Setting Up a Forensic Acquisition Workflow with Sherlock Disk Imager

Forensic disk imaging is the bedrock of any computer forensic investigation. The acquisition workflow must produce a verifiable forensic copy of the source drive together with a chain-of-custody record that survives expert challenge in court. Sherlock Disk Imager, which is free, covers the software side of that workflow. This Tool Guide walks through the six standard steps, from write-block setup to chain-of-custody documentation.

TL;DR: Six steps for a defensible forensic acquisition: hardware write-block setup, source identification, pre-image hash, image creation, post-image hash and verification, chain-of-custody documentation. Sherlock Disk Imager handles steps 3 through 6 in one tool and produces a court-ready PDF report.

Step 1: Hardware Write-Block Setup

Connect the source drive through a hardware write-blocker. Software write-blockers exist, but courts treat them with more skepticism than hardware blockers. Confirm that the write-blocker indicator LED shows the source drive as read-only before any acquisition step, and photograph the indicator state for the engagement record and the case file. The write-blocker is the control that prevents modification of the source drive; the matching hashes from steps 3 and 5 are the evidence that none occurred.

Step 2: Source Identification

Record the source drive make, model, serial number and capacity in the acquisition log, and photograph the physical drive label. If the drive came from a Windows system, also record the volume serial number of each formatted volume; note that a volume serial identifies a filesystem, not the physical disk, so it complements rather than replaces the hardware serial. Sherlock Disk Imager surfaces drive metadata in the source-selection dialog so the examiner can cross-check it against the physical artifact before continuing. Any mismatch between the physical drive label and the software-read metadata is the first sign of evidence tampering or drive substitution and must be resolved before proceeding.

Step 3: Hash Before Image

Compute SHA-256 of the entire source drive before any image creation step. The pre-image hash is the chain-of-custody baseline: compared against the post-image source hash in step 5, it shows that the source drive bytes did not change during acquisition. Sherlock Disk Imager performs the pre-image hash automatically as part of the standard workflow. The hash output goes into the acquisition log with a timestamp and the examiner identity. If the source drive is bit-rotting, has surface damage or is failing, this is also where the read-error count first surfaces. A drive with hundreds of unrecoverable read errors produces a different forensic posture than a clean drive, and the examiner needs to document that in the engagement record. Bear in mind that the pre-image pass is a full extra read of the drive; on a drive that is already failing, weigh that added wear against the value of a separate baseline hash.

Step 4: Image Creation

Run the Sherlock Disk Imager image-creation workflow targeting a clean destination drive or a forensic image file. The destination format depends on the downstream forensic tooling: E01 (EnCase Evidence File format) for FTK or EnCase ingest, raw dd for analysis with open-source tooling, or AFF (Advanced Forensic Format) for compressed long-term archive. Record the destination identifier and the image timestamp in the acquisition log. Image creation is the slowest part of the workflow and must run without interruption; a partial image cannot be verified against a full-drive hash and is therefore not defensible. Plan power, runtime and thermal headroom before starting the image step.

Step 5: Hash After and Verify

Compute SHA-256 of the image and of the source after the acquisition completes. The three hashes (pre-image source, image data, post-image source) must all match. Two caveats apply. First, for E01 or AFF output the hash to compare is the hash of the decoded data stream, not of the container file on disk, which holds compressed chunks and metadata; raw dd images hash directly. Second, on a drive with unrecoverable sectors the image contains zero-filled placeholders and successive reads of the source may return different bytes, so the hashes will not match; record the read-error count and the affected ranges rather than treating the acquisition as silently valid. Any mismatch on a clean drive invalidates the chain of custody and the acquisition must be repeated. Sherlock Disk Imager performs the post-acquisition hash automatically as part of the standard workflow and surfaces the comparison result in the report.

Step 6: Chain of Custody Documentation

Sherlock Disk Imager generates a court-ready PDF acquisition report containing the SHA-256 hashes, the drive metadata, the timestamps and the examiner identity. Sign the PDF report digitally or physically, depending on jurisdiction, and store it with the case file. The acquisition report is the deliverable that proves the forensic copy is bit-identical to the source. Without the report, the image file is just bytes; with the report, the image file is admissible evidence.
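For examiners who want to see what steps 3 through 5 look like outside the GUI, here is the same pre-hash, image, post-hash and compare sequence done with dd and sha256sum, writing the fields that step 6 draws on into a plain-text log. This is an added example, not Sherlock Disk Imager code or output. It assumes step 1 is already done (SRC is the device exposed by the write-blocker, for example /dev/sdb), that DST is a raw image path, and that the drive uses 512-byte sectors; the EXAMINER and SECTOR environment variables and the return codes are this example's own conventions.

```shell
#!/bin/sh
# Added example (not Sherlock Disk Imager code): hash, image, hash again,
# compare, and log the result. Assumes a hardware write-blocker is in place.
# SECTOR is the input block size: conv=sync pads every short read to ibs,
# so keeping ibs at the physical sector size means only a bad sector gets
# zero-filled, never the tail of the drive. Use SECTOR=4096 on 4Kn drives.
SECTOR=${SECTOR:-512}

# Print the SHA-256 of a file or block device (coreutils or macOS shasum).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Append a UTC-timestamped entry to the acquisition log in $LOG.
log() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$LOG"
}

# acquire SRC DST LOG
# Returns 0 when all three hashes agree, 2 when dd reported read errors
# (hashes cannot be expected to match), 1 on a mismatch with no read errors.
acquire() {
    SRC=$1; DST=$2; LOG=$3
    log "examiner=${EXAMINER:-unset} source=$SRC dest=$DST sector=$SECTOR"

    pre=$(hash_file "$SRC")
    log "pre_source_sha256=$pre"

    # noerror: keep going past unreadable sectors; sync: zero-fill them so
    # offsets in the image stay aligned with the source. dd's stderr is kept
    # as part of the record; obs is 4 MiB to keep writes efficient.
    dd if="$SRC" of="$DST" ibs="$SECTOR" obs=4194304 conv=noerror,sync \
        2>"$DST.dd.log"
    errors=$(grep -c -i 'error' "$DST.dd.log" || true)
    log "dd_read_errors=$errors"

    img=$(hash_file "$DST")
    log "image_sha256=$img"
    post=$(hash_file "$SRC")
    log "post_source_sha256=$post"

    if [ "$pre" = "$img" ] && [ "$img" = "$post" ]; then
        log "verify=PASS"
        return 0
    fi
    log "verify=FAIL"
    if [ "$errors" -gt 0 ]; then
        return 2
    fi
    return 1
}

# Stand-alone use:
#   EXAMINER="J. Doe" sh acquire.sh /dev/sdb /evidence/case.dd /evidence/case.log
if [ $# -ge 3 ]; then
    acquire "$1" "$2" "$3"
fi
```

The log records all three hashes even on failure, because a failed verification is itself a fact the case file has to carry; the return code distinguishes a mismatch caused by read errors (expected, document it) from one on a clean drive (repeat the acquisition).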

Why Sherlock Disk Imager Versus the Alternatives

The forensic disk imaging market has vendor tools (FTK Imager, originally from AccessData and now from Exterro; EnCase Forensic Imager from OpenText) and open-source tools (dc3dd, dcfldd). The vendor imagers are free downloads, but the full FTK and EnCase suites they feed are priced for enterprise budgets. The open-source tools are powerful but command-line driven and require examiner skill to produce a chain-of-custody record. Sherlock Disk Imager covers the standard workflow with a GUI and produces a court-ready PDF acquisition report at no cost, making it suitable for the small-firm examiner, the IT team doing occasional forensics, and the academic or training environment.

For the practitioner running multiple acquisitions per week, Sherlock Disk Imager together with the rest of the Sherlock forensic suite (PST Viewer, NSF Viewer, OCR Reader, Universal Events Viewer, Browser Viewer, Android Acquirer) covers the most common forensic acquisition surfaces without the per-product license cost of the enterprise tool stack.