentation. I downloaded the VMware Converter, but the file types supported in the drop-down menus do not include GHOST files. However…. the PDF manual indicates that it does support them.
Realizing that my fresh download has no license key installed… I am taking a guess that perhaps having the FULL version could reveal the ability to handle Ghost files.
I've left a message for a friend who manages VMs to get him to check if his drop-down has more options than mine….
Restore the image to a (larger) drive, then use DD with a specified sector count based on the source size to create a new image. This is one possible solution that would produce something workable.
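The restore-then-dd approach above, as an added example that is not from any poster in this thread: it limits the dd image to the original disk's sector count (otherwise the image also captures whatever sits on the larger drive past the restored data) and hashes the result. It assumes the original size in bytes is known from the Ghost logs or the client, and it demonstrates on constructed files rather than real drives.

```shell
#!/bin/sh
# Added example: image a restored Ghost drive with dd, capped at the original disk's sector count.
# Assumption: the original disk size in bytes (SRC_BYTES) is known; device paths are placeholders.

# Number of 512-byte sectors in a given byte size; refuse sizes that are not sector-aligned,
# because a partial trailing sector would silently change the image length and its hash.
sector_count() {
    bytes="$1"; sector="${2:-512}"
    if [ $(( bytes % sector )) -ne 0 ]; then
        echo "size $bytes is not a multiple of sector size $sector" >&2
        return 1
    fi
    echo $(( bytes / sector ))
}

# Copy exactly $2 bytes from device/file $1 into $3 with dd (conv=noerror,sync keeps going past
# unreadable sectors, padding them with zeros), then print the SHA-256 of the resulting image.
image_restored_drive() {
    src="$1"; bytes="$2"; out="$3"
    count=$(sector_count "$bytes" 512) || return 1
    dd if="$src" of="$out" bs=512 count="$count" conv=noerror,sync 2>/dev/null
    sha256sum "$out" | cut -d' ' -f1
}

# Demo on constructed files only: a 64 KiB "source disk" restored onto a 128 KiB "larger drive".
# The trailing 64 KiB of the drive must not end up in the image, so the hashes must match.
demo() {
    tmp=$(mktemp -d)
    head -c 65536 /dev/urandom > "$tmp/source.bin"
    cp "$tmp/source.bin" "$tmp/drive.bin"
    head -c 65536 /dev/zero >> "$tmp/drive.bin"
    want=$(sha256sum "$tmp/source.bin" | cut -d' ' -f1)
    got=$(image_restored_drive "$tmp/drive.bin" 65536 "$tmp/image.dd")
    rm -rf "$tmp"
    [ "$want" = "$got" ] && echo match || echo mismatch
}
```

Run `demo` to see the check on sample data; for a real drive replace the file path with the block device (e.g. a placeholder like /dev/sdX) and the byte count with the source disk's size.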
As I understand it, FTK Imager will read Ghost images that have been created with the "forensic" switch, but won't read the normal ghost images.
I've used Norton Ghost Explorer to read ghost image files, but you would need to extract them to a sanitised disk, then image that disk, or preview the disk in FTK etc.
You should check if the forensic switch was used when the images were created, and what version of Ghost was used.
It is quite possible that the VM tool also only "likes" forensic-type images, but from what you say there isn't any option to load a .gho image, which is very different from what the docs say, according to this
http//
The "new" user guide says that only the "stoopid" .s2vi files are compatible.
Most probably there was an error in an early version of the docs (cited in the above post) that was later corrected.
http//
http//
Sorry for misleading you.
If you just want to access some files you can use Ghost Explorer, which is freely available on the Symantec Support pages
http//
jaclaz