Switches: Sector copy

Article:TECH107956  |  Created: 2001-01-14  |  Updated: 2010-09-10  |  Article URL http://www.symantec.com/docs/TECH107956
Article Type
Technical Solution

Product(s)

Environment

Issue



This document discusses the Ghost switches to use for forensic imaging or for creating raw images (sector copies) that avoid error detection problems.

 


Solution



Normally, Ghost does not create an exact duplicate of a disk. Instead, Ghost recreates the partition information as needed and copies the contents of the files. Creating a copy rather than an exact duplicate reduces the time it takes to copy a disk and reduces the amount of disk space required.

Ghost uses specific switches to create more exact duplicates of the original disk. To copy the entire disk, including the entire boot track, all sectors, and unpartitioned space, and to prevent Ghost from filtering extraneous or erroneous information from the boot track, run Ghost with the -IR switch.

Comparing the source and destination after cloning
When copying a disk to another disk, a checksum of the destination disk will nearly always result in a different value than a checksum of the original disk, even when using the -IR switch. This difference is due to differences in disk geometry between the source and destination disks. Because Ghost locates the partitions on the destination disk on cylinder boundaries, the difference in disk geometry causes the partition to be located in a slightly different place than previously. Ghost adjusts partition tables accordingly, and this does not result in a loss of data. If Ghost did not locate the partitions on cylinder boundaries, it probably would not be possible to access the restored partitions other than with a disk editor.

Difference between sector copies and native cloning
To create a more exact duplicate of the original disk, Ghost creates a sector copy of the disk, rather than a native copy.
  • A sector copy copies each sector of the disk, regardless of whether that sector contains data. A sector copy is sometimes called a sector-by-sector copy.
  • A native copy copies the contents of the files and recreates the partition information as needed. A native copy is sometimes called a nonsector copy.


Sector copies usually take considerably longer to complete than native copies because sector copies are exact copies of all areas of the disk including unformatted space and formatted space that is not in use. Native cloning is much faster because Ghost recognizes the file system and clones only the disk structure information and the files, rather than all sectors on the drive. In addition, on FAT partitions, native cloning saves the files contiguously. That is, when you write the image to the destination drive, the files are no longer fragmented.

Sector copies made with the switches -ID or -IR copy the entire disk rather than individual partitions. That is, Ghost allows the Disk to Disk and the Disk to Image operations, but not the Partition to Partition and Partition to Image operations. The switch -IA can copy individual partitions.

Ghost does not resize partitions when performing sector copies.


-IR not available in all versions
The -IR switch is available in Norton Ghost 2002 and later, and Symantec Ghost 7.0 and later. It is not available in Norton Ghost 2001.

If you have Norton Ghost 2001, use the -ID switch instead. The -ID switch performs the same operation as -IR except that -ID filters extraneous or erroneous information from the boot track.


Useful Ghost switches

The following Ghost switches, except -IB, each force Ghost to perform a sector copy.

  • When using the switches -IA and -IB on the same command line, Ghost copies the entire boot track.
  • When using the switch -IB on a command line without using a sector-copy switch, Ghost natively creates the image of the disk or partition, and includes a sector copy of the boot track, rather than recreating the boot track information.
  • The switch -ID cannot be used with other sector-copy switches on the same command line.
  • The switch -IR cannot be used with other sector-copy switches on the same command line.


 

Image All
-IA
Image Boot
-IB
Image Disk
-ID
Image Raw
-IR
Copies all sectors in each partition, including blank sectors.
Yes
Not applicable
Yes
Yes
Copies the information from the boot sector. The information includes the master boot record and the master partition table.
Yes
Not applicable
Yes
Yes
Boot track:
    Filters out extraneous or erroneous boot track information.
Yes
Yes
Yes
No
    Copies entire boot track.
No
Yes
Yes
Yes
Extended partition tables:
    Recreates extended partition tables as needed.
Yes
Not applicable
No
No
    Copies the extended partition tables.
No
Not applicable
Yes
Yes
Copies unpartitioned space.
No
Not applicable
Yes
Yes



Image Boot
Use the Image Boot switch when applications use the boot track to store information. The Image Boot switch does a sector copy of the boot track. The image file includes the master boot record, partition information, and information stored in the boot track by boot managers and other programs.

The Image Boot switch does not, by itself, do a sector copy of the disk or partition. If you use -IB with -IA, Ghost does a sector copy of the disk or partition and a sector copy of the boot track. If you use -IB without -IA, Ghost does a native copy of the disk or partition and a sector copy of the boot track.

The -ID switch automatically turns on the -IB and -IA switches. If you have problems with -ID, upgrade Ghost to version 6.0 or later.

Image Disk
If having problems with this switch, upgrade Ghost to version 6.0 or later.

-IR
The Image Raw switch, -IR, tells Ghost to restore the boot track information as is without attempting to repair minor boot track problems. That is, Ghost creates an image file that is an exact copy of the source disk, including extraneous or erroneous boot track information.
Note: The IR-switch does a sector by sector copy of the entire Harddisk, it can NOT be used for partition imaging.
- It does NOT seperate the MBR from the rest of the Disk, it will create a Disk image of the entire Disk, beginning with Sector 0 (zero) going though to the rest of the disk.
- Although IA does also a sector-by-sector copy of the Disk, it ONLY copies the data portion of the Disk, it does NOT clone the MBR for instance.

How Ghost handles the parts of the disk
 

  • The contents of files - Ghost accurately copies the contents of files under all circumstances.
     
  • The boot track - Usually, the operating system uses only the first sector of the hard disk to store the partition table and boot loader (that is, the master boot record) and reserves the remaining sectors in the first track. The remaining sectors are sometimes used to hide data, to store code for a boot manager program, to store code for a dynamic drive overlay, or to store virus code. Ghost does not usually copy the entire first track. To include the entire boot track, use the switch -IB, -ID, or - IR.
  • Unused space and deleted space within partitions: When copying a FAT, NTFS, Ext2, or Ext3 partition, Ghost does not normally copy unused space within the partition or space that is occupied by files or folders that have been deleted. To include all empty space, use the switch -IA, -ID, or -IR.
  • Slack space and memory slack: Because of the way the FAT file system stores data, a disk might have deleted data, hidden data, or data from memory, stored in the slack space of a cluster. When Ghost performs a sector copy, Ghost includes the slack space. To include the slack space, use any of the sector-copy switches, -IA, -ID, or - IR.

    How data ends up in slack space:
    The FAT file system organizes a disk into clusters. Each cluster consists of several sectors. When the file system writes a file to the disk, the end of the file often does not use up the entire cluster in which it is stored. The unused space is called slack space.

    When the ending cluster (for the new file) was previously used to store a different file, that file was deleted, and the new file did not write over the entire cluster, the slack space sometimes contains data from the previous file.

    Advanced users might also know how to use the slack space to hide data, although this situation is rare.

    Also, the hardware for the disk always writes one sector at a time. When a program writes less data than will fill a particular sector, the computer might write data from memory to fill the sector. In this situation, you may find data that was never intentionally saved to disk at the end of a file.

    Note that the amount of data located in slack space at the end of a file is very small. Each disk is configured to use a specific number of sectors per cluster, and each sector is 512 bytes. The amount of data at the end of a file will depend on the number of sectors per cluster for that disk and on how much of the cluster was overwritten by the new file.
  • Bad sectors: When a cluster contains a bad sector, the operating system marks the entire cluster as bad and stops using that cluster to save new data. Other sectors in the cluster may still be good and retain their old data. It is also possible to manually mark clusters as bad in order to hide data from the normal file system commands. To include all bad clusters, use the switch -IA, -ID, or -IR.
  • Unpartitioned space: Ghost normally copies only partitioned space and the information from the master boot record and partition tables. Normal copies exclude disk areas that have not been partitioned. To include all unpartitioned space, use the switch -ID or -IR.
  • Extended partition tables: Normally, Ghost records the information necessary for recreating the extended partition tables without copying the extended partition tables. Because an extended partition table could be used to hold data, the -ID and -IR switches copy the extended partition tables instead of recreating them.


Features of the -IR switch
The information in this section is described in the other parts of this document. This summary is provided as a convenience.
 

  • The syntax for the -IR switch is as follows:

    ghost.exe -IR

    If using a consumer Ghost version, such as Norton Ghost 2002, use Ghostpe.exe instead of Ghost.exe. For a list of the consumer and corporate Ghost versions, see the document How to determine your version of Ghost.

    The switch can be used on the Ghost command line with additional switches, such as with the -CLONE switch.
     
  • The switch performs a sector copy of the entire disk, including the master boot record and partition tables.
    • The switch copies the exact contents of the master boot record and partition tables, rather than interpreting them and copying the interpreted information.
    • The -IA switch also performs a sector copy of the disk, but does not perform a sector copy of the entire disk. It copies only the data portion. The -IA switch interprets the contents of the master boot record and partition tables, and copies the interpreted information, rather than the exact contents of those areas.
  • The switch cannot be used to copy individual partitions.
  • Do not save the image file on the same disk that you are copying. This is a recursive operation and will fail.
  • The switch can be useful when a disk copy is not working. Because -IR copies the disk as-is, it does not perform all the error checking that is done in a native copy.





 

 

 


 

 



Legacy ID



2001111413481325


Article URL http://www.symantec.com/docs/TECH107956


Terms of use for this information are found in Legal Notices