Why a Forensic Firm Gives Tools Away
Sherlock Forensics has operated as a digital forensics consultancy since 2006. Our work is forensic examinations, expert testimony and security consulting. We are not a software company. We do not have product managers or quarterly revenue targets for software sales.
Over 20 years of casework we built internal tools to solve problems that commercial products either ignored or overcharged for. A hash calculator that does exactly what we need. A metadata extractor that pulls the fields investigators actually care about. A port scanner designed for incident response rather than penetration testing.
These tools sat on our workstations for years. We decided to package them for public release because the forensic community benefits when practical tools are freely available. Investigators working small cases, solo practitioners starting their practice, IT staff handling their first incident response. These people need functional tools, not $500 enterprise licenses.
Today we are releasing four desktop tools as free downloads. Each tool is a standalone Windows executable that requires no installation and no administrator privileges. Every download is SHA256 verified so you can confirm integrity before use.
1. Sherlock PST Viewer (Free Edition)
Version: 0.1.4
Platform: Windows 10/11
Download: sherlock-pst-viewer.html
The PST Viewer Free Edition opens Microsoft Outlook PST and OST files without requiring Outlook. It provides full-text search across all messages, folder tree navigation and individual email export. The tool operates in read-only mode and cannot modify the source file.
Who It Is For
IT administrators who need to access archived or orphaned mailboxes. Paralegals conducting initial document review. Anyone who needs to read PST or OST files without an Outlook license. Investigators who need to triage email evidence before deciding whether a full forensic examination is warranted.
What It Does
- Opens PST and OST files without Outlook installed
- Full-text search across all messages including headers and body content
- Folder tree navigation matching the original mailbox structure
- Individual email export (EML format)
- Attachment viewing and extraction
- Read-only access by design
What It Does Not Do
The Free edition does not include forensic features. There is no SHA256 per-message hashing, no chain of custody reporting and no batch export. Those features require the Pro edition at $67 USD. We are transparent about this boundary because investigators need to understand the evidentiary limitations of the tool they are using.
Also available: the dedicated OST Viewer page with OST-specific documentation and download.
2. Sherlock Hash Calculator
Version: 0.1.4
Platform: Windows 10/11
Download: sherlock-hash-calculator.html
File hashing is the foundation of digital forensics. Every forensic examination begins and ends with hash verification. The Sherlock Hash Calculator computes cryptographic hashes for files and text strings using industry-standard algorithms.
Who It Is For
Forensic examiners who need quick hash verification during examinations. IT security professionals validating file integrity after a suspected compromise. System administrators verifying software downloads. Incident responders checking file hashes against known-malicious indicators of compromise (IOCs).
What It Does
- Computes MD5, SHA1 and SHA256 hashes simultaneously
- Drag-and-drop file input
- Text string hashing for password verification and data comparison
- Hash comparison tool to check two values against each other
- Copy-to-clipboard for each hash value
- Handles large files without memory issues
Why We Made It Free
Hash calculation is a fundamental operation that every investigator performs multiple times per case. Charging for this capability would be like charging for a ruler. Windows includes certutil for command-line hashing, but a visual interface with drag-and-drop and simultaneous multi-algorithm output saves time during active examinations. This tool exists because we needed it on our own workstations and there was no reason to keep it internal.
3. Sherlock Metadata Inspector
Version: 0.1.4
Platform: Windows 10/11
Download: sherlock-metadata-inspector.html
Document metadata is frequently the most valuable evidence in a case. Author names, creation dates, modification history, GPS coordinates in photographs and software version strings all reside in file metadata. The Sherlock Metadata Inspector extracts and displays this information from common file types.
Who It Is For
Forensic examiners analyzing document provenance. Attorneys reviewing documents for inadvertent metadata disclosure before production. HR professionals examining documents in workplace investigations. OSINT analysts extracting metadata from publicly available files. Photographers and journalists verifying image origin and authenticity.
What It Does
- Extracts metadata from Office documents (DOCX, XLSX, PPTX), PDFs, images (JPEG, PNG, TIFF) and common file types
- Displays EXIF data from photographs including GPS coordinates, camera model and timestamps
- Shows document properties: author, creation date, modification date, revision count and software version
- PDF metadata extraction including producer, creator application and encryption status
- Export metadata to text file for documentation
- Drag-and-drop interface for rapid triage
Why We Made It Free
Metadata inspection should be routine, not reserved for organizations with tool budgets. An attorney should be able to check a document for hidden metadata before filing it publicly. A journalist should be able to verify the origin of a photograph. A forensic examiner should have instant access to file metadata without launching a full forensic platform. We use this tool daily and every investigator should have something equivalent.
4. Sherlock Port Scanner
Version: 0.1.4
Platform: Windows 10/11
Download: sherlock-port-scanner.html
Network reconnaissance is a standard procedure in incident response, security assessments and network forensics. The Sherlock Port Scanner provides TCP port scanning with service identification in a lightweight desktop application. It is designed for authorized network assessment, not adversarial use.
Who It Is For
Incident responders identifying exposed services on compromised networks. System administrators auditing their own infrastructure. Security consultants performing authorized assessments. Forensic examiners documenting network state during an investigation. IT staff troubleshooting connectivity issues.
What It Does
- TCP port scanning with configurable port ranges
- Common service identification (HTTP, HTTPS, SSH, RDP, SMB, FTP and others)
- Scan results export for documentation
- Configurable timeout and threading for scan speed control
- Visual interface with color-coded port status
- No installation required
Why We Made It Free
Nmap exists and is excellent. But Nmap requires installation, command-line familiarity and occasionally administrator privileges. During incident response you sometimes need to scan a network segment from a workstation where you cannot install software. The Sherlock Port Scanner runs as a standalone executable with a visual interface. It does not replace Nmap for comprehensive assessments but it fills the gap when you need a quick scan from a restricted workstation.
Download Verification
Every tool download is published with a SHA256 hash on its respective download page. We recommend verifying every download before execution. This is standard practice in forensics and should be standard practice everywhere.
To verify a download:
- Download the tool from its page on www.sherlockforensics.com/pages/tools.html
- Note the SHA256 hash published on the download page
- Compute the SHA256 hash of your downloaded file (use the Sherlock Hash Calculator or
certutil -hashfile filename SHA256on Windows) - Compare the two values. They must match exactly
If the hashes do not match, do not execute the file. Contact us immediately.
Version 0.1.4 Release Notes
All four tools ship at version 0.1.4. This version includes:
- Stability improvements for large file handling
- UI consistency across the tool suite
- Updated SHA256 verification hashes
- Windows 11 compatibility testing completed
- Reduced executable size for faster downloads
These are early-version tools. We use them in production daily and they are stable for their intended purposes. If you encounter an issue, contact us directly. We fix bugs reported by investigators because we rely on the same tools ourselves.
No Telemetry, No Registration, No Strings
None of the Sherlock desktop tools collect data, phone home, require registration or display advertisements. There are no analytics embedded in the executables. There is no "free trial" that expires after 30 days. The tools do not check for updates automatically.
We publish tools this way because forensic examiners cannot install software that transmits data from examination workstations. Any tool that phones home is disqualified from use in a forensic environment. Our tools are designed for forensic workstations first and everything else second.
The Forensic Pedigree
These tools were built by the same team that conducts forensic examinations and provides expert testimony. Ryan Green (CISSP, ISSAP, ISSMP) has over 20 years of digital forensics experience and has been qualified as an expert witness in multiple jurisdictions. The tools reflect the requirements and methodology of actual casework.
This matters because forensic tools need to behave predictably. They need to access files in read-only mode when that is what they claim. They need to produce accurate output that an examiner can rely on when testifying. They need to be simple enough that their operation can be explained to a judge or jury.
Commercial forensic tools built by software companies sometimes prioritize features over forensic integrity. A flashy interface sells licenses. Accurate read-only access and reliable hash computation do not make good screenshots for marketing materials. Our tools prioritize correctness because our reputation depends on the accuracy of our work.