Why We Built an Android Acquisition Tool
Mobile forensics has been dominated by two vendors for the better part of a decade. Cellebrite UFED starts at roughly $15,000 USD per year. MSAB XRY runs in the same range. These are powerful platforms designed for law enforcement agencies with dedicated budgets for digital forensics equipment. They support physical extraction, exploit-based bypass methods and thousands of device profiles.
But the majority of Android forensic examinations do not require those capabilities. In corporate investigations the device owner typically cooperates. In HR matters the employee consents to the examination as a condition of employment. In civil litigation the party produces the device voluntarily or under court order. In family law matters both parties agree to device examination as part of discovery.
In all of these scenarios the examiner has the device unlocked and the owner's consent. Physical extraction is unnecessary. Exploit-based bypass is irrelevant. What the examiner needs is a reliable method to extract artifacts, hash each one individually and produce a court-ready report. That is a $399 problem, not a $15,000 problem.
We built Sherlock Android Acquirer to solve that specific problem. Nothing more. Nothing less.
What Sherlock Android Acquirer Does
The tool performs logical extraction of Android devices using Android Debug Bridge (ADB) combined with a helper APK. The process works as follows:
- Connect the Android device to the examiner's workstation via USB
- Enable USB debugging on the device with the owner's informed consent
- Install the Sherlock helper APK, which requests standard Android permissions
- The helper APK accesses Android content providers to collect artifacts
- Each artifact is transferred to the workstation via ADB
- A SHA-256 hash is computed for every individual artifact at the point of extraction
- A forensic PDF report is generated with chain of custody documentation
The helper APK does not root the device. It does not exploit any vulnerability. It does not bypass any security mechanism. It operates entirely within the standard Android permission model. The device owner grants permissions through the normal Android consent dialog, just as they would for any application.
Artifacts Extracted
Sherlock Android Acquirer extracts the following artifact categories through Android's content provider APIs:
| Artifact Category | Details | Free Edition | Pro Edition |
|---|---|---|---|
| SMS / MMS Messages | Full message content, timestamps, sender/recipient, thread grouping | Preview only | Full extraction |
| Call Logs | Incoming, outgoing, missed calls with duration and timestamps | Preview only | Full extraction |
| Contacts | Names, phone numbers, email addresses, organization data | Preview only | Full extraction |
| Photos and Videos | Media files with EXIF metadata including GPS coordinates | Count only | Full extraction |
| Audio Recordings | Voice recordings and audio files from accessible storage | Count only | Full extraction |
| Downloads | Files in the Downloads directory | Count only | Full extraction |
| Wi-Fi History | Previously connected networks with timestamps where available | No | Full extraction |
| Installed Applications | Package names, version numbers, install dates, permissions granted | Listing only | Full with permissions |
| Device Information | Model, manufacturer, Android version, serial number, IMEI | Yes | Yes |
The Forensic Edition extracts all artifacts with full content. The Free edition provides device information and artifact previews sufficient for evaluation and basic IT purposes.
SHA-256 Per-Artifact Hashing
This is the forensic feature that justifies the tool's existence. Every individual artifact extracted by Sherlock Android Acquirer receives its own SHA-256 hash at the moment of extraction. Not a single hash for the entire acquisition. Not a hash of the output directory. A cryptographic hash for each SMS message, each photo, each call log entry and each contact record.
When opposing counsel asks how you can verify that a specific text message was not altered after extraction, you produce the SHA-256 hash that was computed at the time of acquisition. That hash can be independently verified against the source data. This is the same principle that has been standard practice in disk forensics for decades but has been conspicuously absent from affordable mobile forensics tools.
The hash values are recorded in the examination log, embedded in the forensic PDF report and exported as a separate hash manifest file for independent verification.
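The per-artifact hashing and manifest verification described above, as an added example that is not Sherlock Android Acquirer's code. The JSON canonicalization, the artifact identifiers and the sample records are assumptions constructed for illustration.

```python
import hashlib
import json

def canonical_bytes(record: dict) -> bytes:
    # Assumed canonical form (sorted keys, compact separators) so a record always hashes the same.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")

def hash_artifact(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(artifacts: dict) -> dict:
    """One SHA-256 per artifact id, not one hash for the whole acquisition."""
    manifest = {}
    for artifact_id, content in artifacts.items():
        data = content if isinstance(content, bytes) else canonical_bytes(content)
        manifest[artifact_id] = hash_artifact(data)
    return manifest

def verify(artifacts: dict, manifest: dict) -> dict:
    current = build_manifest(artifacts)
    status = {}
    for artifact_id, expected in manifest.items():
        if artifact_id not in current:
            status[artifact_id] = "missing"
        elif current[artifact_id] == expected:
            status[artifact_id] = "ok"
        else:
            status[artifact_id] = "modified"
    for artifact_id in current.keys() - manifest.keys():
        status[artifact_id] = "unlisted"  # present now, absent at acquisition
    return status

# Constructed sample artifacts (hypothetical ids and values).
SAMPLE = {
    "sms/0001": {"address": "+15550100", "date": 1700000000000, "body": "Running late"},
    "sms/0002": {"address": "+15550101", "date": 1700000060000, "body": "See you at 5"},
    "media/IMG_0001.jpg": b"\xff\xd8\xff\xe0 constructed bytes, not a real image",
}

def demo() -> dict:
    manifest = build_manifest(SAMPLE)          # computed at extraction time
    later = dict(SAMPLE)
    later["sms/0002"] = dict(SAMPLE["sms/0002"], body="See you at 6")  # altered
    del later["media/IMG_0001.jpg"]                                     # removed
    later["sms/0003"] = {"address": "+15550102", "date": 1, "body": "added"}
    return verify(later, manifest)

if __name__ == "__main__":
    print(demo())
```

Because each artifact has its own entry, a single altered message is reported by identifier while every untouched artifact still verifies.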
The Consent-Gated Approach
We made a deliberate architectural decision to require device owner consent for every acquisition. This is not a limitation. It is a feature.
Consent-based acquisition solves two problems simultaneously. First, it eliminates the legal risk associated with exploit-based extraction methods. Tools that bypass device security may produce evidence that is inadmissible under certain jurisdictions' exclusionary rules. When the device owner voluntarily installs the helper APK and grants permissions through Android's standard consent dialog, the acquisition method itself is legally defensible.
Second, consent-based acquisition works reliably across Android versions and manufacturers. Exploit-based methods break with every security patch. A tool that relies on a specific vulnerability in Android 14 may not work on Android 15. Sherlock Android Acquirer uses documented Android APIs that are stable across versions. A device running Android 10 and a device running Android 16 are acquired using the same method.
For law enforcement scenarios where the device owner does not consent and a warrant authorizes bypass, Cellebrite and similar tools are the appropriate choice. We are not competing for that use case. We are serving the larger market of consent-based examinations where those tools are dramatically overpriced.
Forensic PDF Reports
Every Forensic Edition acquisition produces a forensic PDF report that includes:
- Examiner identification: Name, credentials, organization and contact information for the examiner conducting the acquisition.
- Device identification: Manufacturer, model, Android version, serial number, IMEI and build fingerprint of the examined device.
- Chain of custody header: Date and time of acquisition, tool version, acquisition parameters and consent documentation reference.
- Artifact inventory: Complete listing of all extracted artifacts organized by category with individual SHA-256 hashes.
- Artifact content: Full content of text-based artifacts (SMS, contacts, call logs) rendered in the report. Media files referenced by hash and filename.
- Hash manifest: Summary table of all SHA-256 hashes for independent verification.
The report is designed to be attached to an affidavit or submitted as an exhibit without additional formatting. It includes all metadata that a court requires for digital evidence admissibility under Daubert and similar standards.
Free Edition vs. Pro Edition
The Free edition exists for two reasons. First, it lets forensic examiners evaluate the tool before purchasing. Second, it serves IT professionals and administrators who need basic device information without forensic requirements.
The Forensic Edition at $399 USD is a one-time purchase. No subscription. No annual renewal. No per-device licensing. No "maintenance fees" that appear six months later. You pay $399 once and you own the license. Updates within the major version are included.
The price difference between Free and Pro reflects the forensic features: SHA-256 hashing, full artifact extraction, forensic PDF report generation and chain of custody documentation. These features require significant engineering to implement correctly and significant forensic expertise to design properly.
Why $399 Instead of $15,000
The same reason our PST Viewer costs $67 instead of $299. Sherlock Forensics is a forensic consultancy that builds tools, not a software company that sells to forensic examiners. We have no sales team making cold calls to police departments. We have no booth at DFRWS or Techno Security. We have no channel partners taking a 40% margin. We have no venture capital investors expecting 10x returns.
Our tools are built by the same examiners who use them in active casework. The development cost is real but modest because we are not supporting an enterprise software organization. The $399 price covers development, maintenance and a reasonable margin. It does not need to cover a CEO's compensation package or a San Francisco office lease.
Cellebrite is a publicly traded company with over 900 employees. Their pricing reflects the cost of that organization. Our pricing reflects the cost of ours.
Target Audiences
We built Sherlock Android Acquirer for professionals who perform consent-based Android examinations:
- Corporate investigators handling internal investigations involving employee-owned or company-issued Android devices
- Forensic examiners who need affordable mobile acquisition for civil cases, family law and small-scale criminal matters
- Law firms conducting eDiscovery that includes mobile device data
- HR departments investigating policy violations involving company Android devices
- Insurance investigators examining claimant devices with consent
- IT administrators who need to document device contents during employee offboarding (Free edition)
If your Android examination involves an unlocked device with owner consent, Sherlock Android Acquirer handles it for $399. If your examination requires bypassing device security without the owner's cooperation, you need Cellebrite or a similar tool at the corresponding price point.
What We Are Not Claiming
We are not claiming to replace Cellebrite. UFED is a comprehensive mobile forensics platform that supports thousands of device profiles across iOS and Android, performs physical extraction and has been validated through thousands of law enforcement cases worldwide. That capability costs $15,000 per year for a reason.
We are claiming that the majority of Android forensic examinations in the corporate, civil and family law sectors do not require those capabilities. For consent-based logical extraction with proper forensic documentation, $399 is the appropriate price point.
Read the full Android forensics guide for detailed methodology, or see how Sherlock Android Acquirer compares to other tools in our 2026 Android forensics tool comparison.