What is logical acquisition of an Android device?
Logical acquisition extracts user-accessible data from an Android device through ADB (Android Debug Bridge) without modifying the device storage. It captures SMS messages, contacts, call logs, media files, installed apps and other data categories. This method preserves the original device state and produces results suitable for court proceedings.
Does the tool flag anything automatically?
Version 0.4.0 surfaces findings. A worth-a-look panel on the overview and a Findings of note report section gather what the tool noticed while reading an acquisition, most serious first: a device not in its factory state, a clock not set from the network so its timestamps may not track real time, an app installed from an APK file that can read the screen or every notification, a SIM that has left the phone since it carried a message, messaging accounts whose conversations a logical acquisition cannot reach and files whose contents do not match their name. Each finding is stated as a fact about the material collected, not a conclusion by the tool. The examiner reviews the fact and draws the conclusion.
Does the tool read location data from photos?
Version 0.4.0 reads GPS coordinates and capture time from each pulled photo's own EXIF, which records where and when the photo was taken. The device media index does not report these columns to an app without special permission because Android redacts them, but the photo file copied off the phone still carries them. The coordinates appear on the files tab and travel into a marked photo's entry in the report. This reads the EXIF the file carries; it does not track the device or recover a separate location history.
Does Sherlock Forensics Android Acquirer include a results viewer?
Yes. Version 0.3.0 adds a built-in results viewer with fourteen tabs that read an acquisition back inside the tool: overview, device, conversations, calls, contacts, apps, contact map, usage, notifications, battery, files, networks, integrity and marked items. You review SMS and MMS threads, call logs, contacts, installed apps, app usage and network history without exporting to a separate application, then mark items for the report. Prior versions collected to a folder and left review to external tools.
How does Sherlock Forensics Android Acquirer verify that acquired files were not altered?
The on-device helper hashes each file on the phone and the workstation hashes what arrives, so agreement means two independent parties hashed the same bytes. Folder verification re-hashes every file against the manifest to confirm nothing changed since acquisition. This is tamper evidence that data was not disturbed after collection. Because the manifest itself is unsigned, verification does not by itself prove the origin or authenticity of the evidence, which depends on examiner handling and chain of custody.
Do I need to install adb, the Android SDK or Java to use Sherlock Forensics Android Acquirer?
No. Sherlock Forensics Android Acquirer bundles adb, fastboot and the signed helper APK inside the .exe. First run unpacks the required tools automatically. There is no external Android SDK, Platform Tools or Java Development Kit install required. The tool runs on a clean Windows 10 or 11 workstation. Versions before 0.2.0 expected adb to be installed alongside the .exe; since 0.2.0 the tool is fully self-contained and works on a fresh workstation.
Does Android Acquirer require root access?
No. Sherlock Forensics Android Acquirer performs logical acquisition through ADB without requiring root access. The helper APK extends data access to additional categories without rooting the device. Root access would modify the device and compromise forensic integrity.
What is the helper APK and is it safe?
The helper APK is a signed companion application that Sherlock Forensics Android Acquirer deploys to the target device during acquisition. It provides access to data categories that adb alone cannot reach, such as SMS messages and call logs on non-rooted Android devices. Since 0.2.0 the helper install is recorded in the acquisition manifest with the deployment UTC timestamp and the APK SHA-256, so chain of custody is captured at deployment rather than reconstructed after the fact. Staged copies are swept off the device after acquisition with removal verified. One-click helper removal returns the device to its pre-acquisition state. The APK is code-signed and its hash is documented in the report.
Are forensic reports from Android Acquirer admissible in court?
Sherlock Forensics Android Acquirer Forensic Edition generates forensic PDF reports with SHA-256 hash verification, device identification, acquisition timestamps, examiner details and chain of custody documentation. The tool is built by CISSP, ISSAP and ISSMP certified examiners with 20 years of courtroom experience. Admissibility depends on jurisdiction and proper evidence handling, but the reports document everything courts typically require for mobile device evidence.
What Android versions are supported?
Android 6.0 (Marshmallow) through Android 15. Device detection and bootloader checks work across all supported versions. Some data categories may have limited availability on older Android versions depending on manufacturer modifications.
What data categories can be extracted?
The tool supports nine data categories: SMS/MMS messages, contacts, call logs, media files (photos, videos, audio), installed applications and APKs, Wi-Fi saved networks, browser history and bookmarks (rooted devices), calendar events and device accounts. Each category can be toggled independently before acquisition. Logical acquisition also recovers data not visible in the device UI, including scope-limited system logs and shared-storage artifacts apps write outside their sandbox. App-private SQLite databases under /data/data/ require root or file-system extraction. You do not need physical extraction for 90% of forensic cases.
Is the $399 price a subscription?
No. The $399 USD Pro license is a one-time payment. No subscriptions and no recurring charges. You own the license permanently with free updates included.
How does Android Acquirer compare to Cellebrite?
Cellebrite UFED is an enterprise platform costing $10,000+ annually with physical and file system extraction capabilities. Sherlock Forensics Android Acquirer focuses on logical acquisition at $399 one-time with no annual fees. For investigators who need court-ready logical extractions without enterprise licensing costs, Android Acquirer provides the essential capabilities at a fraction of the price. See our full
Cellebrite alternative comparison for a detailed feature-by-feature breakdown including pricing, acquisition types and court readiness.
Does Sherlock Forensics Android Acquirer work on Linux?
Yes. Sherlock Forensics Android Acquirer is available as a native Linux x64 binary. Download the .tar.gz archive, extract and run. Requires libgtk-3, libfontconfig1 and libxkbcommon.
Is the $399 license refundable?
The Pro license is sold as a final-sale digital product, no refunds. This is why the free version is unrestricted for device detection, bootloader checks and data category inventory. Test it against your case workflow on your hardware before purchasing. If something is technically broken, contact us at 888.883.4550 and we will make it right.
Does Android Acquirer send any device data to Sherlock Forensics?
No. All acquisition runs locally on your workstation. Evidence data, hashes and forensic PDF reports stay on your machine. No telemetry, no cloud upload, no phone-home. The tool talks to the connected Android device via ADB and writes output to your chosen local folder.
What is Android forensic acquisition?
Android forensic acquisition is the process of extracting digital evidence from an Android device in a way that preserves its integrity for legal proceedings. Logical acquisition uses ADB to copy user-accessible data without modifying the device. Physical acquisition images the underlying NAND or UFS storage and requires root, bootloader unlock, chip-off or JTAG. Sherlock Forensics Android Acquirer performs court-ready logical Android acquisition at $399 with SHA-256 per-artifact hashing and full chain of custody logging.
Can I do Android forensics without Cellebrite?
Yes. Sherlock Forensics Android Acquirer is a $399 Cellebrite alternative built for solo examiners, mid-market forensic firms, defense attorneys and IT teams who cannot justify a $15,000+ Cellebrite UFED license. The tool covers Android forensics via ADB across Android 6 through 15 and produces forensic PDF reports with SHA-256 hashes. It does not bypass screen locks or chip-off the device, but for the majority of civil litigation and internal investigation work the data accessible via ADB is sufficient evidence.
How do I extract WhatsApp messages from an Android phone forensically?
On a non-rooted Android device, the WhatsApp local backup at /sdcard/WhatsApp/Databases/ can be acquired via ADB if WhatsApp has produced one. Sherlock Forensics Android Acquirer pulls the database file, msgstore.db.crypt encrypted databases, media library and group metadata into a forensic container with SHA-256 hashes. For full WhatsApp forensics including app-private data, a rooted device widens the scope to /data/data/com.whatsapp/. Sherlock supports both rooted device and non-rooted android extraction paths.
Can I recover deleted text messages from an Android device?
Sometimes. Android SMS recovery depends on whether the device has been used since deletion, the storage medium and whether root access is available. Sherlock Forensics Android Acquirer acquires the SMS database file (/data/data/com.android.providers.telephony/databases/mmssms.db on rooted devices) which can contain deleted text messages in unallocated SQLite pages. On non-rooted android, only currently active SMS records are accessible via ADB. The forensic PDF report documents exactly what android sms recovery scope the acquisition achieved.
Do I need to root the Android device to do forensic acquisition?
No. Sherlock Forensics Android Acquirer performs logical Android forensics on non-rooted Android devices via ADB and the helper APK. Rooting the device modifies storage and breaks chain of custody, which courts disfavor. Non-rooted android extraction covers SMS, contacts, call logs, media, installed apps, Wi-Fi networks and calendar. Rooted device extraction additionally exposes browser history together with app-private data directories under /data/data/ such as WhatsApp, Signal and Telegram. Sherlock supports both acquisition paths.
What is the difference between logical and physical Android acquisition?
Logical Android acquisition extracts user-accessible data through ADB without modifying the device, producing court-ready Android evidence for the majority of civil, criminal and internal investigation work. Physical Android acquisition images the raw storage (NAND, eMMC or UFS) including unallocated space and deleted artifacts, but requires root, bootloader unlock, chip-off or JTAG-class tools. Cellebrite UFED and Magnet AXIOM offer both. Sherlock Forensics Android Acquirer focuses on logical Android acquisition at $399 versus $15,000+ for the enterprise platforms.
How does Sherlock Forensics Android Acquirer compare to Magnet AXIOM?
Magnet AXIOM is a $4,000+ annual subscription enterprise forensic platform covering Android, iOS, computer and cloud acquisition with deep analytics and case-management integration. Sherlock Forensics Android Acquirer is a $399 one-time license focused on Android logical acquisition via ADB with court-ready PDF reporting. AXIOM is the right tool for full-time forensic labs handling complex multi-device cases. Sherlock is the right Magnet AXIOM alternative for solo examiners, defense attorneys, IT teams and labs that need Android evidence acquisition without a four-figure annual contract.
Is Sherlock Forensics Android Acquirer court-ready for evidence admission?
Sherlock Forensics Android Acquirer Forensic Edition produces court-ready Android evidence reports with SHA-256 hashes per artifact, full android chain of custody logging, examiner identification, device fingerprint, acquisition timestamps and Daubert-aligned methodology documentation. The tool is built by CISSP, ISSAP and ISSMP certified examiners with 20+ years of courtroom testimony. Admissibility depends on jurisdiction and on the examiner following proper evidence-handling procedure, but the report format documents everything courts typically require for android court-ready digital evidence.
Can Sherlock acquire Signal messages from Android?
Signal forensics on Android is constrained by Signal's end-to-end encryption and on-device database protection. Sherlock Forensics Android Acquirer acquires the Signal application data directory on a rooted device, which includes the encrypted SQLite database, attachments cache and account metadata. Decryption of the Signal database requires the user passphrase or an extracted database key, which Sherlock does not attempt to crack. On non-rooted android, Signal data is generally inaccessible due to Android's app-private storage sandbox.
What Android versions does Sherlock Forensics Android Acquirer support?
Sherlock Forensics Android Acquirer supports Android 6.0 Marshmallow through Android 15 across Samsung, Google Pixel, OnePlus, Xiaomi, Motorola and most major OEM devices. Device detection, bootloader status check and the nine-category data inventory work on all supported versions. Newer Android security restrictions (scoped storage in Android 10, package visibility in Android 11) may reduce non-rooted android data scope on some categories, which the helper APK partially mitigates for SMS and call logs.