Before you start
Pre-flight checklist Complete this before opening any imaging tool ▶
- 1 Record the case / ticket number before touching anything.
- 2 Record the hostname, IP address, and the current local time on the remote machine.
-
3
Confirm your image destination is reachable (UNC path like
\\server\cases\CaseXXor a mapped drive) and has enough free space — assume 1× the source drive size minimum. - 4 Close all non-essential applications on the remote machine to reduce disk I/O noise during imaging.
- 5 Note whether the machine has any BitLocker / FileVault / VeraCrypt full-disk encryption active. If so, coordinate with the account owner to ensure the volume is unlocked before imaging (FTK images the physical stream; an encrypted locked drive will produce an unreadable image).
-
6
Take a screenshot of the desktop and running processes (
Task Manager → Details) for your case notes.
Tool downloads
FTK Imager
The primary imaging tool. Creates E01 / AD1 / RAW images, acquires RAM, and can mount evidence items for preview. Runs on Windows only.
↗ Exterro (official)Requires a free Exterro account to download. Use the latest stable release.
WinPmem
Lightweight Windows memory acquisition tool. Use this if FTK Imager's built-in RAM capture is unavailable or if you want a standalone memory dump utility.
↗ GitHub Releases (official)Download the latest winpmem_mini_*.exe — single executable, no install needed.
Autopsy
Browser / analysis platform for reviewing FTK images. Not needed for acquisition, but useful if you need to triage the image without a full FTK Pro license.
↗ Autopsy (official)Download the Windows installer. Not required on the remote machine.
Procedures by target type
Select the correct target type for your situation. When in doubt: capture RAM first, then image the physical drive.
RAM / Memory capture Volatile — do this first if live-system evidence is needed ▶
RAM is destroyed on reboot. It may contain running processes, encryption keys, credentials, clipboard contents, and network connections invisible on disk. Capture it before imaging the drive if the system is still live and you suspect active malware or an ongoing compromise.
- 1 Open FTK Imager as Administrator.
- 2 Go to File → Capture Memory…
-
3
Set Destination path to your network share or mapped drive (e.g.
\\server\cases\Case01\).Never write to the system drive (
C:\). Use the UNC path or pre-mapped drive letter. -
4
Set Destination filename to something like
HOSTNAME_RAM_YYYYMMDD.mem. - 5 Leave "Include pagefile" checked if available — the pagefile extends effective RAM coverage.
- 6 Click Capture Memory and wait for completion. Do not interact with the machine during capture.
- 7 After completion, record the output filename and size in your case notes.
Physical drive (full disk image) Bit-for-bit copy of an entire drive — preferred for most investigations ▶
A physical image copies every sector of the drive — including unallocated space, deleted files, and file system metadata. This is the gold standard for forensic integrity. Use E01 format (EnCase Evidence File) for built-in hashing and compression; use RAW if you need maximum compatibility with other tools.
- 1 Open FTK Imager as Administrator.
- 2 Go to File → Create Disk Image…
-
3
Source type: Physical Drive. Click Next.
Choose "Physical Drive" (not Logical Drive) to capture everything including the MBR/GPT, partition table, and slack space.
-
4
Select the target drive from the list (e.g.
\\.\PHYSICALDRIVE0). Confirm you have the correct drive by checking the size. Click Finish. - 5 Click Add… in the Image Destination(s) panel. Choose image type E01 (recommended) or Raw (dd).
- 6 Fill in case metadata: Case Number, Evidence Number, Examiner, Description. This embeds in the E01 header.
- 7 Set image destination to your network share / mapped drive. Set a fragment size if splitting across FAT32 volumes (max 4 GB per fragment); otherwise use 0 (no split).
- 8 Ensure Verify images after they are created is checked. Click Start.
-
9
Wait for imaging and verification to complete. FTK will display MD5 and SHA1 hashes. Record both in your case notes.
Imaging a 500 GB drive over a LAN may take 2–4 hours. Do not disconnect the remote session.
-
10
Confirm the
.E01(and any segment files.E02,.E03…) and the.txtcase summary are present at the destination.
Logical drive / partition Faster acquisition of a single volume — less forensically complete ▶
A logical image captures only the allocated file system of a single partition (e.g. C:\). It is faster and smaller than a physical image, but it omits unallocated space, deleted file remnants, the MBR, and partition metadata. Use this only when a full physical image is impractical and you need specific user-accessible files quickly.
- 1 Open FTK Imager as Administrator.
- 2 Go to File → Create Disk Image… → Source type: Logical Drive.
-
3
Select the drive letter (e.g.
C:\) from the dropdown. Click Finish. -
4
Click Add… — choose AD1 (AccessData Logical Image) or E01. Fill in case metadata.
AD1 is the native logical format for FTK; E01 is more widely compatible if you plan to open the image in Autopsy or another tool.
- 5 Set destination to your network share. Ensure Verify images after they are created is checked. Click Start.
- 6 Record the final MD5 / SHA1 hashes from the completion dialog in your case notes.
VSS / Volume Shadow Copies Historical snapshots — useful for recovering deleted or modified files ▶
Windows automatically creates Volume Shadow Copies (VSS) at system restore points, Windows Update events, and (on servers) scheduled backup tasks. A shadow copy is a point-in-time snapshot of the volume. It may contain files that were later deleted, earlier versions of documents, or a view of the system before ransomware encryption. Always check for shadow copies — they are often overlooked and can be decisive.
-
1
First, enumerate available shadow copies. Open a CMD as Administrator and run:
vssadmin list shadows
Note the Shadow Copy Volume paths (e.g.\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1). - 2 In FTK Imager, go to File → Add Evidence Item… → Source type: Logical Drive.
-
3
In the drive dropdown, look for entries named like HarddiskVolumeShadowCopy1. These are the VSS snapshots. Select the one corresponding to the date you need.
If you do not see them, the dropdown may not list VSS volumes. In that case you can mount the shadow copy as a drive letter:
mklink /d C:\vss1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\, then point FTK at that drive letter. -
4
Image the shadow copy volume the same way as a logical drive (see Logical Drive procedure above). Use a filename that identifies the snapshot date, e.g.
HOSTNAME_VSS1_20240315.E01. -
5
Record the VSS creation timestamp (from
vssadmin list shadowsoutput) alongside the image hash in your case notes.
Cloud-connected accounts OneDrive, Google Drive, Dropbox, M365 — FTK cannot image these directly ▶
Cloud storage services (OneDrive, Google Drive, Dropbox, SharePoint, Exchange Online) do not live on the local drive in a way FTK Imager can capture. The local sync folder contains only what has been synced and not evicted by on-demand sync; the authoritative copy lives in the cloud. FTK will image whatever is locally cached, but you may miss files that were cloud-only. For a complete cloud acquisition you need one of the following approaches.
Option A — Provider admin export (no extra tools)
- 1 Microsoft 365 (OneDrive / Exchange / SharePoint): Use the Microsoft Purview compliance portal (compliance.microsoft.com) → Content Search or eDiscovery to export mailbox and OneDrive contents as PST / ZIP. Requires M365 E3/E5 or a Compliance add-on.
- 2 Google Workspace: Use Google Vault (vault.google.com) to place a legal hold and export Gmail, Drive, and Chat data. Requires Vault license.
- 3 Dropbox for Teams: Admin can export account contents via the Dropbox Admin console or Dropbox Business API.
Option B — Sync the local cache before imaging
-
1
Before imaging, open OneDrive / Google Drive / Dropbox on the remote machine and force a full sync (right-click tray icon → Sync now). This maximises locally cached content before you capture the drive image.
This is imperfect — files evicted by Files On Demand will still be stubs on disk. Use Option A for completeness.
- 2 After sync completes, proceed with a full physical or logical drive image (see procedures above).
Evidence integrity & chain of custody
Post-acquisition checklist Complete after every imaging session ▶
- 1 Confirm the image file(s) are present at the destination and file sizes are non-zero.
- 2 Save the MD5 and SHA1 hashes reported by FTK Imager to your case notes and to a separate text file alongside the image.
-
3
Save the FTK Imager
.txtcase log file (auto-generated alongside the image) — it contains acquisition timestamps and hash verification results. - 4 Record the name of the person who performed the acquisition, the date/time (UTC preferred), and the tool version used.
- 5 Verify the destination share is access-controlled. Only authorized investigators should be able to read the image files.
- 6 Update the case ticketing system with: image filename, size, hashes, acquisition datetime, and IT responder name.
Suggested naming convention
CASENO_HOSTNAME_TARGET_YYYYMMDD[_PART].ext
Examples:
IR2024-042_WKSTN-JSMITH_PHYS_20240315.E01
IR2024-042_WKSTN-JSMITH_RAM_20240315.mem
IR2024-042_WKSTN-JSMITH_VSS1_20240201.E01
Common mistakes & red flags
vssadmin list shadows and capture any that exist.