PCBUILD Archives

Personal Computer Hardware discussion List

PCBUILD@LISTSERV.ICORS.ORG

From: Mark Rode <[log in to unmask]>
Reply To: PCBUILD - Personal Computer Hardware discussion List <[log in to unmask]>
Date: Wed, 14 Mar 2001 22:37:15 -0800

If you clone an image file to a CD the attributes will change to
read-only... so you won't really have an exact replica. You could zip up the
hard drive and put the zip file on a CD but you would lose any deleted
files that weren't in the recycle bin. It would be better to clone it to a
portable drive or even another hard drive. Perhaps one of those USB
Firewire external Maxtor.

However, if you plan on examining deleted files they may not be included in
the image file. I don't see why data that was deleted outside of a recycle
bin would be included in an image file. I have a fixed 350 meg swap file. I
routinely delete the swap file from a DOS prompt immediately prior to
imaging the drive in order to reduce the size of the image file. I have
imaged with and without the swap file and it makes a significant difference
in the size of the image file. If Drive Image was cloning the entire
partition including deleted files then deleting it wouldn't make a
difference. I would ask Symantec to make sure everything is in fact copied
from the drive when you ghost it.

Maybe I am missing something here but is there some reason you can't
replace the hard drive with another one by cloning the existing one to it?
Then you would have the original one to copy and examine at your leisure. If
you use an exact replacement no one would be the wiser, and even if you
don't only a sophisticated user would notice. You could always tell the
suspect you're updating his computers with bigger hard drives and some more
RAM. Of course I am assuming that these computers are the property of your
client.

The best place to go to clone the drive with the deleted files intact, and
then examine them, would be a data recovery center. Examining drives a byte at
a time without jeopardizing existing data... especially deleted files... is
what they do. You could check with Advanced Data Solutions,
http://www.adv-data.com . Their Senior Data Recovery technician is Tim
Lider at [log in to unmask]
I am sure you realize that the cost of such an examination with deleted
file recovery would be many thousands of dollars.

Mark Rode
The NOSPIN Group


>I need to do forensics on a Hard Drive, that is, I need to replicate a hard
>drive, including any deleted files, onto CDROM disc(s) for examination viz.
>a possible legal proceeding. I have not seen the computer equipment or
>talked to the client but essentially this is the situation:
>
>Boss fears an employee is stealing client information in order to start up
>his own business. A desktop PC and a laptop computer need to be examined
>to determine if there's any digital evidence of this conduct. He's a good
>employee so Boss does not wish to offend the employee with this suspicion.
>
>I plan to do a sector by sector copy of the hard drives. I intend to remove
>the hard drives in question (don't want to start up the systems themselves
>and lose the swap file, caches, etc.), hook them up to a basic DOS system
>and run GHOST 5.2 to create the image. Later, I will burn the CDROM
>disc(s). The process needs to be documented to preserve a chain of evidence
>and avoid any questionable handling which might undermine the evidence
>gathering.
>
>Additionally, does anyone see a flaw in this course of action or can
>suggest a better method?
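
Added example, not part of the original message and not the code of any tool named in it: a check that an image is a byte-for-byte copy of its source, producing a record for the handling log. The four-sector "drive" and the two copy functions are constructed stand-ins for a sector-by-sector copy and a copy that skips unallocated space; all names are hypothetical.

```python
import hashlib
import io

SECTOR = 512  # bytes per sector on the constructed sample drive


def digest_stream(stream, chunk=1 << 20):
    """Hash a binary stream in chunks; return (byte_count, sha256_hex)."""
    h, total = hashlib.sha256(), 0
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
        total += len(block)
    return total, h.hexdigest()


def custody_record(source, image, label):
    """Compare a source stream with its image; the dict can go in the handling log."""
    src_len, src_hash = digest_stream(source)
    img_len, img_hash = digest_stream(image)
    return {"label": label, "source_bytes": src_len, "image_bytes": img_len,
            "source_sha256": src_hash, "image_sha256": img_hash,
            "exact_copy": (src_len, src_hash) == (img_len, img_hash)}


def sample_drive():
    """Constructed data: 4 sectors; sector 2 is unallocated but still holds old bytes."""
    live = b"LIVE DATA".ljust(SECTOR, b"\x00")
    deleted = b"remnant of a deleted file".ljust(SECTOR, b"\x00")
    return [live, live, deleted, live], {2}


def sector_copy(sectors, unallocated):
    """Every sector, allocated or not."""
    return b"".join(sectors)


def used_only_copy(sectors, unallocated):
    """Only allocated sectors, the behaviour the size difference in the message points to."""
    return b"".join(s for i, s in enumerate(sectors) if i not in unallocated)


def demo(copier):
    sectors, unallocated = sample_drive()
    raw = b"".join(sectors)
    return custody_record(io.BytesIO(raw), io.BytesIO(copier(sectors, unallocated)), copier.__name__)


if __name__ == "__main__":
    for copier in (sector_copy, used_only_copy):
        print(demo(copier))
```

On real media, `custody_record` takes any two binary streams, such as the source drive opened read-only and the finished image file.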
