Clonezilla as a Forensic Imaging Tool

I understand that there are many imaging tools available, both free and commercial, but I wanted to share my testing results using Clonezilla as a digital forensic imaging tool. It may be useful for someone looking to add another reliable option to their forensic toolkit.

If you have never heard of or used Clonezilla before, it is a free and open-source disk cloning and imaging tool, built on partclone, partimage, and dd, that captures the contents of a disk or partition at a specific point in time. As a digital forensic examiner, I wanted to evaluate it from a forensic acquisition perspective and determine whether it can be trusted for use in our field.

Clonezilla Live can be written to a bootable drive, which allows the examiner to boot directly into the Clonezilla environment without relying on the host operating system. This is important because it reduces the risk of modifying the target system during acquisition. Note that Clonezilla Live is not a forensic distribution and has no software write blocker: it reads the source partition with partclone or dd and only mounts the destination (image repository) read/write, so protection of the evidence depends on the examiner selecting the correct source and destination devices, or on a hardware write blocker. Once booted, Clonezilla presents several boot options. Each option controls the startup environment, such as normal mode, loading Clonezilla fully into RAM, accessibility modes, hardware diagnostics, or system configuration.

According to the official website, Clonezilla supports a wide range of filesystems, including ext2, ext3, ext4, reiserfs, reiser4, xfs, jfs, btrfs, f2fs, nilfs2, FAT12, FAT16, FAT32, exFAT, NTFS, HFS+, APFS, UFS, Minix, and VMFS. This extensive filesystem support makes Clonezilla a versatile imaging tool, especially in environments where multiple operating systems may be involved.

Another feature I appreciated was the language support. After selecting the boot environment, Clonezilla allows you to choose from a list of 17 languages. While I wish I could read and speak all of them, I selected English and continued with the process.


Test Environment

I used the following tools for testing:

Tool                  Version
Clonezilla Live       stable branch, Clonezilla live 3.3.0-33
SUMURI Paladin        9.3.2 (Build 3046)
FTK Imager            4.7.1.2
Test target           1.5GB virtual partition, NTFS filesystem

All testing was conducted within a virtual machine environment. This approach allowed me to easily capture results and switch between Paladin and Clonezilla for validation and comparison. I also want to highlight Paladin as an excellent forensic platform with powerful acquisition and verification capabilities.

Clonezilla Live can be downloaded from its official website and used to create a bootable USB device. This bootable media can then be used to boot target systems and create backups, clones, or forensic images.


Establishing a Forensic Baseline

The first step in the testing process was booting the virtual machine into Paladin and hashing the target partition. This hash value served as a reference point to verify whether Clonezilla would maintain the integrity of the partition during the imaging process.


Imaging the Partition with Clonezilla

Next, I booted the virtual machine into Clonezilla and proceeded with imaging the target partition.

The following steps were performed:

  1. Selecting the imaging mode in Clonezilla (saving a partition to an image file).

  2. Carefully selecting the destination drive where the image would be saved. This is an important step, as the destination drive is mounted read/write and must be different from the source drive.

  3. Selecting Expert Mode, which provides additional options suitable for forensic acquisition, including image hashing and advanced configuration settings.

  4. Selecting dd as the imaging method so that Clonezilla created a raw, sector-by-sector image of the partition. This must be chosen explicitly: Clonezilla's default, partclone, copies only the blocks the filesystem marks as in use and would drop unallocated space, including deleted data. Raw images are forensically complete, but they can be large.

  5. Clonezilla compressed the image using gzip, resulting in a .gz file that contains the raw image.

  6. Clonezilla also generated hash files, "SHA1SUMS" and "MD5SUMS," covering the image files it wrote to the destination.


Verification and Integrity Validation

After imaging was completed, I booted the virtual machine back into Paladin and hashed the original partition again. The hash value matched the initial reference hash, confirming that Clonezilla did not alter the source partition during acquisition.

I then decompressed the .gz archive and used FTK Imager to hash the raw image file. The resulting hash matched the hash value calculated by Paladin, confirming that the image was a bit-for-bit copy of the original partition.

Additionally, Clonezilla generated file-level hashes stored in a compressed .gz file. These hashes were calculated using the BLAKE3 hashing algorithm (b3sum), which is known for its speed and cryptographic strength. Because they are computed over the individual files in the filesystem rather than over the sectors of the partition, they complement the image hash but do not replace it.

A review of the raw image contents confirmed the presence of all test data, including live files and deleted artifacts. The matching hash is the authoritative proof that every sector was captured; the presence of deleted artifacts is a useful sanity check that the dd method, rather than the block-skipping partclone default, was actually used.


Limitation Observed

One limitation observed during testing is that Clonezilla does not automatically calculate and compare the hash of the source partition with the hash of the resulting raw image, which is standard practice in dedicated forensic imaging tools. While Clonezilla does calculate and record hashes of the image files it writes, those hashes only verify the integrity of the compressed archive on the destination drive and do not by themselves establish a bit-for-bit match between the original source partition and the uncompressed raw image.

However, this limitation can be addressed from the Clonezilla shell by reading the source partition with dd and piping it into a hashing utility such as sha256sum (dd itself does not calculate hashes). The calculated hash can then be saved to the collection drive and compared with the hash of the raw image after decompression to establish forensic integrity.
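The following script, written for this article as an added example and not part of Clonezilla or the original post, performs that manual check: it hashes the source partition through dd, hashes the reassembled and decompressed image without writing the raw image back to disk, records the source hash for the case notes, and reports whether the two match. It assumes the source is a block device such as /dev/sda1 (a constructed file stands in for it in the offline demo), that the image is the ordered set of gzip volume files Clonezilla wrote for that partition, and that sha256sum, gzip, split, and dd are available as they are in the Clonezilla Live shell. The repository path /home/partimag and the case directory name in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not Clonezilla's or the author's code): compare the hash of the
# source partition with the hash of the decompressed raw image.
# Assumptions: the source is a raw block device (or, for the demo, a file); the
# image is Clonezilla's set of gzip volume files for the partition, passed in order.
set -eu

# hash_source DEV: stream every sector of the source through sha256sum.
# dd reads the raw device, so the filesystem is never mounted.
hash_source() {
    dd if="$1" bs=1048576 2>/dev/null | sha256sum | cut -d' ' -f1
}

# hash_image VOLUME...: concatenate the split gzip volumes in order, decompress
# on the fly and hash the raw stream, so the uncompressed image never touches disk.
hash_image() {
    cat "$@" | gzip -dc | sha256sum | cut -d' ' -f1
}

# record_hash DEV OUTFILE: append the source hash to a file on the collection
# drive in "hash  device  timestamp" form for the case notes.
record_hash() {
    printf '%s  %s  %s\n' "$(hash_source "$1")" "$1" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$2"
}

# verify DEV VOLUME...: print both hashes; return 0 on a match, 1 otherwise.
verify() {
    dev=$1; shift
    src=$(hash_source "$dev")
    img=$(hash_image "$@")
    printf 'source: %s\nimage:  %s\n' "$src" "$img"
    [ "$src" = "$img" ]
}

# demo MODE: build a constructed ~2 MB "partition" (not real evidence) plus a
# split, gzip-compressed image of it in a temp directory, mimicking the dd + gzip
# output layout. MODE "tamper" overwrites one byte of the source after imaging
# so the comparison must fail. Returns 0 on match, 1 on mismatch.
demo() {
    work=$(mktemp -d)
    seq 1 300000 > "$work/part"                              # constructed source
    gzip -c "$work/part" > "$work/part.gz"
    split -b 131072 -a 2 "$work/part.gz" "$work/part.gz."    # part.gz.aa, .ab, ...
    rm "$work/part.gz"
    if [ "$1" = tamper ]; then
        # the byte at offset 4096 is a digit or newline, so 'x' always changes it
        printf 'x' | dd of="$work/part" bs=1 seek=4096 conv=notrunc 2>/dev/null
    fi
    if verify "$work/part" "$work"/part.gz.??; then rc=0; else rc=1; fi
    rm -rf "$work"
    return "$rc"
}

# On a live Clonezilla shell the real calls look like this (paths are assumptions;
# list the image directory to get the volume file names for the partition):
#   record_hash /dev/sda1 /home/partimag/case01/source.sha256
#   verify /dev/sda1 /home/partimag/case01/image/<volume files in order>
```

Run the source hash before imaging and again after, and keep both lines from record_hash with the case; `sha256sum /dev/sda1` gives the same value as the dd pipeline if you prefer a single command. Streaming the volumes through `gzip -dc` avoids needing free space for a second copy of the raw image on the collection drive.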


Conclusion

Clonezilla is a free and open-source tool capable of creating forensically sound images of drives or partitions when configured to use a sector-level imaging method such as dd rather than its default partclone mode, which copies only allocated blocks. The resulting image can be compressed to reduce storage requirements while still preserving all forensic artifacts. Although Clonezilla does not automatically hash the source partition and compare it with the image, this can be addressed by hashing the source manually from the Clonezilla shell with dd and a hashing utility.

Based on this testing, Clonezilla can serve as a reliable forensic imaging tool and a valuable addition to a forensic examiner’s toolkit, especially in environments where open-source solutions are preferred.