Unlock the power of digital forensics with FTK Imager! In this article, we’ll show you how to create disk and memory images using this free and versatile tool.
Whether you’re a seasoned cyber investigator or just getting started, this step-by-step guide will help you acquire crucial evidence for forensic analysis, incident response, and cyber threat hunting.
FTK Imager is a free online tool for taking disk and memory images. You can download it from the Exterro website in exchange for some basic contact details. We’re using the Windows version to walk you through how to use it, but it’s available for any platform.
FTK Imager can perform a variety of imaging functions. It takes everything from physical disk images, where you’re capturing a bit-by-bit copy, to a logical image that shows user files and folders. It can also image physical discs such as DVDs or CDs.
It’s a great tool for memory analysis. FTK Imager works through write blockers, and previously captured images can be mounted in it for analysis.
You will need administrator access to download and run FTK Imager.
There are several options available for image capture:
When doing a logical image capture, it’s important to remember that you’ll be limited by the user’s permissions. You’ll only be able to see what the user has access to, and an administrator-level user is likely to have vastly different access than a system-level user.
Note: If you’re going through a write blocker, you first need to select how the write blocker is mounted.
Select the drive you want to capture. You’ll notice FTK Imager includes metadata about the drive.
In our example, we’ve selected a physical disk (a primary or secondary disk) that is a VMware virtual disk.
Step 2: Select the file format and compression
Then you’ll see a “Create Image” box. With FTK Imager, you can create multiple images at the same time in different file formats in addition to just the raw image. These include E01, a format used with a number of other forensic tools, SMART, and even AFF. Keep in mind that some file formats are proprietary, and that the other tools you plan to use may require a particular format.
Next, you’ll select the destination for the image file. Note that you cannot image a drive onto itself, so you will need to use an external drive such as a USB or some other separate storage method. If you plan to use a separate section of a network drive, remember that it’s going to take up some bandwidth.
Also, be mindful that these can be very large files, so setting the compression is important. The volumes can easily become very large, particularly with logical images over multiple drives.
Another nice feature is that if you’ve selected E01 as your format, there is a place to put metadata such as a case number, evidence number, the examiner, and any additional notes.
When creating a disk image, consider whether or not you’ll need to compress it, and which file format might be best for any other tools that you’re using. Then, click Finish, and it’ll start writing the image and drop the file. Assign a name, save the pagefile if you want, and you’re done.
Creating a memory image is even simpler than disk capture, as there aren’t as many options in the FTK Imager program.
Set the destination path and file name, include the pagefile if you’d like, and, if necessary, check the box that allows you to create an AD1 file (AD1 is a proprietary evidence file format that may be useful depending on which tools you’re using).
And that’s it, you’re done! The file that comes out will be usable by most major analysis tools, including Volatility.
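Because the choice of format (E01, SMART, AFF, AD1, or raw) decides which downstream tools can open an image, it helps to confirm what a file actually is before handing it on. The following Python sketch is an added example, not code from this article or from Exterro: it identifies the container from its header and checks that a segmented E01 file's extension agrees with the segment number in its header. The signatures are assumptions taken from publicly documented format specifications, and the sample bytes and file names are constructed.

```python
import struct

# Header signatures as publicly documented for each container format
# (assumption: not taken from the article). Raw (dd) images have no
# header, so they are reported by elimination.
SIGNATURES = [
    (b"EVF\x09\x0d\x0a\xff\x00", "EWF (E01 or SMART s01)"),
    (b"AFF10\r\n\x00", "AFF"),
    (b"ADSEGMENTEDFILE", "AD1"),
]

def identify_image(header: bytes) -> dict:
    """Classify an evidence file from its first 16 bytes."""
    for magic, name in SIGNATURES:
        if not header.startswith(magic):
            continue
        info = {"format": name, "segment": None}
        if magic.startswith(b"EVF"):
            # EWF layout: 8-byte signature, 0x01, uint16 LE segment, 0x0000
            if len(header) < 13:
                raise ValueError("truncated EWF header")
            start, segment, end = struct.unpack_from("<BHH", header, 8)
            if start != 1 or end != 0 or segment == 0:
                raise ValueError("malformed EWF segment header")
            info["segment"] = segment
        return info
    return {"format": "raw or unknown (no container signature)", "segment": None}

def identify_file(path: str) -> dict:
    """Read the header of a file on disk and classify it."""
    with open(path, "rb") as fh:
        return identify_image(fh.read(16))

def segment_matches_name(filename: str, header: bytes) -> bool:
    """True when an .Enn/.snn extension agrees with the header's segment number."""
    ext = filename.rsplit(".", 1)[-1]
    segment = identify_image(header)["segment"]
    if segment is None or not ext[1:].isdigit():
        return False
    return int(ext[1:]) == segment

# Constructed sample: header of the second segment of an E01 image.
SAMPLE_E01_SEG2 = b"EVF\x09\x0d\x0a\xff\x00" + b"\x01\x02\x00\x00\x00" + b"\x00" * 3

if __name__ == "__main__":
    print(identify_image(SAMPLE_E01_SEG2))
    print(segment_matches_name("case42.E01", SAMPLE_E01_SEG2))  # renamed segment
```

A mismatch between extension and header segment number usually means a segment file was renamed or copied out of order, which is worth resolving before the image set is mounted.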
There you have it… disk and memory imaging made simple with FTK Imager. It might be free, but don’t let that fool you: this tool packs some serious forensic firepower.
Whether you’re preserving evidence after a major incident or just exploring a system’s ins and outs, FTK Imager helps you lock down the critical data you need.
Insane Cyber © All Rights Reserved 2025