During a recent case, we received a set of 4 compressed/split Norton Ghost image files. The image files were created with Norton Ghost v11. As it turns out, none of the forensic tools we had available (EnCase, FTK) were able to read these compressed Norton Ghost (GHO) files. So I reached out to listservs (all CCEs responding, thank you) to see what alternatives exist. At first I thought this was easy and bought Norton Ghost v15. Unfortunately it proved to be useless, because as of Norton 12/14/15 and Norton Save & Restore 2.0, they no longer have the ability to read GHO files (confirmed with Tech Support) and create images in .v2i format. I also found out that Norton Ghost versions 10/12/14/15 are considered Personal/Home products. Versions 9/11 are Enterprise products. Luckily, we had a version of Ghost 11 available.

Using various parts from helpful responses, the following process allowed me to bring the 4 split/compressed Norton Ghost (GHO) image files into EnCase.

Note: The Ghost image files were NOT created with any “forensic” switch, so they are not to be considered a bit-stream image.

Note: To my surprise Mount Image Pro does NOT support Ghost images at all, according to my conversation with Tech Support. Anyway, let’s get going.

Situation:

4 split/compressed Norton Ghost image files (File1.gho, File1_001.ghs, File1_002.ghs, File1_003.ghs). The image files were created with Norton Ghost v11. They needed to be loaded into EnCase.

Solution:

  1. Load the 4 split/compressed GHO files into Norton Ghost Explorer. Note: I don’t provide support for this product or have any affiliation with the creator.
  2. Once loaded, select the partition in the left pane. In my case it showed up as NTFS.
  3. Go to View -> Options. Uncheck “split image”.
  4. While the partition is selected, go to File -> Compile…
  5. Make sure “split image” is unchecked in the dialog. Enter the new name of the single GHO image you are about to create.
  6. Click “Save”.  This will create a single GHO file. Note: This will NOT uncompress the files. So there are additional steps we need to take.
  7. Now that we have a single GHO file, you need to have access to a version of Norton Ghost that has the Ghost32.exe application. In my case this file was part of Norton v11.  I was not able to verify if this executable exists on older Norton products.
  8. Use the following command line to convert the GHO into a VMware VMDK file.
    ghost32.exe -clone,mode=restore,src=C:\…\YOUR_FILENAME.gho,dst=C:\…\YOUR_NEWFILE.vmdk -batch -sure
  9. Start EnCase and add your VMDK file to your case.
  10. Now you can acquire the drive via EnCase or perform your analysis.

Disclaimer: The MAC date/times seem to remain intact throughout this process; however, you need to validate your evidence!
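
One piece of that validation, as an added example that is not part of the original post: a PowerShell script that records SHA-256 hashes of the original .gho/.ghs segments before step 1 and re-checks them after step 8, so you can show the received files were not altered by Ghost Explorer or ghost32.exe. The script, its parameter names and the manifest file name are assumptions; it does not check the MAC times inside the image, which still have to be compared separately.

```powershell
# Added example (not from the original post): hash manifest for the Ghost evidence set.
# Assumption: the .gho file and its .ghs spans sit together in one folder.
param(
    [Parameter(Mandatory)][ValidateSet('Record', 'Verify')][string]$Mode,
    [Parameter(Mandatory)][string]$EvidenceDir,          # folder holding File1.gho and the .ghs spans
    [string]$Manifest = 'ghost_evidence_manifest.csv',   # hypothetical manifest file name
    [string]$DerivedImage                                # optional: VMDK written by ghost32.exe
)

function Get-EvidenceHashes([string]$Dir) {
    # Only the Ghost image and its spans; sorted so the manifest order is stable.
    Get-ChildItem -LiteralPath $Dir -File |
        Where-Object { $_.Extension -in '.gho', '.ghs' } |
        Sort-Object Name |
        ForEach-Object {
            [pscustomobject]@{
                Name   = $_.Name
                Length = $_.Length
                SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($Mode -eq 'Record') {
    # Run once, before the files are opened in Ghost Explorer.
    Get-EvidenceHashes $EvidenceDir | Export-Csv -LiteralPath $Manifest -NoTypeInformation
    Write-Output "Recorded hashes to $Manifest"
    return
}

# Verify: run after the compile and the ghost32.exe conversion.
$before = Import-Csv -LiteralPath $Manifest
$after  = @(Get-EvidenceHashes $EvidenceDir)
$failed = $false
foreach ($row in $before) {
    $now = $after | Where-Object Name -eq $row.Name
    if (-not $now)                       { Write-Warning "MISSING  $($row.Name)"; $failed = $true }
    elseif ($now.SHA256 -ne $row.SHA256) { Write-Warning "CHANGED  $($row.Name)"; $failed = $true }
    else                                 { Write-Output  "OK       $($row.Name)" }
}

# Hash the derived VMDK so the file added to EnCase is pinned in the case notes.
if ($DerivedImage) {
    $h = Get-FileHash -LiteralPath $DerivedImage -Algorithm SHA256
    Write-Output "DERIVED  $($h.Hash)  $DerivedImage"
}
if ($failed) { exit 1 }
```

Files present at verify time but absent from the manifest, such as the single compiled GHO from step 6, are ignored because only the originally received segments are checked.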