OSFClone

Overview

 

OSFClone is a free, self-booting solution which enables you to create or clone exact raw disk images quickly and independently of the installed operating system. In addition to raw disk images, OSFClone also supports imaging drives to the Advanced Forensics Format (AFF), an open and extensible format for storing disk images and associated metadata, and to the Expert Witness Compression Format (EWF). An open standard enables investigators to quickly and efficiently use their preferred tools for drive analysis. After creating or cloning a disk image, you can mount the image with PassMark OSFMount before conducting analysis with PassMark OSForensics™.

 

OSFClone creates a forensic image of a disk, preserving any unused sectors, slack space, file fragmentation and undeleted file records from the original hard disk. Boot into OSFClone and create disk clones of FAT, NTFS and USB-connected drives! OSFClone can be booted from CD/DVD drives, or from USB flash drives.

 

OSFClone can create disk images in the dc3dd format. The dc3dd format is ideal for computer forensics due to its increased level of reporting for progress and errors, and ability to hash files on-the-fly.

 

Verify that a disk clone is identical to the source drive, by using OSFClone to compare the MD5 or SHA1 hash between the clone and the source drive. After image creation, you can choose from a range of compression options to reduce the size of the newly created image, increasing portability and saving disk space.

 

Use OSFClone to save forensic meta-data (such as case number, evidence number, examiner name, description and checksum) for cloned or created images.

 

Download

 

Click to download the OSFClone zip (373 MB)

 

Previous Version: OSFClone v1.3.1001 Zip (285 MB)

 

Previous Version: OSFClone v1.2.1000 ISO (49.5 MB), ZIP (54.3 MB)

 

Installation Instructions

 

OSFClone does its best not to leave artifacts or alter the source evidence drive. However, due to differences in hardware, driver variations and disk states, there could be a small chance of contamination, especially when the source drive is from a Linux / Unix machine. When integrity is of the utmost importance, we recommend using a write blocker in conjunction with OSFClone.

 

CD or DVD (OSFClone V1.2 or older)

 

To install OSFClone to a CD or DVD, you will need a CD/DVD writer and CD/DVD image writing software of your choosing. To run OSFClone, download and burn the osfclone.iso image to a CD or DVD, and choose to boot from the CD/DVD drive during system start up.

 

Users with Windows 7 and a CD/DVD writer can natively transfer *.iso images to CDs or DVDs. To install OSFClone using this method, right-click on the osfclone.iso image from Windows Explorer and select the Burn disc image menu-item. This will launch Windows Disc Image Burner. From this window, you can click “Burn” to transfer osfclone.iso to a CD or DVD.

 

USB Flash Drives (UFD)

 

Warning: The process of installing OSFClone to a UFD will overwrite all existing data on the drive.
Back up all existing data on your UFD to your hard disk drive prior to installing OSFClone.

 

The installation of OSFClone requires a UFD which is at least 2 GB in size.

 

  1. Download the osfclone.zip file and extract it to a directory of your choosing on your local hard disk drive.
    In this example, we extracted the files to a folder in the program files directory at C:\Program Files (x86)\OSFClone.
  2. To reduce the likelihood of mistakes, remove all other USB drives or devices which you may have connected to your system.
  3. Plug the UFD you’d like to use for booting OSFClone into your system and make a note of its drive letter. The UFD must be at least 2 GB in size for installation to be successful.
  4. Start ImageUSB by double-clicking the ImageUSB.exe application.
  5. From the ImageUSB window, first select the drive you would like to use by checking the box next to the appropriate drive letter.
  6. Ensure that the “Write to UFD” radio button is selected in the next section. This option is selected by default in ImageUSB.
  7. In the next section, click on the “Browse” button. Navigate to and open the file named OSFClone.bin.
  8. Finally, click the “Write to UFD” button to install OSFClone to your USB Flash Drive.

 

Known Issues

 

Issue: OSFClone may be unable to boot on some UEFI enabled computer systems.

 

Solution: Users may need to go into their BIOS and switch the Boot Mode from Unified Extensible Firmware Interface (UEFI) to Compatibility Support Mode (CSM).

 

Issue: OSFClone may not be forensically sound when imaging drives with ext2/3/4 filesystems. During internal testing it was found that if the evidence drive is connected during system start up, the first superblock (typically at offset 1024 within the partition) of the drive's ext2/3/4 filesystem may be altered. Values that were changed include the last mount time, last write time, mount count and a byte at location 0x0178 within the superblock.

 

Solution(s):

 

  • Use a write blocker to prevent writes to the evidence drive.
  • If hot-plugging is supported on the system, connect the evidence drive to the system after booting into OSFClone.
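
To check whether an acquisition was affected by this issue, the following added example (not part of OSFClone or the original page) compares the first ext2/3/4 superblock of two raw partition images, for instance one taken behind a write blocker and one taken after booting with the drive attached. The offsets 0x2C, 0x30, 0x34 and the magic at 0x38 are the standard ext superblock layout; the function names and the sample values are constructed for illustration.

```python
import struct

SB_OFFSET = 1024      # first superblock, relative to partition start (per the page)
SB_SIZE = 1024
EXT_MAGIC = 0xEF53    # little-endian u16 at superblock offset 0x38

# Fields the page reports as altered: (label, offset in superblock, struct format)
FIELDS = [
    ("last mount time", 0x2C, "<I"),
    ("last write time", 0x30, "<I"),
    ("mount count", 0x34, "<H"),
    ("byte 0x0178", 0x178, "<B"),
]

def read_superblock(partition: bytes) -> bytes:
    """Slice out the first superblock and confirm it is an ext2/3/4 one."""
    sb = partition[SB_OFFSET:SB_OFFSET + SB_SIZE]
    if len(sb) < SB_SIZE:
        raise ValueError("image too short to contain a superblock")
    if struct.unpack_from("<H", sb, 0x38)[0] != EXT_MAGIC:
        raise ValueError("ext2/3/4 magic 0xEF53 not found")
    return sb

def diff_superblocks(before: bytes, after: bytes):
    """Return (changed listed fields, differing offsets outside those fields)."""
    a, b = read_superblock(before), read_superblock(after)
    changed, covered = {}, set()
    for label, off, fmt in FIELDS:
        covered.update(range(off, off + struct.calcsize(fmt)))
        old, new = struct.unpack_from(fmt, a, off)[0], struct.unpack_from(fmt, b, off)[0]
        if old != new:
            changed[label] = (old, new)
    other = [i for i in range(SB_SIZE) if a[i] != b[i] and i not in covered]
    return changed, other

def make_sample(mtime: int, wtime: int, mounts: int, b178: int) -> bytes:
    """Constructed 2 KiB partition holding only the fields compared above."""
    part = bytearray(SB_OFFSET + SB_SIZE)
    struct.pack_into("<IIHH", part, SB_OFFSET + 0x2C, mtime, wtime, mounts, 0)
    struct.pack_into("<H", part, SB_OFFSET + 0x38, EXT_MAGIC)
    part[SB_OFFSET + 0x178] = b178
    return bytes(part)

if __name__ == "__main__":
    before = make_sample(1700000000, 1700000100, 12, 0x40)   # constructed values
    after = make_sample(1700003600, 1700003600, 13, 0x41)    # constructed values
    changed, other = diff_superblocks(before, after)
    for label, (old, new) in changed.items():
        print(f"{label}: {old} -> {new}")
    print("other differing offsets:", [hex(i) for i in other])
```

Any offsets returned in the second list are differences beyond the fields named in this issue and deserve separate examination.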

 

Issue: OSFClone fails to write an image to an NTFS location on the drive that contains the Windows OS installation.

 

Solution: Disable “Turn on fast startup” in the Windows Control Panel (Power Options -> Choose what the power buttons do) and then perform a shutdown (not a reboot). Once done, you’ll be able to access the NTFS partitions normally with read/write permissions in OSFClone.

 

Licensing

 

OSFClone contains the following components:

Porteus Linux
Perl which is licensed under GPL.
AFF and AFFLIB Copyright (c) 2005, 2006, 2007, 2008 Simson L. Garfinkel and Basis Technology Corp. All rights reserved.
libewf which is licensed under GPL v3.0.
OSFClone software which is licensed under GPL v3.0.