How to Create a Copy of a Suspect's Evidence Using FTK Imager


The Forensic Toolkit Imager (FTK Imager) is a commercial forensic imaging software package distributed by AccessData. (AccessData offers computer forensics software and training. Their flagship product is Forensic Toolkit, but they offer several others.)

FTK Imager supports storage of disk images in EnCase’s or SMART’s file format, as well as in raw (dd) format. With Isobuster technology built in,

IMPORTANT: Before proceeding, when using FTK Imager to create a forensic image of a suspect’s hard drive, make sure you are using a hardware-based write-blocking device. This ensures that your operating system does not alter the suspect’s hard drive when you attach the drive to your computer.

First, download FTK Imager and install it.

Now open FTK Imager and click on “Create Disk Image”.

A “Select Source” box will open. Choose “Physical Drive” and click NEXT.

Now choose the drive holding the suspect's evidence that you want to image.

After choosing the drive, click on FINISH to start creating the image of the suspect's evidence.

(Note: select the option “Verify images after they are created”.)

Now, in “Select Image Type”, choose “Raw (dd)” and click on NEXT.

Now, in “Evidence Item Information”, fill in the attributes. The values shown here are only sample information; enter the details that apply to the suspect's evidence. Click NEXT.

Now choose the location where the image will be created and enter the image filename. Click on FINISH.

In the final step, click the START button to start creating the image.

The processing has now started; wait until the image creation completes.

Because we chose “Verify images after they are created”, the process will verify the image and then complete.

The image of the suspect's evidence has now been created successfully. You can now audit the suspect's evidence from the image created by FTK Imager.
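The verification step above can be repeated independently before each later examination of the image. The following Python script is an added example, not part of FTK Imager or the original article: it re-hashes a Raw (dd) image and compares the result with the MD5 and SHA1 values recorded at acquisition. It assumes a split image is stored as numbered segments (`evidence.001`, `evidence.002`, ...) and that the recorded hashes are copied by hand from the verification results; the file names and sample data are constructed.

```python
import hashlib
import os
import tempfile

def segment_paths(first_segment):
    """Return the image segments (.001, .002, ...) in order (naming is an assumption)."""
    base, ext = os.path.splitext(first_segment)
    if not (len(ext) == 4 and ext[1:].isdigit()):
        return [first_segment]          # single-file image such as evidence.dd
    paths, n = [], int(ext[1:])
    while os.path.exists(f"{base}.{n:03d}"):
        paths.append(f"{base}.{n:03d}")
        n += 1
    return paths

def hash_image(first_segment, chunk_size=1 << 20):
    """Hash all segments as one continuous byte stream; return (md5, sha1) hex digests."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    paths = segment_paths(first_segment)
    if not paths:                       # never report the hash of "nothing"
        raise FileNotFoundError(first_segment)
    for path in paths:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                md5.update(chunk)
                sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def verify_image(first_segment, recorded_md5, recorded_sha1):
    """Return (md5_matches, sha1_matches) against the hashes recorded at acquisition."""
    md5, sha1 = hash_image(first_segment)
    return md5 == recorded_md5.strip().lower(), sha1 == recorded_sha1.strip().lower()

def demo():
    """Constructed sample: a 3-segment image in a temp dir, then one altered byte."""
    data = bytes(range(256)) * 64       # stand-in for the acquired drive contents
    with tempfile.TemporaryDirectory() as d:
        for i in range(3):
            with open(os.path.join(d, f"evidence.{i + 1:03d}"), "wb") as fh:
                fh.write(data[i * 6000:(i + 1) * 6000])
        first = os.path.join(d, "evidence.001")
        recorded = (hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest())
        intact = verify_image(first, *recorded)
        with open(os.path.join(d, "evidence.002"), "r+b") as fh:
            fh.write(b"\xff")           # simulate a change made after acquisition
        altered = verify_image(first, *recorded)
    return intact, altered

if __name__ == "__main__":
    print(demo())
```

A mismatch on either digest means the working copy no longer matches what was acquired and should not be examined until the discrepancy is explained.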

Author: Abdul Salam is a cyber security researcher and Corporate Trainer of Ignite Technologies. He has 2+ years of experience in cyber security.