
How to Create a Storage Device Image

Table of Contents

Preface
Methodology
Test Environment
Manual Best Use
Warning
Resources Needed
Steps 1, 2, 3, 4: Plug in USB, Open FTK Imager, Add Evidence
Steps 5, 6: Verify Drive
Steps 7, 8: Record Hash Values, Create Disk Image
Steps 9, 10: Select Drive
Steps 11, 12: Disk Image Settings
Steps 13, 14: Additional Disk Image settings
Steps 15, 16: Execute disk image process, Verify Hash Values match

Preface:
This instructional manual provides the procedure for creating a bit-for-bit copy of a
storage medium such as a USB flash drive or hard disk drive. It specifically explains how
to acquire an image of a USB flash drive, but the procedure should work with any
storage device connected to a computer.

Methodology:
The basic methodology is to connect a USB flash drive to a computer, use software to
create a bit-for-bit copy of the data on the drive, and validate that the copied data is
the same as the original.

Testing Environment:
This procedure will take place on a personal computer running the Microsoft Windows 10
operating system.

Manual Best Use:
It is best to review the procedure once before starting, and then follow it step by
step to ensure that each step is carried out accurately.

Warning:
Although this procedure is relatively safe, use caution while working with
electronic components that are powered on. Also ensure that the procedure is carried out in a
static-free environment to prevent damage to electronic components from static electricity.

Resources Needed:
This procedure requires a computer running Microsoft Windows with an internet
connection, and FTK Imager 3.1.1. FTK Imager can be downloaded for free at accessdata.com.

Procedure Steps:
Step 1: Plug the USB storage device containing data into a USB port on the computer.

Step 2: Open FTK Imager 3.1.1.

Step 3: From the menu bar of FTK Imager, click on File and select Add Evidence Item:

Figure 1: FTK Imager File screenshot

Step 4: Select Physical Drive and click Next >:

Figure 2: FTK Imager Select Source screenshot


Step 5: Select the USB drive from the drop-down menu and click Finish:

Figure 3: FTK Imager Select Drive screenshot

Step 6: From the FTK Imager menu bar, select File then select Verify Drive/Image:

Figure 4: FTK Imager File screenshot


Step 7: Record the MD5 and SHA-1 hash values resulting from the verify drive process:

Figure 5: FTK Imager Verify Drive results

Step 8: From the FTK Imager menu bar, select File and Create Disk Image:

Figure 6: FTK Imager File screenshot


Step 9: Select Physical Drive and click the Next > button:

Figure 7: FTK Imager Select Source screenshot

Step 10: Select the USB flash drive from the drop-down menu and click Finish:

Figure 8: FTK Imager Select Drive screenshot


Step 11: Click the Add button:

Figure 9: FTK Imager Create Image screenshot

Step 12: Select Raw (dd) and click the Next > button:

Figure 10: FTK Imager Select Image Type screenshot


Step 13: Fill out the appropriate text fields and click the Next > button:

Figure 11: FTK Imager Evidence Item Information screenshot

Step 14: Set an appropriate path and filename to store the created image, set the fragment
size to 0 so that a single image file is created, and click Finish:

Figure 12: FTK Imager Select Image Destination screenshot


Step 15: Click Start in the Create Image window:

Figure 13: FTK Imager Create Image screenshot

Step 16: Once the image process completes, compare the produced MD5 and SHA-1 hash
values to the values recorded in Step 7 to ensure that they are the same. Matching values
indicate that a bit-for-bit copy of the USB flash drive has been successfully created.

Figure 14: FTK Imager Drive/Image Verify Results screenshot
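
The comparison in Step 16 can also be repeated outside FTK Imager. The following Python script is an added example, not part of the original manual: it hashes the raw (dd) image in a single pass and compares the MD5 and SHA-1 values with those recorded in Step 7. The file name `usb_image.001` and the random sample data are constructed for illustration; passing several segment paths in order goes beyond Step 14 and covers an image written with a non-zero fragment size.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so a large image never sits in memory


def hash_image(segments):
    """Return (md5, sha1) hex digests of the segment files read in order."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for path in segments:
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(CHUNK), b""):
                md5.update(block)   # both digests are fed from the same read,
                sha1.update(block)  # so the image is only traversed once
    return md5.hexdigest(), sha1.hexdigest()


def normalise(value):
    """Hand-recorded hashes may differ in case or contain stray whitespace."""
    return "".join(value.split()).lower()


def verify_image(segments, recorded_md5, recorded_sha1):
    """Compare the image digests with the values recorded in Step 7."""
    md5, sha1 = hash_image(segments)
    ok = (md5, sha1) == (normalise(recorded_md5), normalise(recorded_sha1))
    return {"md5": md5, "sha1": sha1, "verified": ok}


def demo():
    """Constructed sample: random bytes stand in for the USB drive contents."""
    data = os.urandom(3 * CHUNK + 17)
    recorded_md5 = hashlib.md5(data).hexdigest().upper()  # as noted in Step 7
    recorded_sha1 = hashlib.sha1(data).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "usb_image.001")  # hypothetical file name
        with open(image, "wb") as fh:
            fh.write(data)
        good = verify_image([image], recorded_md5, recorded_sha1)
        with open(image, "r+b") as fh:  # flip one byte to simulate a bad copy
            fh.seek(100)
            fh.write(bytes([data[100] ^ 0xFF]))
        bad = verify_image([image], recorded_md5, recorded_sha1)
    return good["verified"], bad["verified"]


if __name__ == "__main__":
    print(demo())
```

A single changed byte is enough to make both digests differ, which is why the image is only treated as verified when the MD5 and the SHA-1 values both match.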

