OSFClone is a free, open source utility designed for use with PassMark OSForensics™
OSFClone is a free, self-booting solution which enables you to create or clone exact raw disk images quickly and independent of the installed operating system. In addition to raw disk images, OSFClone also supports imaging drives to the open Advance Forensics Format (AFF), AFF is an open and extensible format to store disk images and associated metadata, and Expert Witness Compression Format (EWF). An open standard enables investigators to quickly and efficiently use their preferred tools for drive analysis. After creating or cloning a disk image, you can mount the image with PassMark OSFMount before conducting analysis with PassMark OSForensics™.
OSFClone creates a forensic image of a disk, preserving any unused sectors, slack space, file fragmentation and undeleted file records from the original hard disk. Boot into OSFClone and create disk clones of FAT, NTFS and USB-connected drives! OSFClone can be booted from CD/DVD drives, or from USB flash drives.
OSFClone can create disk images in the dc3dd format. The dc3dd format is ideal for computer forensics due to its increased level of reporting for progress and errors, and ability to hash files on-the-fly.
Verify that a disk clone is identical to the source drive, by using OSFClone to compare the MD5 or SHA1 hash between the clone and the source drive. After image creation, you can choose from a range of compression options to reduce the size of the newly created image, increasing portability and saving disk space.
Use OSFClone to save forensic meta-data (such as case number, evidence number, examiner name, description and checksum) for cloned or created images.
The current version of OSFClone is v1.3.1000.
OSFClone for USB Flash Drives
|Download OSFClone for USB Flash Drives|
OSFClone does its best not to leave artifacts or alter the source evidence drive. However due to different hardware, drivers variations and disk states, there could be a small chance of contamination, especially when the source drive is from a Linux / Unix machine. When integrity is of the utmost importance, we recommend using a write blocker in conjunction with OSFClone.
CD or DVD (OSFClone V1.2 or older)
To install OSFClone to a CD or DVD, you will need a CD/DVD writer and CD/DVD image writing software of your choosing. To run OSFClone, download and burn the osfclone.iso image to a CD or DVD, and choose to boot from the CD/DVD drive during system start up.
Users with Windows 7 and a CD/DVD writer can natively transfer*.iso images to CDs or DVDs. To install OSFClone using this method, right-click on the osfclone.iso image from Windows Explorer and select the Burn disc image menu-item. This will launch Windows Disc Image Burner. From this window, you can click "Burn" to transfer osfclone.iso to a CD or DVD.
USB Flash Drives (UFD)
Warning: The process of installing OSFClone to an UFD will overwrite all existing data on the drive.
Back up all existing data on your UFD to your hard disk drive prior to installing OSFClone.
The installation of OSFClone requires an UFD which is at least 2 GB in size.
- Download the osfclone.zip file and extract it to a directory of your choosing on your local hard disk drive.
In this example, we extracted the files to a folder in the program files directory at C:\Program Files (x86)\OSFClone.
- To reduce the likelihood of mistakes, remove all other USB drives or devices which you may have connected to your system.
- Plug the UFD you'd like to use for booting OSFClone into your system and make a note of its drive letter. The UFD must be at least 2 GB in size for installation to be successful.
- Start ImageUSB by double-clicking the ImageUSB.exe application.
- From the ImageUSB window, first select the drive you would like to use by checking the box next to the appropriate drive letter.
- Ensure that the "Write to UFD" radio button is selected in the next section. This option is selected by default in ImageUSB.
- In the next section, click on the "Browse" button. Navigate to and open the file named OSFClone.bin.
- Finally, click the "Write to UFD" button to install OSFClone to your USB Flash Drive.
Issue: OSFClone may be unable to boot on some UEFI enabled computer systems.
Solution: User may need to go into their BIOS and switch the Boot Mode from Unified Extensible Firmware Interface (UEFI) to Compatibility Support Mode (CSM) on their system.
Issue: OSFClone may not be forensically sound when imaging drives with ext2/3/4 filesystems. During internal testing it was found that if the evidence drive is connected during system start up, it is possible the first superblock (typically offset 1024 within the partition) on the ext2/3/4 filesystem the drive may be altered. Values that were changed include the last mount time, last write time, mount count and a byte at location 0x0178 within the superblock.
- Use a write blocker to prevent writes to the evidence drive.
- If hot-plugging is supported on the system. Connect the evidence drive to the system after booting into OSFClone.
OSFClone contains the following components:
Perl which is licensed under GPL.
AFF and AFFLIB Copyright (c) 2005, 2006, 2007, 2008 Simson L. Garfinkel and Basis Technology Corp. All rights reserved.
libewf which is licensed under GPL v3.0.
OSFClone software which is licensed under GPL v3.0.
v1.3.1000, 5 Apr 2018
- Changed Linux OS to Porteus V4.0 RC4
- Fixed bug with Compute Checksum calculation when choosing SHA256 and SHA512 would actually be computing SHA1.
- Updated dc3dd to 7.2.646
- Updated libewf to 20171104 (included libsmdev-20171112)
- Updated afflib to 3.7.16
- Updated aimage to 3.2.5
- Updated ddrescue to 1.23
- HFS+ filesystem supported for read/write.
- Support for M.2 NVME drives on Mac
v1.2.1000, 24 Jul 2017
- Added option to write acquired dd or ewf image back to a drive. Image must reside on root of partition.
v1.1.1001, 4 May 2016
- Fixed bugged where you may not be able to select partition as a source.
- Will no longer mount the drive during scanning of available drives by default. As a consequence, OSFClone will no longer show disk space usage. To return to previous behavior, this can be re-enabled in the options.
v1.1.1000, 6 Apr 2016
- Updated Tiny Core Linux to Core 7.0
- Updated dc3dd to 7.2.641
- Added HFS+ support (If journaled is enabled, drive/partition is read only).
- Updated libewf to 20160329
- Support for M.2 NVMe hard drives
- USB image of OSFClone is now UEFI/BIOS bootable which should enable booting on newer Macs (with UEFI BIOS).
- Improvement to the video selection options
v1.0.1009 - INTERNAL, 2 May 2014
- Updated Tiny Core Linux to Core 5.3
- Updated dc3dd to 7.1.614
- Updated aimage to 3.2.5
- Updated libewf to 20140427
- Added ddrescue (1.17), currently only accessible outside of script via command line
v1.0.1008b, 27 May 2011
- Updated default imaging block size, users should see speed increase.
v1.0.1008, 24 May 2011
- Better support for German keyboard, should now support dead keys.
- Allow specifying block size for dd.
- Allow specifying number of sectors to read at once for AFF.
- Added "noutc" bootcode, which should prevent clock adjustment by linux kernal.
v1.0.1007, 18 Apr 2011
- Added the support to create images in Expert Witness Compression Format with libewf (http://libewf.sourceforge.net/), format used by EnCase.
v1.0.1006, 13 Apr 2011
- Added the option to change keyboard language maps to support non US keyboard layouts
- Added support for some SCSI controllers via additional drivers, some SCSI drives should now be visible
- Added option to shutdown the PC from within the script
- Updated Tiny Core Linux to v3.5.1
- Updated afflib file system library to v3.6.9
- Changed display "turn off" timeout, currently set to 9999 minutes (effectively off, so no more blank screen screen saver)
- Added OSForensics as a permenant user (was created at startup before). There is no password for OSForensics user.
v1.0.1005, 13 Dec 2010
- Changed dd to use modified dd version "dc3dd" http://dc3dd.sourceforge.net/ (support for split files and status indicator)
- Changed mounting of drives when retrieving available free space to "-o ro,loop" to prevent any writing to drive
v1.0.1004, 07 Dec 2010
- Fixed a bug where aimage crashed the system when the system has less than 512 MB of RAM
- AFF imaging now requires the user have atleast 256MB of RAM
- AFF LZMA compression requires 1GB of RAM
v1.0.1003, 02 Dec 2010
- Fixed bug where creating an AFF image would generate extremely large log file
- Imaging with AFF will now show the interface from aimage
- Clean up code, removed/edit texts, and other minor changes
- Option for LZMA compression with AFF & Option to encrypt AFF file (uses affcrypto)
v1.0.1002, 16 Nov 2010
- Added support for AFF
- Cleaned up code
- Changed filename of script from OSFdd.pl to OSFClone.pl
v1.0.1001, 3 Nov 2010
- File compression (gzip) support added
- Supplemental (text) info log file generated when create images
- Updated Tiny Core Linux to v3.2
v1.0.1000, 20 Oct 2010