[prev in list] [next in list] [prev in thread] [next in thread]
List: forensics
Subject: Re: Ghost Norton Fingerprint signature
From: Valdis.Kletnieks () vt ! edu
Date: 2005-05-29 4:08:52
Message-ID: 200505290408.j4T48rsb024517 () turing-police ! cc ! vt ! edu
[Download RAW message or body]
On Sat, 28 May 2005 19:39:20 PDT, Steve Hailey said:
> The oriignal question was along the lines of "how to find the signature,"
> not "would the signature be present in a forensic clone of a drive that already
> contained the signature." My original information is correct based on the
> question asked.
Your *original* answer was a bit misleading...
> switch." If the original subject media has the Ghost fingerprint present
> already from previous imaging activity, then yes, this will also be present on
> the forensic clone.
This is subtly different than what you originally said:
> You will typically find the signature for Ghost in the sectors between the
> Master Boot Record and the first Boot Record. You'll know it when you see it.
> If the disk was cloned using the proper switches to create a forensically sound
> sector-by-sector clone, you will not find a signature.
There's *two* clones being discussed here - your forensic clone and an earlier
one. If we're discussing the *original* clone being made with those switches,
then yes, there won't be a signature on the disk (unless of course the original
had aquired a signature from an even *earlier* cloning). If we're discussing the
*forensic* clone (an obvious conclusion if you read the sentence as "If you
made your forensic clone using the switches you'd want for a forensically sound
clone"), there's the implication that doing so would make an existing signature
apparently dissapear...
[Attachment #3 (application/pgp-signature)]
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic