Product Launch

Sherlock Forensics Desktop Tools Now Available for Linux

Eight Sherlock Forensics desktop tools are now available for Linux x64 as native binaries. The lineup includes PST Viewer, OCR Reader, Forensic PDF Editor, Android Acquirer, Browser Viewer, Port Scanner, Hash Calculator and Metadata Inspector. All ship as .tar.gz archives with no installer required.

What Is Available

Every egui-based Sherlock Forensics desktop tool now ships with a Linux x64 build alongside the existing Windows version. All eight tools are built in Rust and compiled natively for Linux. No Wine, no emulation, no compatibility layers.

Tool | Description | Edition
PST Viewer | Open PST/OST files without Outlook. Deleted-item recovery, YARA scanning, cross-PST search and SHA-256 hashing. | Free + Forensic ($67)
OCR Reader | Forensic OCR with per-word confidence scoring, ed25519 audit trails and EDRM XML v1.2 export. Bundled Tesseract. | Free + Forensic ($67)
Forensic PDF Editor | Safe PDF viewer with Threat Inspector, Redaction Lie Detector and 22 forensic panels. Rust-sandboxed parser. | Free + Pro ($29/yr)
Android Acquirer | Android logical acquisition via ADB. SMS, contacts, call logs, media and apps with court-ready reports. | Free + Forensic ($399)
Browser Viewer | Extract history, bookmarks, downloads and extensions from Chrome, Edge, Firefox, Brave, Opera, Vivaldi and Tor. | Free + Forensic ($29)
Port Scanner | TCP port scanning with service detection and banner grabbing. CSV export. | Free
Hash Calculator | SHA-256, SHA-512, MD5 and SHA-1 hashing with drag-and-drop, batch processing and CSV export. | Free
Metadata Inspector | View, export and strip EXIF, PDF and Office metadata. Privacy and forensic analysis. | Free

Installation

Linux builds ship as .tar.gz archives. Each archive contains a single folder with the binary and any sidecar files. Installation takes three steps.

1. Download and extract

mkdir -p ~/sherlock
tar xzf sherlock-pst-viewer-linux-x64.tar.gz -C ~/sherlock/

2. Install runtime dependencies

All eight tools share the same dependency set.

Debian / Ubuntu
sudo apt install libgtk-3-0 libfontconfig1 libxkbcommon0 libwayland-client0 libxcb1 libssl3 curl
Fedora / RHEL
sudo dnf install gtk3 fontconfig libxkbcommon libwayland-client libxcb openssl curl
Arch
sudo pacman -S gtk3 fontconfig libxkbcommon wayland libxcb openssl curl

3. Run the binary

~/sherlock/sherlock-pst-viewer/sherlock-pst-viewer

Extracted binaries should already have the executable bit set. If they do not:

chmod +x ~/sherlock/sherlock-pst-viewer/sherlock-pst-viewer
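
The tools hub publishes a SHA-256 hash for each download, so the archive can be checked before step 1 extracts it. The script below is an added example, not code shipped by Sherlock Forensics: the function names are hypothetical, and the expected hash is a placeholder you copy from the tools hub.

```shell
#!/bin/sh
# Added example: verify a downloaded tool archive before extracting it.
# Assumes GNU coreutils (sha256sum) and GNU tar, as on the tested distros.

# verify_sha256 ARCHIVE EXPECTED_HEX -> exit 0 only if the digest matches.
verify_sha256() (
    # Read via stdin so odd file names cannot alter sha256sum's output format.
    actual=$(sha256sum < "$1" | cut -d' ' -f1)
    # Published hashes are sometimes upper case; normalise before comparing.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
)

# archive_layout_ok ARCHIVE -> exit 0 only if every member sits under one
# top-level entry and no member is absolute or has a ".." component.
archive_layout_ok() (
    names=$(tar -tzf "$1") || exit 1
    [ -n "$names" ] || exit 1
    if printf '%s\n' "$names" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        exit 1
    fi
    # Count distinct first path components (a leading "./" is ignored).
    tops=$(printf '%s\n' "$names" | sed 's|^\./||' | cut -d/ -f1 \
           | grep -v '^$' | sort -u | wc -l | tr -d ' ')
    [ "$tops" -eq 1 ]
)

# safe_extract ARCHIVE EXPECTED_HEX DEST -> extract only after both checks pass.
safe_extract() (
    verify_sha256 "$1" "$2" || { echo "SHA-256 mismatch: $1" >&2; exit 1; }
    archive_layout_ok "$1" || { echo "unexpected layout: $1" >&2; exit 1; }
    # --no-same-owner: never restore archive-recorded owners, even as root.
    mkdir -p "$3" && tar -xzf "$1" -C "$3" --no-same-owner
)

# Usage (the hash is a placeholder; copy the real value from the tools hub):
#   safe_extract sherlock-pst-viewer-linux-x64.tar.gz \
#       "<SHA-256 from the tools hub>" ~/sherlock
```

A mismatch stops the script before anything is written to the destination directory.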

Per-tool notes

  • OCR Reader bundles its own Tesseract binary and tessdata directory. English, Spanish, French and German ship included. No separate Tesseract installation needed.
  • Android Acquirer bundles adb. If it fails on your distro, install your distro's android-tools package. The tool falls back to system adb on PATH.
  • PDF Editor writes a .desktop file to ~/.local/share/applications/ on first run so it appears in your file manager's "Open With" list.

What Is Not on Linux Yet

Four tools remain Windows-only for now.

  • USB Write Blocker uses Windows kernel IOCTLs for per-device write blocking. Linux operators can use blockdev --setro directly.
  • Disk Imager uses Windows IOCTLs for raw disk access. Linux operators can use dd directly.
  • Universal Events Viewer currently parses Windows .evtx logs only. Linux journald support is planned for a future release.
  • LiveTriage has deep Windows API integration with no Linux equivalent planned.

Why Linux Matters for Forensics

Most forensic workstations in government and law enforcement labs run Linux. NIST CFTT validates forensic tools on both platforms. SIFT Workstation, the most widely used forensic distribution, runs Ubuntu. Investigators who work in Linux no longer need a Windows VM to open a PST file or run OCR on seized documents.

eDiscovery teams processing large PST archives on Linux servers can now use the same tool locally instead of transferring files to a Windows machine. The same applies to SOC analysts triaging browser artifacts or hashing evidence files.

FAQ

Does Sherlock Forensics PST Viewer work on Linux?
Yes. Sherlock Forensics PST Viewer is available as a native Linux x64 binary. Download the .tar.gz archive from the tools page, extract it and run the binary directly. The Linux build requires libgtk-3, libfontconfig1 and libxkbcommon. Tested on Ubuntu 22.04 and later, Fedora 38 and later, and Arch Linux.

What Linux distros are supported?
Any Linux distribution with GTK3 support works. The tools have been tested on Ubuntu 22.04 and later, Fedora 38 and later, and Arch Linux. Required runtime libraries are libgtk-3, libfontconfig1, libxkbcommon, libwayland-client0, libxcb and libssl3. Install them through your package manager.

Do I need to install Tesseract for OCR Reader on Linux?
No. Sherlock Forensics OCR Reader bundles its own Tesseract binary and tessdata directory inside the .tar.gz archive. English, Spanish, French and German language data ship included. No separate Tesseract installation is needed on Linux.

Download All 8 Linux Tools

All tools are free to download and use. Forensic and Pro editions unlock export, reporting and batch features. Visit the tools hub for download links and SHA-256 hashes.
