Welcome, Guest. Please Login
 
  HomeHelpSearchLogin FAQ Radified Ghost.Classic Ghost.New Bootable CD Blog  
 
Page Index Toggle Pages: 1
Send Topic Print
Need help Defining Ghost "Image"? (Read 4726 times)
ciscobee
N00b
Offline


Ghost 8.2 Info Needed!

Posts: 5


Back to top
Need help Defining Ghost "Image"?
Oct 23rd, 2006 at 9:40am
 
All,

I cannot find any information on symantec about this, but it could be because I am not searching for the right keywords.

When I take a Ghost Image, what am I actually getting?  Is it a copy of the Windows File Structure, a bit by bit copy of the hard drive, or something all together different.

For instance, Let's say I have 2 PC's.  PC "A" and PC "B". One day on PC "A" I delete a file called "Bob.txt", and empty the recycle bin.  Then, a few hours later, I decide to image this PC using Ghost version 8.2.

Once I create the Ghost image of PC "A" I decide I am tired of using that computer and want to restore the image to PC "B" which has a hard drive of the exact same size, make, manufacturer, but no existing data on it.

After restoring the image to PC "B" I remember that I needed a phone number, and it was in a file called "bob.txt".  I remember that I deleted it, so I will need to use an undelete utility of some sort to recover the data.

The question "Will the bob.txt file be present on the hard drive of PC B, in an undeleted state?"
 
 
IP Logged
 

ciscobee
N00b
Offline


Ghost 8.2 Info Needed!

Posts: 5


Back to top
Re: Need help Defining Ghost "Image"?
Reply #1 - Oct 23rd, 2006 at 10:05am
 
As an update ... have finished running through the Ghost 9 Manual which I downloaded from Symantec ... nothing in there which defines the image either.
 
 
IP Logged
 
Rad
Radministrator
*****
Offline


Sufferin' succotash

Posts: 4090
Newport Beach, California


Back to top
Re: Need help Defining Ghost "Image"?
Reply #2 - Oct 23rd, 2006 at 10:32am
 
In Ghost 9 & 10 (which is based on Powerquest's Drive Image, not Ghost) an image is defined by another name, a back-up point I believe (I don't use Ghost 9/10), but it's still a file that contains the contents of your drive. I think in Ghost 9/10, the file ends in *.v2i. Someone who really knows will stop by.
 
WWW  
IP Logged
 
John.
Übermensch
*****
Offline



Posts: 2072


Back to top
Re: Need help Defining Ghost "Image"?
Reply #3 - Oct 23rd, 2006 at 12:29pm
 
Quote:
When I take a Ghost Image, what am I actually getting?  Is it a copy of the Windows File Structure, a bit by bit copy of the hard drive, or something all together different?

Ghost creates a file which contains a compressed image of the hard drive.  It's a sector by sector image.  If you have a hard drive failure, you can restore the image onto a new hard drive, even a larger one and it will look the same.

Quote:
After restoring the image to PC "B" I remember that I needed a phone number, and it was in a file called "bob.txt".  I remember that I deleted it, so I will need to use an undelete utility of some sort to recover the data.

The backup image file can be "browsed" with a Ghost utility much like Windows Explorer.  It's a very handy feature.   You can selectively restore a file or folder (or the whole thing).  You can "mount" the image and give it a drive letter.  You can't write or save into the image though.

Quote:
Once I create the Ghost image of PC "A" I decide I am tired of using that computer and want to restore the image to PC "B" which has a hard drive of the exact same size, make, manufacturer, but no existing data on it.


You cannot take a hard drive from one PC and install it in another PC and expect Windows XP to work correctly or even boot.  As a minimum, you have to do a XP Repair Install, but that only works SOME of the time.  However, if you have a data-only hard drive partition (files, movies, pictures, databases, etc.) then you can do what you want.

The same logic applies to Ghost:  You can't take an operating system image and restore it to a different computer with any guaranteed success.  Search on Microsoft website for complete information on installing a new motherboard or changing motherboards with XP because that is what you are essentially doing.
 

Ghost4me  Ghost 9, 10, 12, 14, 15.  Windows XP, Vista, Windows 7
 
IP Logged
 
ciscobee
N00b
Offline


Ghost 8.2 Info Needed!

Posts: 5


Back to top
Re: Need help Defining Ghost "Image"?
Reply #4 - Oct 23rd, 2006 at 12:45pm
 
Lets assume I can restore the image to another computer and it works just fine.  Same exact hardware specs etc.

The real question at hand is "Can I recover data, which was deleted on the imaged pc at the time when the image was taken?"

It's a hard concept to follow.  But think of forensic investigation.  An investigator would want to copy the hard drive of a computer ... save the image files.  Go back to the lab.  And then restore that image to another hard drive.  Then the investigator could use tools like OnTrack to attempt to recover files that the user would have deleted, even prior to the image being taken.
 
 
IP Logged
 
Pleonasm
Übermensch
*****
Offline



Posts: 1619


Back to top
Re: Need help Defining Ghost "Image"?
Reply #5 - Oct 23rd, 2006 at 3:14pm
 
Ciscobee, the scenario you describe in Reply #4 would only be possible if you created the recovery point with Smart Sector Copying disabled (see page 63 in the Ghost 10.0 User's Guide).  Normally, Smart Sector Copying is enabled – and, as a consequence, only those sectors in use at the time the recovery point is created are included therein.  Sectors not in use (i.e., which may contain the remains of deleted files) would not be incorporated in the recovery point.

By the way, you might wish to look at CyberScrub Privacy Suite as a tool for securing erasing files.  I use and recommend it.
 

ple • o • nasm n. “The use of more words than are required to express an idea”
 
IP Logged
 

John.
Übermensch
*****
Offline



Posts: 2072


Back to top
Re: Need help Defining Ghost "Image"?
Reply #6 - Oct 23rd, 2006 at 3:19pm
 
ciscobee wrote on Oct 23rd, 2006 at 12:45pm:
Lets assume I can restore the image to another computer and it works just fine.  Same exact hardware specs etc.
The real question at hand is "Can I recover data, which was deleted on the imaged pc at the time when the image was taken?"

Probably not.  If fact, I would say No.

The reason is that Ghost (or any imaging program) normally  backs up ONLY used sectors.  That's to keep the backup image file smaller.  Deleted files would be in sectors that are no longer used and hence wouldn't be backed up.

If you want to recover a file that was deleted from the original hard drive, search Google for "data recovery software" or mail the hard drive to a company (like Ontrack) that will attempt physical recovery of the disk.  File Scavenger is one software analysis program I have personally used.  I think it's about $50.

The only case that I know of where the Ghost image "might" contain the deleted files, would be if you had chosen the option to "back up ALL sectors".  This is not normally chosen because the backup image is so large, and regular image backups (say weekly or daily) give you history so you can recover a file form one of your older images.
 

Ghost4me  Ghost 9, 10, 12, 14, 15.  Windows XP, Vista, Windows 7
 
IP Logged
 
Brian
Demigod
******
Offline



Posts: 6303
NSW, Australia


Back to top
Re: Need help Defining Ghost "Image"?
Reply #7 - Oct 23rd, 2006 at 3:22pm
 
Pleonasm,

Very interesting answer. I hadn't thought about this issue before. So you are saying that one can't recover a deleted file (deleted just prior to the image being being taken) from a freshly restored image.

 
 
IP Logged
 
Pleonasm
Übermensch
*****
Offline



Posts: 1619


Back to top
Re: Need help Defining Ghost "Image"?
Reply #8 - Oct 23rd, 2006 at 3:52pm
 
Brian, let's say that the user deletes a file and then immediately creates a recovery point with Smart Sector Copying disabled.  In this case, after restoring the recovery point, the likelihood of recovering the deleted file ought to be the same as if the recovery operation had been attempted immediately following the deletion, since the user is working with the exact same set of sectors (used and unused).

If, however, Smart Sector Copying is enabled and the user restores to the same drive on which the recovery point is based, then the remains of the deleted file might still be present, depending upon how much disk activity has occurred during the interval.  If the user had erased (wiped) the hard disk drive prior to restoring that recovery point, then the remains of the deleted file ought to be destroyed.

Ciscobee, you may also be interested in encrypting your recovery points (see page 17 in the Ghost 10.0 User's Guide).  This would reduce the likelihood that anyone could extract files from your recovery point without your permission.
 

ple • o • nasm n. “The use of more words than are required to express an idea”
 
IP Logged
 
Pleonasm
Übermensch
*****
Offline



Posts: 1619


Back to top
Re: Need help Defining Ghost "Image"?
Reply #9 - Oct 23rd, 2006 at 3:55pm
 
By the way, a friend recently had the need to use the services of OnTrack on a failed hard disk drive.  The results were spectacular – OnTrack recovered all of his desired files.
 

ple • o • nasm n. “The use of more words than are required to express an idea”
 
IP Logged
 
ciscobee
N00b
Offline


Ghost 8.2 Info Needed!

Posts: 5


Back to top
Re: Need help Defining Ghost "Image"?
Reply #10 - Oct 23rd, 2006 at 4:28pm
 
Your responses are genuinely appreciated.  It seems that Smart Sector Copying Disabled is the way to go if you actually want to capture a sector level image, complete with the used and unused.  Of course, I am curious if that would mean that the image size would be = to the size of the drive/partition?  Probably close.

I am using Ghost 8.2 so, I will have to check and see if the option to disable that feature exists.

This forum really is RAD!
 
 
IP Logged
 

Rad
Radministrator
*****
Offline


Sufferin' succotash

Posts: 4090
Newport Beach, California


Back to top
Re: Need help Defining Ghost "Image"?
Reply #11 - Oct 23rd, 2006 at 4:55pm
 
I think the responses here pertain to Ghost 9/10, since you mentioned downloading & reading the Ghost 9 manual.

Since you are using Ghost 8.2, you need to verify that those features mentioned above apply to Ghost 8.2 (they may not, I dunno).

I know that Pleo specifically mentioned Ghost 10 above in reply #5.

Ghost 9 & 10 are significantly different from previous versions.
 
WWW  
IP Logged
 
NightOwl
Radministrator
*****
Offline


"I tought I saw a puddy
tat..."

Posts: 5801
Olympia, WA--Puget Sound--USA


Back to top
Re: Need help Defining Ghost "Image"?
Reply #12 - Oct 23rd, 2006 at 10:26pm
 
ciscobee

Quote:
The question "Will the bob.txt file be present on the hard drive of PC B, in an undeleted state?"

The answer is probably *No*!--Ghost 2003 and Ghost 8.x operate in a very similar fashion and use the same command line switches.  So, information that applies to one usually applies to the other as well.

Quoting from the Ghost 2003 User Guide:

Quote:
Norton Ghost images contain only the actual data on a disk. If you have a 9 GB
drive with only 600 MB of data, the Norton Ghost image is approximately 600
MB, and is smaller if you use compression.

Any file that has been *deleted* will no longer be *seen* by Ghost as *data* to be backed up.  If you create an image shortly after you have deleted a file, it will not be present in the image, and therefore will not be restored to your *blank* HDD on computer B.  That's how Ghost 2003 and 8.x operate in their default mode.

But, you can change the *default* behavior of Ghost 2003 or 8.x by using command line switches when you start Ghost:

Quoting from the Ghost 8.x User Guide regarding the *-ia* (image all) and *-id* (image disk) switches:

Quote:
-ia

The image all switch forces Symantec Ghost to perform a sector-by-sector copy of all
partitions. By default, when copying a partition from a disk to an image file or to another
disk,
Symantec Ghost examines the source partition and decides whether to copy just the
files and directory structure, or to do a sector-by-sector copy
.
If it understands the
internal format of the partition, it defaults to copying the files and directory structure.

Generally this is the best option. However, if a disk has been set up with special hidden
security files that are in specific positions on the partition, the only way to reproduce
them accurately on the target partition is through a sector-by-sector copy. If you use this
switch to create an image of a dynamic disk, then the image must be restored to a disk
with identical geometry.


Quote:
-id

The image disk switch is similar to -ia (image all), but also copies the boot track, as in -ib
(image boot), extended partition tables, and unpartitioned space on the disk. When
looking at an image with -id, you see the unpartitioned space and extended partitions in
the list of partitions. The -id switch is primarily used by law enforcement agencies that
require forensic images.

When Symantec Ghost restores from an -id image, it relocates partitions to cylinder
boundaries and adjusts partition tables accordingly. Head, sector, and cylinder
information in partition tables is adjusted to match the geometry of the destination disk.
Partitions are not resizeable. You will need an identical or larger disk than the original.

Symantec Ghost does not wipe the destination disk when restoring from an -id image.
Geometry differences between disks may leave tracks on the destination disk with their
previous contents.

Use the -ia (image all) switch instead of the -id switch when copying partition-to-partition
or partition-to-image. An individual partition can be restored from an image created with
-id.


Quote:
When I take a Ghost Image, what am I actually getting?  Is it a copy of the Windows File Structure,

Sort of...quoting from the Ghost 2003 User Guide:

Quote:
When Norton Ghost creates image files or clones, it does not include hibernation
and swap files. These files are valid only for one Windows session, and when they
are included in an image file, they make it significantly larger.

Norton Ghost implements file skipping differently for each type of file system.

--FAT file systems: Files are not included on the image file or destination disk.

--NTFS file systems: A file with the same name is created on the image file or
destination disk, but the contents of the file are not copied.

The following files are skipped on all file systems:

386Spart.par
Amizvsus.pmf
Dos data.sf
Ghost.dta
Hiberfil.sys
Hibrn8.dat
Hybern8
Navsysl.dat
Navsysr.dat
Pagefile.sys
Pm_hiber.bin
Save2dsk.bin
Saveto.dsk
Spart.par
Swapper.dat
Toshiber.dat
Virtpart.dat
Win386.swp


Quote:
a bit by bit copy of the hard drive

Only if you tell Ghost to do that with the *-ia* or *-id* switches.

Quote:
or something all together different.

Yes, in its default mode--that's probably the best description  Wink !

And, *Yes*, if you do a *sector-by-sector* backup image, then the size of the image will approach the size of the disk--less the room saved with compression.
 

____________________________________________________________________________________________

No question is stupid ... but, possibly the answers are Wink !
 
IP Logged
 
ciscobee
N00b
Offline


Ghost 8.2 Info Needed!

Posts: 5


Back to top
Re: Need help Defining Ghost "Image"?
Reply #13 - Oct 24th, 2006 at 12:39pm
 
NightOwl - Props to you for knowing this information!

The -ia and -id options appear to be the ones that I am looking for.  This is an excellent explanation of this situation.

The -id option makes me curious because it allows a sector by sector image to be restored to a physical disk which may be overall larger in volume.

It is also interesting to note, that the -id option does not wipe the contents of destination disks which are larger in overall geometry that the original disk.  Meaning, that if a forensic investigation were to occur, and the -id image was restored to a volume of greater size  ...  data which may not pertain to the imaged PC would likely be found.

This is a facinating thread!  I appreciate all who have contributed as this knowledge is not centrally located anywhere else on the web!
 
 
IP Logged
 
Pleonasm
Übermensch
*****
Offline



Posts: 1619


Back to top
Re: Need help Defining Ghost "Image"?
Reply #14 - Oct 24th, 2006 at 1:08pm
 
Ciscobee,

RE:  “if a forensic investigation were to occur, and the -id image was restored to a volume of greater size  ...  data which may not pertain to the imaged PC would likely be found.”

Actually, a forensic investigation would most likely be able to recover any information on the disk to which the image is restored, since the restoration is simply overwriting all (or most) of the hard disk only once.  While a single overwrite will be successful in preventing the operation of most software-based recovery tools, it will probably not prove successful if the investigator is using hardware-based tools.

Personally, I use the seven-pass Department of Defense “stop hardware recovery” process to securely erase files:
    1. Overwrite with a randomly selected byte
    2. Overwrite with the complement of the byte used in Pass 1
    3. Overwrite with random byte values
    4. Overwrite with a randomly selected byte
    5. Overwrite with a randomly selected byte
    6. Overwrite with the complement of the byte used in Pass 5
    7. Overwrite with random byte values
 

ple • o • nasm n. “The use of more words than are required to express an idea”
 
IP Logged
 
Page Index Toggle Pages: 1
Send Topic Print