FTK Imager (AccessData) is a Windows GUI data-preview and imaging tool. Creates forensic images, previews files and folders inside forensic images, exports files from images, and computes MD5 / SHA-1 hashes. Free; runs portable from USB without install. From v3.4.2 onward it is a 64-bit application.

Side: blue


Capabilities

  • Create forensic images of local hard drives, floppy disks, Zip disks, CDs / DVDs, individual folders, individual files
  • Preview files and folders on local drives, network drives, removable media
  • Preview contents of existing forensic images
  • Export files and folders from forensic images
  • Recover files deleted to Recycle Bin that have not yet been overwritten
  • Compute MD5 and SHA-1 hashes

Install vs portable

Mode             When
Local install    analyst workstation; persistent use
Portable (USB)   run on a target / field machine without installing — necessary when there is no install option on the target

Portable preparation:

  • copy FTK Imager Lite files directly to the USB device, or
  • install on a local computer first, then copy the entire Program Files\AccessData\FTK Imager folder to the USB

Once the program files are on portable media, FTK Imager.exe runs from the device on any Windows host.

Forensic-artefact awareness

Connecting a USB to a target machine leaves forensic artefacts on the target (USB device-history registry entries, prefetch, event log). Document when the USB was connected and what programs or actions were taken from it. A reliable write-blocker is still required even when running portable.


User interface

The UI is split into dockable panes:

  • Evidence Tree — current image / source tree
  • File List — files in the selected tree node
  • Properties — metadata of the selected file
  • Hex Viewer — raw bytes
  • Custom Content Sources — assembled custom selections for export

Pane management:

  • drag a pane outside the window to undock
  • drag a pane back inside until the outline snaps to redock
  • View → Reset Docked Windows restores the default layout

Workflow — image a source

  1. File → Create Disk Image
  2. Choose source type: Physical Drive, Logical Drive, Image File, Contents of a Folder
  3. Select the specific source
  4. Add destination — image type (E01 / SMART / AFF / Raw dd), destination folder, image filename, fragment size
  5. Add evidence-item information: case number, evidence number, examiner, description, notes
  6. Verify images after they are created (option) — recomputes the hash and compares
  7. Start

Output is the image file plus a hash log (<image>.txt — MD5 + SHA-1 + verification result).
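
An independent re-check of a Raw (dd) image against the MD5 and SHA-1 values recorded in the hash log, as an added example that is not part of the original page or of FTK Imager. It assumes segments are named <image>.001, <image>.002, ... and that the logged hashes are copied in by hand; it applies only to Raw (dd) output, where the image files are the acquired bytes and nothing else. The sample data is constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # stream 1 MiB at a time; images are far larger than RAM

def find_segments(first: Path) -> list:
    """Return image.001, image.002, ... in order; fail if the run has a gap."""
    m = re.fullmatch(r"(.+)\.(\d{3})", first.name)  # assumed segment naming
    if not m:
        return [first]  # unsegmented raw image
    pat = re.compile(re.escape(m.group(1)) + r"\.(\d{3})")
    nums = {int(s.group(1)): p for p in first.parent.iterdir()
            if (s := pat.fullmatch(p.name))}
    wanted = range(1, max(nums, default=1) + 1)
    missing = [n for n in wanted if n not in nums]
    if missing:
        raise FileNotFoundError(f"missing segment number(s): {missing}")
    return [nums[n] for n in wanted]

def verify_raw_image(first_segment, logged_md5, logged_sha1) -> dict:
    """Hash all segments as one byte stream and compare with the logged values."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for seg in find_segments(Path(first_segment)):
        with open(seg, "rb") as fh:
            while chunk := fh.read(CHUNK):
                md5.update(chunk)  # both digests are fed in a single read pass
                sha1.update(chunk)
    return {
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
        "md5_match": md5.hexdigest() == logged_md5.strip().lower(),
        "sha1_match": sha1.hexdigest() == logged_sha1.strip().lower(),
    }

def make_sample(folder: Path, data: bytes, parts: int = 3) -> Path:
    """Constructed sample: split `data` into evidence.001 .. evidence.00N."""
    size = -(-len(data) // parts)  # ceiling division
    for i in range(parts):
        (folder / f"evidence.{i + 1:03d}").write_bytes(data[i * size:(i + 1) * size])
    return folder / "evidence.001"

if __name__ == "__main__":
    data = bytes(range(256)) * 64  # constructed stand-in for acquired sectors
    with tempfile.TemporaryDirectory() as d:
        first = make_sample(Path(d), data)
        print(verify_raw_image(first, hashlib.md5(data).hexdigest(),
                               hashlib.sha1(data).hexdigest()))
```

A missing middle segment raises an error instead of silently producing a hash over a shortened stream, which would otherwise look like an ordinary mismatch.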


Workflow — preview / triage a source

  1. File → Add Evidence Item
  2. Choose source type and the specific source
  3. Browse the Evidence Tree → File List → Properties to inspect

Right-click any item to Export Files, Export File Hash List, or add to Custom Content for batched export.


Workflow — capture memory

  1. File → Capture Memory
  2. Choose destination folder and filename
  3. Optional: include pagefile (pagefile.sys)
  4. Start

Result is a raw memory image suitable for analysis with Volatility.


Pitfalls

  • Running FTK Imager from a USB attached to a target leaves USB device-history and prefetch artefacts on the target. Document the USB attach time and every action taken.
  • A write-blocker is still required when imaging a source — FTK Imager itself does not block writes to the source media.
  • Hash verification on a multi-hundred-GB image takes time. Plan for it.
  • Image fragment size affects portability; default segment is large enough that a single image may not fit on FAT32 destinations.
  • Memory capture requires Administrator privileges on the target.
