Some users report that the error points explicitly to "driver new" rather than a named driver like ewf. This often indicates that FTK Imager is failing to call the StartService Windows API for a driver it just dynamically generated.

In this specific scenario, the issue frequently relates to Temp folder permissions. FTK Imager writes a temporary .sys file to %TEMP%\FTK Imager\. If that folder is compressed, encrypted, or located on a network drive, the driver cannot start.
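A read-only check for the three conditions named above (compressed, encrypted, network location), as an added PowerShell example that is not from FTK Imager or its vendor. The function name `Test-DriverStagingFolder` is hypothetical; the folder path is the one the text gives.

```powershell
# Added diagnostic example: reports whether the driver staging folder is
# compressed, encrypted, or on a network location. It changes nothing.
function Test-DriverStagingFolder {
    param(
        # Path taken from the text above: %TEMP%\FTK Imager\
        [string]$Path = (Join-Path $env:TEMP 'FTK Imager')
    )

    # If the subfolder does not exist yet, inspect its parent (%TEMP%):
    # new folders inherit the NTFS compression/encryption attributes.
    $target = $Path
    if (-not (Test-Path -LiteralPath $target)) {
        $target = Split-Path -Path $target -Parent
    }

    $item = Get-Item -LiteralPath $target -Force
    $full = $item.FullName

    # UNC paths have no drive letter; mapped drives report DriveType 'Network'.
    $isUnc = ([System.Uri]$full).IsUnc
    $driveType = if ($isUnc) {
        'Network'
    } else {
        $root = [System.IO.Path]::GetPathRoot($full)
        ([System.IO.DriveInfo]::new($root)).DriveType.ToString()
    }

    $compressed = $item.Attributes.HasFlag([System.IO.FileAttributes]::Compressed)
    $encrypted  = $item.Attributes.HasFlag([System.IO.FileAttributes]::Encrypted)

    [pscustomobject]@{
        CheckedPath = $full
        Compressed  = $compressed
        Encrypted   = $encrypted
        DriveType   = $driveType
        # True when any of the three conditions from the text is present.
        Blocking    = $compressed -or $encrypted -or ($driveType -eq 'Network')
    }
}

# Run as the same user account that launches FTK Imager, so %TEMP% matches.
Test-DriverStagingFolder | Format-List
```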

Fix:

The "Could not start driver (new)" error is a nuisance, but it is rarely fatal to your investigation. In 90% of cases, Solution 1 (Test Signing Mode) resolves the conflict immediately.

If you are in a lab environment, it is good practice to keep a dedicated forensic image or virtual machine with Test Mode permanently enabled so you don't have to troubleshoot drivers while on-site during a critical engagement.

Have you encountered this error recently? Did a different fix work for you? Let us know in the comments below!

AccessData offers a Portable (ZIP) version of FTK Imager that does not rely on a permanently installed driver. This version extracts the driver to the user's temp folder and loads it on the fly. While it can still trigger signature issues, it is more resilient on locked-down corporate machines.

To understand the error, you must first understand how FTK Imager interacts with Windows.

Most user-level applications access files through the Windows API (Application Programming Interface)—the standard way to read C:\Users\...\document.docx. However, forensic imaging requires raw access to the entire physical disk (sectors, unallocated space, slack space). For this, FTK Imager relies on a kernel-mode driver.

This driver, historically named ftkimager.sys or similar, runs with Ring 0 privileges (the highest privilege level in a CPU). It bypasses the operating system’s file system permissions and reads directly from the disk device.

When you see the phrase "could not start driver (new)", it means:

The term "(new)" likely refers to a newer version of the driver used by modern FTK Imager releases (post-4.0, 64-bit versions) compared to legacy versions.

If you are using an older version of FTK Imager (like v3 or v4) on a modern operating system like Windows 11, the drivers may simply be incompatible.

AccessData (now Exterro) releases updates to keep up with Windows builds.

