FTK Imager 3.4.0.1

Click Capture Memory. Avoid touching the target machine during this process to keep the memory state stable.

Technical Specifications and System Requirements

FTK Imager requires low-level system access to read physical sectors and live memory.

Right-click the drive, select "Create Disk Image," and choose your destination and format (typically E01).

FTK Imager.exe --create-image --source-type PHYSICAL --source "\\.\PhysicalDrive0" --destination "F:\case001\drive0.E01" --format E01 --case-number 2024-001 --evidence-number E001

Fill out the case metadata fields (Case Number, Evidence Number, Unique Description, Examiner Notes). This data is embedded permanently in the E01 file header.

Select your desired image type (e.g., is recommended for standard investigations).

Step 3: Documenting Case Metadata

Integrity is key in court. FTK Imager automatically generates MD5 and SHA-1 hashes to provide a unique digital fingerprint, proving that your copy is an identical match to the original.

Version 3.4 introduced significant performance optimizations, often cutting imaging time in half compared to older builds.

When creating a forensic image in version 3.4.0.1, you are presented with several format choices. Selecting the right one impacts compression, compatibility, and data validation:

Once finished, FTK Imager displays a verification box showing the computed MD5 and SHA-1 hashes, alongside any bad sectors encountered.

Workflow 2: Capturing Volatile Memory (RAM)

Never perform analysis directly on the original forensic image. Make a working copy of the E01/DD file and preserve the original acquisition file as your gold master archive.

Compared to modern versions of FTK Imager (e.g., 4.5.x, 4.7.x), version 3.4.0.1 may lack certain enhancements. Later versions offer: