offensive-tools/forensic/ftk-imager/SKILL.md
FTK Imager: forensic acquisition and image viewing tool for disk images, logical files, and memory. Use to open and browse .dd/.E01/.img/.vmdk disk images without Autopsy, acquire memory dumps, convert image formats, export specific files from images, and verify integrity with hash verification. Also provides a free CLI version (ftkimager) for scriptable acquisition.
Disk image browser + acquisition tool — open images, extract files, acquire memory, verify hashes.
```text
# Windows: download FTK Imager from exterro.com/ftk-imager (free registration)
# Install .exe → launches as GUI
# CLI version (Windows + Linux)
# ftkimager.exe (Windows) / ftkimager (Linux) — same flags
# Download: https://accessdata.com/product-download
# Linux CLI: also available as part of some forensic distros (DEFT, REMnux)
```
```text
File → Add Evidence Item
→ Select Image File
→ Browse to .dd / .E01 / .img / .vmdk / .vhd
→ Image mounts in Evidence Tree on left
```
Navigate the tree to browse partitions and file systems. FTK Imager shows:
```text
Right-click file or folder in Evidence Tree
→ Export Files...
→ Choose destination
```
Batch export: right-click a directory → Export Files → exports entire subtree.
```text
Browse to partition root → scroll or look for entries with red X icon
# OR
File → Add Evidence Item → right-click partition → Export Files → includes deleted
```
```text
File → Verify Drive/Image
→ Select image → runs MD5 + SHA1 hash → compare with acquisition record
```
```text
File → Create Disk Image...
→ Source: Existing image
→ Select .dd as output → converts E01 → raw dd
→ or select E01 → converts dd → E01
```
```shell
# Acquire physical disk to E01 image
ftkimager \\.\PhysicalDrive0 output_case --e01 --verify --case-number "2024-001" --examiner "Dave"

# Acquire to raw .dd
ftkimager \\.\PhysicalDrive0 output.dd --verify

# Acquire specific partition
ftkimager \\.\PhysicalDrive0 output --e01 --partition 2

# Verify existing image
ftkimager output.E01 --verify

# List physical devices (Windows)
ftkimager --list-drives

# Acquire memory (volatile RAM dump)
ftkimager \\.\PHYSICALMEMORY memdump.raw --verify

# Export specific file from image by path
ftkimager image.dd --export --data-path "Users\Dave\Desktop\secret.txt" --export-path .
```
```text
# GUI
File → Capture Memory → select output path → capture
```

```shell
# CLI (Windows, run as admin)
ftkimager \\.\PHYSICALMEMORY memdump.raw --verify
# Output: memdump.raw (raw memory dump)

# Feed to Volatility3 immediately:
python3 vol.py -f memdump.raw windows.pslist
```
| Format | Extension | Notes |
|--------|-----------|-------|
| Raw/DD | .dd, .raw, .img | No compression, universally supported |
| EnCase | .E01, .Ex01 | Compressed, metadata-rich, industry standard |
| SMART | .s01 | Older EnCase format |
| VMware | .vmdk | VM disk — open directly |
| VirtualBox | .vhd, .vhdx | VM disk |
| AFF | .aff | Advanced Forensics Format |
Conversion priority: FTK Imager handles all → export to .dd for widest tool compatibility.
```shell
# After acquisition, FTK Imager generates:
# image.E01 (or .dd)
# image.E01.txt — case notes with MD5/SHA1

# Verify from CLI
ftkimager image.E01 --verify

# Manual hash check
md5sum image.dd
sha256sum image.dd
# Compare with hash in acquisition notes
```
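Comparing the computed hash with the acquisition notes by eye is error-prone; the helper below is an added example (not part of this skill and not FTK Imager's own tooling) that scripts the comparison. It assumes the notes file carries lines of the form `MD5 checksum: <hex>` / `SHA1 checksum: <hex>` (adjust the pattern in `recorded_hash` if your build writes them differently); the image and notes it checks are constructed in a temp directory, not a real acquisition.

```shell
#!/bin/sh
# Added example: compare an image's hash with the one recorded in the
# acquisition notes. Assumption (not verified against every FTK Imager
# build): the notes contain lines such as "MD5 checksum: <hex>" and
# "SHA1 checksum: <hex>". Adjust the pattern in recorded_hash if yours differ.

# recorded_hash NOTES ALG
# Prints the lower-case hash recorded for ALG (MD5, SHA1 or SHA256) in NOTES;
# prints nothing if no such line exists.
recorded_hash() {
    awk -v alg="$2" '
        BEGIN { alg = toupper(alg) }
        toupper($0) ~ ("^[ \t]*" alg "[ \t]*(CHECKSUM)?[ \t]*:") {
            sub(/^[^:]*:[ \t]*/, "")   # drop the label
            sub(/[ \t\r]*$/, "")       # drop trailing whitespace / CR
            print tolower($0)
            exit
        }' "$1"
}

# compute_hash FILE ALG
# Prints the hash of FILE using ALG (coreutils md5sum/sha1sum/sha256sum).
compute_hash() {
    case "$2" in
        MD5)    md5sum    "$1" | awk '{ print $1 }' ;;
        SHA1)   sha1sum   "$1" | awk '{ print $1 }' ;;
        SHA256) sha256sum "$1" | awk '{ print $1 }' ;;
        *) echo "unsupported algorithm: $2" >&2; return 2 ;;
    esac
}

# verify_image IMAGE NOTES ALG
# Returns 0 and prints MATCH when the computed hash equals the recorded one,
# 1 on MISMATCH, 2 when NOTES carries no hash for ALG.
verify_image() {
    alg=$(printf '%s' "$3" | tr '[:lower:]' '[:upper:]')
    expected=$(recorded_hash "$2" "$alg")
    [ -n "$expected" ] || { echo "no $alg hash recorded in $2" >&2; return 2; }
    actual=$(compute_hash "$1" "$alg") || return 2
    if [ "$expected" = "$actual" ]; then
        echo "MATCH $alg $actual"
        return 0
    fi
    echo "MISMATCH $alg recorded=$expected computed=$actual"
    return 1
}

# --- constructed demo data (a stand-in file, not a real image or notes) ---
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/image.dd"
cat > "$demo_dir/image.dd.txt" <<'EOF'
[Computed Hashes]
 MD5 checksum:    b1946ac92492d2347c6235b4d2611184
 SHA1 checksum:   f572d396fae9206628714fb2ce00f72e94f2258f
EOF

if verify_image "$demo_dir/image.dd" "$demo_dir/image.dd.txt" MD5; then :; fi
printf 'x' >> "$demo_dir/image.dd"     # simulate a post-acquisition change
if verify_image "$demo_dir/image.dd" "$demo_dir/image.dd.txt" SHA1; then :; fi
```

Run it as `verify_image image.dd image.E01.txt MD5` after an acquisition; a non-zero exit is what you gate the rest of the workflow on, and a MISMATCH means the image on disk is not the one that was hashed at acquisition time.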
```text
File → Image Mounting
→ Select image
→ Mount Type: Physical & Logical Read Only
→ Drive Letter assigned automatically
```
Now accessible as F:\ (or assigned letter) — open in Explorer or analyze with tools.
```shell
# Mount raw .dd image
sudo losetup -f disk.dd
sudo losetup -a # find loop device (e.g., /dev/loop0)
sudo mount -o ro,offset=$((2048*512)) /dev/loop0 /mnt/image

# Mount E01 with ewf-tools
sudo apt install libewf-dev ewf-tools
sudo ewfmount image.E01 /mnt/ewf/
sudo mount -o ro,offset=$((2048*512)) /mnt/ewf/ewf1 /mnt/image

# Unmount
sudo umount /mnt/image
sudo ewfunmount /mnt/ewf/
```
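The `offset=$((2048*512))` above is only right when the partition starts at sector 2048 on a 512-byte-sector disk, which is common but not guaranteed; the offset should come from the image's own partition table. The helper below is an added example (not part of this skill) that takes `fdisk -l` output and a partition number and computes the byte offset for `mount -o ro,offset=...`. It assumes the util-linux `fdisk -l` layout (a `Sector size` line followed by a `Device ... Start ...` table); the table it parses here is constructed, not from a real image.

```shell
#!/bin/sh
# Added example: derive the mount offset for a partition from "fdisk -l"
# output instead of assuming sector 2048. Assumes the util-linux fdisk
# layout: a "Sector size (logical/physical): N bytes / M bytes" line and a
# table headed "Device  Boot  Start  End ...". On real output:
#   part_byte_offset "$(fdisk -l disk.dd)" 2          (raw image)
#   part_byte_offset "$(fdisk -l /mnt/ewf/ewf1)" 2    (E01 via ewfmount)

# part_byte_offset FDISK_OUTPUT N
# Prints start-sector * logical-sector-size for partition N (1-based row of
# the table). Returns 1 if there is no such row.
part_byte_offset() {
    printf '%s\n' "$1" | awk -v n="$2" '
        /^Sector size/ { sub(/.*:[ \t]*/, ""); sector = $1 + 0 }  # logical size first
        /^Device/      { in_table = 1; next }
        in_table && NF >= 4 {
            idx++
            if (idx == n) {
                start = ($2 == "*") ? $3 : $2   # Boot column is "*" or blank
                print start * sector
                found = 1
                exit
            }
        }
        END { if (!found) exit 1 }'
}

# mount_cmd DEVICE N FDISK_OUTPUT MOUNTPOINT
# Prints the read-only mount command for partition N of DEVICE. It only
# prints it: mounting needs root and a real loop device or ewf1 file.
mount_cmd() {
    off=$(part_byte_offset "$3" "$2") || return 1
    printf 'sudo mount -o ro,offset=%s %s %s\n' "$off" "$1" "$4"
}

# --- constructed sample "fdisk -l" output (not from a real case) ---
SAMPLE_FDISK='Disk disk.dd: 4 GiB, 4294967296 bytes, 8388608 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x1a2b3c4d

Device     Boot   Start     End Sectors  Size Id Type
disk.dd1   *       2048 1050623 1048576  512M 83 Linux
disk.dd2        1050624 8388607 7337984  3.5G 83 Linux'

part_byte_offset "$SAMPLE_FDISK" 1    # 1048576 (= 2048 * 512, the value hard-coded above)
part_byte_offset "$SAMPLE_FDISK" 2    # 537919488
mount_cmd /dev/loop0 2 "$SAMPLE_FDISK" /mnt/image
```

For the second partition of the sample the computed offset is 537919488, not 1048576, which is exactly the case the fixed `2048*512` gets wrong. `mmls` from The Sleuth Kit (listed in the related tools below) reports the same start sectors and is the usual alternative source for these numbers.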
```shell
# Create E01 from raw dd (using ewfacquire)
ewfacquire -t output_case disk.dd

# Read/convert E01 to dd (using ewfexport)
ewfexport image.E01 -t image -f raw

# Verify E01 integrity (using ewfverify)
ewfverify image.E01

# Mount E01 (ewfmount)
sudo ewfmount image.E01 /mnt/ewf/
```
```text
GUI: File → Add Evidence Item → Image File → select image
CLI: mount to /mnt/image then use standard tools
```
```shell
# GUI: navigate to file → right-click → Export Files
# CLI:
ftkimager image.dd --export --data-path "path/to/file.txt" --export-path ./extracted/
```
```shell
# Windows (admin)
ftkimager \\.\PHYSICALMEMORY memdump.raw --verify
# → feed to volatility3
python3 vol.py -f memdump.raw windows.pslist
```
```shell
# Using FTK CLI
ftkimager image.E01 converted.dd

# Using ewfexport
ewfexport image.E01 -t converted -f raw
# Output: converted.raw
mv converted.raw converted.dd
```
| Tool | Use case |
|------|---------|
| autopsy | GUI investigation after image acquisition |
| sleuth-kit | CLI file system analysis on acquired image |
| volatility3 | Memory analysis after RAM acquisition |
| hashcat | Crack hashes found after extraction |
| binwalk | Analyze extracted binary artifacts |
| strings / xxd | Quick file content inspection |
| File | When to load |
|------|--------------|
| references/ | E01 acquisition parameters, multi-image cases, hash verification workflow |