On 17 Apr 2007, at 04:37, Jerry Kemp wrote:

> Can anyone suggest a commercial ghost type disk duplicator for Mac
> OS X??
>
> Without providing a lot of details, this would be used in a
> criminal investigation, where a disk would be removed from a
> system, imaged and restored to alternate disk drives for analyst.

In order to avoid compromising the investigation the drive needs to be bitwise copied and handled such that it physically cannot be written to during copying.

Bitwise copying is where you take each one or zero on the drive and copy it across to the same place on the target. I usually do this under Linux using the `dd` command (eg: `dd if=/dev/hda of=/dev/hdb`) and have not had so much luck using `dd` under OS X - disk-naming conventions are different (eg: "/dev/disk0s3") but aside from that, it just doesn't seem to behave right, somehow. YMMV.

Bitwise copying ensures that no misunderstandings occur when attempts are made to copy files that the operating-system cannot parse, or filesystems that it is not familiar with. For example, one could install a driver for the Linux EFS filesystem under Windows, make an EFS partition on the hard-drive and store all one's contraband data on there. Were the drive connected to a default install of Windows or OS X, that o/s would be unable to read the files on that partition, thwarting copying in the regular manner. A bitwise copy ensures that - even if you can't read the files themselves - they are preserved (for forensic review on appeal, if necessary). It also allows one to recover, from the copy, files that were deleted from the file allocation table on the original disk.

You can safely copy from a 40gig drive to an 80gig drive during a bitwise copy, as all the partition-table information will be retained.

I _think_ that Norton's Ghost for Windows does largely copy partitions that it recognises in a bitwise manner, however I'm not sure how it handles the boot-sector and I'm pretty sure it won't handle arbitrary partition structures that it does not recognise. You would also have to be careful to avoid its options that compress "empty" space on the original drive and consideration of this causes me to wonder how it handles deleted files.

I believe that adaptors can be purchased which can be connected to a standard EIDE hard-drive and which prevent it being written to. Good practices would suggest that you not only connect this to the original when it is copied, but also to the copy during forensic examination (the copy is connected as a "slave" drive on another computer during examination).

A duplicator machine is another alternative, as it too blindly copies bitwise.

It is my understanding that rules of evidence may be less strict for civil cases (such that Carbon Copy Cloner might be suitable for copying a drive were you sacking an employee for surfing porn at work) but that unless these procedures are followed then "evidence" obtained from the drive would not be considered sound during a _criminal_ case.

IMO - and with all respect - if you have to ask here then you should not be conducting the investigation.

Stroller.
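
The bitwise copy described in the message above, as an added example that is not part of the original post: it images a source onto a larger target with `dd`, then checks by SHA-256 that the source was not altered and that the target's first source-sized bytes match it. Constructed image files stand in for the drives, the function names are hypothetical, and GNU `sha256sum` is assumed (on a real device the size would come from the platform's disk tools, not `wc`).

```shell
#!/bin/sh
# Added example. Constructed files stand in for the drives; on real hardware
# the source would sit behind a write blocker.

sha256_of_prefix() {            # sha256_of_prefix FILE NBYTES
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

image_and_verify() {            # image_and_verify SOURCE TARGET
    src=$1; dst=$2
    size=$(wc -c < "$src" | tr -d ' ')
    before=$(sha256_of_prefix "$src" "$size")
    # conv=notrunc keeps a larger target at its own size, as a larger disk would be.
    dd if="$src" of="$dst" bs=4096 conv=notrunc 2>/dev/null || return 2
    after=$(sha256_of_prefix "$src" "$size")
    copy=$(sha256_of_prefix "$dst" "$size")
    if [ "$before" != "$after" ]; then
        echo "source changed during imaging" >&2; return 3
    fi
    if [ "$before" != "$copy" ]; then
        echo "target does not match source" >&2; return 1
    fi
    echo "$before"              # digest to record alongside the copy
}

demo() {
    work=$(mktemp -d) || return 1
    # Constructed "source drive": 64 KiB of data no filesystem driver would parse.
    dd if=/dev/urandom of="$work/source.img" bs=1024 count=64 2>/dev/null
    # Constructed "target drive": twice the size, zero-filled.
    dd if=/dev/zero of="$work/target.img" bs=1024 count=128 2>/dev/null
    image_and_verify "$work/source.img" "$work/target.img"
    status=$?
    rm -rf "$work"
    return $status
}

demo
```

The digest comparison covers only the source-sized prefix of the target, which is why the unused remainder of a larger target drive does not affect the result.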