// What is FTK Imager?
FTK Imager is a free forensic imaging tool developed by Exterro (formerly AccessData). It creates forensically sound, bit-for-bit copies of storage media (disk images) that can be analysed without touching the original evidence. It also provides a lightweight evidence browser for examining image contents and exporting specific files and artefacts.
FTK Imager is distinct from the full Forensic Toolkit (FTK) product: Imager is free and focused on acquisition, while full FTK is a commercial analysis platform. Imager is the standard tool for creating images that are then analysed in Autopsy, FTK, or other platforms.
FTK Imager is a Windows application. For Linux-based imaging, the equivalent tools are dd or dcfldd (raw images) or ewfacquire for E01 format. When imaging a live Windows system, use FTK Imager's physical drive mode or the portable version (FTK Imager Lite) run directly from a USB drive to avoid installing software on the evidence machine.
// Interface Overview
| Panel | Purpose |
|---|---|
| Evidence Tree | Hierarchical view of all added evidence sources: drives, images, folders |
| File List | Contents of the selected folder in the evidence tree |
| Properties | Metadata for the selected file: hash, timestamps, size, physical location |
| Hex Viewer | Raw hex dump of the selected file or sector |
| Text Viewer | Decoded text view: ASCII or Unicode interpretation of raw bytes |
// Creating Disk Images
Creating a forensic image is the first step in any DFIR investigation. The image is a sector-by-sector copy of the source, preserving everything including deleted files, unallocated space, and file system metadata.
Imaging a physical drive
1. File → Create Disk Image
2. Select source type:
- Physical Drive → full drive including all partitions
- Logical Drive → single partition (e.g. C:\)
- Image File → re-image or convert existing image
- Contents of a Folder → logical acquisition (no deleted files)
3. Select the source drive from the dropdown
4. Add a destination image:
- Choose format (E01 recommended)
- Set output path on a write-verified evidence drive
- Fill in case information (case number, examiner, notes)
- Set fragment size (0 = single file, or 1500 MB for manageable chunks)
5. Enable "Verify images after they are created"
6. Start → monitor progress and hash verification at completion
Write-protect the source. Before connecting a suspect drive, use a hardware write blocker to prevent any writes to the evidence. Software write blockers (Windows registry setting) are a fallback but hardware is preferred: forensic integrity depends on proving the source was not modified.
// Image Formats
| Format | Extension | Description | Best for |
|---|---|---|---|
| Expert Witness Format | .E01 | Industry standard. Supports compression, metadata, internal hash verification, multi-segment. Default choice for most investigations. | Most forensic investigations; widely supported by analysis tools |
| Raw | .dd / .img / .raw | Uncompressed bit-for-bit copy. No internal metadata. Largest file size but maximum compatibility. | When you need compatibility with Linux tools (dd, Autopsy, Volatility) |
| SMART | .s01 | Compressed format from ASR Data. Similar to E01 but less common. | Legacy SMART-based workflows |
| AFF | .aff | Advanced Forensic Format: open standard with metadata support. Less commonly used today. | Open-source toolchain workflows |
// Evidence Browsing
FTK Imager can open and browse disk images without a full analysis tool. Add evidence via File → Add Evidence Item and select the image file.
Navigating the file system
The Evidence Tree shows the image's partition structure. Expand partitions to see the file system, then navigate directory trees just like Windows Explorer. Key directories to check during investigation:
| Path | What you'll find |
|---|---|
| C:\Users\{user}\AppData\Roaming | Application data: browser profiles, malware configs, C2 artefacts |
| C:\Users\{user}\AppData\Local\Temp | Common malware drop location |
| C:\Windows\Prefetch | Prefetch files: evidence of program execution even after deletion |
| C:\Windows\System32\winevt\Logs | Windows Event Log files (.evtx); export for analysis |
| C:\Windows\System32\Tasks | Scheduled tasks; check for persistence |
| C:\ProgramData | Common malware installation directory |
| C:\Users\{user}\NTUSER.DAT | User registry hive: run keys, recently opened files, typed URLs |
| C:\Windows\System32\config | System registry hives: SAM, SYSTEM, SOFTWARE, SECURITY |
// Recovering Deleted Files
FTK Imager shows deleted files; they appear with a red X icon in the file list. When a file is deleted on NTFS, the directory entry is marked as deleted but the data remains on disk until overwritten. FTK Imager recovers these by parsing the MFT (Master File Table) directly.
Red X: Deleted
File's directory entry is marked deleted. Data may still be intact on disk. Recoverable unless the clusters have been overwritten.
Orphan files
Files whose parent directory has been deleted. Listed under the [orphan] node in the Evidence Tree. Common after attackers delete log directories.
Unallocated space
Sectors not assigned to any active file. May contain remnants of deleted files, previous partitions, or wiped data. Visible as [unallocated space] in the tree.
Recycle Bin
Files deleted via the Recycle Bin are stored in C:\$Recycle.Bin\{SID}\. FTK Imager shows the original path and deletion timestamp.
To export a deleted file: right-click → Export Files. If the data clusters are intact, you'll get a working copy of the file.
// Exporting Evidence
| Export type | How | Use case |
|---|---|---|
| Export files | Right-click file or folder → Export Files | Extract specific files: logs, registry hives, malware samples |
| Export directory listing | File → Export Directory Listing | Generate CSV of all files with metadata; useful for timeline analysis |
| Export hash list | File → Export File Hash List | Generate MD5/SHA-1 hashes for all files; compare against known-good baseline |
| Export custom content image | File → Create Custom Content Image | Create a new image containing only selected files; carve specific artefacts |
When extracting Windows Event Logs (.evtx files), registry hives (NTUSER.DAT, SAM, SYSTEM), and prefetch files, hash each exported file immediately after export and log the hash alongside the source path and timestamp in your investigation notes.
// Hash Verification
Forensic integrity is proven through hashing. FTK Imager calculates MD5 and SHA-1 hashes of the source drive and the resulting image: if they match, the image is a verified bit-for-bit copy.
Verify an existing image
File → Verify Drive/Image
→ Select the image file (.E01, .dd, etc.)
→ FTK Imager recalculates the hash and compares to the stored value
→ Verified = image has not been modified since acquisition
→ Failed = evidence integrity compromised; do not use for legal proceedings
Hashing individual files
Select file in file list
→ Right-click → Properties
→ MD5 Hash and SHA-1 Hash shown in the Properties panel
→ Cross-reference with VirusTotal, threat intel, or known-good hash list
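As an added example (not FTK Imager's own code), the checks behind the two steps above: streaming MD5 and SHA-1 over a fragmented raw image to compare with the digests recorded at acquisition, and hashing each exported artefact straight into a CSV log with its source path and UTC timestamp, as the export section recommends. It assumes the image was written as ordered raw fragments (image.001, image.002, ...) whose concatenation is the original bit stream; the fragment names, the `verify_image` and `log_export` helpers and the CSV columns are this example's own choices.

```python
import csv
import hashlib
from datetime import datetime, timezone
from pathlib import Path
from typing import Iterable, Iterator

CHUNK = 4 * 1024 * 1024  # 4 MiB reads keep memory flat on multi-TB images

def hash_stream(chunks: Iterable[bytes]) -> dict:
    """One pass over the bytes, both digests updated together (one read, two hashes)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in chunks:
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def iter_segments(paths: Iterable[Path], chunk_size: int = CHUNK) -> Iterator[bytes]:
    """Present a fragmented raw image (.001, .002, ...) as a single byte stream.
    Order matters: the acquisition hash covers the concatenation in fragment order."""
    for path in paths:
        with open(path, "rb") as fh:
            while chunk := fh.read(chunk_size):
                yield chunk

def verify_image(stream: Iterable[bytes], recorded: dict) -> bool:
    """Recompute the digests and compare with the values recorded at acquisition.
    Both hashes must be present and match; anything else is a failed verification."""
    actual = hash_stream(stream)
    return all(actual[a] == recorded.get(a, "").lower() for a in ("md5", "sha1"))

def log_export(exported: Path, source_path: str, logfile: Path) -> dict:
    """Hash a file exported from the image; append hash, source path and UTC time to a CSV log."""
    with open(exported, "rb") as fh:
        digests = hash_stream(iter(lambda: fh.read(CHUNK), b""))
    row = {"exported_file": exported.name, "source_path": source_path,
           "utc": datetime.now(timezone.utc).isoformat(timespec="seconds"), **digests}
    write_header = not logfile.exists()
    with open(logfile, "a", newline="") as out:
        writer = csv.DictWriter(out, fieldnames=list(row))
        if write_header:
            writer.writeheader()
        writer.writerow(row)
    return row

if __name__ == "__main__":
    # Constructed stand-in for iter_segments([...]): two fragments whose bytes are b"abc".
    recorded = {"md5": "900150983cd24fb0d6963f7d28e17f72",
                "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d"}
    print("verified:", verify_image([b"a", b"bc"], recorded))
```

This only applies to raw images: an E01's stored hash covers the acquired data, not the .E01 container files, so verify those with File → Verify Drive/Image or an EWF-aware library.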
// Memory Capture
FTK Imager can capture a live memory dump from a running Windows system. This is critical: memory contains running processes, network connections, encryption keys, plaintext credentials, and injected code that won't appear in a disk image.
File → Capture Memory
→ Destination path: output to external evidence drive (not the system drive)
→ Include pagefile: Yes (recommended; additional volatile data)
→ Create AD1 file: optional; wraps the dump with metadata
→ Click Capture Memory
→ Output: .mem file → analyse with Volatility or Magnet AXIOM
Memory capture writes to disk. Running FTK Imager on a live system modifies memory: the tool itself loads into RAM and its process appears in the dump. This is unavoidable but acceptable and must be documented. Never install FTK Imager to the suspect's drive; run from USB or a network share.
// Tips & Best Practices
Document everything. Record the time you connected the drive, the write blocker used, the image start and end times, the hash values, and the destination storage device. Forensic reports require this provenance: if you can't prove chain of custody, the evidence may be inadmissible.
Image to a drive larger than the source. An E01 image of a 1TB drive might compress to 200GB depending on data content, but always have more space than the source size in case compression is minimal. Running out of space mid-image corrupts the evidence file.
FTK Imager Lite. The portable version of FTK Imager runs directly from a USB drive without installation. This is the preferred option when imaging a live suspect machine: you avoid installing software to the evidence drive, which would modify timestamps and potentially overwrite deleted data.
E01 vs raw for analysis. E01 images work directly in Autopsy and FTK. For Volatility (memory analysis), you need a raw .mem or .raw dump. When in doubt, create both; convert E01 to raw using FTK Imager's image conversion feature if needed.