Security Essentials Toolkit: Forensic Backups
Exercise 1: Disk Imaging with Ghost
The capability to create disk images is important for incident handling for two reasons.
From a recovery standpoint, a disk image lets you restore a compromised system to a known good state quickly. This requires that a binary image of the system be taken before it is put online, and that the image be refreshed whenever the build changes. It works best when the system's contents are fairly static; if a database with constantly changing data resides on the system, the image restores the operating system and applications but not the current data, so it is much less effective.
From a forensics standpoint, the capability to make a binary copy of a compromised system has two benefits. First, it allows you to study how the system was compromised while still getting the production system back online quickly. Second, if you intend to prosecute the attacker, it allows you to preserve the original drive in a pristine state for evidentiary purposes while giving you a duplicate on which to do the analysis. For the duplicate to be a true binary copy it must be taken sector by sector: by default Ghost copies only the clusters the file system reports as in use, so you need its sector-by-sector switches (-ia for partitions, -id for whole disks, -ir for a raw copy of the entire drive) to capture slack space and unallocated space as well. Record a cryptographic hash of the original drive before and after imaging so you can show it was not altered.
Ghost from Symantec is a tool that allows for the creation and management of binary images. In addition to the incident-handling functions discussed here, it can also be used to roll out a network of similarly configured PCs more efficiently.
The objective of this exercise is to familiarize you with the process of installing Ghost, creating an image file of a disk partition, and exploring an image file.
You will need the following for this exercise:
- Intel-based PC running Windows 2000 Professional with a floppy disk drive
- Symantec Ghost Corporate Edition 7.5 (Trialware is available from http://enterprisesecurity.symantec.com/content/productlink.cfm?) Note: Registration with Symantec is required.
Following are the steps you will complete in this exercise:
- Install Ghost.
- Create a Ghost boot disk.
- Create a partition image.
- Explore a partition image.
Challenge Procedure Step-by-Step
The following steps show you how to install Ghost, create an image file of a disk partition, and explore an image file:
First, we are going to install Ghost. Download the Ghost distribution to the C:\Exercises folder. Open the distribution with WinZip. Double-click the SG75Trial executable to start the installation of Ghost.
Now, we'll create a partition image. Leave the boot disk in the floppy drive. Click Start, Shutdown, Restart to boot from the Ghost disk. Click OK for both of the evaluation reminder screens that appear.
Click Quit to exit Ghost. At the A:\Ghost command prompt, remove the disk and reboot the system to go back into Windows.
The image file is loaded into the Ghost Explorer window, and you can navigate it in much the same manner you do with Windows Explorer.
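The menu-driven steps above can also be run from the command line on the Ghost boot disk, which is how you would script an unattended image or make sure the forensic switches are not forgotten. The batch file below is an added example for this exercise; it is not from the original text or from Symantec. It assumes Ghost.exe is in the current directory on the boot floppy (A:\Ghost), that the compromised drive is disk 1 and the partition of interest is partition 1:1, that a second, larger drive is mounted as D: to receive the image, and that a separate analysis drive is disk 2. The drive numbers, paths and image name are placeholders to adjust for your hardware.

```batch
@echo off
rem forensic_ghost.bat - drive Ghost from the boot floppy instead of the menus.
rem Added example, not part of the original exercise or Symantec's documentation.
rem Assumptions (adjust for your hardware):
rem   - Ghost.exe is in the current directory on the boot disk (A:\Ghost)
rem   - the compromised drive is disk 1; the partition of interest is 1:1
rem   - a second, larger drive is mounted as D: to hold the image file
rem   - the analysis drive is disk 2; the copy is restored to 2:1
rem   - the evidence drive is attached through a hardware write blocker when dumping
rem Usage:  forensic_ghost dump    (evidence partition 1:1 -> D:\IMAGES\EVIDENCE.GHO)
rem         forensic_ghost load    (D:\IMAGES\EVIDENCE.GHO -> analysis partition 2:1)

set IMAGE=D:\IMAGES\EVIDENCE.GHO

if "%1"=="dump" goto dump
if "%1"=="load" goto load
goto usage

:dump
rem mode=pdump  copy a partition to an image file
rem -ia         image all: sector-by-sector copy of the partition, so slack
rem             space and unallocated clusters (deleted data) are preserved;
rem             without it Ghost copies only clusters the file system marks in use
rem -z1         fast compression (-z9 gives the smallest file at the cost of time)
rem -split=600  write the image in 600 MB pieces so each fits on a CD-R
rem -sure       do not prompt for confirmation (unattended run)
rem -fx         exit to DOS when finished instead of returning to the menu
rem For the entire drive rather than one partition, use mode=dump,src=1 with -id
rem (image disk), which also captures the boot track and unpartitioned space.
ghost.exe -clone,mode=pdump,src=1:1,dst=%IMAGE% -ia -z1 -split=600 -sure -fx
goto end

:load
rem mode=pload  restore partition 1 from the image file onto the analysis disk.
rem Never load back onto the evidence drive: the original must stay untouched.
ghost.exe -clone,mode=pload,src=%IMAGE%:1,dst=2:1 -sure -fx
goto end

:usage
echo usage: forensic_ghost dump or forensic_ghost load
:end
```

Run it from the A:\Ghost prompt after booting the Ghost disk. The dump form is what you want for evidence; the load form gives you the working duplicate on a separate disk so the original is never written to during analysis.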
A binary disk image creation tool, such as Symantec Ghost, should be part of every incident handler's toolkit. It is a quick and efficient way to restore a system to production.
Ghost is also helpful for working with a compromised disk drive. If your intent is to prosecute an attacker, Ghost allows you to make a duplicate upon which you can actually perform your forensics while the original is left intact for evidence.