Step-by-step guide for creating a disk image (FTK Imager)

**Prerequisites**

* FTK Imager installed (latest stable build from AccessData).

# Download    https://www.exterro.com/ftk-product-downloads/

Photo credit by exterro.com

* Target workstation with the evidence device physically connected (e.g., Create a forensic Image of a USB Pen Drive.)

* Hardware write-blocker for physical drives (recommended).

* Secure destination storage with sufficient free space (external drive, evidence server).

* Chain-of-custody form and labels ready.

* Admin privileges on the imaging workstation.

## Before you start — checklist & legal considerations

1. Obtain **authorization** to image the device (warrant/consent).

2. Photograph the device, serial numbers, and port connections.

3. Note device power state (on/off), time, and IMEI/asset tag if applicable.

4. Attach evidence tag and start the Chain-of-Custody log (who, when, why).

5. Use a **write-blocker** for physical disks; do not boot suspect machines .

1. Launch FTK Imager: Double-click the FTK Imager icon to start the program. 
   

• Document the workstation & evidence

2. * In your notes/chain-of-custody, record examiner name, date/time, imaging machine hostname, and connected evidence device details (model, serial, connection type).

3. Connect evidence and enable write-blocker 

* Connect the drive through a hardware write-blocker and confirm the write-blocker powered on.

* If imaging a USB thumb drive, connect directly or via a write-blocker (recommended).or writer-blocker software .

4.Initiate Image Creation: Go to the File menu and select Create Disk Image. 

Select Evidence Source: Choose the type of source you want to image (e.g., Physical Drive for a full hard drive, Logical Drive for a partition, or Contents of a Folder). 

  * **Physical Drive** — if you want the whole disk (recommended for forensic completeness).

  * **Logical Drive** — if you only need a partition or mounted volume.

  * **Image File** / **Contents of a Folder** — alternative options.

* Select the correct device from the list (carefully confirm size/serial).

5) Select Image Type / Destination

Choose Image Format: Select the desired forensic image format. Common options include:

* Click **Next** and then **Add** to configure destination.

E01 (EnCase Format): A common format that includes case information. recommended (supports compression, metadata, checksums).

AFF (Advanced Forensic Format): A non-proprietary format. 

Raw (dd): A direct bit-by-bit copy of the disk. 

6) Configure Destination Details

Select the Specific Drive: From the list presented, select the specific drive or folder that you want to create an image of. 

Set Image Details:Destination: Specify the folder where the image file will be saved. 

Case Information: Enter details such as a case number, examiner's name, and notes for the image. 

Fragment Size (Optional): Specify a size for image fragments if you need to split a large image into smaller, more manageable files. 

Start the Acquisition: Click Finish to begin the imaging process. 

Verify the Image: After the image is created, you can view the summary to verify the process and check the hash values to ensure the image integrity. 

7)Start Imaging : click **Start**.

8) Record Final Hashes & Log

* After completion, FTK Imager will show final MD5/SHA1/SHA256 values (depending on your selection).

* Record these in the Chain-of-Custody and imaging log. Capture a screenshot of the final window as part of the evidence notebook.

Question ?

ข้อ 1. ขั้นตอนแรกสุดที่สำคัญที่สุดก่อนที่จะเริ่มสร้างดิสก์อิมเมจคืออะไร และทำไมขั้นตอนนี้จึงมีความสำคัญต่อผลทางนิติวิทยาศาสตร์ดิจิทัล (Digital Forensics)?

ตอบ."4LiC4Lix4LmJ4LiZ4LiV4Lit4LiZ4LmB4Lij4LiB4Liq4Li44LiU4LmB4Lil4Liw4Liq4Liz4LiE4Lix4LiN4LiX4Li14LmI4Liq4Li44LiU4LiE4Li34LitIOC4geC4suC4o+C4lOC4s+C5gOC4meC4tOC4meC4geC4suC4o+C5gOC4nuC4t+C5iOC4reC4m+C5ieC4reC4h+C4geC4seC4meC4geC4suC4o+C5gOC4guC4teC4ouC4meC4guC5ieC4reC4oeC4ueC4peC4peC4h+C5hOC4m+C4ouC4seC4h+C4q+C4peC4seC4geC4kOC4suC4meC4leC5ieC4meC4l+C4suC4hyAoV3JpdGUtQmxvY2tpbmcpDQrguITguLPguK3guJjguLTguJrguLLguKI6IOC4geC4suC4o+C5g+C4iuC5iSBIYXJkd2FyZSBXcml0ZSBCbG9ja2VyIOC4q+C4o+C4t+C4reC4geC4suC4oyBhY3RpdmF0ZSDguYLguKvguKHguJQgd3JpdGUgcHJvdGVjdGlvbiDguYPguJnguYDguITguKPguLfguYjguK3guIfguKHguLfguK0gKOC4luC5ieC4suC4oeC4tSkg4LmA4Lib4LmH4LiZ4Liq4Li04LmI4LiH4Liq4Liz4LiE4Lix4LiN4LmA4Lie4Li34LmI4Lit4LmD4Lir4LmJ4LmB4LiZ4LmI4LmD4LiI4Lin4LmI4Liy4LiC4LmJ4Lit4Lih4Li54Lil4Lia4LiZ4LiU4Li04Liq4LiB4LmM4LiV4LmJ4LiZ4LiX4Liy4LiH4LiI4Liw4LmE4Lih4LmI4LiW4Li54LiB4LmA4Lib4Lil4Li14LmI4Lii4LiZ4LmB4Lib4Lil4LiH4Lir4Lij4Li34Lit4LmA4LiC4Li14Lii4LiZ4LiX4Lix4Lia4LmC4LiU4Lii4LmE4Lih4LmI4LmE4LiU4LmJ4LiV4Lix4LmJ4LiH4LmD4LiI4LmD4LiZ4Lij4Liw4Lir4Lin4LmI4Liy4LiH4LiB4Lij4Liw4Lia4Lin4LiZ4LiB4Liy4Lij4Liq4Lij4LmJ4Liy4LiH4Lit4Li04Lih4LmA4Lih4LiIIOC4geC4suC4o+C4o+C4seC4geC4qeC4suC4hOC4p+C4suC4oeC4muC4o+C4tOC4quC4uOC4l+C4mOC4tOC5jOC4guC4reC4h+C4q+C4peC4seC4geC4kOC4suC4meC4meC4teC5ieC4iuC5iOC4p+C4ouC4o+C4seC4geC4qeC4suC4hOC4p+C4suC4oeC4quC4oeC4muC4ueC4o+C4k+C5jOC4guC4reC4h+C4guC5ieC4reC4oeC4ueC4pSAoRGF0YSBJbnRlZ3JpdHkpIOC5geC4peC4sOC4l+C4s+C5g+C4q+C5ieC4reC4tOC4oeC5gOC4oeC4iOC4l+C4teC5iOC5hOC4lOC5ieC4quC4suC4oeC4suC4o+C4luC4meC4s+C5hOC4m+C5g+C4iuC5ieC5g+C4meC4qOC4suC4peC5hOC4lOC5iSDguYDguJ7guKPguLLguLDguYDguJvguYfguJnguKvguKXguLHguIHguJDguLLguJnguJfguLXguYjguJXguKPguIfguIHguLHguJrguILguK3guIfguYDguJTguLTguKHguJfguLjguIHguJvguKPguLDguIHguLLguKM="

ข้อ 2. ในการสร้างดิสก์อิมเมจด้วย FTK Imager，เมื่อเราเลือก "Create Disk Image" และเลือกแหล่งที่มา (Source) เรียบร้อยแล้ว，โปรแกรมจะให้เรากำหนดรายละเอียดในหน้าต่าง "Create Image" จงอธิบายความสำคัญของตัวเลือกต่อไปนี้:

• Image Type (e.g.， RAW (dd)， E01)

• Destination (เส้นทางในการบันทึกไฟล์อิมเมจ)

ตอบ "SW1hZ2UgVHlwZTog4LmA4Lib4LmH4LiZ4LiB4Liy4Lij4LmA4Lil4Li34Lit4LiB4Lij4Li54Lib4LmB4Lia4Lia4LiC4Lit4LiH4LmE4Lif4Lil4LmM4Lit4Li04Lih4LmA4Lih4LiIDQoNClJBVyAoZGQpOiDguYDguJvguYfguJnguKPguLnguJvguYHguJrguJrguJfguLXguYjguIfguYjguLLguKLguYHguKXguLDguYDguKPguYfguKfguJfguLXguYjguKrguLjguJQg4LmB4LiV4LmI4LmE4Lif4Lil4LmM4LiI4Liw4Lih4Li14LiC4LiZ4Liy4LiU4LmA4LiX4LmI4Liy4LiB4Lix4Lia4LiU4Li04Liq4LiB4LmM4LiV4LmJ4LiZ4LiX4Liy4LiH4LiX4Lix4LmJ4LiH4Lir4Lih4LiU4LmB4Lil4Liw4LmE4Lih4LmI4Lih4Li14LiE4Li44LiT4Liq4Lih4Lia4Lix4LiV4Li04LiB4Liy4Lij4Lia4Li14Lia4Lit4Lix4LiU4Lir4Lij4Li34Lit4LmA4Lih4LiV4Liy4LiU4Liy4LiX4Liy4LmD4LiZ4LiV4Lix4LinDQoNCkUwMSAoRXhwZXJ0IFdpdG5lc3MgRm9ybWF0KTog4LmA4Lib4LmH4LiZ4Lij4Li54Lib4LmB4Lia4Lia4Lih4Liy4LiV4Lij4LiQ4Liy4LiZ4LmD4LiZ4LiX4Liy4LiH4LiZ4Li04LiV4Li04Lin4Li04LiX4Lii4Liy4Lio4Liy4Liq4LiV4Lij4LmMIOC4oeC4teC4geC4suC4o+C4muC4teC4muC4reC4seC4lOC4guC5ieC4reC4oeC4ueC4pe+8jCDguKrguKPguYnguLLguIcgY2hlY2tzdW0gKENSQzMy77yMIE1ENe+8jCBTSEEtMSkg4Liq4Liz4Lir4Lij4Lix4Lia4LiX4Lix4LmJ4LiH4Lit4Li04Lih4LmA4Lih4LiI4LmB4Lil4Liw4LmB4LiV4LmI4Lil4LiwIHNlY3Rvcu+8jCDguYHguKXguLDguYDguIHguYfguJrguYDguKHguJXguLLguJTguLLguJfguLLguYDguIrguYjguJkg4Lin4Lix4LiZ4LiX4Li14LmI77yMIOC4nOC4ueC5ieC4quC4o+C5ieC4suC4h++8jCDguKvguKHguLLguKLguYDguKXguILguK3guLjguJvguIHguKPguJPguYwg4LiL4Li24LmI4LiH4Lih4Li14LiE4Lin4Liy4Lih4LiZ4LmI4Liy4LmA4LiK4Li34LmI4Lit4LiW4Li34Lit4Liq4Li54LiH4LiB4Lin4LmI4LiyDQoNCkRlc3RpbmF0aW9uOiDguJXguYnguK3guIfguYDguKXguLfguK3guIHguJrguLHguJnguJfguLbguIHguKXguIfguYPguJnguJTguLTguKrguIHguYzguJvguKXguLLguKLguJfguLLguIfguJfguLXguYjguJfguLXguYjguKHguLXguJ7guLfguYnguJnguJfguLXguYjguKfguYjguLLguIfguYDguJ7guLXguKLguIfguJ7guK0gKOC4oeC4suC4geC4geC4p+C5iOC4suC4guC4meC4suC4lOC4guC4reC4h+C4lOC4tOC4quC4geC5jOC4leC5ieC4meC4l+C4suC4hykg4LmB4Lil4Liw4LiV4LmJ4Lit4LiH4LmE4Lih4LmI4LmD4LiK4LmIIOC4lOC4tOC4quC4geC5jOC4q+C4peC4seC4geC4kOC4suC4meC4leC5ieC4meC4l+C4suC4h+C5gOC4lOC4teC4ouC4p+C4geC4seC4meC4meC4seC5ieC4mQ0KDQo="

ข้อ 3. หลังจากกระบวนการสร้างอิมเมจเสร็จสิ้น， FTK Imager จะแสดงรายงานสรุปผล (Summary Report) อะไรบ้างในรายงานนี้ที่บ่งชี้ว่าการสร้างอิมเมจสำเร็จและถูกต้องสมบูรณ์?

ตอบ "4Liq4Li04LmI4LiH4LiX4Li14LmI4Lia4LmI4LiH4LiK4Li14LmJ4Lin4LmI4Liy4LiB4Liy4Lij4Liq4Lij4LmJ4Liy4LiH4Lit4Li04Lih4LmA4Lih4LiI4Liq4Liz4LmA4Lij4LmH4LiI4LmB4Lil4Liw4LiW4Li54LiB4LiV4LmJ4Lit4LiH4Liq4Lih4Lia4Li54Lij4LiT4LmM4LmD4LiZ4Lij4Liy4Lii4LiH4Liy4LiZ4Liq4Lij4Li44Lib4Lic4Lil4LiE4Li34LitDQoNCkltYWdlIFZlcmlmaWNhdGlvbiBSZXN1bHQ6IOC4leC5ieC4reC4h+C5geC4quC4lOC4h+C4guC5ieC4reC4hOC4p+C4suC4oeC4p+C5iOC4siAiVmVyaWZpY2F0aW9uIGNvbXBsZXRlZCBzdWNjZXNzZnVsbHkuIiDguKvguKPguLfguK0gIkltYWdlIHZlcmlmaWVkIHN1Y2Nlc3NmdWxseS4iDQoNCkhhc2ggQ29tcGFyaXNvbjog4LiE4LmI4LiyIGhhc2ggKE1ENe+8jCBTSEEtMSkg4LiX4Li14LmI4LiE4Liz4LiZ4Lin4LiT4LmE4LiU4LmJ4LiI4Liy4LiB4LiV4LmJ4LiZ4LiX4Liy4LiHIChBY3F1aXNpdGlvbiBIYXNoKSDguYHguKXguLDguIjguLLguIHguYTguJ/guKXguYzguK3guLTguKHguYDguKHguIggKEltYWdlIEhhc2gpIOC4leC5ieC4reC4h+C4leC4o+C4h+C4geC4seC4meC4l+C4uOC4geC4m+C4o+C4sOC4geC4suC4oyAoTWF0Y2gpIOC4q+C4suC4geC4hOC5iOC4suC5hOC4oeC5iOC4leC4o+C4h+C4geC4seC4mSDguYHguKrguJTguIfguKfguYjguLLguILguYnguK3guKHguLnguKXguYPguJnguK3guLTguKHguYDguKHguIjguYHguJXguIHguJXguYjguLLguIfguIjguLLguIHguJTguLTguKrguIHguYzguJXguYnguJnguJfguLLguIcg4LmB4Lil4Liw4Lit4Li04Lih4LmA4Lih4LiI4LiZ4Lix4LmJ4LiZ4LmE4Lih4LmI4LiZ4LmI4Liy4LmA4LiK4Li34LmI4Lit4LiW4Li34LitDQoNCg=="

ข้อ 4. ไฟล์อิมเมจรูปแบบ E01 ที่สร้างจาก FTK Imager มักจะไม่ใช่ไฟล์เดียว แต่จะถูกแบ่งออกเป็นหลายๆ ไฟล์ (เช่น .E01， .E02， .E03) เหตุใดโปรแกรมจึงทำเช่นนั้น และมีปัจจัยใดบ้างที่กำหนดขนาดของไฟล์เหล่านี้?

ตอบ "4LmA4Lir4LiV4Li44Lic4LilOiDguIHguLLguKPguYHguJrguYjguIfguYTguJ/guKXguYzguK3guLTguKHguYDguKHguIjguK3guK3guIHguYDguJvguYfguJnguKrguYjguKfguJnguYYg4Lih4Li1IHJlYXNvbnMg4Lir4Lil4Lix4LiB4LmGIOC4hOC4t+C4rQ0KDQrguYDguJ7guLfguYjguK3guITguKfguLLguKHguKrguLDguJTguKfguIHguYPguJnguIHguLLguKPguYDguITguKXguLfguYjguK3guJnguKLguYnguLLguKLguKvguKPguLfguK3guIjguLHguJTguYDguIHguYfguJog4LiB4Liy4Lij4Lia4Lix4LiZ4LiX4Li24LiB4LmA4Lib4LmH4LiZ4LmE4Lif4Lil4LmM4LiC4LiZ4Liy4LiU4LmA4Lil4LmH4LiB4Lil4LiHICjguYDguIrguYjguJkg4LmE4Lif4Lil4LmM4Lil4LiwIDRHQikg4LiX4Liz4LmD4Lir4LmJ4LiH4LmI4Liy4Lii4LiV4LmI4Lit4LiB4Liy4Lij4LiE4Lix4LiU4Lil4Lit4LiB4Lil4LiH4LmD4LiZIEZBVDMyIGZvcm1hdHRlZCBkcml2ZSAo4LiL4Li24LmI4LiH4Lij4Lit4LiH4Lij4Lix4Lia4LmE4Lif4Lil4LmM4LiC4LiZ4Liy4LiU4LmE4Lih4LmI4LmA4LiB4Li04LiZIDRHQikg4Lir4Lij4Li34Lit4Lit4Lix4Lib4LmC4Lir4Lil4LiU4Lic4LmI4Liy4LiZ4Lij4Liw4Lia4Lia4LmA4LiE4Lij4Li34Lit4LiC4LmI4Liy4LiiDQoNCuC5gOC4nuC4t+C5iOC4reC4geC4suC4o+C4iOC4seC4lOC4geC4suC4o+C4l+C4teC5iOC4h+C5iOC4suC4ouC4guC4tuC5ieC4mSDguKvguLLguIHguYDguIHguLTguJTguITguKfguLLguKHguYDguKrguLXguKLguKvguLLguKLguIHguLHguJrguYTguJ/guKXguYzguYYg4LmA4LiU4Li14Lii4LinIOC4iOC4sOC4leC5ieC4reC4h+C4quC4o+C5ieC4suC4h+C4reC4tOC4oeC5gOC4oeC4iOC4l+C4seC5ieC4h+C5hOC4n+C4peC5jOC5g+C4q+C4oeC5iCDguYPguJnguILguJPguLDguJfguLXguYjguKvguLLguIHguYHguJrguYjguIfguYTguKfguYkg4LiE4Lin4Liy4Lih4LmA4Liq4Li14Lii4Lir4Liy4Lii4Lih4Lix4LiB4LiI4Liw4LiI4Liz4LiB4Lix4LiU4Lit4Lii4Li54LmI4LmA4Lie4Li14Lii4LiHIHNlZ21lbnQg4LmA4LiU4Li14Lii4Lin"

อ่านเพิ่มเติม:

• Acquiring an Image with FTK Imager

หมายเหตุ:เนื้อหาในเว็บไซต์นี้มีขึ้นเพื่อวัตถุประสงค์ในการให้ข้อมูล  เผยแพร่ความรู้และให้โอกาสในการค้นคว้าหาข้อมูลเพื่อการศึกษา   บุคคลที่สนใจโดยทั่วไป รวมถึงนักเรียน นิสิต นักศึกษา  ในการเรียนรู้เท่านั้น

* หากมีข้อมูลข้อผิดพลาดประการใด ขออภัยมา ณ ที่นี้ด้วย  รบกวนแจ้ง Admin เพื่อแก้ไขต่อไป
ขอบคุณครับ

#WINDOWSFORENSIC #COMPUTERFORENSICS #DFIR #FORENSICS #DIGITALFORENSICS #COMPUTERFORENSIC #INVESTIGATION #CYBERCRIME #FRAUD