Security Essentials Toolkit: Forensic Backups
- Exercise 1: Disk Imaging with Ghost
- Exercise 2: Forensics with dd
This chapter is from the book
This chapter is from the book
This chapter is from the book
Exercise 1: Disk Imaging with Ghost
Description
The capability to create disk images is important for incident handling for two reasons.
From a recovery standpoint, disk images can help you restore a compromised system to a known good state immediately. This is accomplished by making a binary image of the system before it is put online. This is especially true if the system's contents are fairly static. If a database with constantly changing data resides on the system, it would not be as effective.
From a forensics standpoint, the capability to make a binary copy of a compromised system has two benefits. First, it allows you to study how the system is compromised while still getting the production system back online quickly. Also, if you intend to prosecute the attacker, it allows you to save the original drive in a pristine state for evidentiary purposes while giving you a duplicate that can be used for research purposes.
Ghost from Symantec is a tool that allows for the creation and management of binary images. In addition to the incidenthandling functions discussed here, it can also be used to roll out a network of similarly configured PCs more effectively.
Objective
The objective of this exercise is to familiarize you with the process of installing Ghost, creating an image file of a disk partition, and exploring an image file.
Requirements
Hardware
Intel-based PC running Windows 2000 Professional with a floppy disk drive
Software
Symantec Ghost Corporate Edition 7.5 (Trialware is available from http://enterprisesecurity.symantec.com/content/productlink.cfm?) Note: Registration with Symantec is required.
Challenge Procedure
Following are the steps you will complete in this exercise:
- Install Ghost.
- Create a Ghost boot disk.
- Create a partition image.
- Explore a partition image.
Challenge Procedure Step-by-Step
The following steps show you how to install Ghost, create an image file of a disk partition, and explore an image file:
First, we are going to install Ghost. Download the Ghost distribution to the C:\Exercises folder. Open the distribution with WinZip. Double-click the SG75Trial executable to start the installation of Ghost. 
Next, enter the password provided by Symantec during the registration process and click OK. 
Accept the default location for expanding the installation files by clicking Next. 
In the Welcome screen, click Next. The License Agreement box appears. 
Click the I Accept the Terms in the License Agreement radio button, and
then click Next. 
In the Info box, click OK again. 
Click the Standard Tools Only (Ghost, Gdisk etc.) radio button, and then
click Next. 
In the Destination Folder box, accept the default destination folder by
clicking Next. 
Next, perform a default installation by clicking Next when the Custom
Setup screen appears. 
Click Install to start the installation. 
When the installation completes, you are given the option to view the
readme file. It can be reviewed, but it is not necessary to read it for this
exercise. Click Next to proceed. 
Click Finish to complete the installation. The InstallShield Wizard lets
you know the installation is completed. 
Now, we are going to create a Ghost boot disk. To do this, first select
Start, Symatec Ghost, Ghost Boot Wizard. 
Now, select Boot Disk with CD-R/RW, LPT and USB Support, and then click
Next. 
No additional options are needed for this exercise, so click Next again
to proceed. 
PC-DOS will work, so you just have to click Next again. 
Click Next to select the Symantec Ghost client type. 
Then, select your floppy disk drive and click Next. 
A confirmation screen appears. Review your selections, and then click
Next to create the boot disk. 
Click Start to format a floppy. 
When the format completes, close the current format window so that the
boot disk creation can proceed automatically. 
Click Finish to complete the boot disk creation. 
Now, we'll create a partition image. Leave the boot disk in the
floppy drive. Click Start, Shutdown, Restart to boot off of the Ghost disk.
Click OK for both of the evaluation reminder screens that appear. 
Click Local, Partition, To Image to create a partition image. 
Click the disk drive that has your boot partitions, and then click
OK. 
Next, select the Linux Primary partition, and click OK. 
In the Filename to Copy Image to window, navigate to C:\Exercises. Enter
Linux for the filename, and then click Save. 
You may not have enough disk space. If this is the case, the following
window will appear, so click Fast to compress the image file as it is being
created. 
After your system is done compressing, click Yes to proceed. 
A progress indicator keeps you updated. Note that this usually takes a
long period of time to complete. 
Click Continue when the completion message appears. Click Quit to exit Ghost. At the A:\Ghost command prompt, remove the disk and reboot the system to go back into Windows.
Now, let's navigate a partition image. To examine the image file
just created, select Program, Symantec Ghost, Ghost Explorer. 
Click the Open Folder icon. 
Navigate to C:\Explorer and double-click the Linux entry. The image file is loaded into the Ghost Explorer window, and you can navigate it in much the same manner you do with Windows Explorer.
)
)
)
)
)
)
)
)
)
)
)
)
)
)
)
)
)
)
)
)
)
)
)
)
)
)
)
)
)
)
)
)
)
)
Additional Reading
Grace, Scott. Computer Incident Response and Computer Forensics Overview. SANS Institute, http://www.sans.org/infosecFAQ/incident/IRCF.htm.
Holley, James. "Computer Forensics," SCInfo Security Magazine. September 2000, http://www.scmagazine.com/scmagazine/2000_09/survey/survey.html#secure.
Summary
A binary disk image creation tool, such as Symantec Ghost, should be part of every incident handler's toolkit. It is a quick and efficient way to restore a system back into production.
Ghost is also helpful for working with a compromised disk drive. If your intent is to prosecute an attacker, Ghost allows you to make a duplicate upon which you can actually perform your forensics while the original is left intact for evidence.