Getting the big picture.™


During a recent case, we received a set of 4 compressed/split Norton Ghost image files. The image files were created with Norton Ghost v11. As it turns out, none of the forensic tools we had available (EnCase, FTK) were able to read these compressed Norton Ghost (GHO) files. So I reached out to listservs (to all the CCEs who responded, thank you) to see what alternatives exist. At first I thought this was easy and bought Norton Ghost v15. Unfortunately it proved to be useless, because as of Norton Ghost 12/14/15 and Norton Save & Restore 2.0, they no longer have the ability to read GHO files (confirmed with Tech Support) and instead create images in .v2i format. I also found out that Norton Ghost versions 10/12/14/15 are considered Personal/Home products. Versions 9/11 are Enterprise products. Luckily, we had a version of Ghost 11 available.

Using various parts from helpful responses, the following process allowed me to bring the 4 split/compressed Norton Ghost (GHO) image files into EnCase.

Note: The Ghost image files were NOT created with any “forensic” switch, so they are not to be considered a bit-stream image.

Note: To my surprise Mount Image Pro does NOT support Ghost images at all, according to my conversation with Tech Support. Anyway, let’s get going.

Situation:

4 split/compressed Norton Ghost image files (File1.gho, File1_001.ghs, File1_002.ghs, File1_003.ghs). The image files were created with Norton Ghost v11. They needed to be loaded into EnCase.

Solution:

  1. Load the 4 split/compressed GHO files into Ghost Explorer (Norton Ghost Explorer, updated on 2011-09-02. Note: I don’t provide support for this product or have any affiliation with the creator.)
  2. Once loaded, select the partition in the left pane. In my case it showed up as NTFS.
  3. Go to View -> Options. Uncheck “split image”.
  4. While the partition is selected, go to File -> Compile…
  5. Make sure “split image” is unchecked in the dialog. Enter the new name of the single GHO image you are about to create.
  6. Click “Save”.  This will create a single GHO file. Note: This will NOT uncompress the files. So there are additional steps we need to take.
  7. Now that we have a single GHO file, you need to have access to a version of Norton Ghost that has the Ghost32.exe application. In my case this file was part of Norton v11.  I was not able to verify if this executable exists on older Norton products.
  8. Use the following command line to convert the GHO into a VMware VMDK file.
    ghost32.exe -clone,mode=restore,src=C:\…\YOUR_FILENAME.gho,dst=C:\…\YOUR_NEWFILE.vmdk -batch -sure
  9. Start EnCase and add your VMDK file to your case.
  10. Now you can acquire the drive via EnCase or perform your analysis.

Disclaimer: The MAC date/times seem to remain intact throughout this process; however, you need to validate your evidence!


I just received the new Tableau Forensic Duplicator (TD1) to put it through its paces. So the first test was to image a 40GB drive. I did so by using the 2GB DD image file option. The imaging with the unit went as expected.

When adding the DD images to EnCase I ran into a little snag however. Wrote a song about it, wanna hear it? Here it goes…

Started EnCase, created case, opened the “Add Raw Image” dialog.

Then went ahead and opened the dialog to add the “Component Files”.

Selected “Image.001” + SHIFT + selected “Image.021”.

Clicked “Open” in the dialog box, and clicked “OK” to add the raw image.

The result: Nothing, nada, nichts; well if you call Unused Disk Area nothing.

So I tried again. This time by only selecting the first of the raw DD images. No luck either. This time I got at least an error message.

I began to question the Tableau’s DD format. So I fired up FTK Imager and tried loading the image, which worked without any problem.

Not wanting to give up I reached out to EnCase support and it turns out there is a simple, yet very important way to add raw image files.

I did everything right up until selecting the actual raw image files.

The critical thing to remember is the ORDER in which the raw image files appear in the “Component Files” window when adding raw image files. So in my case above, notice that in the #1 position it shows “Image.021”. Not good.

Solution:

The trick is to actually select the raw DD image files in reverse order such as:

Select “Image.021” + SHIFT + select “Image.001”.

If you selected the files any other way, you can still drag and drop the component files into the right order within the “Add Raw Image” window.
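Since a wrongly ordered segment list reassembles into garbage, it pays to check the order and hash the reassembled stream yourself before trusting what a tool shows. The script below is an added example, not code from the original post or from Tableau/EnCase; it assumes the segments carry numeric suffixes like Image.001 … Image.021 and builds a few tiny constructed segments to demonstrate.

```python
import hashlib
import os
import re
import tempfile

# Segment names look like "Image.001", "Image.002", ... (numeric suffix).
SEGMENT_RE = re.compile(r"^(?P<base>.+)\.(?P<seq>\d{3,})$")


def order_segments(paths):
    """Sort segment paths by numeric suffix, whatever order they were selected in.
    Raises ValueError unless the set is one contiguous run from 001 for a single
    base name: a missing, duplicated or foreign segment would corrupt the image."""
    parsed = []
    for p in paths:
        m = SEGMENT_RE.match(os.path.basename(p))
        if not m:
            raise ValueError(f"not a split-image segment: {p}")
        parsed.append((m.group("base"), int(m.group("seq")), p))
    bases = {b for b, _, _ in parsed}
    if len(bases) != 1:
        raise ValueError(f"segments belong to different images: {sorted(bases)}")
    parsed.sort(key=lambda t: t[1])
    seqs = [s for _, s, _ in parsed]
    if seqs != list(range(1, len(seqs) + 1)):
        raise ValueError(f"segment sequence has gaps or duplicates: {seqs}")
    return [p for _, _, p in parsed]


def sha256_of_segments(paths, chunk_size=1 << 20):
    """SHA-256 over the segments concatenated in the given order; compare it
    with the hash the duplicator recorded to confirm the reassembly is right."""
    h = hashlib.sha256()
    for p in paths:
        with open(p, "rb") as f:
            for chunk in iter(lambda: f.read(chunk_size), b""):
                h.update(chunk)
    return h.hexdigest()


def make_sample_segments(count=3):
    """Constructed sample data (not real evidence): tiny fake segments in a temp
    directory, returned in reverse order to mimic a badly ordered selection."""
    d = tempfile.mkdtemp()
    paths = []
    for i in range(1, count + 1):
        p = os.path.join(d, f"Image.{i:03d}")
        with open(p, "wb") as f:
            f.write(bytes([i]) * 16)
        paths.append(p)
    return list(reversed(paths))
```

Run `sha256_of_segments(order_segments(selected))` against the hash on the TD1 report; the same call on the un-sorted selection gives a different digest, which is exactly the mismatch a mis-ordered “Component Files” list produces.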

Hope this helps others.