RE: maybe a simple problem

["Clayton Hoskinson" <clayton () coxinet net>]

Ghost will do a forensic image depending on the version you are using
the switches are different.  In 2002 the switches are -ir and  -fnf, in
2003 the switch is -ia there is a text file that explains the switches
and their use with Norton I would read that to determine which ones to
use depending on the version you are using.  Of course do some testing
to make sure you are creating a true forensic image.

Clayton


> -----Original Message-----
> From: george.wasgatt () insurity com [mailto:george.wasgatt () insurity com]
> Sent: Friday, October 04, 2002 8:48 AM
> To: SRobinson () HIPUSA com; george.wasgatt () insurity com;
> greg.reber () astechconsulting com; afison () brit-tex net;
> incidents () securityfocus com
> Subject: RE: maybe a simple problem
>
>
> You are surely right, and if I had actually thought it though before
> writing
> I would have remembered.  A normal GHOST image doesn't bother backing
up
> unused space just the stuff the file system says is in use.  And yes,
> there
> is a bit by bit option that I've had to use when there was a damaged
file
> system or corrupt disk sectors were encountered.
>
> -----Original Message-----
> From: Robinson, Sonja [mailto:SRobinson () HIPUSA com]
> Sent: Friday, October 04, 2002 9:22 AM
> To: 'george.wasgatt () insurity com'; greg.reber () astechconsulting com;
> afison () brit-tex net; incidents () securityfocus com
> Subject: RE: maybe a simple problem
>
>
> I'm not sure if the newest version does a bit by bit copy.  I can't
> remember
> the switch off hand either since we never used it in my work for a
> forensics
> tool.  However, I can try to find it as I believe it DOES have the
> physical
> capability.  Historically, Ghost produced a logical "image or mirror"
of
> the
> drive, it was not a forensic "bit by bit" copy.  It only did a logical
> image
> unless specfically told otherwise, i.e. a physical bit copy.  For
example,
> a
> core build using GHOST was used to roll out 100 workstattions.  The
> physical
> drive size in each machine could vary say from 12GB to 20GB, howver,
the
> GHOST image was 6GB so this would be your logical drive.  Howver,
> forensically speaking, this is not your TRUE drive that must be
copied.
> There could be 6-14GB difference and could present issues in court
since
> you
> now don't have the "original" drive.
>
> You must be careful when doing a copy that may have potential
litligation
> issues, civil or criminal.  A logical copy of the drive (normally what
you
> get using ghost) while this is good for productin is NOT good for
> forensics.
> You must make sure that you can recreate deleted files and obtain the
> miriad
> of pieces located in swap, unallocated and free space onthe ENTIRE
> physical
> drive not just the logical pieces.
>
> Safeback, snapback, encase etc have stood up in court.  I am not sure
> about
> GHOST.  It could if you have that switch (which I can't remember w/o
some
> research) and you can prove that the physical copy from GHOST is
identical
> to that of the original drive, i.e # of sectors, bits, etc.  Suggested
you
> hash the drives using MD5 hash or similar.  Even using safeback, etc.
you
> should still verify that you have made the forensic copy not the
logical
> copy as they give you options to do so.
>
>
> -----Original Message-----
> From: george.wasgatt () insurity com [mailto:george.wasgatt () insurity com]
> Sent: Friday, October 04, 2002 7:36 AM
> To: Robinson, Sonja; greg.reber () astechconsulting com;
> afison () brit-tex net; incidents () securityfocus com
> Subject: RE: maybe a simple problem
>
>
>
> What is the certain switch in GHOST and why is it necessary.  I
thought
> that
> GHOST defaults produced a saved copy of the disk drive bit by bit the
same
> as the original.
>
> -----Original Message-----
> From: Robinson, Sonja [mailto:SRobinson () HIPUSA com]
> Sent: Thursday, October 03, 2002 1:04 PM
> To: 'Greg Reber'; Andrew Fison; incidents () securityfocus com
> Subject: RE: maybe a simple problem
>
>
> IF you alter the files onthe machine they will not hold up in court.
You
> must do a bit level back up which is normally done using a tool such
as
> safeback, snapback, encase ,etc.  You canuse Ghost if you have a
certain
> switch set but I would not suggest it.  Normally you must be
physically
> present to do so.
>
> 1)  DO not boot the machine or do a back up.  You may destroy the
files
> and
> evidence you need by doing so
> 2)  Using an approved FORENSIC method/tool (safeback, snapback,
encase,
> SOloMasster, etc.  Make TWO forensic copies.  1 for them to put back
in
> their machine and 1 for you to use as a back up to restore as many
times
> as
> necessary if you are going drive to drive.  If oyu are using a non-
> intrusive
> means of analysis such as encase then you can do analysis on this
drive as
> long AS YOU KEEP THE ORIGINAL COPY IN CUSTODY.  I always suggest and
> original and a forensic copy (unused) just in case a drive fails.
>
> Depending upon the cost (and potential loss), Ontrack can grabthe
stuff
> remotely for you.  Depends onwhat it's worth to your client.
>
> E-mail me off line for more info.  I specialize in forensics.
>
> -----Original Message-----
> From: Greg Reber [mailto:greg.reber () astechconsulting com]
> Sent: Wednesday, October 02, 2002 9:16 PM
> To: Andrew Fison; incidents () securityfocus com
> Subject: RE: maybe a simple problem
>
>
> Andrew - if there is a suspicion that the client's machine has been
> compromised, they should stop using it and have you do some quick
> forensics.
> Back up files that they need, but not the whole HD.
> http://biatchux.dmzs.com/ is a great site for free forensics tools.
>
> -greg
>
> The information in this email is likely confidential and may be
legally
> privileged. It is intended solely for the addressee. Access to this
email
> by
> anyone else is unauthorized. If you are not the intended recipient,
any
> disclosure, copying, distribution or any action taken or omitted to be
> taken
> in reliance on it, is prohibited and may be unlawful.
>
> -----Original Message-----
> From: Andrew Fison [mailto:afison () brit-tex net]
> Sent: Wednesday, October 02, 2002 2:37 AM
> To: incidents () securityfocus com
> Subject: maybe a simple problem
>
> I have a client who believes that thier win98 pc has been hacked with
some
> remote control software. They are pretty vague and not close buy so i
> cannot
> look at the machine all the time. I asked them to do netstat when they
> think
> they are being spied on but as yet they have not given me anything
useful.
> I think there is reason to believe them as the owner is involed in a
> hostile
> boardroom take over of his company by some other entities, whilst this
is
> legal, they have used other underhand methods against my customer
before
> and
> they are trying to force him to sign over the business to them a
little
> too
> swiftly.
>
> this all started when his wife was suing the pc, and a telescop came
on
> the
> screen and then disapeared, since then the machine crashes, documents
> pertaing to the business have  gone missing etc, any clues to what
this
> telescope could be?
>
> yours
>
> andrew
------------------------------------------------------------------------
--
> --
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
------------------------------------------------------------------------
--
> --
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
>
> **********************************************************************
> This message is a PRIVILEGED AND CONFIDENTIAL communication, and is
> intended
> only for the individual(s) named herein or others specifically
authorized
> to
> receive the communication. If you are not the intended recipient, you
are
> hereby notified that any dissemination, distribution or copying of
this
> communication is strictly prohibited. If you have received this
> communication in error, please notify the sender of the error
immediately,
> do not read or use the communication in any manner, destroy all
copies,
> and
> delete it from your system if the communication was sent via email.
>
>
>
>
> **********************************************************************
------------------------------------------------------------------------
--
> --
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
------------------------------------------------------------------------
--
> --
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com