GHOST

Another tool that can be used for forensic imaging is Symantec Ghost, Personal Edition. Ghost is a popular tool for fast and easy cloning (copying) of computer system hard drives. In addition to writing image files locally, Ghost can clone directly between two computers over a network, USB, or parallel connection. Ghost is a relatively inexpensive cloning solution, available from http://www.symantec.com.

Implementation

When cloning computer systems, Ghost makes assumptions about the file systems it detects and recognizes. For example, on a Windows system, to speed cloning it interprets the logical file system, copies individual files, and skips certain files such as the Windows swap file. Since for forensic purposes we want a true sector-by-sector copy of the hard drive, that default behavior is not adequate. However, Ghost does have a user-selectable option "for the use of law enforcement agencies who require forensic images."

Although Ghost is a DOS-based application, it has a GUI boot wizard that walks you through creating a boot disk for your particular needs. For this example, we will create a boot disk that supports our CD recorder, so the forensic image can be burned and spanned directly to CD-ROMs. Although this may take significantly more time than writing to tape, you should know that this option exists.

After installing Symantec Ghost, create a boot disk using the Symantec Ghost Boot Wizard from the Symantec Ghost Utilities. For this instance, we'll create a boot floppy with CD/DVD support so our CD burner is available from DOS. Select CD/DVD Startup Disk With Ghost.

  1. The boot wizard prompts for boot files from a bootable floppy disk. Insert the floppy and choose Get MS-DOS. Symantec Ghost then copies COMMAND.COM and IO.SYS to use in creating the boot disk.

  2. After the files are copied, be sure to select Use MS-DOS. Click Next and then click OK.

  3. Now you'll be prompted for the location of ghost.exe. This should already have the correct information, so click Next.

  4. The wizard prompts you for the floppy drive and recommends formatting the disk first. If you have already formatted the disk, this step is not strictly necessary, but if there is any doubt, take the time to reformat it.

  5. A review dialog box lets you check the settings. Click Next to continue.

  6. Next, you are presented with the standard Windows Format dialog box. Click Start to format the floppy disk and close the dialog box once the formatting is complete.

  7. After you format the disk and close the Format dialog box, the required system files are copied to the floppy disk. Note that this process does not create a true controlled DOS boot disk as discussed previously. Once the wizard finishes, examine the system files for any hard-coded references to disk compression utilities, make the appropriate changes, and add any programs you need, such as a write blocker.

  8. After the required files are copied, you will have finished creating the boot disk. Click Finish to exit the boot wizard.

  9. Now that you have a boot disk, shut down Windows and connect the 2.5GB hard drive found taped under the suspect's desk to the forensic workstation's IDE chain. Boot from your newly created disk to start Symantec Ghost, and click OK to continue.

  10. As mentioned previously, the default options are for rapid cloning of systems, which is not forensically sound. To enable the options we require, open the Options menu.

  11. The Options menu has several tabs, the first of which is Span/CRC. Since we will be burning the forensic image to CD-ROMs, we need to enable spanning. We also enable AutoName so we won't be prompted for a filename each time we insert a new disc.

  12. Since the suspect's drive may have bad clusters, select Force Cloning on the Misc tab to ensure that the imaging process continues if a bad cluster is encountered.

  13. We also want to enable the Image Disk option on the Image/Tape tab. This is the option that makes Ghost take a sector-by-sector image of the whole disk rather than a file-level copy, the equivalent of a forensic image. It can also be enabled from the command line with the -id switch.

  14. Save the settings, which will update the GHOST.INI file, and click Accept to go back to the main program window.

  15. In the main program window, choose Local Disk To Image.

  16. You are asked to select the source drive to image. Here, we want drive 1, so select it and click OK.

  17. We want to write the image to our CDR drive, which the Ghost boot disk recognized. Select it from the drop-down list.

  18. This is evidence Tag4, so that's what we'll call the image file. We also put in a description that includes drive- and case-specific information, as shown here.

  19. In this case, we want high compression. Compressing the data will require fewer CDRs and will probably shorten the duplication process, since writing the discs is the slow part. Select High from the Compress Image dialog.

  20. A nice option allows us to make the first CD of the image set bootable. This can simplify the restore process, so we'll select Yes.

  21. To make the CD bootable, we need a floppy boot disk to read. Make sure that the floppy disk is in drive A:; then click Yes.

  22. Ghost informs us that the image will require approximately three CDs. We have plenty of blank CDRs available, so click Yes.

  23. Now the imaging process begins. The status window shows a progress indicator, the percentage complete, the time elapsed, and the time remaining.

  24. When the first CDR is completed, the program prompts for the next CDR. Insert a blank CDR and click OK.

  25. After the third CDR is written, a dialog box informs us that the imaging completed successfully.

Now you have performed a forensic image using Symantec Ghost, Personal Edition.
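The same acquisition expressed as a single command line, as an added example that is not from the book: a DOS batch file you could place on the Ghost boot disk so the forensic settings are fixed in the script rather than clicked through each time. The switch names are taken from Ghost's own command-line reference as I recall it and are an assumption here, as are the drive letter E: for the recorder, the image name TAG4.GHO, and Ghost's use of the DOS errorlevel to report failure; check each against the output of ghost.exe -h for your Ghost version before relying on it.

```batch
@echo off
rem Added example, not from the book: Ghost forensic acquisition as a script.
rem ASSUMPTIONS: ghost.exe is on this boot disk, the suspect drive is Ghost
rem disk 1, the CD recorder is reachable as E:, and ghost.exe sets a non-zero
rem errorlevel on failure. Verify every switch with "ghost.exe -h" first.
rem
rem Switch                        GUI step it replaces
rem -id                           Image Disk, sector-by-sector (step 13)
rem -fro                          Force cloning, continue past bad clusters (step 12)
rem -split=650                    Span the image in 650MB pieces (step 11)
rem -auto                         Auto-name the spanned pieces, no prompt (step 11)
rem -z2                           High compression (step 19)
rem -sure                         Do not stop for the "Proceed?" confirmation
rem -clone,mode=dump,src=1,dst=   Local, Disk, To Image from disk 1 (steps 15-17)

if "%1"=="" goto usage
set IMG=E:\%1.GHO

echo Imaging disk 1 to %IMG% (sector-by-sector, force clone, spanned)
ghost.exe -clone,mode=dump,src=1,dst=%IMG% -id -fro -split=650 -auto -z2 -sure

if errorlevel 1 goto failed
echo Ghost reported success. Record %IMG% and the span files on the evidence log.
goto end

:failed
echo Ghost returned an error. Do not treat %IMG% as a valid forensic duplicate.
goto end

:usage
echo Usage: FIMAGE evidence-tag      (example: FIMAGE TAG4)

:end
```

If your Ghost version will not accept the recorder as a command-line destination, point dst at a storage drive instead; -split then sizes the pieces so they can be burned afterward. Whatever the destination, the -id switch is the one that matters forensically: without it Ghost falls back to the file-level copy described at the start of this section.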

Case Study: Search and Seizure!

As the newest police officer, you are often drafted to perform seizure duty for your county. You received a call today from one of your superiors informing you that a computer store is going to be raided later this afternoon and that you are the designated forensic duplication officer for this event. Armed with EnCase, SafeBack, SnapBack, and Ghost, you suit up in your bulletproof vest and join the rest of the team.

During examination of the work area, a desktop (~6GB) and laptop (~3.9GB) computer were identified. Additionally, the top-right drawer of the suspect's desk contained another laptop drive (~1.3GB), mounted in a drive carriage for the suspect's particular laptop, and an additional (~2.5GB) desktop hard drive was found taped to the bottom of the suspect's desk.

Normally, you would use one method to obtain all of the forensic images. However, to expose you to various types of forensic duplication software, this chapter demonstrates the duplication process using EnCase, SafeBack, SnapBack, and Ghost.

EnCase EnCase was used in this chapter to capture the first 6GB hard drive discovered in the raid. The evidence files were saved to the forensic workstation's storage drive for analysis in the next chapter.

SafeBack SafeBack was used to duplicate the 3.9GB laptop drive discovered in the seizure. The evidence files were also saved to the forensic workstation's storage drive for analysis in the next chapter.

SnapBack SnapBack was used to forensically duplicate the 1.3GB laptop hard drive seized in the raid. The duplication was saved to a tape backup, one of the only storage options for this tool.

Ghost To illustrate the use of another media for saving evidence, we used Ghost. By using Ghost, we were able to save the forensic duplication directly to three CDs for further analysis. The source hard drive we duplicated was 2.5GB, seized from under the suspect's desk during the raid.

If we did not have a CDR unit in our forensic workstation, Ghost could send the image across a network. SnapBack also has this capability, and EnCase allows preview and acquisition through a crossover network cable. Keep this in mind if you cannot mount the source and storage drives in the same machine (which can happen in some hardware RAID configurations!).


Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2006
Pages: 175