Re: Ghost Norton Fingerprint signature

On Sat, 28 May 2005 19:39:20 PDT, Steve Hailey said:

> The oriignal question was along the lines of  "how to find the signature,"
> not "would the signature be present in a forensic clone of a drive that 
> already
> contained the signature."  My original information is correct based on the
> question asked.

Your *original* answer was a bit misleading...

> switch.â??  If the original subject media has the Ghost fingerprint present
> already from previous imaging activity,  then yes, this will also be present 
> on
> the forensic clone.

This is subtly different than what you originally said:

> You will typically find the signature for Ghost in the sectors between the
> Master Boot Record and the first Boot Record.  You'll know it when you see it.
> If the disk was cloned using the proper switches to create a forensically 
> sound
> sector-by-sector clone, you will not find a signature.

There's *two* clones being discussed here - your forensic clone and an earlier
one.  If we're discussing the *original* clone being made with those switches,
then yes, there won't be a signature on the disk (unless of course the original
had aquired a signature from an even *earlier* cloning).  If we're discussing 
the
*forensic* clone (an obvious conclusion if you read the sentence as "If you
made your forensic clone using the switches you'd want for a forensically sound
clone"), there's the implication that doing so would make an existing signature
apparently dissapear...

pgpvdCgH9W3NW.pgp
Description: PGP signature