[prev in list] [next in list] [prev in thread] [next in thread] 

List:       forensics
Subject:    Re: Ghost Norton Fingerprint signature
From:       Valdis.Kletnieks () vt ! edu
Date:       2005-05-29 4:08:52
Message-ID: 200505290408.j4T48rsb024517 () turing-police ! cc ! vt ! edu
[Download RAW message or body]


On Sat, 28 May 2005 19:39:20 PDT, Steve Hailey said:

> The oriignal question was along the lines of  "how to find the signature,"
> not "would the signature be present in a forensic clone of a drive that already
> contained the signature."  My original information is correct based on the
> question asked.

Your *original* answer was a bit misleading...

> switch."  If the original subject media has the Ghost fingerprint present
> already from previous imaging activity,  then yes, this will also be present on
> the forensic clone.

This is subtly different than what you originally said:

> You will typically find the signature for Ghost in the sectors between the
> Master Boot Record and the first Boot Record.  You'll know it when you see it.
> If the disk was cloned using the proper switches to create a forensically sound
> sector-by-sector clone, you will not find a signature.

There's *two* clones being discussed here - your forensic clone and an earlier
one.  If we're discussing the *original* clone being made with those switches,
then yes, there won't be a signature on the disk (unless of course the original
had aquired a signature from an even *earlier* cloning).  If we're discussing the
*forensic* clone (an obvious conclusion if you read the sentence as "If you
made your forensic clone using the switches you'd want for a forensically sound
clone"), there's the implication that doing so would make an existing signature
apparently dissapear...


[Attachment #3 (application/pgp-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]