Saturday, March 1, 2008

Ghost as a forensic tool

If you have not figured it out yet, I read several forensic listservs (great way to learn and kill half my weekend ;) and I often find myself picking a topic I read about on one of the listservs and then blogging about that topic.

So this weeks topic is about using Symantec's Ghost utility as a forensic tool. The ghost utility has been around for many years and is most commonly known for and used by IT professionals to create baseline images of workstations and servers for quick deployment. I doubt that at its inception, that ghost was ever designed to be used as a forensic tool. But somewhere along the way, Symantec added some functionality into the ghost utility to make "forensic" copies of hard drives specifically for law enforcement purposes.

Many years ago I remember going to training and hearing that ghost was an unacceptable tool to use to create a 'forensic' copy as it did not create an 'exact' image and changed a few bytes so you would never get the same hash as the original. I remember performing an exercise and creating a ghost image and comparing the hash values of the original and the ghost image to see that they did not match. As I mentioned, somewhere along the development path of the ghost utility, the ability to make an exact forensic copy was included. The best I can tell, it started with ghost v5.1, circa 1999. From the "Whats new.txt" included with that version:

"-ID (Image Disk) is similar to -IA (Image All), but also
copies the boot track, as above, extended partition
tables, and unpartitioned space on the disk. When looking
at an image made with -ID, you will see the unpartitioned
space and extended partitions in the list of partitions.
The -ID switch is primarily for the use of law enforcement
agencies who require 'forensic' images."

Then in Ghost 2002, the command line switch "-IR" was included:
"-IR The image raw switch copies the entire disk, ignoring the partition table. This is useful when a disk does not contain a partition table in the standard PC format, or you do not want partitions to be realigned to track boundaries on the destination disk. Some operating systems may not be able to access unaligned partitions. Partitions cannot be resized during restore and you need an identical or larger disk."


So what do these command line options do and which is appropriate to use?
I have tested several image files created using the various ghost command line switches and here is a summary:

This command line option appears by description to create a bit-level image (they call it a sector-by-sector) and it in fact does. If an hard drive image is created using the "ghost -ID" switch, then a bit-level image is created. The problem with this switch comes when you restore this image back out to a hard drive. This switch will cause ghost to adjust the partition boundaries on the destination drive if they are not standard. So for example, if the source HD has 32 sectors per track (SPT) and ghost image is created, when the image is restored back out to a hard drive, ghost will adjust the partition boundaries if the disk geometry is different on the destination drive and make appropriate changes in the partition table. This will obviously result in different hash values being generated. This command line option is configurable in the actual ghost application under the options->Image/Tape tab:

This command stands for "image raw" and it too makes a bit-level image resulting in an exact duplicate. The difference in this switch is that ghost will ignore the disk geometry on the destination drive when the image is restored and create the image exactly as it was on the source. An image created with the -IR switch will result in the same overall drive hash as the original, ASSUMING it is restored out to a hard drive of the same exact size. This option does NOT appear in the ghost options tab and is a command line switch only.

Ghost (with any switch) DOES not make an image file (.gho extention) that is a raw bitstream image like 'dd' does. A look at a ghost image file in a hex editor will show you that there is a header with information that ghost uses to restore the image correctly and was not on the source drive, typically the first six sectors of the image file. Then the actual bitstream copy of the source drive follows and the footer used by the ghost utility is at the end of the ghost image file. Ghost allows you to compress the image of the source drive when the image is made. This has no effect on the data when it is restored; it only affects the data as it sits in the ghost image file (.gho).

The only appropriate command line option for use when making a forensic image is the "-IR" option. Although not a common forensic tool and often believed to be unacceptable for forensic use, current versions of ghost can make an exact duplicate of a hard drive when the -IR command line option is used.

The only other problem is that there is no easy way to tell which switch was used when the image was created. If you try and look at an image that was created with the -ID or -IR switch with Ghost Explorer, an error message will appear stating that one of those command line options was used, but does not tell you which:

If you look at the details pane when restoring the image, a disk image created using the -IR command line switch will say "RAW DISK IMAGE":

An image created using the -ID command line switch will just show the file system type:

There is also no way to validate the image's integrity. I opened a ghost image file with a hex editor and erased several references to a file and ghost happily restored the image without reporting an error. Since there is no way to generate hash values for blocks or the entire HD source from within ghost, you would have to take a baseline hash BEFORE ghost is used. Then when restored that baseline hash could be compared to the restored drive hash, again using an external tool outside of ghost.

To summarize, the important things to remember if you are using ghost to create an image or if you accept a ghost image are:

If using ghost to create an image:
Create a baseline hash of the source drive before using ghost
Use ghost with the "-IR" command line switch
Make a ghost image of the "disk" not just a partition
Hash the .gho file for reference (convenience)

When accepting a ghost image file:
Ask for documentation on which command line switches were used
Verify via the details pane when restoring the image
Verify it is an image of the entire disk, not just a logical partition
Ask for a baseline source hash from before ghost was used
Verify the restored image hash to the baseline

*Note - all testing and screenshots were done using ghost 2003.


Phil Rodokanakis Saturday, 01 March, 2008  


Since you're a Guidance person, you may not know that AccessData's FTK Imager provides limited support for Ghost images. You can preview the image in FTK Imager and then convert it to another format like .E01.

The catch is that FTK Imager won't support compressed Ghost images. And since compression is turned on by default in Ghost, this workaround may not help much.

Also, given the more recent GUI versions of Ghost, I doubt that most folks that would use Ghost to acquire an image would set any of the switches and most likely will end up with an image of the logical files only (not the physical disk).

Best regards, Phil

Anonymous Saturday, 01 March, 2008  

All good points. FTK also opens GHO images, though I've never had the occasion to use GHOs with FTK or Imager. I'd think that Imager would be able to hash the image for comparison with the original disk, but again, I haven't tried GHOs with Imager.

One thing to note for those who don't routinely restore GHO or any images to another disk, is that a verification hash should be made using the correct sectors. You can restore a GHO to a larger disk, and I've seen a few posts that question why the hash of the (larger) restored disk doesn't match the original.

GHO can be very handy n building VWware machines, if you want to copy a mounted image to a virtual disk. The "forensicness" of the process isn't critical in that procedure.

Lance Mueller Saturday, 01 March, 2008  

Phil & Jimmy,

EnCase can parse a .gho file by adding the file as a raw image. There is a 6 sector Ghost header, PS6 will contain the MBR, sector 69 will contain the VBR, If you highlight the VBR, right-click and choose "Add partition", EnCase will parse the partition and dislay it logically. You can then image it.

This technique will only work on uncompressed .gho image files

Anonymous Sunday, 02 March, 2008  

Lance: Does Ghost still write on the suspect disk by default? Ghost used to places a fingerprint of itself between the Master Boot Record and the first Boot Record. You had then use the -fnf switch for turning off the Ghost fingerprint creation.


Anonymous Friday, 21 March, 2008  

I feel that Ghost is not a 100% peer-reviwed forensic imaging tool. We as digital forensic examiners and experts in our field should stick to our guns and keep with the standards such as: dd, dcfldd, EnCase, FTK. These have been tried and true and have held up in our courts of law without question unlike Ghost!

Tanmay Wednesday, 04 November, 2009  

I have a .ghs image. I am not sure whether it is compressed or not. I did add the segments in EnCase as a raw image. I don't see anything at PS6, sector 69 where I can mount the partition. FTK can't add the image either. Is their any way to find out whether A) it is a compressed image or not. B)if we can convert it into E01 format using other utility?

Post a Comment

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles