Digital forensics plays a crucial role in modern cybersecurity investigations. Among the many tools used by professionals in the field, FTK Imager is one of the most trusted for acquiring and preserving digital evidence. Whether you’re an investigator, analyst, or student, understanding how to use FTK Imager effectively can significantly improve the accuracy and reliability of your forensic work.
This guide covers the tool’s key features, practical use cases, and tips for maintaining evidence integrity throughout the investigative process.
FTK Imager is a free online tool for taking disk and memory images. You can download it from the Exterro website in exchange for some basic contact details. We’re using the Windows version to walk you through how to use it, but it’s available for any platform.
FTK Imager can perform a variety of imaging functions. It takes everything from physical disk images, where you’re capturing a bit-by-bit copy, to a logical image that shows user files and folders. It can also image optical discs such as DVDs or CDs.
It’s a great tool for memory analysis. FTK Imager works through write blockers, and previously captured images can be mounted in it for analysis.
FTK Imager, developed by Exterro, is a widely used tool that enables users to create exact images of storage devices and memory. It’s available at no cost, though you’ll need to submit some contact information to download it. Once installed, FTK Imager offers several core capabilities:
Physical disk imaging: Creates bit-level copies of entire drives.
Logical imaging: Captures selected files and directories.
Image file analysis: Allows the user to open and explore existing forensic image files.
Optical media imaging: Supports CDs, DVDs, and Blu-ray discs.
Memory capture: Extracts volatile memory for in-depth threat analysis.
What sets FTK Imager apart is its balance of simplicity and functionality—it’s lightweight, easy to use, and compatible with write blockers to maintain data authenticity.
The integrity of digital evidence is paramount in legal and organizational investigations. FTK Imager supports this requirement through features that promote transparency and reliability. Some benefits include:
Cost-effective access: It’s free to use, making it accessible for both professionals and students.
Comprehensive imaging options: Covers both physical and logical acquisitions.
Preservation of original data: Ensures no modifications are made during acquisition.
Support for memory analysis: Helps uncover live or volatile data that might disappear after shutdown.
Compatibility with forensic hardware: Works well with write blockers, ensuring no accidental writes occur.
In forensic work, it’s important to distinguish between imaging and cloning:
Disk imaging involves creating a single archive file that contains a bit-for-bit copy of a device. It’s ideal for investigations, as it allows analysis without altering the original.
Disk cloning, by contrast, creates an exact duplicate of a device onto another storage unit—useful in hardware upgrades but not always ideal for evidence preservation.
Maintaining a clear and verifiable chain of custody is essential in digital forensics. Each action taken on evidence—from acquisition to analysis—should be documented. This:
Preserves the credibility of the data.
Meets legal and ethical standards.
Reduces the chance of misinterpretation.
Supports transparency and traceability throughout the case.
You will need administrator access to download and run FTK Imager.
There are several options available for image capture:
When doing a logical image capture, it’s important to remember that you’ll be limited by the user’s permissions. You’ll only be able to see what the user has access to, and an administrator-level user is likely to have vastly different access than a system-level user.
Note: If you are going through a write blocker, you first need to select how the write blocker is mounted.
Select the drive you want to capture. You’ll notice FTK Imager includes metadata about the drive.
In our example, we’ve selected a physical disk, that is, a primary or secondary disk; here it is a VMware virtual disk.
Step 2: Select the file format and compression
Then you’ll see a “Create Image” box. With FTK Imager, you can create multiple images at the same time in different file formats in addition to just the raw image. These include E01, a format used with a number of other forensic tools, SMART, and even AFF. Keep in mind that some file formats are proprietary, and that a particular format may be required by the other tools you plan to use.
Next, you’ll select the destination for the image file. Note that you cannot image a drive onto itself, so you will need to use an external drive such as a USB or some other separate storage method. If you plan to use a separate section of a network drive, remember that it’s going to take up some bandwidth.
Also, be mindful that these can be very large files, so setting the compression is important. The volumes can easily become very large, particularly with logical images over multiple drives.
Another nice feature is that if you’ve selected E01 as your format, there is a place to put metadata such as a case number, evidence number, the examiner, and any additional notes.
When creating a disk image, consider whether or not you’ll need to compress it, and which file format might be best for any other tools that you’re using. Then, click Finish, and it’ll start writing the image and drop the file. Assign a name, save the pagefile if you want, and you’re done.
Creating a memory image is even simpler than disk capture, as there aren’t as many options in the FTK Imager program.
Set the destination path and file name, include the pagefile if you’d like, and, if necessary, check the box that allows you to create an AD1 file (AD1 is a proprietary evidence file format that may be useful depending on which tools you’re using).
And that’s it, you’re done! The file that comes out will be usable by most major analysis tools, including Volatility.
Verifying the integrity of forensic images is non-negotiable. FTK Imager supports hash generation, which allows you to:
Generate MD5 or SHA-256 hash values at acquisition.
Recalculate and compare hash values to confirm nothing has changed.
Keep clear records for validation during later stages of analysis.
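The recalculate-and-compare step can also be done independently of the acquisition tool. The following is an added example, not part of FTK Imager or of the original guide: it streams a raw (dd) image, split or unsplit, through MD5 and SHA-256 in one pass and returns a record suitable for a custody log. The segment naming (name.001, name.002, ...), the file names and the examiner value are assumptions.

```python
import hashlib
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # stream 1 MiB at a time; images are far larger than RAM
SEG = re.compile(r"\.(\d{3,})")  # assumed split naming: name.001, name.002, ...

def image_segments(first):
    """Return the image's segment files in order; refuse a set with gaps."""
    first = Path(first)
    if not SEG.fullmatch(first.suffix):
        return [first]  # single, unsplit raw image
    parts = sorted((int(SEG.fullmatch(p.suffix)[1]), p)
                   for p in first.parent.iterdir()
                   if p.stem == first.stem and SEG.fullmatch(p.suffix))
    if [n for n, _ in parts] != list(range(1, len(parts) + 1)):
        raise FileNotFoundError(f"segment missing from {first.stem}")
    return [p for _, p in parts]

def hash_image(first):
    """Read every segment once, feeding MD5 and SHA-256 in the same pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for seg in image_segments(first):
        with open(seg, "rb") as fh:
            while chunk := fh.read(CHUNK):
                md5.update(chunk)
                sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def verify_image(first, recorded, examiner):
    """Recompute and compare; the returned dict is one custody-log entry."""
    computed = hash_image(first)
    return {
        "image": str(first),
        "checked_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,
        "computed": computed,
        "match": bool(recorded) and all(
            computed[alg] == value.strip().lower() for alg, value in recorded.items()),
    }

if __name__ == "__main__":
    # Constructed sample: a two-segment "image" written to a temp directory.
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "case42.001").write_bytes(b"A" * 4096)
        Path(tmp, "case42.002").write_bytes(b"B" * 100)
        recorded = hash_image(Path(tmp, "case42.001"))  # stands in for acquisition-time values
        print(verify_image(Path(tmp, "case42.001"), recorded, "examiner-placeholder"))
```

This applies to raw images only. Container formats such as E01 add compression and metadata, so a hash of the container file will not equal the hash recorded for the source media, and those images should be verified with a tool that reads the format.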
To ensure digital evidence is handled properly:
Always document acquisition times, dates, and individuals involved.
Maintain a complete chain of custody log.
Use trusted tools and hardware like write blockers.
Run regular hash verifications during the case.
Work in a controlled environment to prevent data corruption or loss.
After creating a forensic image:
Choose an analysis tool like Autopsy, EnCase, or X-Ways.
Continue documenting your activities and findings.
Adhere to applicable legal and ethical standards.
Review the data methodically to ensure accuracy and objectivity.
FTK Imager remains a cornerstone in digital forensics for good reason. It provides a reliable way to collect, preserve, and verify digital evidence—without needing expensive software licenses. By learning to use it properly and following sound forensic principles, investigators can ensure their work stands up to scrutiny both technically and legally.
Insane Cyber © All Rights Reserved 2025