This repository documents how to create and run a portable version of FTK Imager—commonly referred to as “Imager Lite”—from a removable flash drive or WinFE USB.
This approach is ideal for forensic acquisition and triage on systems where software installation is restricted, undesirable, or prohibited.
Running FTK Imager from a portable flash drive enables Security Operations and Digital Forensics teams to:
- Perform forensic imaging without installing software on the target system
- Minimize system impact and avoid installation artifacts
- Maintain field-ready portability for live response and incident handling
- Support forensic acquisition within WinFE or live Windows environments
Before proceeding, ensure you have the following:
- A separate preparation machine (never the forensic target)
- A removable USB flash drive (FAT32 or NTFS recommended)
- A licensed or standard installation of FTK Imager on the preparation machine
- Administrator access on the preparation system
Install FTK Imager on the preparation machine only. Do not install FTK Imager on the forensic target system.
- Insert the WinFE USB or dedicated forensic flash drive into the preparation system
- Ensure sufficient free space for the FTK Imager directory and output images
Copy the entire FTK Imager installation directory from the preparation system to the flash drive.
Common installation paths:
C:\Program Files\AccessData\FTK Imager
or
C:\Program Files (x86)\AccessData\FTK Imager
📁 Recommended destination on USB:
X:\Tools\FTK_Imager
- Insert the prepared flash drive into the target system
- Boot into WinFE or the live Windows environment (as authorized)
Browse to the FTK Imager directory on the flash drive:
X:\Tools\FTK_Imager
- Right-click
FTK Imager.exe - Select Run as Administrator
- Use FTK Imager normally to acquire forensic images
Live-system imaging may produce non-replicable results due to system activity.
During execution, FTK Imager may:
- Write data to system RAM
- Trigger pagefile or temporary file changes
- Interact with active processes
Analysts must evaluate and document these risks prior to acquisition.
FTK Imager v3.4.3 and later require MFC runtime files. If these are missing on the target system, FTK Imager will fail to launch.
Copy the following files from the preparation system:
C:\Windows\System32
To the FTK Imager directory on the flash drive:
mfc100.dllmfc110.dllmfc120.dllmfc140.dll(if required)
For FTK Imager v4.5.0, also copy the following DLLs:
msvcp140.dllvcruntime140.dllmfc140u.dll
Source directory:
C:\Windows\System32
Destination:
X:\Tools\FTK_Imager
Following this procedure allows forensic and security teams to:
- Deploy FTK Imager rapidly in the field
- Avoid installing tools on sensitive systems
- Maintain forensic defensibility
- Support live response, triage, and acquisition workflows
This portable FTK Imager configuration provides a reliable and flexible solution for forensic imaging without relying on traditional installation methods.
FTK Imager is a proprietary forensic tool.
This repository provides operational guidance only and does not redistribute FTK Imager binaries.
Use is restricted to authorized forensic and incident response activities with appropriate legal approval.