Dear forum members,
I have two Norton Ghost images with me which seem to have been taken with the "-ir" switch (raw backup). Now I need to analyze them using a forensic tool. I have EnCase 4.20, which does not support the Ghost image format. Restoring the image and then creating EnCase images would be too much of a pain. Mount Image Pro also doesn't support .gho images. Neither does FTK. Does anyone know of any other forensic tool that can help with the analysis of Ghost images?
Cinux
GCFA, GCIA, CEH
From a post by Steve Hailey on securityfocus dot com
The -fnf switch turns off the Ghost fingerprint creation which is what the original question was about. During normal operation of ghosting only the Active data, Ghost places a fingerprint of itself between the Master Boot Record and the first Boot Record. When creating a forensic quality clone, we would want to use this switch so as not to add a signature that was not present on the original media.
The -ir switch (Image Raw) implements a sector-by-sector copy when using Ghost. That is, Ghost creates an image file that is an exact copy of the source disk - including all active and latent data, unpartitioned space (if imaging a physical disk) and surplus sectors. This is one of the most important switches for Forensic Analysts, and is commonly called the "forensic switch." If the original subject media has the Ghost fingerprint present already from previous imaging activity, then yes, this will also be present on the forensic clone.
When using the -ir switch, Ghost will report that it is creating a raw disk image in the image file creation process, and restoring a raw disk image when creating working copies. Understand however that a true "raw copy" of an image is just that - the raw data, sector for sector. A true raw image file will hash out with the same hash value as the original partition or physical disk that it was created from. Although Ghost reports it is creating a raw image, it is not truly raw - the image file will contain proprietary information, and is in a proprietary format. The resultant Ghost images cannot be examined using forensic software packages that can read true RAW images.
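As an added example (not part of this thread and not Steve Hailey's or Symantec's code), the following Python script performs the two checks the quoted post implies an analyst wants before trusting a file as a "raw" image: whether the file starts with a genuine sector-for-sector disk image (a valid 0x55AA boot signature at offset 510 and partition entries that fit inside the file), and whether its SHA-256 matches a hash taken of the original media. The sample disk it builds is constructed inline; the "container" it builds is a stand-in with an invented header to show how a wrapped image fails both checks, and is not Ghost's actual proprietary format, which the post does not describe.

```python
import hashlib
import struct
import sys

SECTOR = 512


def sha256_of_bytes(data, chunk=1 << 20):
    """Hash an in-memory image in chunks (same digest as sha256sum on the file)."""
    h = hashlib.sha256()
    for off in range(0, len(data), chunk):
        h.update(data[off:off + chunk])
    return h.hexdigest()


def parse_mbr(sector0):
    """Return the non-empty partition entries of a 512-byte MBR, or None if the
    0x55AA boot signature at offset 510 is missing (i.e. not a raw disk image)."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        return None
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i:446 + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": count})
    return parts


def looks_like_raw_disk_image(data):
    """True if sector 0 is an MBR and every partition lies within the image.
    A proprietary container that prepends its own header fails the signature
    check; a truncated copy fails the bounds check."""
    parts = parse_mbr(data[:SECTOR])
    if parts is None:
        return False
    total = len(data) // SECTOR
    return all(p["lba_start"] + p["sectors"] <= total for p in parts)


def verify_against_source_hash(data, expected_sha256):
    """A true raw image hashes identically to the source media it was taken from."""
    return sha256_of_bytes(data) == expected_sha256.strip().lower()


def build_constructed_raw_image(total_sectors=2048):
    """Constructed sample: a 1 MiB disk with one bootable FAT16 partition at LBA 63."""
    img = bytearray(total_sectors * SECTOR)
    # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
    img[446:462] = struct.pack("<BBBBBBBBII", 0x80, 1, 1, 0, 0x06,
                               0xFE, 0xFF, 0xFF, 63, total_sectors - 63)
    img[510:512] = b"\x55\xaa"
    vbr = 63 * SECTOR  # give the partition a recognisable boot sector too
    img[vbr:vbr + 3] = b"\xEB\x3C\x90"
    img[vbr + 3:vbr + 11] = b"MSDOS5.0"
    img[vbr + 510:vbr + 512] = b"\x55\xaa"
    return bytes(img)


def build_constructed_container(raw):
    """Constructed stand-in for a proprietary container: an invented header in
    front of the sector data. This is NOT Ghost's real file layout."""
    return b"CONSTRUCTED-CONTAINER-HEADER\x00" + struct.pack("<Q", len(raw)) + raw


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: python check_raw_image.py <image-file> <sha256-of-original-media>
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
        print("raw disk image:", looks_like_raw_disk_image(blob))
        print("hash matches source:", verify_against_source_hash(blob, sys.argv[2]))
    else:
        raw = build_constructed_raw_image()
        wrapped = build_constructed_container(raw)
        print("constructed raw image:", looks_like_raw_disk_image(raw), parse_mbr(raw[:SECTOR]))
        print("constructed container:", looks_like_raw_disk_image(wrapped))
```

Run with no arguments to see the constructed cases, or pass an image path and the SHA-256 recorded from the original media; a file that fails the signature check at offset 510 is not something a raw-image-only tool will parse as a disk, which is exactly the situation the post describes.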
Interesting. So I wonder, if Ghost is used to restore a Ghost image, does it remove the "fingerprint" and other induced artifacts so that a "forensic image" is created? Would the restored image and the original have the same hash?
Ghost has an explorer that can be used to mount the images and review them. I've never tried it with images that were created with the -IR switch so I don't know if the Ghost Explorer gives you access to the unallocated areas, but I doubt it.