Free Forensic Disk Imager That Resumes

Sherlock Forensics Disk Imager is a free forensic disk imaging tool for Windows with E01 and raw dd output, three-pass SHA-256 verification and resumable imaging. If a 4TB acquisition fails at 90%, resume from the last sector instead of starting over. Single 4.4 MB executable. No installation. Built by CISSP, ISSAP and ISSMP certified forensic examiners.

Why We Built a Disk Imager

FTK Imager is free. It has been the default forensic disk imaging tool for over a decade. It works. So why would anyone build another free disk imager?

Because FTK Imager does not resume. If you are imaging a 4TB drive over USB 3.0 and the connection drops at 3.6TB, you start over. If power fails during an 8TB NAS acquisition, you start over. If the suspect drive develops transient read errors that cause the process to hang and you need to restart, you start over. Every forensic examiner who has worked with large drives has lost hours to failed imaging sessions that could not be recovered.

We built Sherlock Forensics Disk Imager because resumable imaging should not be a $1,200 feature locked behind X-Ways Forensics or a $3,500 annual EnCase subscription. It should be standard. It should be free. And now it is.

FTK Imager is free. So is ours. And ours resumes.

The Resume Problem in Forensic Imaging

Forensic disk imaging is a time-intensive process. A 2TB SATA drive imaged over USB 3.0 takes roughly 4 to 6 hours depending on drive health and bus speed. A 4TB drive takes 8 to 12 hours. An 8TB drive can take over 24 hours. These are real numbers from active casework, not theoretical benchmarks.

During those hours, many things can go wrong. USB cables develop intermittent connections. Write blockers overheat. Laptops go to sleep despite power settings. Source drives with developing bad sectors cause read timeouts that freeze the imaging process. Power outages happen. Windows decides to install updates and restart.

With FTK Imager, any interruption means starting the entire acquisition from byte zero. The partial image file may or may not be usable depending on what format you chose and where the interruption occurred. Most examiners delete the partial file and start fresh because there is no reliable way to resume.

With Sherlock Forensics Disk Imager, the tool tracks the last successfully written sector in a resume manifest file alongside the image. When you restart after an interruption, it reads the manifest, seeks to the correct position on the source drive and continues writing from exactly where it stopped. No data is lost. No time is wasted re-reading sectors that were already acquired. The final image is byte-identical to what a single uninterrupted session would have produced.

How Resume Works Technically

Sherlock Forensics Disk Imager maintains a small metadata file alongside the forensic image during acquisition. This file records the image format, source drive identification, the last successfully verified sector offset and a running SHA-256 state. When imaging resumes, the tool verifies the existing partial image against the recorded state, confirms it has not been modified since the interruption and continues acquisition from the next unwritten sector.

For E01 format, the resume mechanism operates at the segment boundary level. Each E01 segment is self-contained with its own internal checksums. Sherlock verifies the integrity of all completed segments before continuing. For raw dd format, the tool uses sector-level tracking with periodic checkpoints every 512 MB to enable fast resume without re-reading the entire partial image.

The resume capability works across power cycles and system restarts. The resume manifest is flushed to disk after every checkpoint, so even an abrupt power loss preserves the resume state. When the examiner relaunches the tool and selects the same source and destination, Sherlock detects the existing partial acquisition and offers to resume.
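The checkpoint-and-resume logic described above for raw dd images, as an added Python example that is not Sherlock's own code. The manifest field names, the fail_after test hook and the small checkpoint size are assumptions, and source drive identification is omitted. Python's hashlib cannot save hash state, so the running SHA-256 is rebuilt by re-hashing the partial image up to the checkpoint, which doubles as the tamper check.

```python
import hashlib, json, os

CHUNK = 4096           # read size for the demo
CHECKPOINT = 16384     # the page uses 512 MB; shrunk here so the demo runs fast

def prefix_hash(path, length):
    """Hash object fed with the first `length` bytes of `path`."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for start in range(0, length, CHUNK):
            h.update(f.read(min(CHUNK, length - start)))
    return h

def save_manifest(path, offset, h):
    # Write a temp file, fsync it, then atomically swap it into place so a
    # power loss never leaves a half-written manifest.
    with open(path + ".tmp", "w") as f:
        json.dump({"offset": offset, "sha256_prefix": h.hexdigest()}, f)
        f.flush()
        os.fsync(f.fileno())
    os.replace(path + ".tmp", path)

def acquire(src, img, manifest, fail_after=None):
    """Image src to img, resuming from manifest if one exists. Returns SHA-256 hex."""
    offset, h = 0, hashlib.sha256()
    if os.path.exists(manifest):
        with open(manifest) as f:
            m = json.load(f)
        h = prefix_hash(img, m["offset"])       # rebuild the running hash state
        if h.hexdigest() != m["sha256_prefix"]:
            raise ValueError("partial image changed since last checkpoint")
        offset = m["offset"]
    with open(src, "rb") as s, open(img, "r+b" if offset else "wb") as d:
        s.seek(offset)
        d.seek(offset)
        d.truncate()                            # drop bytes written after the checkpoint
        while buf := s.read(CHUNK):
            d.write(buf)
            h.update(buf)
            offset += len(buf)
            if offset % CHECKPOINT == 0:
                d.flush()
                os.fsync(d.fileno())            # image durable before manifest claims it
                save_manifest(manifest, offset, h)
            if fail_after is not None and offset >= fail_after:
                raise ConnectionError("simulated interruption")
    if os.path.exists(manifest):
        os.remove(manifest)                     # acquisition complete
    return h.hexdigest()
```

The ordering matters: the image is synced before the manifest is updated, so the manifest never points past data that actually reached the disk.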

Three-Pass SHA-256 Verification

Most forensic imaging tools perform two-pass verification: they hash the source drive and hash the destination image, then compare. If both hashes match, the image is considered forensically sound. This is adequate but not optimal.

Sherlock Forensics Disk Imager performs three-pass verification. After imaging completes, the tool computes three separate SHA-256 hashes:

  • Pass 1: Source drive hash. A complete read of the source drive computing its SHA-256 hash. This establishes the cryptographic fingerprint of the original evidence.
  • Pass 2: Destination image hash. A complete read of the forensic image file computing its SHA-256 hash. This verifies the written data matches what was read from the source.
  • Pass 3: Source re-read verification. A second complete read of the source drive computing another SHA-256 hash. This confirms the source drive did not change between the first read and the verification pass, detecting transient read errors or drive degradation that occurred during imaging.

All three hashes must match. If Pass 1 and Pass 3 differ, it indicates the source drive produced inconsistent data between reads, which is a sign of failing hardware or intermittent errors. This condition is invisible to two-pass verification because the tool only reads the source once for hashing. The third pass catches drive instability that would otherwise go undetected and could produce a forensic image that does not accurately represent the source evidence.

Three-pass verification takes longer than two-pass. For a 2TB drive, expect an additional 4 to 6 hours for the third pass. We believe this is a worthwhile trade-off for the additional assurance it provides, especially when the evidence will be presented in court. Examiners who need faster turnaround can select two-pass verification in the settings.
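The decision logic of the three passes, as an added Python example that is not Sherlock's own code. The verdict names and the FlakySource class, a constructed stand-in for a drive that returns different data on a later read, are assumptions used to show the case that two-pass verification misses.

```python
import hashlib, io

def sha256_of(stream, chunk=1 << 20):
    """Do one full read from offset 0 and return the SHA-256 hex digest."""
    stream.seek(0)
    h = hashlib.sha256()
    while buf := stream.read(chunk):
        h.update(buf)
    return h.hexdigest()

def verify(source, image, passes=3):
    """Two- or three-pass verification; returns (verdict, hashes)."""
    hashes = {"pass1_source": sha256_of(source), "pass2_image": sha256_of(image)}
    if passes == 3:
        hashes["pass3_source"] = sha256_of(source)
        if hashes["pass3_source"] != hashes["pass1_source"]:
            return "SOURCE_UNSTABLE", hashes   # source gave different data on re-read
    if hashes["pass1_source"] != hashes["pass2_image"]:
        return "IMAGE_MISMATCH", hashes        # image differs from a stable source
    return "VERIFIED", hashes

class FlakySource(io.BytesIO):
    """Constructed stand-in for a degrading drive: from the `bad_from`-th full
    read onward, the byte at `bad_offset` comes back inverted."""
    def __init__(self, data, bad_from, bad_offset):
        super().__init__(data)
        self.reads, self.bad_from, self.bad_offset = 0, bad_from, bad_offset
    def seek(self, pos, whence=0):
        if pos == 0 and whence == 0:
            self.reads += 1                    # each rewind starts a new full read
        return super().seek(pos, whence)
    def read(self, n=-1):
        start = self.tell()
        buf = bytearray(super().read(n))
        i = self.bad_offset - start
        if self.reads >= self.bad_from and 0 <= i < len(buf):
            buf[i] ^= 0xFF
        return bytes(buf)
```

With a source that degrades on its second full read, `verify(..., passes=2)` reports VERIFIED while `passes=3` reports SOURCE_UNSTABLE.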

E01 Format Compatibility

Sherlock Forensics Disk Imager produces standard E01 (Expert Witness Format) images that are compatible with every major forensic analysis platform. EnCase, FTK, X-Ways, Autopsy, Magnet AXIOM and any tool that reads E01 can open images created by Sherlock. The E01 implementation follows the published specification including case metadata, evidence segmentation and internal CRC verification.

E01 offers two advantages over raw dd for forensic imaging. First, E01 supports compression, which can reduce a 2TB disk image to 800GB or less depending on the data. This matters when your evidence storage is limited or when you need to transport images between locations. Second, E01 embeds case metadata directly in the image file: case number, evidence number, examiner name, acquisition date and notes. This metadata travels with the image and cannot be separated from it.

For examiners who prefer raw format, Sherlock also produces standard dd images. Raw images have no compression and no embedded metadata, but they are universally compatible and can be mounted directly as virtual drives on any operating system. Both formats receive the same three-pass SHA-256 verification.

Chain of Custody Documentation

Every imaging session produces a chain of custody log that documents the complete acquisition. The log includes the source drive serial number, model, capacity and interface type. It records the examiner name, the acquisition start and end timestamps, the imaging parameters selected and the output format. All three SHA-256 hash values are included with their computation timestamps.

This log is designed to be attached to a forensic report or submitted as a court exhibit without reformatting. It follows the same documentation standards used by Sherlock Forensics Android Acquirer and Sherlock Forensics PST Viewer, ensuring consistent chain of custody documentation across all Sherlock forensic tools.

For organizations that require specific chain of custody formats, the log is exported as both a human-readable text file and a structured JSON file that can be parsed by case management systems.

USB Write Blocker Integration

Sherlock Forensics Disk Imager integrates with Sherlock Forensics USB Write Blocker to provide a complete forensic imaging workflow from a single vendor. Before imaging, enable write protection with the USB Write Blocker. Then launch Sherlock Forensics Disk Imager and acquire the evidence. The imaging log records whether write protection was active at the time of acquisition, adding another layer of chain of custody documentation.

For examiners using hardware write blockers from Tableau (OpenText) or CRU, Sherlock Forensics Disk Imager works through any standard write-blocked connection. The tool reads the source drive through whatever interface is available. The write blocker is transparent to the imaging process.

4.4 MB Single Executable

Sherlock Forensics Disk Imager is a single executable file. No installer. No .NET framework dependency. No Visual C++ redistributable. No admin-required MSI package that corporate IT needs to approve. Copy the 4.4 MB file to a USB drive, plug it into your forensic workstation and run it.

This matters for field work. When you arrive at a client site for an urgent evidence preservation, you do not want to spend 20 minutes installing software and rebooting. You want to plug in your write blocker, plug in your forensic destination drive, launch the imager and start acquiring evidence. Sherlock Forensics Disk Imager is designed for that scenario.

The 4.4 MB footprint also means the tool loads instantly. There is no splash screen, no license check, no phone-home verification and no startup wizard. Launch it and you are imaging within seconds.

FTK Imager Comparison

We respect FTK Imager. It has served the forensic community well for years. This is not an attack on Exterro or their tools. This is an honest comparison of capabilities that matter to working forensic examiners.

Feature                 Sherlock Forensics Disk Imager   FTK Imager
Price                   Free                             Free
Resumable imaging       Yes                              No
E01 output              Yes                              Yes
Raw dd output           Yes                              Yes
SHA-256 verification    Three-pass                       Two-pass
Chain of custody log    Yes (auto)                       Partial
File size               4.4 MB                           ~50 MB installer
Installation required   No                               Yes
Memory viewer           No                               Yes
File system browser     No                               Yes
Platform                Windows                          Windows

FTK Imager includes a file system browser and memory viewer that Sherlock Forensics Disk Imager does not. If you need to preview drive contents before imaging or capture volatile memory, FTK Imager remains the better choice for those specific tasks. Sherlock Forensics Disk Imager focuses exclusively on disk acquisition with resume capability and three-pass verification. It does one job and does it well.

For a full comparison against six forensic imaging tools including ddrescue, Guymager, X-Ways and EnCase, see our FTK Imager alternative comparison page.

Who Should Use Sherlock Forensics Disk Imager

Sherlock Forensics Disk Imager is built for forensic examiners who image drives as part of their regular casework. Specifically:

  • FTK Imager users who need resume capability for large drives. If you have ever lost a multi-hour imaging session to a USB disconnect or power failure, this tool solves that problem.
  • Linux users who need a Windows GUI imager. If your forensic workstation runs Windows and you have been using ddrescue through WSL or a Linux live boot because it supports resume, Sherlock gives you the same resume capability in a native Windows GUI.
  • Labs that cannot afford X-Ways or EnCase but need resume and E01 output. Until now, resumable forensic imaging on Windows required a commercial license starting at $1,200.
  • Field examiners who need a portable imaging tool that fits on a USB drive alongside their write blocker.
  • Incident responders performing rapid evidence preservation during active breaches where imaging speed and reliability are critical.

What We Are Not Claiming

Sherlock Forensics Disk Imager is a disk imaging tool. It does not analyze file systems. It does not recover deleted files. It does not parse registry hives or extract browser artifacts. It does not capture volatile memory. Those tasks require dedicated forensic analysis platforms like Autopsy, X-Ways or Magnet AXIOM.

We are not claiming to replace FTK Imager for all use cases. FTK Imager's file system browser and memory capture are useful features that Sherlock does not replicate. We are claiming that for the specific task of creating forensic disk images, Sherlock Forensics Disk Imager offers two features that FTK Imager lacks: resumable imaging and three-pass verification. For many examiners, those two features justify adding Sherlock to their toolkit alongside FTK Imager.
