No announcement yet.

Ghosted/cloned pc

  • Filter
  • Time
  • Show
Clear All
new posts

  • Ghosted/cloned pc

    Hi all

    Just a general question

    Is there a tell tale sign that would tell me if a pc was built using ghosting/imaging software?

    I realise this may vary over the software available, so any advice would be great.


  • #2
    Re: Ghosted/cloned pc

    Sysprep will leave some traces. Look at this article

    MCITP sa, ea & va, sysadmin@cydonia.


    • #3
      Re: Ghosted/cloned pc

      As Gerth indicated, sysprep, if used will leave some traces behind. However, it is the most used widely accepted and suggested solution for imaging in the enterprise world.

      You asked if there would be “tell-tale signs” that would be indicative of if a system had been imaged. With sysprep, one would really, really have to know where to look if he or she wanted to decipher whether or not the computer had been imaged. Rearm count and sysprep panther logs are two methods. However, rearm count isn't necessarily applicable to large OEMs who have partner contracts with Microsoft, and panther logs – as referenced in Gerth’s link – can be deleted by someone who knows what they're doing.

      As for the imaging process specific part of your question, ghosting is detectible by MBR and index misalignment when you apply partitions of not exactly the same size, but ImageX file based imaging is undetectable. And, for the record, that ghosting detection is something that would require forensic software.
      Hope this helps!

      Windows Outreach Team – IT Pro