RE: Forensic help?

[Sims Brian <brian.sims () siemens com>]

Ghost will not give you a forensically sound image.   Unless something
changes recently, Ghost won't image unallocated space, so you won't be able
to recover any deleted files.   I'd recommend using the Helix Live CD at
http://www.e-fense.com/helix/, which based on Knoppix, but will never
automatically mount any disks found, as Knoppix will.

It contains all the tools previously mentioned - dcfldd for imaging, which
you can pipe to netcat to create an image over the network.   The Sleuthkit
for analysis, which is basically just a front-end to other tools also
included.   However, the learning curve can bit a bit steep.

-----Original Message-----
From: Red Leg [mailto:redleg18 () gmail com]
Sent: Sunday, September 11, 2005 8:37 PM
To: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Forensic help?


On 9/11/05 6:33 PM, "Red Leg" <redleg18 () gmail com> wrote:

> Hi all.
>
> I was wondering if anyone knows of a program/system that I can purchase,
as
> a private individual, that will allow me to
>
> 1) mirror a hard drive on location and
>
> 2) take that mirror and restore it to another drive. And
>
> 3) Find any CONVENTIONALLY erased files?
>
>  -- This would be either a Windows NTFS or FAT32 drive.


Wow!

Thanks all. I really appreciate the education!

I wish that I could keep the target drive, and change it out. However, this
is a Freedom of Information Act issue. I don't think they'll let me keep the
original/target.


I knew about Drive Image, but I didn't know it or Symantec Ghost would be
able to get the erased data (as in using the "Delete Key" or right click
delete).

Thanks!
Redleg18


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

-------------------------------------------------------------------------------
This message and any included attachments are from Siemens Medical Solutions 
USA, Inc. and are intended only for the addressee(s).  
The information contained herein may include trade secrets or privileged or 
otherwise confidential information.  Unauthorized review, forwarding, printing, 
copying, distributing, or using such information is strictly prohibited and may 
be unlawful.  If you received this message in error, or have reason to believe 
you are not authorized to receive it, please promptly delete this message and 
notify the sender by e-mail with a copy to Central.SecurityOffice () shs siemens com 

Thank you
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/