April 15th, 2008 
etdot Selecting sector and MBR options in Symantec Ghost to not result in a true unaltered image of a hard disk. Instead there are some unadvertised command line switches which must be used:
To copy the entire disk, including the entire boot track, all sectors, and unpartitioned space, and to prevent Ghost from filtering extraneous or erroneous information from the boot track, run Ghost with the -IR switch.
Ghost also puts a “fingerprint” on all drives imaged. To create an exact copy, you must use the -FNF switch to disable the fingerprinting.
It is possible to use these switches with the Ghost GUI. Simply run the following command:
ghost32.exe -IR -FNF
The GUI will launch and you can proceed through the wizard-like interface, selecting the source an destination options. As long as you do not change the copy options you should see that Ghost is copying the disk in RAW mode.
Source:
Symantec. “Forensic Imaging Using Ghost.” Document ID: 1999110813413225 [Alt URL] [Alt2 URL]. December 2007.
Posted in 
Tags: