FTK Imager

Exterro / AccessData

Free disk imaging tool — acquires bit-for-bit forensic copies of drives.

Tags: Digital Forensics & IR · Commercial · GUI · Learning · Windows


Description

FTK Imager is the free imaging tool from Exterro (formerly AccessData). It is the standard for forensic acquisition of disks, partitions, memory, and individual files in Windows environments.

What it does:

  • Create bit-for-bit images in raw (dd), E01 (EnCase), AFF, or S01 (SMART) formats.
  • Compute MD5 and SHA-1 hashes of both the source and the resulting image, so the copy can be verified against the original for chain-of-custody purposes.
  • Capture live RAM to a .mem file.
  • Mount images read-only and browse content.
  • Export the protected $MFT, registry hives, and Volume Shadow Copies.

Use cases

  • First-responder acquisition before powering off a suspect host
  • Capturing volatile RAM in a "kidnap-and-go" scenario, where the host must be seized quickly and its memory contents would otherwise be lost on power-off
  • Producing court-defensible E01 images