I have obtained some ~3gb file with the extention GHO. I searched the net and found it would be (an old) ghost image. "ghost explorer" does not work on this file.
I tried it in a more recent version of ghost and changed the extention , ghost said it was also not good.
So basiclly i not know what for a file this is.
Are there programs that can analyze such file? Or what would cost a (not needed for legal case) analysis, and how long would it take to get the data from it?
On the odd occasion I have come across them I have found that they are very sensitive to having the correct version of the explorer to open them.
You may find you can open it with FTK Imager.
H
find yourself a copy of ghost 2003 (anything newer will not work). it will open them an let you restore to a new partition. if ghost is installed on the machine with the gho file you can usually just export and use ghost32.exe or ghost.exe
afaik ftk imager can open gho images, and if it can open it you can eventually use FTK imager to convert it to a more convenient format (raw or E01).
obviously since the original file wasn't a forensically sound image, you won't produce a forensically sound image, and what was lost in the gho, won't come back in the raw.
but it can be useful to mount the image using other tools like PE explorer free or as a loopback device on a linux machine
ghost versions 2003 and previous had the ability to make forensic (bit-by-bit) images. (in 2002 the switches are -ir and -fnf, in 2003 the switch is -ia if i recall). this was designed to be used to make full disk backups of corrupt/damaged systems where ghost could not parse the filesystem.
it's only these types of .gho images that ftk imager can open, they are treated as a raw disk.
ghost 2003 is his best option. it will read all .gho images. after version 2003, the forensic options were removed and the application started being windows only (no more dos mode) and moving to the *.ghs extension and format for the backup images
so, who can do it ? and what is the price / time needed
Do you know for a fact that this *is* a Ghost File?
Have you checked the hex file signature against known .GHO files to make sure there isn't an issue with extension masking??
Just a thought…
-=Art=-
I dont know what kind of file it is. the file starts with "FE EF" wich would indicate that it really is a GHO file, still I cannot process it in old Ghost explorer. I get the error "invalid drive details. this prbably isnt a ghost image file"
ok got it working now, thanks for all suggestions
used a more recent ghost explorer and all ok