There’s a moment at the start of every investigation where you’re staring at a hard drive and thinking, “I need to copy this thing perfectly, right now, without screwing anything up.” That pressure never gets old. And for the last several years, the tool I keep coming back to for that job is FTK Imager. It costs nothing. It works. And honestly, it does a few things that some paid tools still fumble.

Let me walk you through how I actually use it, and why it deserves a permanent spot on your forensic workstation.

What FTK Imager Actually Does (and Doesn’t Do)

FTK Imager, made by Exterro, is a forensic imaging tool. You install it on a Windows machine, point it at a drive or at live memory, and it creates an exact bit-for-bit duplicate of whatever you’re targeting. Not just the files you can see in Explorer. Everything. Deleted file remnants sitting in unallocated space, file slack, hidden partitions, all of it. That’s what separates a forensic image from dragging and dropping a folder.

You can grab it from Exterro’s website. They’ll ask for your contact info before the download, which is mildly annoying but worth it.

One thing to be clear about: FTK Imager is an acquisition tool, not an analysis platform. It captures evidence. Once you’ve got your image, you’ll bring it into something like Autopsy, EnCase, X-Ways, or Magnet AXIOM to actually dig through the data. Think of it as the camera, not the darkroom.

Also, it only runs on Windows. But you can absolutely use it to image drives pulled from Linux boxes or other systems. Just connect the drive to your Windows workstation (through a write-blocker, please) and image away.

What You Can Image

FTK Imager handles more than just hard drives, though that’s what most people use it for.

Physical drive imaging gives you the full bit-for-bit copy of an entire disk. This is what you want for a proper forensic acquisition. Nothing gets left behind.

Logical drive imaging captures only what the active file system shows you. It’s faster, but you’re only getting the files and folders visible under whatever user permissions were active when you ran the tool. Fine for some use cases, but you’re leaving potential evidence on the table.

Memory capture is the one thing people forget about, and it shouldn’t be. RAM holds things that vanish the second someone powers off the machine: running processes, active network connections, plaintext passwords, encryption keys. If you’re responding to a live incident and you don’t grab memory first, you’ve already lost data you can’t get back.

Beyond those three, you can image specific folders, CD/DVDs, and even load up existing image files to browse their contents.

The Feature That Saves Time Constantly

Image mounting. Seriously, this one is underrated.

Once you’ve created a forensic image, FTK Imager lets you mount it as a read-only drive letter in Windows. Suddenly, you can browse the entire file system in Explorer, exactly as it looked on the original device. Need to pull a specific file out? Done. Want to run a script or a targeted scan against the image? Go for it. Because it’s mounted read-only, there’s zero risk of contaminating the evidence.

I use this all the time when I need a quick look at something without spinning up a full analysis platform.

Taking a Disk Image, Step by Step

Before anything else: run FTK Imager as an administrator. And if that drive you’re about to image is evidence in any kind of investigation, connect it through a hardware write-blocker. No exceptions. One accidental write to the original drive and your evidence integrity is compromised.

Pick your source. Go to File, then Create Disk Image. You’ll choose from Physical Drive, Logical Drive, Image File, Contents of a Folder, or Fernico Device (for optical media). For a full forensic copy, Physical Drive is almost always the right call. Select the specific drive from the dropdown and move on.

Set up your destination. Click “Add” and choose your image format. Your options are Raw (dd), SMART, E01, and AFF. I almost always go with E01. It supports compression, stores metadata right inside the image file, and is the format most forensic tools expect to see. You can actually output multiple formats at once if you need to, which is a nice touch.

If you pick E01, you’ll get prompted to enter case details: case number, evidence number, your name, and notes. Fill this out. Future you will be grateful, and if this ever goes to court, proper documentation matters.

Choose where to save it. Pick a destination folder on a separate drive. Not the drive you’re imaging. A separate external drive or network share. Give the file a name that actually tells you something useful six months from now.

Tweak compression and fragmentation if you want. Compression ranges from 0 (none) to 9 (maximum). Higher compression shrinks the file but takes longer. You can also split the image into fragments, like 2GB chunks, which can help if you’re dealing with FAT32 file systems or need to transfer the image to media with file size limits.

Hit Start and wait. FTK Imager shows you progress and throughput speed. Depending on the drive size and your connection (USB 2.0 vs. 3.0 vs. direct SATA), this could take anywhere from minutes to many hours.

Check verification. When imaging finishes, FTK Imager automatically calculates MD5 and SHA-1 hashes of both the source and the image, then compares them. If they match, your copy is identical to the original. Always confirm this. The verification results get saved to a text file in the same directory as your image, so you’ve got a record.
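An added example, not part of the original post and not FTK Imager's own code: a small Python script that recomputes the MD5 and SHA-1 digests of a raw (dd) image in one streaming pass, walks split .001/.002/... fragments in order (the fragmentation option from the step above), and compares the result with the digests recorded at acquisition. The file names, the three-fragment sample and the flipped byte are constructed for the demo; the expected digests are the well-known MD5/SHA-1 values of the string "abc".

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def segment_paths(first_segment: Path) -> List[Path]:
    """Order the fragments of a split raw image (.001, .002, ...);
    an image that was not split is returned as its single file."""
    suffix = first_segment.suffix  # e.g. ".001"
    if len(suffix) != 4 or not suffix[1:].isdigit():
        return [first_segment]
    paths, n = [], int(suffix[1:])
    while first_segment.with_suffix(f".{n:03d}").exists():
        paths.append(first_segment.with_suffix(f".{n:03d}"))
        n += 1
    return paths


def hash_image(first_segment, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream every fragment in order through MD5 and SHA-1 at once (the two
    digests FTK Imager records) without loading the image into memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for path in segment_paths(Path(first_segment)):
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(chunk_size), b""):
                md5.update(block)
                sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(first_segment, expected: Dict[str, str]) -> bool:
    """True only if every recorded digest matches the recomputed one
    (hex compared case-insensitively); any mismatch means the copy differs."""
    computed = hash_image(first_segment)
    return all(computed[algo] == digest.lower() for algo, digest in expected.items())


def write_split_sample(directory, parts: List[bytes], stem: str = "evidence") -> Path:
    """Constructed sample: write parts as stem.001, stem.002, ... (a stand-in
    for a fragmented raw image) and return the path of the first fragment."""
    for i, part in enumerate(parts, start=1):
        (Path(directory) / f"{stem}.{i:03d}").write_bytes(part)
    return Path(directory) / f"{stem}.001"


def demo() -> Dict[str, object]:
    """Verify a sample whose fragments concatenate to b"abc", then flip one
    byte in the second fragment to show verification failing."""
    known = {"md5": "900150983cd24fb0d6963f7d28e17f72",
             "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d"}
    with tempfile.TemporaryDirectory() as tmp:
        first = write_split_sample(tmp, [b"a", b"b", b"c"])
        computed, intact = hash_image(first), verify_image(first, known)
        first.with_suffix(".002").write_bytes(b"B")  # simulate one altered byte
        tampered_verified = verify_image(first, known)
    return {"computed": computed, "intact": intact, "tampered_verified": tampered_verified}


if __name__ == "__main__":
    print(demo())
```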


Capturing Live Memory

This is faster than disk imaging, usually just a few minutes, but the data you get can be just as valuable.

Go to File, then Capture Memory. Pick your destination path and filename. You’ll see two optional checkboxes worth knowing about.

Include pagefile.sys, which grabs the Windows page file along with RAM. The page file is where Windows dumps memory contents to disk when RAM fills up, so it can contain fragments of data that were in memory at some point. It makes the capture larger, but I usually include it.

Create AD1 file, which wraps the memory dump in Exterro’s proprietary container format. Unless you specifically need AD1 for compatibility with other AccessData tools, skip it. A raw memory dump works with Volatility and most other memory analysis tools without any hassle.

Click Capture Memory, let it run, and you’re done.

What to Do With Your Images Afterward

For disk images, the real analysis happens in dedicated forensic platforms. Autopsy is free and open-source if budget is a concern. EnCase, X-Ways, and Magnet AXIOM are the heavy hitters on the commercial side. These tools parse file systems, carve deleted files, pull browser history and registry artifacts, build timelines, and handle keyword searches across the entire image.

For memory dumps, Volatility Framework is the standard. It’s open-source and incredibly capable. You can extract running processes, network connections, command history, loaded registry keys, and sometimes even recover passwords and encryption keys from a memory capture.

A Few Things FTK Imager Won’t Help You With

Don’t try to use it on phones or tablets. Mobile forensics is a completely different world with specialized tools like Cellebrite, GrayKey, MSAB XRY, and Oxygen Forensic Detective. FTK Imager isn’t built for that.

And on the topic of speed: your bottleneck is almost always the connection between the evidence drive and your workstation. USB 3.0 or direct SATA connections make a real difference compared to USB 2.0. FTK Imager has gotten faster over the years, but physics is still physics.

Why It’s Still Worth Your Time

I’ve watched forensic tools come and go. Expensive suites launch with flashy features, then get acquired, then get abandoned. FTK Imager just keeps working. It handles the most critical step in any forensic workflow (getting a clean, verified copy of the evidence) and it does it reliably, in industry-standard formats, without costing a dime.

If you’re building out a forensic toolkit, or you’re an incident responder who needs to grab a disk or memory image fast, FTK Imager should already be installed on your workstation. And if it isn’t, that’s a great place to start. 
