Hello, aspiring Cyber Forensic Investigators. In our previous blogpost on Computer Forensics, you have learnt what is Imaging and its importance. In this article, you will learn about FTK Imager, a tool used for fast and forensically sound evidence acquisition.
FTK Imager may be the first tool you’ll encounter when you’re just beginning your journey into digital forensics. Developed by AccessData, it is a lightweight but powerful forensic acquisition tool used worldwide by investigators, incident responders, law enforcement and cybersecurity analysts. Its primary purpose is simple but critical: create a forensically sound image of digital evidence.
Unlike other evidence acquisition tools like dd, dcfldd or dc3dd, FTK Imager offers a clean, intuitive graphical interface, making it ideal for beginners who want to learn proper evidence handling without complex terminal syntax. Yet, despite its beginner-friendly design, FTK Imager is robust enough for professional, court-admissible investigations.
What makes FTK Imager Popular in Forensics?
FTK Imager is more than just an imaging tool. It provides a range of features essential in the early stages of forensic analysis. They are,
- Creates forensically sound disk images (E01, Raw/DD, SMART, AFF formats)
- Supports physical and logical imaging
- Can preview file systems before imaging
- Extracts volatile data such as RAM
- Generates integrity hashes (MD5, SHA-1, SHA-256)
- Verifies images after creation
- Writes detailed forensic logs
- Offers options to mount images as read-only drives
For students and early-stage analysts, these features offer a complete introduction to acquisition and evidence handling.
Installing and Setting up FTK Imager
FTK Imager runs on Windows and is available as both an installed application and a portable executable. Beginners should prefer the portable version because it can be run from a USB forensic toolkit.
Once launched, the interface is clean, with clear options for adding evidence items, creating images, viewing files and exporting data.
How To Create a Disk Image with FTK Imager?
Here’s a simple step-by-step workflow for creating a forensic image of a suspect drive using this tool.
STEP 1: Launch the Tool
Open FTK Imager and Go to File → Create Disk Image.
STEP 2: Choose the Source Type
Select what you want to acquire:
- Physical Drive
- Logical Drive
- Image File
- Folder Contents
For beginners who are practicing, use Physical Drive.
STEP 3: Select the Target Device
Choose the drive you want to image, such as:
\\.\PHYSICALDRIVE1
STEP 4: Choose the Image Format
Choose the format of the forensic Image you want to save this evidence as.
It supports:
- E01 (Expert Witness format) – Recommended for real cases
- Raw/DD – Compatible with many open-source tools
- SMART / AFF formats
Beginners should typically start with Raw/DD format for simplicity.
STEP 5: Add Case Information
You’ll be prompted to fill optional metadata. This will include information shown below.
- Case Number
- Evidence Number
- Examiner Name
- Notes
This information helps maintain chain of custody.
STEP 6: Set the Output Destination
Choose a location where you want to save your forensic image. Note that this should be separate storage drive, not the source device.
STEP 7: Enable Hashing
Hashing verifies the integrity of the Image, So, check the boxes:
- MD5
- SHA-1 or SHA-256 (recommended for modern investigations)
This tool will automatically generate and verify these hashes.
STEP 8: Start Imaging
Click “Start” and FTK Imager will begin acquiring the bit-for-bit copy, showing real-time progress, speed and any errors.
How to Preview Evidence with FTK Imager?
One of this tool’s greatest strengths is its ability to preview evidence without altering it. To view evidence with FTK Imager, go to File → Add Evidence Item → Image File.
This tool can display:
- Folder structure
- File metadata
- Deleted files
- Hex view of sectors
- File hashes
Beginners find this extremely helpful for practicing forensic interpretation.
How To Export Files from an Image?
You can even extract individual files or folders from a forensic image using this tool. To do that, Right-click any file and go to → Export File(s). FTK Imager maintains timestamps and metadata, keeping the export forensically sound.
How To Capture RAM (Volatile Memory)?
To capture volatile memory with FTK Imager, go to File–>Capture Memory as shown below.
How To Create Hashes of Individual Files?
A common beginner task is to hash individual files for the purpose of integrity. To do this, Right-click on the file you want to compute hash to. and select Compute Hash
FTK Imager can generate:
- MD5
- SHA-1
- SHA-256
hashes, depending on your settings.
How to Mount A Forensic Image?
You can mount also mount a forensic image as a read-only drive for examination. You can do this by going to File → Image Mounting. Once you are here, select from:
- Read-only mode
- Mount as a physical or logical drive
This helps beginners explore forensic artifacts using Windows tools without altering evidence.
Best Practices for Beginners
1. Always Use a Write-Blocker
Never and never connect a suspect drive directly to your system and always use a Write-Blocker.
2. Store Images Separately
Never save images on the same drive as the evidence source.
3. Document Every Action
Always document each and every action like Case details, hashes, timestamps and imaging logs. They must be preserved.
4. Verify Images:
FTK Imager does verification automatically. Always maintain the verification log.
Conclusion
FTK Imager remains one of the most essential tools for beginners in digital forensics. Its intuitive interface, strong forensic controls, built-in hashing and preview capabilities make it an ideal starting point for anyone learning evidence acquisition. Whether you’re preparing for a real investigation or building your lab skills, mastering FTK Imager gives you a strong foundation in the world of DFIR.
Follow Us
