Clonezilla for forensic disk image
I was wondering if it's reasonable and forensically correct to use Clonezilla for the image of an attacked machine. Since some of the commercial products are very expensive, I'm turning to open-source solutions.
- it is an offline copy (the compromised disk is not live)
- it's Linux-based and uses partclone (or dd, but I'm not sure about that one)
- with the help of the advanced options you can encrypt the copy, hash it, and copy "empty" sectors
In forensics, is the RAW filesystem of the image a requirement, or is it not that important?
No, Clonezilla is not a forensic tool. Even using it for incident analysis is not recommended. Can it be useful? Yes, but there are better free tools available for forensic and incident analysis.
Yes, the RAW filesystem is important. It's where all the deleted files and fragments exist.
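The two points above (a bit-for-bit raw copy, and deleted fragments surviving only in the unallocated sectors of such a copy) can be shown with plain dd and sha256sum. The script below is an added example, not code from the original post and not part of Clonezilla; a regular file stands in for the suspect block device so it runs offline, and the demo "disk", its header and the DELETED-FRAGMENT marker are constructed here. On a real case the source would be a write-blocked device rather than a file.

```shell
#!/bin/sh
# Added example: raw imaging with dd plus hash verification, using a
# constructed file in place of the suspect block device.
set -eu

# Constructed demo "disk": 1 MiB of zeros with a filesystem-like header and a
# fragment left behind in an unallocated region, as a deleted file would leave.
make_demo_disk() {
    disk=$1
    dd if=/dev/zero of="$disk" bs=1024 count=1024 status=none
    printf 'DEMOFS-HEADER' | dd of="$disk" bs=1 seek=0 conv=notrunc status=none
    printf 'DELETED-FRAGMENT' | dd of="$disk" bs=1 seek=524288 conv=notrunc status=none
}

# Raw image: every sector, allocated or not. conv=noerror,sync keeps reading
# past an unreadable sector and pads it with zeros so later offsets stay
# aligned. The source hash is recorded beside the image at acquisition time.
image_disk() {
    src=$1; img=$2
    dd if="$src" of="$img" bs=512 conv=noerror,sync status=none
    sha256sum "$src" | awk '{print $1}' > "$img.sha256"
}

# Verify: the image still hashes to the value recorded at acquisition.
# Returns 0 when the hashes match, 1 otherwise.
verify_image() {
    img=$1
    recorded=$(cat "$img.sha256")
    actual=$(sha256sum "$img" | awk '{print $1}')
    [ "$recorded" = "$actual" ]
}

# Check whether a byte pattern survives in the image (grep -a treats the
# binary image as text). A used-blocks-only copy would drop unallocated data.
image_contains() {
    img=$1; pattern=$2
    grep -a -q "$pattern" "$img"
}

main() {
    work=$(mktemp -d)
    make_demo_disk "$work/suspect.img"
    image_disk "$work/suspect.img" "$work/suspect.raw"
    verify_image "$work/suspect.raw" && echo "image hash verified"
    image_contains "$work/suspect.raw" DELETED-FRAGMENT && echo "unallocated fragment preserved"
    rm -rf "$work"
}
main "$@"
```

The recorded hash is what lets anyone later show the image has not changed since acquisition; the grep step is the part a used-blocks-only clone would fail, because the fragment sits outside any allocated file.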