
Forensic Hardware: Compressed Imaging Machine??

@cmort Yep. What you want to do is not a "real" image of a disk, it is more like a set of (restorable) logical images of the volumes (+ I presume the MBR or GPT table). Hardware duplicators/imagers are "dumb" machines and they are "filesystem agnostic" (i.e. they don't bother to see WHAT is in the source, they just copy the data "as is" at the byte, actually sector, level), whilst what you want to do needs some "intelligence", i.e. the device needs to be able to "understand" the filesystem used on the volume(s), and parse its contents, interpreting their contents and copying just the data.

GHOST can be used both as a "dd-like" imager and as a "logical imager", you were talking of the latter while - since we are in the "forensics realm" - I assumed you meant the former, and I was perplexed. The liberal mixing of terms (common to almost *any* technical conversation/documentation, since MS actually introduced it) did not help.

For future memory:

A Disk Drive is the actual hardware (or Hard Disk Drive or Hard Drive).

A DISK is the whole thing (or PhysicalDrive under Windows NT), i.e. the actual whole number of sectors from start to end of the whole device.

A DRIVE is the Partition (if Primary) or Logical Volume (or LogicalDrive under Windows NT) or in any case the *whatever* gets a drive letter in Windows.

This latter "DRIVE" can mean BOTH the actual physical extents, i.e. the actual whole number of sectors from start to end of the actual corresponding entry in the MBR, EMR or GPT table, or ONLY the "allocated" ones as resulting from the actual filesystem indexing data.

As said, depending on the switches used, GHOST can do both a "dd-like" image, that would be the -IR switch: http://www.forensickb.com/2008/03/ghost-as-forensic-tool.html or operate "intelligently" and skip unused/unallocated sectors and/or unused areas of the disk. Acronis, as well as a number of other software, commercial or free, among the many I will mention Clonezilla, will be able to do the same.

If you could explain in detail what will be the use (final goal) of the imaging, it may be possible to suggest a more suitable alternative. There is however a trade off between "intelligently" copying less data (and have possibly more compact compressed images) and "primitively" imaging RAW data (you transfer more data but at a higher speed). Conversely, if you are willing to spend money to buy a dedicated hardware imager, with the same (or much less) money you could set up one or two "dedicated" PCs.

jaclaz
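The DISK versus DRIVE distinction in the post above, as an added example that is not part of the original post: it parses an MBR partition table and lists which sectors of the whole disk fall outside every partition, which is exactly what a set of per-volume logical images leaves behind. The MBR bytes, partition layout and disk size are constructed sample values, and the function names are hypothetical.

```python
import struct

SECTOR = 512

def build_sample_mbr():
    """Constructed sample: a 512-byte MBR with two primary partitions."""
    mbr = bytearray(SECTOR)
    entries = [(0x80, 0x07, 2048, 204800),    # bootable, type 0x07 (NTFS)
               (0x00, 0x83, 206848, 409600)]  # type 0x83 (Linux)
    for i, (boot, ptype, lba, count) in enumerate(entries):
        # CHS fields (3 bytes each) are left zero; only the LBA fields are used
        struct.pack_into("<B3sB3sII", mbr, 446 + 16 * i, boot, b"\0" * 3, ptype, b"\0" * 3, lba, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

def parse_mbr(sector0):
    """Return the physical extents (first/last LBA) of each used MBR entry."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: missing 0x55AA signature")
    parts = []
    for i in range(4):
        _boot, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", sector0, 446 + 16 * i)
        if ptype != 0 and count != 0:
            parts.append({"index": i, "type": ptype, "first": lba, "last": lba + count - 1})
    return parts

def coverage(parts, disk_sectors):
    """Sectors inside partitions, plus the (first, last) gaps outside all of them.
    Assumes every partition ends within the disk."""
    gaps, cursor = [], 0
    for p in sorted(parts, key=lambda p: p["first"]):
        if p["first"] > cursor:
            gaps.append((cursor, p["first"] - 1))
        cursor = max(cursor, p["last"] + 1)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    covered = disk_sectors - sum(b - a + 1 for a, b in gaps)
    return covered, gaps

if __name__ == "__main__":
    DISK_SECTORS = 1_000_000  # constructed size of the whole DISK
    parts = parse_mbr(build_sample_mbr())
    covered, gaps = coverage(parts, DISK_SECTORS)
    for p in parts:
        print(f"partition {p['index']} type 0x{p['type']:02x}: LBA {p['first']}..{p['last']}")
    print(f"sectors inside partitions: {covered} of {DISK_SECTORS}")
    print("sectors only a sector-level image of the DISK captures:", gaps)
```

The first gap includes sector 0 (the MBR itself) and the area before the first partition; the last gap is the space after the final partition.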
