Using Command Line Imager

Basic Instructions:
1. Download the appropriate Imager CLI package and unzip it.
2. Open a Terminal windows (Mac & Linux) or Command Prompt (Windows). Make sure the
Terminal/Command Prompt is run with elevated privileges (the su or sudo command on
Mac & Linux, right-click>Run as Administrator on Windows).
3. Use the cd command to navigate to the folder where you expanded the Imager CLI files.
4. Run the following command to list the physical drives attached to your system:
ftkimager --list-drives
5. Use a command in the structure of ftkimager [source] [destination] [options] to create an
image of your selected drive, where [source] is the physical path of the drive to image and
[destination] is the full path (excluding file extension) where the resulting image will be saved.
[source] can also be an image file for converting to another image format. Use quotes when
[source] or [destination] contain spaces. Reference the options listed below when formulating
the command.
Example:
To image the drive listed as \\.\PHYSICALDRIVE0 to an E01 named MyDrive on drive X:\ and encrypt the
image using the password test123, you would use the following command:
ftkimager \\.\PHYSICALDRIVE0 X:\MyDrive --e01 --outpass test123

Advanced Usage
ftkimager [source] [destination] [options]
The following is a list of all possible options that can be used. Multiple options can be used in the same
command.
Option
--help
--list-drives
--verify

--print-info
--quiet

Functionality
Use this option without a [source] or [destination]
to display all possible options.
Use this option without a [source] or [destination]
to list all detected physical drives.
Verifies the image after creation if [destination] is
specified. Verifies the source image if
[destination] is not specified.
Displays information about a source. [source] can
be a physical drive or image file.
Hides all create or verify progress information.

--no-sha1

Does not compute SHA1 hash during the create or

verify process.

The following options are valid only when [destination] is specified:

Option
Functionality
--s01
Outputs a SMART image.
--e01
Outputs and E01 image.
--frag X{K|M|G|T}
Defines the maximum image fragment size X. Size
can be in Kilobytes, Megabytes, Gigabytes, or
Terabytes (eg. --frag 1G will result in 1 GB image
fragments).
--compress X
Sets the image compression level X (0=none,
1=fast, ..., 9=best). If this option is not specified,
the default compression level will be used.
The following options can be used to add metadata to the destination image. Use quotes when X
contains spaces:
Option
Functionality
--case-number X
Specifies case number X.
--evidence-number X
Specifies evidence number X.
--description X
Specified evidence description X.
--examiner X
Specifies examiner X.
--notes X
Specifies evidence notes X.
The following options are used in image encryption and decryption:
Option
Functionality
--inpass P
Specifies password P to decrypt the source when
[source] is an image file.
--incert C [P]
Specifies certificate C and password P (optional) to
decrypt the source when [source] is an image file.
--outpass P
Specifies password P to encrypt the destination
image.
--outcert C [P]
Specifies certificate C and password P (optional) to
encrypt the destination image.