Device Detection
Automatically detects connected Android devices via ADB. Displays device serial number, manufacturer, model name, Android version and build number. Supports multiple simultaneous device connections for batch processing workflows.
Logical acquisition via ADB. SMS, contacts, call logs, media, apps. Court-ready PDF report with SHA-256 hashes for $399 one-time. The 90% of cases that don't need a passcode break.
Sherlock Forensics Android Acquirer is a Windows and Linux forensic tool that performs logical acquisition of Android devices via ADB. It detects connected devices, checks bootloader status, inventories available data and extracts SMS, contacts, call logs, media and apps. Free for device detection and data inventory. The Forensic Edition at $399 one-time adds full data extraction, court-ready PDF reports with SHA-256 per-artifact hashing and chain of custody documentation. Replaces $10,000+ annual platforms like Cellebrite UFED for the logical acquisition cases that make up the majority of mobile forensic workflows.
Linux requires: libgtk-3, libfontconfig1, libxkbcommon. See install instructions.
Version 0.1.6 | 5.0 MB | Windows 10/11 + Linux x64 | SHA256 verified
Cellebrite alternative
The Android forensics market is dominated by Cellebrite UFED at $15,000+ per year and Magnet AXIOM at $4,000+ per year. Both are enterprise platforms designed for federal law enforcement, large police agencies and Fortune-500 forensic labs. For mid-market forensic firms, solo examiners, attorneys needing Android evidence in civil litigation, IT administrators doing internal investigations and law-enforcement secondary tools, that pricing is out of reach. Sherlock Forensics Android Acquirer is the $399 Cellebrite alternative for the buyer who needs court-ready Android forensics without the enterprise platform license.
The pricing gap is 38x at the high end. The capability gap is much smaller than the price difference suggests. Sherlock Forensics Android Acquirer does logical acquisition through ADB - the same Android Debug Bridge protocol Cellebrite and Magnet AXIOM use for their logical acquisition mode. The forensic features Cellebrite charges $15k+ for (court-ready PDF reports, SHA-256 per-artifact hashing, chain of custody logging, examiner attestation) are all in Sherlock at $399. The Magnet AXIOM alternative buyer gets the same logical acquisition surface at 1/10 the price.
Honest about scope: Sherlock Forensics Android Acquirer does NOT do physical acquisition (chip-off, JTAG, ISP), proprietary lock bypass (Cellebrite's "Advanced Logical" decryption of locked devices) or encrypted-backup decryption without the password. For a locked device with no backup password, Cellebrite is the only path. For the much larger set of cases (consented logical acquisition, unlocked device, known-password backup), the cellebrite alternative at $399 covers the same forensic ground.
Who buys the cellebrite alternative path: solo forensic examiners doing $500-$5,000 cases where a $15k tool fee kills the margin, mid-market forensic firms doing internal training without enterprise licensing, attorneys building Android evidence for civil litigation (custody, employment, IP theft), IT administrators conducting internal investigations on company-issued Android devices and law enforcement secondary tools for cases where the primary Cellebrite kit is in use elsewhere. The android forensics workflow runs the same regardless of which tool is in the buyer's hand; the Sherlock advantage is the price point and the no-subscription model.
Compare
| Feature | Free | Pro ($399) |
|---|---|---|
| Device detection and identification | Yes | Yes |
| Bootloader status check | Yes | Yes |
| Data category inventory | Yes | Yes |
| Helper APK install | Yes | Yes |
| Data extraction to folder | No | Yes |
| SMS/MMS extraction | No | Yes |
| Contacts extraction | No | Yes |
| Call log extraction | No | Yes |
| Media file extraction | No | Yes |
| App/APK extraction | No | Yes |
| Forensic PDF report | No | Yes |
| SHA-256 hash verification | No | Yes |
| Chain of custody logging | No | Yes |
| Priority support | No | Yes |
Cost
| Solution | Price | Acquisition Type | Notes |
|---|---|---|---|
| Cellebrite UFED | $10,000 to $15,000+ / year | Logical, file system, physical | Enterprise platform, annual licensing, training required |
| GrayKey | $15,000 to $30,000+ / year | Physical (passcode bypass) | iOS focused, restricted distribution, annual subscription |
| Magnet AXIOM | $4,000+ / year | Logical, file system | Annual licensing, analysis platform |
| Oxygen Forensic Detective | $3,000+ / year | Logical, file system | Annual licensing, broad device support |
| Sherlock Forensics Android Acquirer Pro | $399 one-time | Logical via ADB only | Court-ready PDF, SHA-256 per artifact, no annual fees |
| Sherlock Forensics Android Acquirer Free | $0 | Detection + inventory only | No extraction, no report |
Sherlock Forensics Android Acquirer performs logical acquisition via ADB only. We do not do chip-off, JTAG, ISP or physical extraction. We do not bypass passcodes, brute-force bootloaders or exploit baseband chips. If your case requires physical acquisition of a locked device with an unknown PIN, you need Cellebrite, GrayKey or a specialist lab. For the cases that do not require that ceiling, which is the majority of corporate, family law, eDiscovery and civil work, logical acquisition with full chain of custody is the right tool at the right price. Logical extraction still recovers data not visible in the device UI: app SQLite databases, cached content, system logs and metadata. That covers 90% of real-world Android forensic requirements at 3% of the annual cost of enterprise tools.
Capabilities
Automatically detects connected Android devices via ADB. Displays device serial number, manufacturer, model name, Android version and build number. Supports multiple simultaneous device connections for batch processing workflows.
Queries the bootloader lock status of the connected device. An unlocked bootloader indicates the device may have been modified, which is critical context for forensic analysis. This status is documented in the forensic report.
Nine independently selectable data categories for targeted acquisition.
A lightweight companion application deployed to the target device during acquisition. The helper APK provides access to protected data categories that ADB alone cannot reach on newer Android versions. It runs with standard permissions, does not root the device and can be removed after acquisition.
Pro generates a multi-page forensic PDF report documenting the acquisition. Includes device identification, examiner details, acquisition timestamps, selected data categories, SHA-256 hashes for all extracted files, bootloader status and chain of custody metadata. Structured for court submission.
Pro extracts all selected data to a structured local folder organized by data category. Each file is individually hashed with SHA-256. The output folder contains the raw extracted data alongside the forensic PDF report for a complete evidence package ready for analysis or archival.
Data categories
Sherlock Forensics Android Acquirer extracts the data categories that matter to a forensic examiner, with chain of custody preserved from the device through the forensic PDF report. The android acquisition surface covers nine primary data categories, each toggle-able independently.
The SMS and RCS message categories include sent, received and draft messages. The android sms recovery surface includes soft-deleted messages still in the Android messaging app's trash folder (recoverable indefinitely until the user purges). Recently-deleted text messages on Android 11+ are recoverable through the messaging app's recently deleted section for 30 days. For permanently deleted text messages older than the 30-day window, file-system layer recovery via Sherlock Forensics Disk Imager (separate forensic acquisition workflow) is required.
WhatsApp forensics is one of the most-requested mobile forensics capabilities. WhatsApp data on Android lives in the app's private storage area, which logical acquisition reads via ADB when the device is unlocked and USB debugging is enabled. The WhatsApp forensics surface in Sherlock Forensics Android Acquirer extracts message threads, media attachments, voice notes, group chat metadata, contact list and call logs. For end-to-end encrypted WhatsApp backups stored in Google Drive, the encryption key is required (typically obtained through legal process or the user's voluntary cooperation). The WhatsApp forensics extraction preserves message timestamps, sender IDs and media SHA-256 hashes for court-ready presentation.
Signal forensics on Android has hard limits because Signal's end-to-end encryption protects message content from any tool that does not have the user's signal database password. Sherlock Forensics Android Acquirer captures the Signal app metadata (contacts, group membership, app data structure, timestamp metadata for message events) within the limits of E2E encryption. For actual Signal message body content, the user's signal database password is required. The Signal forensics surface in Sherlock is honest about this limit; tools that claim to decrypt Signal without the password are usually claiming what they cannot deliver.
TikTok forensics is a growing category for civil and criminal investigations involving social-media evidence. The TikTok app cache on Android contains watched videos, paused-and-resumed playback positions, posted content metadata and direct message threads (when the user has granted access). Sherlock Forensics Android Acquirer extracts the TikTok cache data as part of the app data acquisition surface, with timestamps and SHA-256 hashes preserved.
The Android media library acquisition extracts photos, videos, audio recordings and the EXIF metadata embedded in image files. EXIF metadata captures device GPS coordinates, camera model, capture timestamps and editing history. For forensic photography evidence (where the chain of custody requires proof that a photo is unmodified from the moment of capture), the per-photo SHA-256 hash in the Sherlock acquisition surface establishes the chain of custody from device to exhibit.
Additional data categories include installed app inventory (package names, install dates, signing certificates), SIM card data (ICCID, IMSI, stored contacts), Wi-Fi saved networks, browser history and bookmarks, calendar events and device accounts. Each category is toggle-able independently so the examiner can scope the acquisition to the legally-authorized data set.
Rooted vs non-rooted
The rooted device question is one of the most common buyer concerns in android forensics. Rooting an Android device grants superuser access to the full file system, which unlocks data categories that non-rooted android acquisition cannot reach. But rooting modifies the device, which can break chain of custody if not performed before the forensic acquisition begins under documented protocol.
| Data category | Non-Rooted Android | Rooted Device |
|---|---|---|
| SMS, contacts, call logs | Yes (via ADB + helper APK) | Yes |
| WhatsApp messages and media | Yes (private storage via ADB) | Yes (full app database) |
| Signal metadata | Yes (within E2E limits) | Yes (still E2E-limited for content) |
| Media library + EXIF | Yes (public + app-scoped media) | Yes (including app-private media stores) |
| System logs (logcat) | Partial | Full system log access |
| Encrypted app databases (e.g. password managers) | No | Sometimes (still requires app password) |
| Deleted text messages past 30-day window | No (requires file-system forensics) | Sometimes (database journal scan) |
| Chain-of-custody integrity | Preserved (no device modification) | Modified (rooting changes device state) |
The honest forensic answer: for most cases (custody disputes, employment investigations, civil litigation involving Android evidence) the non-rooted android acquisition surface covers the data the case needs. Sherlock Forensics Android Acquirer is designed for the non-rooted path because that preserves chain of custody. If the case requires data only available on a rooted device, the examiner should consult counsel about whether to root and document the procedure under a forensic protocol. Rooting an Android device voids the manufacturer warranty in most cases; that consideration is separate from the forensic admissibility question.
Court-ready chain of custody
Android evidence in legal proceedings has to satisfy the same chain-of-custody requirements as any other digital evidence. Sherlock Forensics Android Acquirer captures the android chain of custody trail from the moment the forensic acquisition begins through the production of the court-ready PDF report.
The android chain of custody log records device serial number, manufacturer and model, Android OS version, bootloader status, acquisition timestamp, examiner identity (configurable), data categories acquired, per-artifact SHA-256 hashes and final report SHA-256. The log writes to a signed JSON sidecar alongside the acquired data so the chain-of-custody record travels with the evidence into the production set.
The android court-ready PDF report includes the cover page with case metadata, device identification, acquisition method (logical via ADB), data category inventory, per-artifact SHA-256 verification table, examiner attestation block and chain-of-custody footer on every page. The android court-ready format matches what e-discovery review platforms expect to ingest and what trial courts expect to see attached to a declaration.
The android evidence applications cover family law (custody disputes, divorce proceedings, allegations of digital harassment), civil litigation (employment, IP theft, breach-of-contract cases involving Android-stored communications), criminal defense (Android device evidence presented by the defense to challenge prosecution narratives) and corporate internal investigations (HR investigations, fraud, policy violations involving company-issued Android devices). For each scenario, the android chain of custody + court-ready PDF + SHA-256 verification trail establishes the android evidence admissibility under Federal Rule of Evidence 901 (or the jurisdictional equivalent).
For the parallel desktop-forensics evidence workflow, see the PST Viewer for email evidence. For the broader Cellebrite vs Magnet AXIOM comparison see the Cellebrite vs Magnet AXIOM 2026 comparison. For the HR-investigation use case specifically see Android evidence collection for HR investigations. For the tool-comparison context see Android forensics tool comparison 2026 and Android logical acquisition without Cellebrite.
Pricing
5+ machines? Contact us for volume pricing.
Use Cases
Police departments and federal agencies use Android Acquirer for rapid logical acquisition of suspect and victim devices. Court-ready PDF reports with SHA-256 hashing satisfy evidentiary requirements. Pairs with our expert witness services for testimony support.
Internal investigation teams extract data from company-issued Android devices during policy violation inquiries, IP theft cases and employee misconduct investigations. The structured output folder integrates with existing case management systems. Pair with our chain of custody documentation for defensible evidence handling.
Family law attorneys and private investigators acquire SMS messages, call logs and media from Android devices in custody disputes, divorce proceedings and harassment cases. Forensic PDF reports document the acquisition for court filing.
Security teams extract data from compromised Android devices during breach investigations. Browser history, installed apps and account data help reconstruct the timeline of a security incident. Used alongside our mobile forensics services.
Litigation support teams preserve Android device data for electronic discovery obligations. The structured extraction with SHA-256 verification establishes chain of custody from the moment of acquisition. Defensible collection at a fraction of enterprise tool costs.
HR teams extract SMS, messaging app content, photos and call logs from company-owned Android devices during harassment, discrimination and policy violation investigations. The forensic PDF report documents what was acquired, when, by whom and with what hash so the investigation withstands wrongful termination or grievance challenges. Pair with our workplace investigation services for end-to-end handling.
Incident response teams acquire compromised employee Androids during data exfiltration investigations, insider threat cases and breach response. Browser history, app installs, Wi-Fi networks and account telemetry build the attacker timeline. SHA-256 per-artifact hashes and chain of custody satisfy legal, insurance and regulatory reviewers without an annual enterprise license.
Guide
Questions
Get Started
Free for device detection, bootloader checks and data inventory. Pro at $399 USD for full extraction and forensic PDF reports. Built by the same team that delivers expert witness testimony and mobile forensic investigations in Canadian courts. See also: chain of custody software, forensic report generator and ADB forensics guide, workplace investigation evidence and private investigator forensic tools. Questions? Call 888.883.4550.
Linux requires: libgtk-3, libfontconfig1, libxkbcommon. See install instructions.
432cc22b132775a7b74ef9f0382f620bcfbbd20dc58f353803b391dfcf2b4fc9
How to verify:
1. Open PowerShell (right-click Start menu, click Terminal)
2. Run: Get-FileHash .\sherlock-android-acquirer.exe
3. Compare the output with the hash above. If they match, the file has not been tampered with.
Sherlock Forensics Android Acquirer is provided for lawful use. Terms of Service
Your email is optional. If you provide it, we send 3 product introduction emails over the next 2 weeks. No long-term marketing. No data sharing. Skip the field and download directly.
$399.00 USD. One-time payment. License key delivered to your email.