Every PI case now involves digital evidence. Divorce investigations require email and text message analysis. Corporate fraud cases demand financial communication review. Insurance fraud investigations need location data and device records. Custody disputes rely on documented parenting behavior in messages and social media. The days of surveillance-only PI work are over.
The challenge for private investigators is that digital evidence is fragile. Opening an email attachment in Outlook modifies the file. Copying a text message by screenshot destroys metadata. Viewing a photo in a standard gallery app changes the last-accessed timestamp. Any of these actions can render evidence inadmissible because the opposing attorney will argue the data was altered after collection.
Forensic tools solve this problem by operating in read-only mode. They never modify source files. They compute SHA-256 hash values that mathematically prove the evidence is identical to the original. They generate chain of custody documentation that records every action taken on the evidence. This is what separates investigative findings from courtroom evidence.
The Cost Problem: Enterprise Tools vs PI Budgets
The forensic tool market was built for law enforcement agencies and large corporations. Cellebrite UFED costs $15,000 or more per year with mandatory annual license renewals. MSAB XRY runs $12,000 annually. Oxygen Forensic Detective charges $3,500 per year. These tools are designed for agencies processing hundreds of devices per month with six-figure budgets.
Private investigators operate on case-by-case budgets. A PI handling a divorce case cannot justify a $15,000 tool purchase when the entire engagement fee might be $3,000. The result is that most PIs either skip digital evidence entirely or use consumer-grade tools that produce output no court will accept.
Sherlock forensic tools are built for this gap. Sherlock PST Viewer Forensic Edition costs $67 one-time. Sherlock Android Acquirer Forensic Edition costs $399 one-time. No subscriptions. No annual renewals. No per-case licensing. Buy once and use on every case for the life of the software.
| Tool | Annual Cost | 3-Year Total | Licensing Model |
|---|---|---|---|
| Cellebrite UFED | $15,000 | $45,000 | Annual subscription |
| MSAB XRY | $12,000 | $36,000 | Annual subscription |
| Oxygen Forensic Detective | $3,500 | $10,500 | Annual subscription |
| Sherlock PST Viewer | $67 | $67 | One-time purchase |
| Sherlock Android Acquirer | $399 | $399 | One-time purchase |
A PI firm can equip itself with both Sherlock forensic tools for $466 total. The same firm would spend $45,000 over three years on Cellebrite alone. That is a 99% cost reduction with equivalent forensic output for consent-based logical extraction cases.
PST Viewer for Email Evidence in PI Cases
Email is central to corporate fraud investigations, divorce cases involving financial deception and insurance fraud documentation. Outlook PST and OST files contain every message, attachment, calendar entry and contact in an account. Sherlock PST Viewer opens these files in strict read-only mode without modifying a single byte.
- Divorce and infidelity cases
  - Search PST archives for communications with specific individuals, date ranges covering the period in question and keywords related to financial transfers, property or relationship communications. Export relevant messages with SHA-256 per-message hashing for family court submission.
- Corporate fraud and embezzlement
  - Analyze employee email archives for communications with vendors, financial institutions or competitors. Identify forwarding of confidential documents to personal accounts. Trace approval chains for irregular transactions. The Forensic Edition generates court-ready PDF reports with sender IP attribution from RFC-822 Received headers.
- Insurance fraud documentation
  - Review email correspondence for communications that contradict insurance claims. Identify messages discussing pre-existing conditions, planned activities inconsistent with claimed injuries or coordination with other parties involved in fraudulent claims.
- Forensic Edition features ($67)
  - SHA-256 per-message hashing, keyword and date-range search across entire PST archives, chain of custody reports, court-ready PDF output with evidence cards including SPF/DKIM/DMARC authentication results. Read-only analysis preserves evidence integrity.
Android Acquirer for Mobile Evidence in PI Cases
Mobile devices contain text messages, call logs, location data, photos, app data and browsing history that are relevant to nearly every PI case type. Sherlock Android Acquirer performs forensic extraction from Android devices with consent-gated workflows designed for private investigation work.
- Fraud and custody cases
  - Extract text messages and call logs that document communication patterns. Location data from device records can confirm or contradict statements about whereabouts at specific times. Photo metadata reveals when and where images were captured.
- Missing persons investigations
  - When a missing person's Android device is available with family consent, forensic extraction can recover recent communications, location history, app usage and browsing activity that may indicate the person's last known movements and contacts.
- Forensic Edition features ($399)
  - Full logical extraction with SHA-256 hash verification, device identification details, selective data collection by category, forensic PDF reports with chain of custody documentation. Consent-gated workflow requires documented authorization before extraction begins. No permanent software installed on the device.
Court Admissibility: Why Forensic-Grade Tools Matter
The difference between a PI's findings and courtroom evidence is forensic methodology. Judges and opposing counsel evaluate digital evidence on three criteria: integrity, authentication and chain of custody.
Integrity. Was the evidence modified after collection? Forensic tools prove integrity through SHA-256 hashing. The hash computed at collection time must match the hash computed at presentation time. If a single bit changes, the hash changes completely. Sherlock tools compute hashes automatically during analysis and include them in every report.
Authentication. Does the evidence come from the source it claims to come from? For email, this means verifying RFC-822 Received headers, sender IP addresses and SPF/DKIM/DMARC authentication results. For mobile devices, this means recording device serial numbers, IMEI numbers and extraction timestamps. Consumer tools do not capture this data.
Chain of custody. Who handled the evidence and what did they do with it? Every person who touches evidence must be documented with dates, times and purpose. Sherlock forensic tools generate automated chain of custody logs that record the examiner identity, examination date, source file hash, every search query executed and every item exported.
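As an added illustration of the authentication criterion above (not Sherlock's code and not part of the original page), this Python example parses a constructed message and separates the sender IP recorded by a trusted receiving server from hops that only the sending side asserts. The host names, IP addresses and function names are assumptions made for the example.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message (example domains, documentation IP ranges).
SAMPLE = (
    "Authentication-Results: mx.recipient.example;\n"
    "\tspf=pass smtp.mailfrom=sender.example;\n"
    "\tdkim=pass header.d=sender.example;\n"
    "\tdmarc=pass header.from=sender.example\n"
    "Received: from smtp.sender.example (smtp.sender.example [203.0.113.25])\n"
    "\tby mx.recipient.example with ESMTPS id def456; Tue, 04 Mar 2025 10:15:01 -0800\n"
    "Received: from laptop (unknown [192.0.2.44])\n"
    "\tby smtp.sender.example with ESMTPSA id ghi789; Tue, 04 Mar 2025 10:15:00 -0800\n"
    "From: Alice <alice@sender.example>\n"
    "Subject: Invoice\n"
    "\n"
    "Body text.\n"
)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
BY_RE = re.compile(r"\bby\s+(\S+)")

def received_hops(msg):
    """Return Received hops oldest-first as (connecting_ip, recording_host)."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        value = " ".join(raw.split())          # unfold continuation lines
        ip_m, by_m = IP_RE.search(value), BY_RE.search(value)
        try:
            ip = str(ipaddress.ip_address(ip_m.group(1))) if ip_m else None
        except ValueError:
            ip = None                          # bracketed text was not an IP
        hops.append((ip, by_m.group(1).lower() if by_m else None))
    return hops

def attributable_ip(hops, trusted_hosts):
    """IP seen by the oldest trusted server; older hops are sender-asserted."""
    return next((ip for ip, by in hops if by in trusted_hosts), None)

def auth_verdicts(msg, trusted_authserv):
    """SPF/DKIM/DMARC results, only from the header our own server stamped."""
    verdicts = {}
    for raw in msg.get_all("Authentication-Results", []):
        authserv, _, rest = " ".join(raw.split()).partition(";")
        # A header stamped by any other host could have been added by the sender.
        if authserv.strip().lower() == trusted_authserv:
            verdicts.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest))
    return verdicts

MSG = message_from_string(SAMPLE)
```

Here `192.0.2.44` is only what the sender's own server claims, while `203.0.113.25` is what the recipient's server observed on the connection, which is why the two are reported separately.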
Chain of Custody for PI-Collected Evidence
Private investigators face heightened scrutiny on chain of custody because they are retained by a party with a stake in the outcome. Opposing counsel will challenge whether the PI altered, selected or manipulated evidence to favor their client. Automated chain of custody documentation removes this vulnerability.
Sherlock forensic tools record every action in a tamper-evident log: when the evidence file was opened, what searches were conducted, what filters were applied, what items were exported and what hash values were computed. The PI does not need to maintain a manual evidence log because the software generates it automatically. This documentation has been accepted in BC Provincial Court, BC Supreme Court and Federal Court proceedings.
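One way a tamper-evident log of the kind described above can work, together with the collection-time versus presentation-time hash comparison from the integrity criterion, is hash chaining: each record's SHA-256 covers the previous record's hash. This is an added example, not Sherlock's implementation; the record fields, file name, examiner name and function names are assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path

GENESIS = "0" * 64  # "previous hash" used by the first record

def sha256_file(path, chunk=1 << 20):
    """Stream the file in binary read-only mode; never opens it for writing."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(log, examiner, action, detail, when):
    """Append a record whose hash covers its content and the previous hash."""
    body = {"seq": len(log), "when": when, "examiner": examiner,
            "action": action, "detail": detail,
            "prev": log[-1]["hash"] if log else GENESIS}
    log.append({**body, "hash": _digest(body)})
    return log[-1]

def verify_log(log):
    """Return the index of the first broken record, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or entry["seq"] != i or _digest(body) != entry["hash"]:
            return i
        prev = entry["hash"]
    return None

def demo():
    """Constructed walk-through: hash evidence, log actions, detect an edit."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "mailbox.pst"                 # hypothetical evidence file
        path.write_bytes(b"constructed evidence bytes")
        collected = sha256_file(path)                  # collection-time hash
        log = []
        append_entry(log, "J. Examiner", "open", {"sha256": collected}, "2025-03-04T18:00:00Z")
        append_entry(log, "J. Examiner", "search", {"query": "wire transfer"}, "2025-03-04T18:05:00Z")
        append_entry(log, "J. Examiner", "export", {"items": 3}, "2025-03-04T18:09:00Z")
        intact = verify_log(log)
        log[1]["detail"]["query"] = "loan"             # simulated after-the-fact edit
        # Re-hash at "presentation time" and re-verify the edited log.
        return intact, sha256_file(path) == collected, verify_log(log)
```

Anyone able to rewrite the whole log can also recompute the chain, so the final record's hash has to be stored somewhere the examiner cannot change, for example in the report delivered to counsel.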
Consent-Based Tools for Private Investigators
Private investigators are not law enforcement. PIs cannot obtain search warrants, compel device access or bypass device security. Every piece of digital evidence a PI collects must be obtained with the consent of the device owner or through lawful access to data the client already possesses.
Sherlock tools are designed for this reality. They do not exploit vulnerabilities, bypass encryption or use law enforcement backdoors. Sherlock Android Acquirer requires documented written consent before any extraction begins. Sherlock PST Viewer analyzes PST files that the client or their organization already has lawful access to. This consent-based design protects the PI from criminal liability under unauthorized access laws and ensures the evidence is admissible.
For a detailed comparison of Sherlock vs enterprise forensic suites, see our Cellebrite alternative analysis.
PI Case Types and Digital Evidence Requirements
| Case Type | Primary Evidence | Sherlock Tool | Key Capability |
|---|---|---|---|
| Divorce / Infidelity | Email, text messages, photos | PST Viewer + Android Acquirer | Communication timeline reconstruction |
| Corporate Fraud | Email, financial documents, attachments | PST Viewer | Sender IP attribution, attachment tracking |
| Insurance Fraud | Location data, communications, photos | Android Acquirer | Location history, photo metadata |
| Missing Persons | Location history, communications, app data | Android Acquirer | Last known location, recent contacts |
| Child Custody | Text messages, call logs, photos | Android Acquirer + PST Viewer | Parenting behavior documentation |
| Employee Theft | Email, USB logs, cloud uploads | PST Viewer | Data exfiltration tracking |
| Background Checks | Public records, email verification | PST Viewer | Email header authentication |
What PIs Need vs What Enterprise Suites Offer
Enterprise forensic suites include capabilities that private investigators do not need and cannot legally use. Understanding this distinction prevents PIs from overspending on features that will never be used in their practice.
| Capability | PI Requirement | Enterprise Suite | Sherlock Tools |
|---|---|---|---|
| Consent-based extraction | Required | Included | Included |
| SHA-256 hashing | Required | Included | Included |
| Chain of custody | Required | Included | Included |
| Court-ready reports | Required | Included | Included |
| Read-only analysis | Required | Included | Included |
| Device exploit/bypass | Not legal for PIs | Included | Not included |
| Full-disk encryption bypass | Not legal for PIs | Included | Not included |
| iOS physical extraction | Rarely needed | Included | Not included |
| Cloud token harvesting | Rarely needed | Included | Not included |
| Annual license fee | Budget constraint | $3,500-$15,000/yr | $0/yr after purchase |
PIs need five core capabilities: consent-based extraction, SHA-256 hashing, chain of custody documentation, court-ready reports and read-only analysis. Sherlock tools deliver all five. Enterprise suites add exploit-based access, encryption bypass and cloud token harvesting that PIs cannot legally use. Paying for those features is paying for capabilities that create legal liability rather than investigative value.