Notifications

Clear all

Converting a GHOST image to DD or other usable forensics img

eparent · 2010-05-13T00:37:59Z

I've got a dozen GHOST disk images that where given to to me to analyze by a client. The current tools we have do not support GHOST images, so I would like to find a tool to convert these into something more friendly to typical forensics tools such as a DD image.Does anyone have a trick to handle these type of images aside from buying a copy of EnCase?ThanksEric

Page 2 / 2 Prev

General (Technical, Procedural, Software, Hardware etc.)

Last Post by eparent 15 years ago

15 Posts

8 Users

0 Reactions

5,089 Views

RSS

eparent

(@eparent)

Active Member

Joined: 15 years ago

Posts: 7

Topic starter 14/05/2010 6:14 pm

Well, I realized that I was using an older version of VMware Converter, but still the same issue, even with a registered version. It does appear that the tool would only recognize a forensic type ghost image. This got me thinking that my client did not check off the correct options when using Ghost.

So I took a look at the image files that they gave me… and all of them are odd sizes, so this means that some compression (or not taking unallocated space) has happened.

I will either use ghost explorer to bring the files back for analysis, or bring each image back into a VM and reimage from there.

There is a lot to be said for calling in an expert at the beginning of an incident instead of doing it wrong themselves!

Thanks for all the help on this. I certainly did learn a lot about Symantec Ghost images!
lol

ReplyQuote

sanbarrow

(@sanbarrow)

Eminent Member

Joined: 17 years ago

Posts: 23

17/05/2010 4:25 am

VMware Converter does not support *.gho images - no version does.

I would create a VM and restore the *.gho images into a virtual disk by booting the new VM with a LiveCD that can run run ghost.exe or better ghost232.exe
Then you can use that virtual disks for further analysis.

By the way - if you create the virtual disk as type one piece preallocated (monolithicFlat) you can treat the *-flat.vmdk as a dd-image

ReplyQuote

eparent

(@eparent)

Active Member

Joined: 15 years ago

Posts: 7

Topic starter 17/05/2010 6:26 am

That's exactly what I ended up doing… and making a note to remember how much of a pain in the b**t ghost images are!!!!

The client attempted to save money by making these images themselves…. but in the long run… it was a terrible terrible idea. Let's just say that converting the ghost images took a lot time!

Thanks to all for the help, and thanks for that monolithicFlat info, I will give that a try for future use!

Eric

ReplyQuote

markg43

(@markg43)

Trusted Member

Joined: 18 years ago

Posts: 77

17/05/2010 10:21 am

I don't suppose you tried to open the GHO image with FTK Imager (add evidence as an image). It support the .gho file type, you could then export as E01 or dd.

This is better than restoring to a VM.

MarkG

ReplyQuote

eparent

(@eparent)

Active Member

Joined: 15 years ago

Posts: 7

Topic starter 17/05/2010 3:42 pm

Yes we did indeed attempt this, but the GHOST images have not been created using the correct command line parameters and these are compressed which is not supported by any tools.

The VM restore was the only thing that worked. Even Ghost explorer would not access these images (as strange is this seems!)

Eric

ReplyQuote

Page 2 / 2 Prev

8 Forums
15.7 K Topics
92.3 K Posts
302 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed