FTK Tutorial FTK Imager

Forensic analysis

Uploaded by

ghkchk44

FTK Imager

A How-To Guide
What is FTK Imager?
● A piece of software (made by AccessData) able to acquire digital evidence
in various ways
○ physical acquisition
○ logical acquisition
○ folder/file acquisition
● Allows the investigator to quickly, efficiently, and correctly acquire
evidence from a system
● It also supports plugins and external hardware such as write-blockers,
for the most forensically sound acquisition possible
Physical Acquisition
● Physical acquisition includes everything on a hard drive.
○ Unallocated space
○ Allocated space
○ Every partition on the hard drive
Step-By-Step
● After downloading and installing from here, open FTK Imager by
right-clicking and selecting “run as administrator”
● To perform a physical acquisition, select “File” then “Create Disk Image”
● Select “Physical Drive” and click “Next”
● First, use “Disk Manager” to make sure the drive you want to image is
connected to the computer. Then, in FTK, select the drive you want to
acquire and click “Finish”
● A new window will appear. Select “Add” and select “E01” and press “Next”
● Fill out the case information as well as a description of the evidence and
press “Next”
Step-By-Step (cont.)
● Select the folder to save the Image to as well as input a Filename for the
Image file.
● If you want the image to be processed quickly, set the compression to 0.
Keep in mind that this will make the file size bigger. Also, FTK splits the
image into fragments by default, so if you simply want one large file, set
the fragment size to 0. Otherwise, keep it at its default value.
● If you want to encrypt the file, select the box “Use AD Encryption”
● Then Select “Finish”
● Finally select “Start” to acquire the Image
Logical Acquisition
● Logical acquisition does not include the entire hard drive
● It includes only
○ Partitions
○ Files within those partitions
○ Allocated space only
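
What the physical/logical difference means on disk, as an added example that is not part of the original guide: this Python sketch parses an MBR partition table and lists the sector ranges that lie outside every partition, which only a physical acquisition captures. The sample sector, disk size, and function names are constructed for illustration.

```python
import struct

SECTOR = 512

def parse_mbr(sector0: bytes):
    """Return sorted (start_lba, sector_count, type) for each used MBR entry."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR sector (missing 0x55AA signature)")
    parts = []
    for i in range(4):  # four 16-byte entries starting at offset 446
        entry = sector0[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        start, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count > 0:
            parts.append((start, count, ptype))
    return sorted(parts)

def unpartitioned_ranges(parts, disk_sectors):
    """Sector ranges (first, last) that no partition covers."""
    gaps, cursor = [], 0
    for start, count, _ in parts:
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, start + count)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps

def build_sample_mbr():
    """Constructed sample: two partitions on a 1,000,000-sector disk."""
    mbr = bytearray(SECTOR)
    layout = [(0x07, 2048, 400000), (0x07, 500000, 300000)]
    for i, (ptype, start, count) in enumerate(layout):
        # status, CHS start (padding), type, CHS end (padding), LBA start, count
        struct.pack_into("<B3xB3xII", mbr, 446 + 16 * i, 0x00, ptype, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for start, count, ptype in parts:
        print(f"partition type 0x{ptype:02x}: sectors {start}-{start + count - 1}")
    for first, last in unpartitioned_ranges(parts, 1_000_000):
        print(f"outside any partition: sectors {first}-{last}")
```

On a GPT disk, sector 0 holds a protective MBR with a single type 0xEE entry, so the GPT header has to be parsed instead.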
Step-By-Step
● After downloading and installing from here, open FTK Imager by
right-clicking and selecting “run as administrator”
● To perform a logical acquisition, select “File” then “Create Disk Image”
● Select “Logical Drive” and click “Next”
● First, use “Disk Manager” to make sure the drive you want to image is
connected to the computer. Then, in FTK, select the drive you want to
acquire and click “Finish”
● A new window will appear. Select “Add” and select “E01” and press “Next”
● Fill out the case information as well as a description of the evidence and
press “Next”
Step-By-Step (cont.)
● Select the folder to save the Image to as well as input a Filename for the
Image file.
● If you want the image to be processed quickly, set the compression to 0.
Keep in mind that this will make the file size bigger. Also, FTK splits the
image into fragments by default, so if you simply want one large file, set
the fragment size to 0. Otherwise, keep it at its default value.
● If you want to encrypt the file, select the box “Use AD Encryption”
● Then Select “Finish”
● Finally select “Start” to acquire the Image
File/Folder Acquisition
● As the name implies
○ only particular files or folders on a hard drive are
included in the image
Step-By-Step
● After downloading and installing from here, open FTK Imager by
right-clicking and selecting “run as administrator”
● To perform a folder acquisition, select “File” then “Create Disk Image”
● Select “Contents of a Folder” and click “Next”
● A Window will appear that explains some of the problems with Folder only
acquisitions. Simply press “Yes” to continue
● Next choose the Folder you would like to image. Then press “Finish”
● A new window will appear. Select “Add”
● Fill out the case information as well as a description of the evidence and
press “Next”
Step-By-Step (cont.)
● Select the folder to save the Image to as well as input a Filename for the
Image file.
● If you want the image to be processed quickly, set the compression to 0.
Keep in mind that this will make the file size bigger. Also, FTK splits the
image into fragments by default, so if you simply want one large file, set
the fragment size to 0. Otherwise, keep it at its default value.
● If you want to encrypt the file, select the box “Use AD Encryption”
● Then Select “Finish”
● Finally select “Start” to acquire the Image
Conclusion
● Now you can correctly conduct forensic acquisitions of
your own
● For more information on AccessData and FTK Imager
click the link here
