When Exterro FTK Imager initializes a physical capture, it attempts to load its proprietary kernel-mode driver ( ad_driver.sys ) to bypass operating system abstractions and communicate directly with storage devices or RAM. If Windows blocks this driver, the application fails to perform low-level forensic functions.
Download the archive from a secure forensic workstation.
If corporate security policies prevent you from modifying Windows driver settings, you can bypass the host operating system entirely.
The most frequent culprit on modern machines is Windows Core Isolation. The kernel driver embedded in older builds of FTK Imager does not comply with modern virtualization-based security (VBS) standards. ftk imager could not start driver new
or when the software fails to load its low-level access driver on modern or virtualized operating systems Primary Troubleshooting Steps Run as Administrator
To prevent driver initialization errors when deploying tools during a live incident response, adopt the following operational strategies:
: A bootable Linux environment that bypasses Windows driver issues entirely to image drives. When Exterro FTK Imager initializes a physical capture,
Look for a file named aexdisk.inf or similar driver-related file. Right-click the file and select . If it asks to replace an existing driver, choose Yes . 4. Disable Driver Signature Enforcement (Temporary Fix) If the driver is older, Windows might refuse it.
: If you are running Windows 11 on an ARM-based machine (like an M1/M2/M3 Mac via Parallels), FTK Imager's x64 drivers may fail to load because they are not compatible with the ARM architecture. Review of FTK Imager (Exterro)
Windows prevents standard applications from calling the API mechanisms needed to load drivers. You must enforce explicit administrator override rules. If corporate security policies prevent you from modifying
Start with the simplest fix and work your way down the list.
For most users, or Solution 3 (Disable Memory Integrity) will resolve the issue instantly. If you are in a corporate environment with strict IT policies, reach out to your security team to have the FTK Imager driver explicitly allowed.
Whether you are running a or operating from a portable USB drive