File headers and footers -Ghost
Results 1 to 5 of 5

Thread: File headers and footers -Ghost

  1. #1
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672

    File headers and footers -Ghost

    Does anyone out there happen to know what the hex format of the headers and footers is for Symantec Ghost files? I'm looking for .GHO and .GHS files.
    Antionline in a nutshell
    \"You\'re putting the fate of the world in the hands of a bunch of idiots I wouldn\'t trust with a potato gun\"

    Trust your Technolust

  2. #2
    Junior Member
    Join Date
    Aug 2004
    Posts
    7
    What I could get quickly:

    FE EF 09 02 --> GHS
    FE EF 01 --> GHO

  3. #3
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Tried doing a search for the magic number and didn't come up with anything after looking at magicdb.org/magic.db (also looked in my /usr/share/task/files/magic file) for .ghs/.gho/symantec...

    Perhaps you could bring a few of the files up in a hex editor and see where commonality is in the first few/last few bytes and update their db ?
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  4. #4
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    Nebulus: That's definitely my intention.
    Antionline in a nutshell
    \"You\'re putting the fate of the world in the hands of a bunch of idiots I wouldn\'t trust with a potato gun\"

    Trust your Technolust

  5. #5
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    So far here's what I've found.

    It appears that bytes 1 & 2 are the "header". byte 3 is either 01 or 09 depending on .GHO or .GHS.
    Byte 4 appears to be a version indicator or some sort although I don't have any older versions of ghost so I can't verify. If you have versions of ghost other than solution suite and 8 please pop the file in a hex editor, or run
    dd if=/path/to/file bs=64 count=1 | xxd
    to get the first 64 bytes of the file.

    Byte 5 is the Ghost file index indicator. Basically it's randomly generated but the .GHO will be the lowest number, and each .GHS will increment by 1. Bytes 5-8 are a unique identifier for the ghost image and they are consistent across each file in the entire image.

    To illustrate these findings:
    file1.GHO
    FE EF 01 03 D3 CC 12 43
    file1-1.GHS
    FE EF 09 03 D4 CC 12 43
    file 1-2.GHS
    FE EF 09 03 D5 CC 12 43
    file 1-3 .GHS
    FE EF 09 03 D6 CC 12 43
    Antionline in a nutshell
    \"You\'re putting the fate of the world in the hands of a bunch of idiots I wouldn\'t trust with a potato gun\"

    Trust your Technolust

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides