Ghost




For our final forensic duplication, we will use Symantec’s Norton Ghost, Personal Edition. Ghost is a popular tool that allows fast and easy cloning, or copying, of computer system hard drives. In addition to direct local file images, Ghost can clone directly between two computers using a network, USB, or parallel connection. Ghost is a relatively inexpensive cloning solution, available from http://www.symantec.com.

Implementation

When cloning computer systems, Ghost makes assumptions about the file systems it detects and recognizes. For example, on a Windows system, to speed cloning, it recognizes the logical file system, copies individual files, and skips certain files such as Windows swap files. Since for forensic purposes we want a true sector-by-sector copy of the hard drive, this default cloning mode is not adequate. However, Ghost does have a user-selectable option “for the use of law enforcement agencies who require forensic images.”

Although Ghost is a DOS-based application, it has a GUI boot wizard that walks you through the creation of a boot disk for your particular needs. For this particular example, we will create a boot disk that supports our CD recorder to allow burning and spanning of the forensic image directly to CD-ROMs. Although this may take significantly more time than writing to tape, you should know that this option exists.

After installing Norton Ghost, we will create a boot disk using the Norton Ghost Boot Wizard from the Norton Ghost Utilities. For this particular instance, we’ll create a CD-ROM boot disk that supports our CD burner. Select CD/DVD Startup Disk With Ghost:


  1. The boot wizard prompts for boot files from a bootable floppy disk. To get these from the floppy, insert the floppy and choose Get MS-DOS. Norton Ghost will then copy Command.com and io.sys to use in creating the bootable CD.

  2. After the files are copied, be sure to select Use MS-DOS. Then click Next, and then click OK.


  3. It will then prompt you for the location of Ghost.exe. This should already have the correct information so simply click Next.


  4. The wizard prompts you for the floppy drive and recommends formatting the disk first. If you have already reformatted the disk, this is not always necessary, but if there is any doubt, you should always take the time to reformat it fully.

  5. A review dialog box lets you check the settings. Click Next to continue.


  6. Next you are presented with the standard Windows Format dialog box. Click Start to format the floppy disk and close the dialog box once the formatting is complete.

  7. After you format the disk and close the Format dialog box, the required system files are copied to the floppy disk. Note that this process does not create a true controlled DOS boot disk as discussed previously in this chapter. You will need to examine the system files to determine if any hard-coded references to disk compression utilities appear and make the appropriate changes and add any programs, such as a write blocker, after the boot disk process has completed.

  8. After the required files are copied, you have finished creating the boot disk. Click Finish to exit the boot wizard.

  9. Now that you have a boot disk, shut down Windows and connect the 2.5GB hard drive found under the suspect’s desk to the forensic workstation’s IDE chain. Use your newly created boot disk to start Norton Ghost. Click OK to continue.

  10. As mentioned previously, the default options are for rapid cloning of systems, which is not forensically sound. To enable the options we require, we must go into the Options menu.

  11. The Options menu has several tabs, the first of which is Span/CRC. Since we will be burning the forensic image to CD-ROMs, we need to enable spanning. We also want to enable AutoName so we won’t be prompted for a filename each time we insert a CD-ROM.


  12. Since the suspect’s drive may have bad clusters, we need to select Force Cloning from the Misc tab to ensure that the imaging process continues if a bad cluster is detected.


  13. We also want to enable the Image Disk option on the Image/Tape tab. This is the option that enables the equivalent of a forensic image. This can also be enabled from the command line using the -id command-line option.


  14. Save the settings, which will update the GHOST.INI file, and click Accept to go back to the main program window.

  15. In the main program window, choose Local | Disk | To Image.

  16. You are asked to select the source drive to image. Here, we want drive 1, so select it and click OK.


  17. We want to copy the files to our CDR, which the Ghost boot disk recognized. Select it from the drop-down list.

  18. This is evidence Tag4, so that’s what we’ll call the image file. We also put in a description that includes drive- and case-specific information as shown next.


  19. In this case, we want high compression. Compressing the data will require fewer CDRs and probably result in a shorter image duplication process. Select High from the Compress Image dialog.

  20. A nice option allows us to make the first CD of the image set bootable. This can simplify the restore process, so we’ll select Yes.

  21. To make the CD bootable, we need a floppy boot disk to read. Make sure that the floppy disk is in drive A:; then click Yes.

  22. Norton informs us that the image process will require approximately three CDs. We have many blank CDRs available, so click Yes.

  23. Now the imaging process begins. The status window shows a progress indicator, the percentage complete, the time elapsed, and the time remaining.


  24. When the first CDR is completed, the program prompts for the next CDR. Insert a blank CDR and click OK.

  25. After inserting the third CDR, a dialog box informs us that the imaging was completed successfully.

Now you have performed a forensic duplication using Norton Ghost Personal Edition.
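Step 7 above leaves one manual task: inspecting the boot disk the wizard produced for hard-coded references to disk compression drivers and confirming that the files you added afterwards (such as a write blocker) are actually on the disk. The following script is an added example, not code from the book or from Symantec. It audits a copy of the boot floppy's contents in a directory, flags any mention of the MS-DOS DBLSPACE/DRVSPACE drivers in every file (binary-safe, so IO.SYS is covered as well as CONFIG.SYS and AUTOEXEC.BAT), and removes offending lines from the two text configuration files; references inside binaries are only reported for manual review. The sample boot disk it builds is constructed for the demonstration, and the write-blocker file name WRITEBLK.EXE used in the usage note is a hypothetical placeholder, not a real product.

```python
"""Audit a DOS boot floppy (copied to a directory) before using it for forensic imaging.

Added example; not part of the book or of Norton Ghost.
"""
import os
import re
import tempfile

# MS-DOS disk-compression drivers. A controlled forensic boot disk must not load
# them, because they mount (and can write to) compressed volumes at boot time.
COMPRESSION_PATTERN = re.compile(rb"(DBLSPACE|DRVSPACE)(\.(BIN|SYS|EXE))?", re.IGNORECASE)

# Files the Ghost boot wizard copies from the MS-DOS floppy (named in step 1).
REQUIRED_FILES = ("IO.SYS", "COMMAND.COM")

# Text files whose offending lines can safely be removed; everything else is report-only.
TEXT_CONFIG_FILES = ("CONFIG.SYS", "AUTOEXEC.BAT")


def scan_file(path):
    """Return the distinct compression-driver names referenced in one file (binary-safe)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return sorted({m.group(0).decode("ascii", "replace").upper()
                   for m in COMPRESSION_PATTERN.finditer(data)})


def audit_boot_disk(root, extra_programs=()):
    """Audit the boot disk copied to `root`.

    extra_programs: file names the examiner added after the wizard ran (e.g. a write
    blocker) and expects to find; the names are supplied by the caller.
    Returns missing files, (file, driver) references found, and an overall verdict.
    """
    present = {name.upper(): os.path.join(root, name) for name in os.listdir(root)}
    expected = REQUIRED_FILES + tuple(p.upper() for p in extra_programs)
    missing = [f for f in expected if f not in present]
    refs = []
    for name, path in sorted(present.items()):
        if os.path.isfile(path):
            for driver in scan_file(path):
                refs.append((name, driver))
    return {"missing": missing, "compression_refs": refs,
            "clean": not missing and not refs}


def strip_compression_lines(root):
    """Remove lines that load a compression driver from CONFIG.SYS / AUTOEXEC.BAT.

    Returns the number of lines removed. Binary files are left untouched on purpose:
    a reference inside IO.SYS needs an examiner's judgement, not a text edit.
    """
    removed = 0
    for name in os.listdir(root):
        if name.upper() not in TEXT_CONFIG_FILES:
            continue
        path = os.path.join(root, name)
        with open(path, "rb") as fh:
            lines = fh.read().splitlines(keepends=True)
        kept = [ln for ln in lines if not COMPRESSION_PATTERN.search(ln)]
        removed += len(lines) - len(kept)
        with open(path, "wb") as fh:
            fh.writelines(kept)
    return removed


def build_sample_disk():
    """Constructed sample: a boot floppy copy whose CONFIG.SYS still loads DRVSPACE."""
    root = tempfile.mkdtemp(prefix="bootdisk_")
    files = {
        "IO.SYS": b"\x00" * 16 + b"io.sys placeholder (constructed, no driver refs)",
        "COMMAND.COM": b"MZ command.com placeholder (constructed)",
        "CONFIG.SYS": b"DEVICE=C:\\DOS\\HIMEM.SYS\r\nDEVICE=C:\\DOS\\DRVSPACE.SYS /MOVE\r\n",
        "AUTOEXEC.BAT": b"@ECHO OFF\r\nGHOST.EXE -id\r\n",  # -id: the Image Disk option from step 13
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    disk = build_sample_disk()
    print("before:", audit_boot_disk(disk))
    print("lines removed:", strip_compression_lines(disk))
    print("after:", audit_boot_disk(disk))
    # WRITEBLK.EXE is a hypothetical placeholder name for a write blocker you added.
    print("with write blocker expected:", audit_boot_disk(disk, extra_programs=("WRITEBLK.EXE",)))
```

Run it against the directory you get by copying A:\ (including hidden system files) to the workstation; a clean verdict means the required files are present, nothing references a compression driver, and every program you listed in extra_programs is on the disk.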

Case Study: Search and Seizure!

As the newest police officer, you are often drafted to perform seizure duty for your county. You received a call today from one of your superiors informing you that a computer store is going to be raided later this afternoon and that you are the designated forensic duplication officer for this event. Armed with EnCase, Safeback, SnapBack, and Ghost, you suit up in your bullet-proof vest and join the rest of the team.

During examination of the work area, a desktop (~6GB) and laptop (~3.9GB) computer were identified. Additionally, the top-right drawer of the suspect's desk contained another laptop drive (~1.3GB), mounted in a drive carriage for the suspect's particular laptop, and an additional (~2.5GB) desktop hard drive was found taped to the bottom of the suspect's desk.

Normally, you would use one method to obtain all of the forensic images. However, to expose you to various types of forensic duplication software, this chapter demonstrates the duplication process using EnCase, Safeback, SnapBack, and Ghost.

EnCase   EnCase was used in this chapter to capture the first 6GB hard drive discovered in the raid. The evidence files were saved to the forensic workstation's storage drive for analysis in the next chapter.

Safeback   Safeback was used to duplicate the 3.9GB laptop drive discovered in the seizure. The evidence files were also saved to the forensic workstation's storage drive for analysis in the next chapter.

SnapBack   SnapBack was used to forensically duplicate the 1.3GB laptop hard drive seized in the raid. The duplication was saved to a tape backup, one of the only storage options for this tool.

Ghost   To illustrate the use of another media for saving evidence, we used Ghost. By using Ghost, we were able to save the forensic duplication directly to three CDs for further analysis. The source hard drive we duplicated was 2.5GB, seized from under the suspect's desk during the raid.

If we did not have a CDR unit in our forensic workstation, Ghost could send the image across a network. SnapBack also has this capability, and EnCase allows preview and acquisition through a crossover network cable. Keep this in mind if you cannot mount the source and storage drives in the same machine (which can happen in some hardware RAID configurations!).







Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2004
Pages: 189
