Resumable Imaging
If imaging fails at any point, resume from the last checkpoint. Works across power cycles and system restarts. The resume manifest is flushed to disk after every 512 MB checkpoint. No lost work.
Free Download
FTK Imager Alternative Free with Resume
Free forensic disk imager with resumable imaging, E01 output, three-pass SHA-256 verification and chain of custody. 4.4 MB single executable. Built by CISSP, ISSAP and ISSMP certified forensic examiners.
Sherlock Forensics Disk Imager is a free FTK Imager alternative for Windows with resumable imaging, E01 and raw dd output, three-pass SHA-256 verification and automated chain of custody documentation. It is the first free Windows GUI forensic imager that combines resume capability with E01 output and chain of custody in one 4.4 MB package.
Free forever | Windows 10/11 | No installation | No subscription
The Problem
FTK Imager Does Not Resume
FTK Imager is the most widely used free forensic disk imaging tool. It has been the default choice for examiners for over a decade. It produces E01 and raw images. It includes a file system browser and memory capture. It works.
But FTK Imager does not support resumable imaging. If a 4TB drive imaging session fails at 90% due to a USB disconnect, power loss or system crash, you start over from byte zero. The partial image is abandoned. Hours of acquisition time are lost.
For small drives, this is an inconvenience. For 4TB, 8TB and 12TB drives that are now common in forensic casework, it is a serious operational problem. A single failed 8TB acquisition can cost an examiner an entire day of lost work. Multiply that across a busy forensic lab handling dozens of cases per month and the lost productivity is significant.
Until now, resumable forensic imaging on Windows required X-Ways Forensics ($1,200+) or EnCase ($3,500+/year). Linux users had ddrescue, which resumes but produces raw output only with no GUI and no chain of custody documentation. There was no free Windows tool that combined resume, E01 output and chain of custody in one package.
Sherlock Forensics Disk Imager fills that gap.
Honest Comparison
Forensic Disk Imaging Tools Compared
We believe transparency builds trust. This table is honest. ddrescue, X-Ways and EnCase all support resume. Our differentiator is being the first free Windows GUI imager with resume, E01 output and chain of custody in one package.
| Tool | Price | Resume | E01 | Chain of Custody | GUI | Platform |
|---|---|---|---|---|---|---|
| Sherlock Forensics Disk Imager | FREE | Yes | Yes | Yes | Yes | Windows |
| FTK Imager | FREE | No | Yes | Partial | Yes | Windows |
| ddrescue | FREE | Yes (CLI) | No | No | No | Linux |
| Guymager | FREE | No | Yes | No | Yes | Linux |
| X-Ways Forensics | $1,200+ | Yes | Yes | Yes | Yes | Windows |
| EnCase | $3,500+/yr | Yes | Yes | Yes | Yes | Windows |
Pricing based on publicly available information as of April 2026. X-Ways pricing varies by license tier. EnCase pricing is annual subscription. Contact each vendor for current quotes. FTK Imager's "Partial" chain of custody means it logs some metadata but does not produce a standalone chain of custody document.
Differentiator
First Free Windows GUI Imager with Resume + E01 + Chain of Custody
Other tools have resume. ddrescue has had it for years. X-Ways and EnCase have had it for years. We are not claiming to invent resumable imaging. We are claiming to be the first tool that delivers all of the following in one free package:
- Free (no license, no subscription, no trial)
- Not $1,200 like X-Ways. Not $3,500/year like EnCase. Free forever with no feature restrictions.
- Resumable imaging
- If imaging is interrupted by power loss, USB disconnect or system crash, resume from the last successfully written sector. Not available in FTK Imager or Guymager.
- E01 output format
- Standard Expert Witness Format compatible with EnCase, FTK, X-Ways, Autopsy and Magnet AXIOM. Not available in ddrescue.
- Chain of custody documentation
- Automated imaging log with source drive identification, examiner name, timestamps and three SHA-256 hash values. Not available in ddrescue or Guymager.
- Windows GUI
- Native Windows application with a graphical interface. Not a Linux CLI tool that requires terminal experience.
- Three-pass SHA-256 verification
- Source hash, destination hash and source re-read hash. Detects transient drive errors that two-pass verification misses.
No other free tool on any platform combines all six of these capabilities.
Features
What You Get
E01 and Raw DD
Choose Expert Witness Format (E01) with compression and embedded metadata or raw dd for universal compatibility. Both formats receive identical three-pass SHA-256 verification.
Three-Pass Verification
Source drive hash, destination image hash and source re-read hash. The third pass catches transient drive errors and degradation that standard two-pass verification cannot detect.
Chain of Custody
Every imaging session produces an automated log with drive identification, examiner details, timestamps and all hash values. Integrates with the Sherlock chain of custody framework used across all our forensic tools.
4.4 MB Portable
Single executable. No installer. No runtime dependencies. No .NET framework. Copy it to a USB drive alongside your write blocker and you have a complete imaging toolkit.
Write Blocker Integration
Works with Sherlock Forensics USB Write Blocker and all hardware write blockers from Tableau (OpenText) and CRU. The imaging log records write protection status for chain of custody.
Transparency
What Sherlock Forensics Disk Imager Does Not Do
Honesty about limitations is a sign of competence. Sherlock Forensics Disk Imager is a focused tool. It does one job: forensic disk imaging with resume and verification. Here is what it does not do.
Limitations
- No file system browser. FTK Imager includes a built-in file system browser for previewing drive contents before imaging. Sherlock does not. If you need to preview files before acquisition, use FTK Imager for browsing and Sherlock for imaging.
- No memory capture. FTK Imager can capture volatile memory (RAM). Sherlock focuses exclusively on disk imaging. For memory acquisition, use FTK Imager, WinPmem or Magnet RAM Capture.
- No file recovery or analysis. Sherlock creates forensic images. It does not analyze them. For file system analysis, deleted file recovery and artifact parsing, use Autopsy, X-Ways, FTK or Magnet AXIOM.
- No macOS or Linux support. Sherlock Forensics Disk Imager runs on Windows only. Linux users have ddrescue for resumable imaging. macOS users need to use dd or a third-party tool.
- No network imaging. The current version images locally connected drives only. Network-based imaging (iSCSI, network shares) is not supported in this release.
For most forensic workflows, Sherlock Forensics Disk Imager and FTK Imager are complementary tools rather than replacements for each other. Use both. If you need help determining the right tool for your investigation, call us at 604.229.1994.
Use Cases
Who Switches to Sherlock Forensics Disk Imager
FTK Imager Users Who Need Resume
If you have lost an imaging session to a USB disconnect or power failure on a large drive, you know the frustration. Sherlock resumes from the last checkpoint. Keep FTK Imager for browsing and memory capture. Use Sherlock for production imaging.
Linux Users Who Need Windows GUI
If you have been using ddrescue through a Linux live boot or WSL because it supports resume, Sherlock gives you the same resume capability in a native Windows GUI with E01 output and chain of custody documentation that ddrescue lacks.
Labs That Cannot Afford X-Ways or EnCase
X-Ways starts at $1,200. EnCase runs $3,500+ per year. Both support resume. If your lab needs resumable imaging but cannot justify those costs, Sherlock delivers the same resume capability for free.
Field Examiners
When you arrive at a client site for evidence preservation, you need a tool that runs immediately. Sherlock is 4.4 MB with no installation. Copy it to your forensic USB drive and you are ready to image within seconds of arrival.
Incident Responders
During active incident response engagements, imaging speed and reliability are critical. A failed 4TB acquisition during a breach investigation costs hours you do not have. Resume capability eliminates that risk.
Law Enforcement on a Budget
Small police departments and municipal agencies that need forensic-grade imaging without the budget for commercial tools. Free tool, full chain of custody, court-ready documentation.
Technical Detail
How Resume Works
Sherlock Forensics Disk Imager maintains a resume manifest file alongside the forensic image during acquisition. The manifest records the source drive serial number, the imaging format, the last successfully verified sector offset and a running SHA-256 computation state. The manifest is written to disk after every 512 MB checkpoint.
When imaging is interrupted for any reason, the partial image and manifest remain on the destination drive. When the examiner relaunches Sherlock and selects the same source and destination, the tool detects the existing partial acquisition. It verifies the integrity of completed data against the manifest, confirms the source drive serial number matches and offers to resume from the last checkpoint.
For E01 format, resume operates at segment boundaries. Each E01 segment is self-contained with internal CRC checksums. Sherlock verifies all completed segments before continuing. For raw dd format, resume uses sector-level tracking with 512 MB checkpoint granularity.
The resume mechanism works across power cycles and system restarts. Because the manifest is flushed to disk at every checkpoint, even an abrupt power loss preserves the resume state. The maximum data loss from an unclean interruption is 512 MB, the distance between checkpoints. Compare this to FTK Imager where any interruption loses the entire acquisition.
For context on how resume integrates with the broader forensic workflow, see our chain of custody documentation. The resume manifest becomes part of the chain of custody record, documenting any interruptions that occurred during acquisition.
Integrity
Three-Pass SHA-256 Verification
Standard forensic imaging tools perform two-pass verification: they hash the source drive once and hash the destination image once, then compare. If the hashes match, the image is deemed forensically sound.
Sherlock Forensics Disk Imager adds a third pass. After computing the source and destination hashes, it re-reads the source drive entirely and computes a third SHA-256 hash. All three values must match.
The third pass detects a specific failure mode: transient read errors on the source drive. A drive with developing bad sectors may return different data on subsequent reads of the same sectors. If the source drive returned corrupted data during imaging that it does not reproduce on the verification read, the Pass 1 and Pass 3 hashes will differ. Two-pass verification cannot detect this because it only reads the source once for hashing.
When Pass 1 and Pass 3 differ, Sherlock flags the acquisition as potentially compromised and logs the discrepancy. The examiner can then decide whether to re-image with ddrescue (which handles bad sectors more aggressively) or document the discrepancy in their report.
Three-pass verification adds time. For a 2TB drive, expect roughly 4 to 6 additional hours for the third pass. This is configurable. Examiners who need faster turnaround can select two-pass verification in the settings. For casework heading to court, we recommend the three-pass default.
Legal
Court Admissibility
Courts evaluate forensic methodology rather than tool brand or price. A free tool that produces proper SHA-256 hashes, complete chain of custody documentation and reproducible results meets the same evidentiary standards as a $3,500/year commercial platform.
Under the Daubert standard, admissibility of forensic evidence depends on whether the methodology is scientifically valid, whether it has been tested and whether it produces reliable results. Bit-for-bit disk imaging with SHA-256 hash verification is a well-established forensic methodology accepted by courts worldwide. The tool used to perform the imaging is less important than the methodology followed and the documentation produced.
Sherlock Forensics Disk Imager produces the documentation elements courts require: source drive identification, write protection verification, complete imaging parameters, SHA-256 hash values with timestamps and examiner identification. For additional guidance on forensic tool validation, refer to the NIST Computer Forensics Tool Testing Program and SWGDE best practices.
Questions
FTK Imager Alternative FAQ
Is Sherlock Forensics Disk Imager a real FTK Imager alternative?
Yes, for forensic disk imaging specifically. Sherlock Forensics Disk Imager creates E01 and raw dd images with three-pass SHA-256 verification, just like FTK Imager. The key difference is resume capability. If imaging is interrupted, Sherlock resumes from the last sector. FTK Imager requires starting over. Sherlock does not include FTK Imager's file system browser or memory capture features.
Do other tools besides Sherlock support resumable imaging?
Yes. ddrescue on Linux supports resumable imaging but produces raw output only with no GUI and no chain of custody documentation. X-Ways Forensics ($1,200+) and EnCase ($3,500+/year) support resume on Windows with full forensic features. Sherlock Forensics Disk Imager is the first free Windows GUI tool that combines resume, E01 output and chain of custody in one package.
What is three-pass SHA-256 verification?
Three-pass verification computes three separate SHA-256 hashes: one from the source drive, one from the destination image and one from a re-read of the source drive. All three must match. The third pass detects transient read errors or drive degradation that occurred during imaging. Standard two-pass verification only reads the source once for hashing and cannot detect this condition.
Can I use Sherlock alongside FTK Imager?
Yes. Many examiners use both tools. FTK Imager for file system browsing, memory capture and quick previews. Sherlock Forensics Disk Imager for production forensic imaging where resume capability and three-pass verification are needed. Both tools produce standard E01 images that are compatible with all major forensic analysis platforms.
Is Sherlock Forensics Disk Imager free?
Yes. Completely free with no trial period, no feature restrictions and no license required. Single 4.4 MB executable for Windows 10 and 11. No installation, no registration and no subscription.
Get Started
Stop Losing Imaging Sessions
Download Sherlock Forensics Disk Imager and never restart a failed acquisition from scratch again. Free forever. 4.4 MB. No installation. Built by the same team that delivers forensic investigations and incident response across British Columbia.
Since 2006CISSP, ISSAP, ISSMP certified604.229.1994
Need Help Choosing the Right Imaging Tool?
Call us. We will assess your requirements in a five-minute phone call and recommend the right tool for your workflow. If Sherlock is not the right fit, we will tell you what is.
Call 604.229.1994- Phone
- 604.229.1994
Sherlock Forensics Disk Imager is provided for lawful forensic use only. Terms of Service