Free Download - Version 0.6.1

Resume E01 Acquisitions. Nothing Else Does.

Interrupted acquisitions pick up where they stopped with digest continuity. Pipelined engine 3x faster than serial imagers (231 to 751 MB/s measured on E01 with SHA-256 + SHA-1 + MD5). Live mission control acquisition console with entropy-shaded drive map. Single 8.4 MB executable. Built by CISSP, ISSAP and ISSMP certified forensic examiners.

Sherlock Forensics Disk Imager 0.6.1 is a free Windows forensic imaging tool that resumes interrupted E01 acquisitions with digest continuity - a capability no other mainstream imager offers (FTK Imager, Guymager and AccessData all force start-over). The pipelined acquisition engine parallelizes read, hash, compress and write for 3x throughput over serial imagers. The live mission control console surfaces entropy-shaded drive map, streaming hash lanes, throughput chart and phase pipeline in real time. Three-pass SHA-256 verification and chain of custody fields built in.

Capabilities

Key Features

Output Formats

Sherlock Forensics Disk Imager supports two acquisition formats used by every major forensic analysis platform. Raw .dd images can be written as a single monolithic file or segmented at 2 GB, 4 GB or 10 GB boundaries to accommodate FAT32 and exFAT destination volumes. EWF format produces .E01/.E02 segmented images compatible with EnCase, FTK, Autopsy and X-Ways. Both formats capture a bit-for-bit copy of the source drive including slack space, unallocated clusters and hidden host-protected areas where supported by the drive controller.

Three-Pass SHA-256 Verification

Verification is not optional and it is not a single pass. Sherlock Forensics Disk Imager reads the source drive and computes a SHA-256 hash. It then re-reads the source drive from the first sector to the last and computes a second SHA-256 hash. Finally it reads the completed image file and computes a third SHA-256 hash. All three hashes must match. If the source drive returns inconsistent data between the first and second reads, the imager flags the discrepancy. If the image hash diverges from the source hashes, the acquisition fails verification. This three-pass approach detects failing drives, intermittent read errors and write corruption on the destination media. Standards from NIST CFTT require demonstrable hash verification of forensic images.

Multi-Hash Computation

SHA-256 is the default hash algorithm. SHA-1 and MD5 are also available. All selected algorithms are computed simultaneously during a single read pass so enabling multiple hashes does not increase acquisition time. Many agencies and courts still require MD5 alongside SHA-256 for backward compatibility with older case management systems. Sherlock Forensics Disk Imager records all computed hashes in the text manifest and in the EWF header fields when using E01 format.

Resumable Imaging

FTK Imager does not resume. If your acquisition fails at 90% due to a power outage, a USB cable disconnect or a system crash, you start over. Sherlock Forensics Disk Imager resumes. When the imager launches, it checks for incomplete imaging sessions. It identifies the source drive by querying the drive serial number through Windows IOCTL calls. If a matching incomplete session exists, the imager picks up from the last verified sector boundary. No data is re-acquired unnecessarily. For large drives that take 8 to 12 hours to image, resumable acquisition is not a convenience feature. It is a necessity.

Honest scope: Resume support applies to raw .dd and segmented dd images. EWF .E01 imaging does not support resume by format design.

Chain of Custody Metadata

Every acquisition requires the examiner to enter case number, evidence number and examiner name before imaging begins. Agency and notes fields are optional but recommended. This metadata is written into both the plain-text manifest file and the EWF header fields when producing E01 images. The manifest includes drive serial number, drive model, drive capacity, sector size, acquisition start time, acquisition end time and all computed hash values. This provides a complete chain of custody record that accompanies the image file. Defense counsel and opposing experts can verify every detail without accessing the original evidence. Guidelines from SWGDE require documented chain of custody for all digital evidence acquisitions. Learn more about our chain of custody software and procedures.

Safety Controls

Sherlock Forensics Disk Imager refuses to write an image to the same physical drive it is reading from. The imager queries the physical drive number through IOCTL_STORAGE_GET_DEVICE_NUMBER for both source and destination and blocks the operation if they match. This prevents the most catastrophic operator error in forensic imaging: overwriting evidence with its own image. The application runs elevated through an embedded manifest that requests administrator privileges at launch. No separate UAC prompt is required after initial consent.

Bad Sector Handling

Damaged media is common in forensic casework. When the imager encounters an unreadable sector, it retries the read on a per-sector basis. If the sector remains unreadable after retries, the imager fills the corresponding bytes in the image with 0xBA (a non-standard fill byte that is easily identifiable in hex analysis). The offset and length of every bad sector are logged to a CSV file alongside the image. Examiners can review the CSV to determine whether unreadable regions overlap with areas of evidentiary interest. Imaging continues to completion regardless of bad sector count.

USB Write Blocker Integration

Sherlock Forensics Disk Imager auto-detects whether Sherlock Forensics USB Write Blocker is active on the system. If write protection is not enabled, the imager displays a warning and offers one-click launch of the write blocker. This integration ensures examiners do not accidentally image a drive without write protection in place. The two tools are designed to work together as a forensic acquisition workflow.

Single Executable

Sherlock Forensics Disk Imager is a single 8.4 MB executable. No installer. No C++ redistributable. No .NET runtime. No Java. Copy it to a USB drive or network share and run it. This makes deployment trivial in enterprise environments and eliminates dependency conflicts on forensic workstations that may run multiple tool versions. The executable is digitally signed and the SHA-256 hash is published for download integrity verification.

Acquisition Modes

Live Acquisition vs Dead Disk Imaging: When to Use Each

Live acquisition and dead disk imaging are two distinct forensic acquisition workflows. Dead disk imaging is the gold-standard discipline: the target machine is powered off, the source drive is removed and connected to the examiner workstation through a hardware writeblocker, then imaged. Dead disk imaging produces the most defensible evidence imaging output because the source is unchanging during the image read and the writeblocker enforces read-only access at the hardware layer. Sherlock Forensics Disk Imager is built for the dead disk imaging workflow as its primary use case.

Live acquisition is the incident-response forensic acquisition workflow when powering the target off would destroy volatile state, when the drive is encrypted with a key only mounted while the system is running or when on-scene operational constraints make dead disk imaging impractical. Live acquisition trades some forensic purity for the ability to capture state that would otherwise be lost. Sherlock Forensics Disk Imager supports live acquisition forensic acquisition where the source drive is accessible as a Windows volume; the source disk is read as-is while the system runs. For live acquisition work the examiner pairs the imager with a software writeblocker to minimize the live-system write footprint. See our USB Blocker Pro for the writeblocker side of the live acquisition workflow.

Physical acquisition is the broader forensic acquisition category that covers both live acquisition and dead disk imaging: imaging the underlying physical storage rather than the logical filesystem view. Physical acquisition captures unallocated space, deleted file artifacts, slack space and recoverable b-tree pages that logical acquisition cannot reach. Sherlock Disk Imager performs physical acquisition on removable and connected drives via Windows raw device access. For comparison see Sherlock Android Acquirer which performs logical acquisition only on Android devices; the physical acquisition vs logical acquisition distinction matters because evidence imaging from a physical acquisition source is what defense experts expect for unallocated-space and deleted-artifact recovery.

Category-First Capability

Resume Interrupted E01 Acquisitions - No Other Mainstream Imager Can Do This

Sherlock Forensics Disk Imager 0.6.1 resumes interrupted EWF E01 acquisitions with digest continuity. A 12-hour acquisition interrupted at hour 10 resumes from hour 10 instead of restarting from zero. No other mainstream imager offers this capability. FTK Imager, Guymager and AccessData all force the examiner to start over from the beginning.

Traditional forensic imagers treat interruption as a fatal condition. If the acquisition is cancelled, if the workstation crashes, if the USB cable disconnects or if the target host reboots mid-imaging the acquisition is lost. On large drives (4 TB to 16 TB modern SSD or spinning disk sizes routine in enterprise investigations) an interrupted acquisition can mean 8 to 12 hours of wasted time and a re-scheduled evidence handling window. In matters where the drive returns to service quickly the second window may not exist at all.

Sherlock Disk Imager 0.6.1 solves this at the container-format level. When an E01 acquisition is interrupted the partial container is left visibly unfinished (no hash or done sections) rather than sealed to look complete. On the next launch the imager structure-scans the partial container with checksum validation, repairs any crash damage at the segment boundary, decodes and re-hashes already-acquired chunks so the SHA-256 and SHA-1 and MD5 digests carry forward, then reopens the container in place at the last verified sector.

Digest continuity is the load-bearing property. The final image after resume carries hash values equivalent to what a single uninterrupted acquisition would have produced. Chain-of-custody documentation records the interruption event and the resume timestamp but the evidence hash is not affected. Court submission of a resumed acquisition is defensible on the same terms as an uninterrupted acquisition.

Competitor comparison. FTK Imager (AccessData Exterro) provides no resume mechanism; interrupted acquisitions restart from zero. Guymager (open-source Linux forensic imager) provides no resume mechanism. Magnet AXIOM Cyber and Magnet FORENSIC (paid tools in the $2000+ per user annual range) do not resume E01 acquisitions. Cellebrite Physical Analyzer does not perform disk imaging at all (it processes acquired images). The category as of 2026 has one tool that resumes E01: Sherlock Disk Imager.

The custom E01 segment size selector (any value from 64 MiB alongside standard presets) is validated against the source drive size so the 14,971-file segment-count ceiling built into the EWF format cannot be hit mid-acquisition. Prior versions of Sherlock and every current competitor could hit this ceiling silently on large drives at default segment size. Sherlock 0.6.1 pre-validates and refuses to proceed with a segment configuration that would exceed the ceiling.

Throughput

Pipelined Acquisition Engine - 3x Faster Than Serial Imagers

Sherlock Disk Imager 0.6.1 measures 231 to 751 MB/s on E01 with SHA-256 and SHA-1 and MD5 hashing enabled. The 3x throughput comes from a pipelined engine that overlaps reading, hashing, EWF chunk compression and writing rather than running them serially. On a 4 TB drive this saves approximately 3 hours per acquisition compared to serial-imager throughput.

Traditional forensic imagers execute the acquisition pipeline serially: read a chunk of source data, compute the hash on that chunk, compress it into the EWF container, write the compressed chunk to destination, then read the next chunk. Each stage waits for the previous stage to complete. On modern hardware (multi-core CPU and PCIe NVMe destination and SATA or NVMe source) the serial pipeline underutilizes the available compute and I/O bandwidth.

Sherlock 0.6.1 parallelizes the stages. The read thread pulls chunks from the source drive continuously into a bounded read-ahead buffer. Per-hash-algorithm threads (SHA-256 thread, SHA-1 thread, MD5 thread) consume buffered chunks in parallel. The compression pool (thread-per-core, ordered so output remains sequential) consumes buffered chunks concurrently with hashing. The write thread drains the compressed output to destination. All stages overlap and the wall-clock throughput approaches the slowest stage's raw capacity.

Measured benchmarks: 231 MB/s serial baseline versus 751 MB/s pipelined on the same hardware (Intel i7 workstation, PCIe Gen 4 NVMe source and destination, E01 output with SHA-256 and SHA-1 and MD5). On a 4 TB source drive this reduces acquisition time from approximately 4.8 hours to approximately 1.5 hours. On a 16 TB source drive the delta is approximately 19 hours reduced to approximately 6 hours.

Entropy-aware compression: incompressible data (encrypted volumes, video and image files, compressed archives) is detected by chunk-level entropy analysis and stored raw. This skips wasted compression work on chunks where compression yields no size reduction. On drives dominated by user media the throughput improvement over compression-everywhere approaches is substantial.

Concurrent verification: the full three-pass verification pipeline (source re-read and image readback) runs concurrently on the different source and destination devices instead of sequentially. Verification wall-clock is one pass instead of two. On the 4 TB example above this cuts verification from approximately 3 hours to approximately 1.5 hours.

Buyer-relevant math for the busy examiner: on a typical week involving 3 large-drive acquisitions per week, the pipelined engine and concurrent verify saves 12 to 15 hours of examiner wall-clock per week. That converts directly to case throughput or to earlier evidence-handoff windows.

Console

Live Mission Control Acquisition Console

The Sherlock 0.6.1 acquisition console surfaces the full state of the acquisition in real time. Entropy-shaded drive map, streaming hash lanes, throughput chart, read-ahead gauge, hex data tap, phase pipeline and segment odometer all live-update as the acquisition proceeds. Bad sectors mark red with crosses. Compression ratio ticks with each chunk. Examiners see the acquisition in flight rather than staring at a progress bar.

Prior versions of Sherlock and every mainstream competitor tool present the acquisition as a progress bar and a percentage counter. The examiner sees "34% complete" and waits. Sherlock 0.6.1 surfaces the underlying state so the examiner can react to what the acquisition is actually doing.

Console feature list:

  • Entropy-shaded drive map. Each pixel represents a chunk region. Colour intensity reflects data entropy. As the acquisition proceeds the map fills in. Bad sectors mark red with crosses. Verification passes sweep the map live (amber for re-read, blue for readback).
  • Live throughput chart with event ticks (segment boundaries, buffer stalls, entropy-region transitions).
  • Streaming hash lanes for SHA-256 and SHA-1 and MD5. Each lane shows chunks flowing through the hash pipeline in real time.
  • Read-ahead buffer gauge so the examiner can see when the source drive is bottlenecking the pipeline.
  • Hex data tap that fills the full card width and shows the raw bytes flowing through the read pipeline at any given moment.
  • Phase pipeline visualization showing all pipeline stages (read, hash, compress, write) live with per-stage utilization.
  • Segment odometer for E01 acquisitions showing segment-by-segment progress and the segment-count ceiling headroom remaining.
  • Live compression ratio updating per chunk so the examiner can see when incompressible regions are hit.

The console fits the window without scrolling on standard forensic workstation display resolutions. A hidden --console-demo flag runs a full simulated acquisition for training, UI review and demonstration work with no hardware or elevation required (clearly bannered as demo mode so it cannot be mistaken for real evidence).

Failed image-readback verify no longer discards a completed acquisition. Prior versions treated readback failure as fatal and rolled back the acquisition. Sherlock 0.6.1 keeps the image and manifest intact and records the failure reason in both. The examiner can inspect the failure, correct the destination media or re-verify against a different destination.

Changelog

Release History

v0.6.1 (2026-07-14)

  • CRITICAL EnCase compatibility fix. Chunk compression uses zlib-exact backend. Prior miniz backend could emit rare RFC-legal deflate streams that EnCase's verifier rejected (showing "sector groups could not be verified" and hash mismatch on images with intact data). Verified on affected evidence file. Slightly faster compression as bonus.
  • SHA-256: 7fa1e8e1b484c3ca62ee61948c2191824375de3efebc7551d24803cfb5b2e1c7

v0.6.0 (2026-07-13)

  • E01 RESUME: interrupted EWF acquisitions can now be resumed. Partial container is structure-scanned with checksum validation, crash damage is repaired, already-acquired chunks are decoded and re-hashed so digests carry forward, container is reopened in place. No other mainstream imager can resume an E01.
  • Custom E01 segment size: any value from 64 MiB alongside presets, validated against source drive so segment-count ceiling (14,971 files) cannot be hit mid-acquisition.
  • Aborted E01 containers left visibly unfinished (no hash or done sections) instead of sealed to look complete.
  • Console: verify passes sweep the data map live (amber re-read, blue readback); everything fits the window without scrolling.

v0.5.0 (2026-07-13)

  • 3x FASTER: pipelined acquisition engine. Reading, hashing (per-algorithm threads), EWF chunk compression (all cores in order) and writing overlap instead of running serially. Measured on E01 with SHA-256 + SHA-1 + MD5: 231 to 751 MB/s.
  • Incompressible data (encrypted volumes, media) detected by entropy and stored raw, skipping wasted compression work.
  • Full verification is one pass of wall-clock instead of two: source re-read and image readback run concurrently on different devices.
  • New acquisition console: entropy-shaded drive map, live throughput chart with event ticks, streaming hash lanes, read-ahead buffer gauge, hex data tap, phase pipeline, segment odometer and live compression ratio.
  • Failed image-readback verify no longer discards completed acquisition; image and manifest kept with failure reason recorded in both.

v0.4.0 (2026-07-13)

  • E01 segment size selectable: 1.5 GB (FTK default), 2 GB, 4 GB, 8 GB or 16 GB.
  • Fixed: EWF segment naming wrapped after .EZZ (segment 776) which aborted acquisitions past ~1.16 TB at default segment size. Naming now follows standard .E01-.E99, .EAA-.EZZ, .FAA-.ZZZ sequence.
  • Fixed: 31-bit chunk-table offsets could overflow with multi-GiB segments on 4K-sector sources; sections rotate before the limit.

Compare

Forensic Disk Imager Comparison

FeatureSherlock Forensics Disk ImagerFTK Imagerdd (Linux)Guymager
PriceFreeFreeFree (built-in)Free (open source)
E01 supportYesYesNoYes
Raw dd supportYes (single + segmented)YesYesYes
Resumable imagingYes (auto by serial)NoNoNo
Three-pass verificationYesNo (single pass)Manual onlyNo (single pass)
Chain of custody fieldsYes (required)Yes (optional)NoYes (optional)
Bad sector handlingRetry + 0xBA fill + CSV logSkip or abortddrescue requiredSkip + log
Single executable8.4 MB, no dependenciesInstaller requiredBuilt into LinuxPackage install
PlatformWindows 10/11WindowsLinux/macOSLinux

Why Resumable Imaging Matters

A 4 TB drive takes approximately 10 hours to image over USB 3.0. If the acquisition fails at hour nine due to a loose cable, a power interruption or a system sleep event, FTK Imager requires you to restart from sector zero. That is another 10 hours. Sherlock Forensics Disk Imager detects the incomplete session by querying the drive serial number and resumes from the last verified sector boundary. For examiners imaging multiple large drives under time pressure, this capability eliminates the most frustrating failure mode in forensic acquisition.

Cost

Cost Comparison

SolutionPriceResumes?Notes
FTK Imager (Exterro)FreeNoInstaller, dependencies, no resume after failure
EnCase Forensic Imager (OpenText)Free (legacy, EOL'd)NoNo longer maintained, legacy Windows only
Guymager (open source)FreeNoLinux only, package install required
ddrescue (GNU)FreeYesCLI only, no GUI, no chain of custody fields
Sherlock Forensics Disk ImagerFreeYes (auto by serial)Single 8.4 MB exe, three-pass SHA-256, chain of custody built in

Beyond the FTK Imager alternative comparison, Sherlock fits the broader competitor landscape: as an X-Ways Forensics alternative for the disk acquisition step (X-Ways Forensics is a paid commercial all-in-one forensic suite at $1,495 per user; for the disk imaging slice alone Sherlock is the X-Ways Forensics alternative on the disk-acquisition layer at $0 with the same E01 image and DD image output formats). FTK Imager itself was historically published by AccessData; AccessData was acquired by Exterro and FTK Imager is now an Exterro property, but the AccessData heritage is what most veteran examiners associate with the FTK Imager product line. Sherlock's evidence imaging output (raw disk image and E01 image and DD image) interoperates with every forensic analysis tool whether Autopsy, EnCase, X-Ways Forensics or FTK; the raw disk image format is universally readable and the E01 image format is the gold-standard EWF container. For the writeblocker side of the evidence imaging workflow see Sherlock Forensics USB Blocker Pro; for the broader mid-market vs enterprise positioning context see our Cellebrite vs Magnet AXIOM 2026 comparison; for the cross-product utility-tool catalogue see our Sherlock tool index and our Port Scanner.

Use Cases

Who Uses Sherlock Forensics Disk Imager

Forensic Examiners

Digital forensic professionals who need court-admissible disk images with documented chain of custody. Three-pass verification provides stronger evidence integrity than single-pass alternatives.

Law Enforcement

Police and federal investigators acquiring evidence drives during search warrants. Resumable imaging ensures large drives complete acquisition even in field conditions with unreliable power.

Incident Responders

DFIR teams imaging compromised systems during active security incidents. The single executable deploys instantly without installation and the write blocker integration prevents evidence contamination.

IT Administrators

System administrators creating forensic images of employee drives for HR investigations or compliance audits. Free licensing with no seat limits means any team member can acquire evidence properly.

Corporate IR / Breach Response

Ransomware response, insider threat investigations and breach forensics start with imaging the affected disks before any remediation touches them. Resumable acquisition handles the 4 TB and 8 TB server drives where FTK Imager forces a full restart. Free across the whole IR team so every responder can acquire defensibly without burning a license seat.

Procedure

How to Create a Forensic Disk Image

Follow this step-by-step procedure when using Sherlock Forensics Disk Imager for forensic drive acquisition. Document each step in your case notes.

  1. Enable USB Write Blocker. Launch Sherlock Forensics USB Write Blocker and activate write protection before connecting the suspect drive. Confirm the protection status indicator shows active. Do not connect the evidence drive until write blocking is confirmed. This step is critical for maintaining evidence integrity and chain of custody.
  2. Launch Disk Imager. Open Sherlock Forensics Disk Imager. The application requests administrator privileges through its embedded manifest. If Sherlock Forensics USB Write Blocker is running, the imager confirms write protection is active. If write protection is not detected, the imager displays a warning with a one-click option to launch the write blocker.
  3. Select Source Drive. Choose the suspect drive from the detected device list. The imager displays the drive serial number, model, capacity, interface type and sector size. Verify you have selected the correct source drive. The imager will refuse to proceed if the destination path resides on the same physical drive as the source.
  4. Configure Output Format and Destination. Select your output format: Raw .dd (single file or segmented at 2 GB, 4 GB or 10 GB) or EWF .E01/.E02. Choose a destination path on a separate drive with sufficient free space. Enter the required chain of custody fields: case number, evidence number and examiner name. Optionally enter agency and notes. Select hash algorithms (SHA-256 is always enabled; optionally add SHA-1 and MD5).
  5. Start Imaging. Click Start to begin acquisition. The imager reads the source drive sector by sector, computes hashes and writes the image to the destination. When the first pass completes, the imager re-reads the source drive for the second verification pass then reads the image for the third pass. All three SHA-256 hashes must match. The text manifest and EWF headers are written with all metadata. If imaging is interrupted at any point, reconnect the drive and relaunch the imager to resume automatically.

Download

Get Sherlock Forensics Disk Imager

Version 0.6.1 for Windows 10/11 (64-bit). Single executable. No license required.

File
sherlock-disk-imager.exe
SHA256
7fa1e8e1b484c3ca62ee61948c2191824375de3efebc7551d24803cfb5b2e1c7
Version
0.6.1
Released
14 July 2026
Size
8.4 MB
Platform
Windows 10/11 (64-bit)
Dependencies
None. No installer, no C++ redistributable, no .NET runtime.
Price
Free. No trial period. No feature restrictions.
7fa1e8e1b484c3ca62ee61948c2191824375de3efebc7551d24803cfb5b2e1c7

How to verify:
1. Open PowerShell (right-click Start menu, click Terminal)
2. Run: Get-FileHash .\sherlock-disk-imager.exe
3. Compare the output with the hash above. If they match, the file has not been tampered with.

Questions

Disk Imager FAQ

Is Sherlock Forensics Disk Imager free?
Yes. Sherlock Forensics Disk Imager is completely free with no trial period, no feature restrictions and no license required. Download the 8.4 MB executable and use it without limitations.
What image formats does Sherlock Forensics Disk Imager support?
Sherlock Forensics Disk Imager creates raw .dd images (single file or segmented at 2 GB, 4 GB or 10 GB boundaries) and EWF .E01/.E02 images. Both formats are widely supported by forensic analysis tools including EnCase, FTK, Autopsy and X-Ways.
What happens if imaging is interrupted by a crash or power loss?
Sherlock Forensics Disk Imager resumes automatically. When you reconnect the source drive and relaunch the imager, it detects the incomplete session by matching the drive serial number via IOCTL query. Imaging picks up from the last verified sector without restarting from the beginning.
How does three-pass verification work?
The imager performs three separate read operations. First it reads the source drive and computes a SHA-256 hash. Then it re-reads the source drive and computes a second SHA-256 hash. Finally it reads the completed image and computes a third SHA-256 hash. All three hashes must match to confirm the source was read consistently and the image is a faithful copy.
Can Sherlock Forensics Disk Imager replace FTK Imager?
For disk acquisition, yes. Sherlock Forensics Disk Imager produces the same E01 and raw dd formats as FTK Imager. It adds resumable imaging that FTK Imager lacks and three-pass verification for stronger evidence integrity. FTK Imager offers additional features like memory capture and file browsing that Sherlock Forensics Disk Imager does not include.
How does Sherlock Forensics Disk Imager handle bad sectors?
When the imager encounters an unreadable sector, it retries the read on a per-sector basis. If the sector remains unreadable after retries, it fills the corresponding bytes in the image with 0xBA and logs the offset and length to a CSV file. This ensures imaging completes even on damaged media while documenting exactly which sectors could not be read.
Are images from Sherlock Forensics Disk Imager admissible in court?
Yes when paired with proper procedure. The imager produces standard E01 and raw dd formats accepted by EnCase, FTK, Autopsy and X-Ways. Three-pass SHA-256 verification proves the image is a faithful copy of the source. Required chain of custody fields (case number, evidence number, examiner name) are embedded in the text manifest and EWF header. The tool is built by CISSP, ISSAP and ISSMP certified examiners with 20 years of Canadian courtroom experience. Admissibility ultimately depends on jurisdiction and proper handling but the imager produces every artifact courts typically require.
Does Sherlock Forensics Disk Imager run on Linux or macOS?
No. Sherlock Forensics Disk Imager is a Windows 10/11 64-bit application. For Linux, use Guymager, dcfldd or ddrescue. For macOS, the built-in dd command or commercial tools like MacQuisition. Sherlock Forensics Disk Imager focuses on the Windows acquisition workflow where FTK Imager's lack of resume capability hurts most.
Does the imager send any data to Sherlock Forensics or third parties?
No. Sherlock Forensics Disk Imager processes all data locally on your workstation. No telemetry, no cloud upload, no phone-home. The single 8.4 MB executable runs offline. Evidence drives, image files, hashes and chain of custody metadata stay on the examiner workstation.
What is the difference between live acquisition and dead disk imaging?
Dead disk imaging is the gold standard: target powered off, source drive removed and imaged through a hardware writeblocker to the examiner workstation. Dead disk imaging produces the most defensible evidence imaging output because the source is unchanging and the writeblocker enforces read-only access. Live acquisition is the incident-response workflow when powering off would destroy volatile state, when the drive is encrypted with a key only mounted while running or when on-scene operational constraints make dead disk imaging impractical. Live acquisition trades some forensic purity for the ability to capture state that would otherwise be lost. Sherlock supports both; pair live acquisition with a software writeblocker to minimize the live-system write footprint.
Is Sherlock Forensics Disk Imager an X-Ways Forensics alternative?
For the disk acquisition step, yes. X-Ways Forensics is a paid commercial all-in-one forensic suite at $1,495 per user covering acquisition + analysis + reporting. For the disk acquisition slice alone Sherlock is the X-Ways Forensics alternative at $0 with the same raw disk image, E01 image and DD image output formats. X-Ways Forensics is the right tool for end-to-end forensic case work in one product. Sherlock as an X-Ways Forensics alternative is the right tool for the imaging step when the examiner uses different downstream tools or works in a budget-constrained shop. The output is fully interoperable.
Can Sherlock Forensics Disk Imager be used with USB write blockers?
Yes. The recommended workflow for dead disk imaging is: hardware writeblocker between source drive and examiner workstation, then Sherlock Forensics Disk Imager for the imaging pass. For situations where a hardware writeblocker is not available (field triage, incident response on the go), use Sherlock Forensics USB Blocker Pro as the software writeblocker layer and Sherlock Disk Imager for the imaging pass. The two tools are designed to pair: writeblocker enforces read-only access, disk imager produces the evidence imaging output with three-pass SHA-256 verification and chain of custody fields.
What's the difference between raw disk image and E01 forensic image?
Raw disk image (.dd format) is a bit-for-bit copy of the source storage with no metadata wrapper; just the raw sectors. The DD image format is universally readable by every forensic tool. E01 image (Expert Witness Format, .E01/.E02) wraps the raw disk image in an EWF container with embedded SHA-256 hash, case metadata, examiner name and segmented-file structure. Both formats are accepted in court when proper acquisition procedure is documented. Choose raw disk image when downstream tools require it or when you want the simplest format; choose E01 image when you want the embedded metadata + segmented files for easier handling of large drives.

Get Started

Download Sherlock Forensics Disk Imager

Free forensic disk imager built by CISSP, ISSAP and ISSMP certified forensic professionals. Need a full forensic examination or incident response? Contact our team.

Since 2006CISSP, ISSAP, ISSMP certified888.883.4550

Sherlock Forensics Disk Imager is provided for lawful forensic use only. Ensure compliance with your jurisdiction's evidence handling requirements. Terms of Service

Related Sherlock Tool

For iOS device evidence acquisition alongside disk imaging workflows, see the new Sherlock Forensics iPhone and iPad Analyzer. Logical MobileBackup2 acquisition with encrypted-backup decryption and 70+ artifact analysis views for iPhone and iPad evidence. Windows workstation, court-defensible chain of custody, Forensic Edition $599 one-time.

Download

Your email is optional. If you provide it, we send 3 product introduction emails over the next 2 weeks. No long-term marketing. No data sharing. Skip the field and download directly.