Another use of Ghost?

Will you readers add your thoughts about an idea, born of a mistake I made this week?

I restored my computer with an image file after it was attacked and the OS destroyed by unknown invaders from the web. Looking back now, it seems obvious that a Ghost image should have been made of the damaged partition. This could be used to identify the culprit by extracting individual files from the Ghost image and sending them to experts for evaluation. The Ghost image could even be restored to the computer for study, including trying various anti-malware processes to evaluate their effectiveness in getting rid of the dangerous programs.

The Ghost image could also preserve data on the damaged partition that was lost when I restored the previous state with Ghost. Individual files can be restored, examined for the presence of malware, possibly cleaned if infected, and used again on the clean computer. Theoretically, that is. What do you think?

What else could be done with the Ghost image of an infected partition?

 

TonyT,

Thanks for the response. I must have covered most possibilities. I thought of it too late this time, and so maybe this note will encourage folks to make a ghost file as well as restore from a ghost file when their computer is attacked. We need information about the attacker in case it's something new and unknown, and that was lost when I simply restored a clean image.

 

Hi Christer,

Not having any experience restoring an image, I was carried away by the thought of both rapidly eliminating the problem, and having an opportunity to use Ghost. However, I couldn't boot into XP at all, and having run into this kind of attack previously, and never being able to do anything but reinstall the OS to get back in business I didn't think I wanted to play with other options.

I decided after the fact that I will make an image of the infected partition if this occurs again, and it should be safer and more illuminating to study the damage leisurely with all the tools of a fully intact Operating System. I did look at the partition timidly with my 98se, which no longer had a working antivirus program (an oversight now corrected) but I was, as I said, anxious to see how Ghost would work.

 

Hi Christer,
Thanks for your input.

You're right, that's a case where investigation is possible, and I wonder if the investigation could be done better, as well, or less well on an image. In my case the OS refused to boot even to safe mode, so any study would be difficult and primitive, and dangerous to my other partition, which apparently was as yet uninfected.

If several of us try out my thought and evaluate its helpfulness, it would be worthwhile. From one experience with Ghost, it's certainly nice to be back in business so fast. I'd like not to put off recovery if the same information is available in the image. Also remember all data added to the disk since the original ghost image is potentially available on the image of the infected partition.

 

I hope we can put an end to that!

 

I'm a Drive Image user. I'll be the first to admit that I'm a lousy troubleshooter. I just try and keep my images as sound as possible.