Free Download

Free Forensic Disk Imager FTK Imager is free. So is ours — and ours resumes.

Free forensic disk imager for Windows. Creates E01 and raw dd images with three-pass SHA-256 verification. Resumable imaging survives crashes, power loss and device disconnects. Built by CISSP, ISSAP and ISSMP certified forensic examiners. Single 4.4 MB executable. No installer. No license required.

Sherlock Forensics Disk Imager is a free Windows forensic imaging tool that creates E01 and raw dd disk images with three-pass SHA-256 verification. It resumes interrupted acquisitions automatically by matching drive serial numbers. The 4.4 MB standalone executable requires no installation and embeds chain of custody metadata into every image manifest.

Capabilities

Key Features

Output Formats

Sherlock Forensics Disk Imager supports two acquisition formats used by every major forensic analysis platform. Raw .dd images can be written as a single monolithic file or segmented at 2 GB, 4 GB or 10 GB boundaries to accommodate FAT32 and exFAT destination volumes. EWF format produces .E01/.E02 segmented images compatible with EnCase, FTK, Autopsy and X-Ways. Both formats capture a bit-for-bit copy of the source drive including slack space, unallocated clusters and hidden host-protected areas where supported by the drive controller.

Three-Pass SHA-256 Verification

Verification is not optional and it is not a single pass. Sherlock Forensics Disk Imager reads the source drive and computes a SHA-256 hash. It then re-reads the source drive from the first sector to the last and computes a second SHA-256 hash. Finally it reads the completed image file and computes a third SHA-256 hash. All three hashes must match. If the source drive returns inconsistent data between the first and second reads, the imager flags the discrepancy. If the image hash diverges from the source hashes, the acquisition fails verification. This three-pass approach detects failing drives, intermittent read errors and write corruption on the destination media. Standards from NIST CFTT require demonstrable hash verification of forensic images.

Multi-Hash Computation

SHA-256 is the default hash algorithm. SHA-1 and MD5 are also available. All selected algorithms are computed simultaneously during a single read pass so enabling multiple hashes does not increase acquisition time. Many agencies and courts still require MD5 alongside SHA-256 for backward compatibility with older case management systems. Sherlock Forensics Disk Imager records all computed hashes in the text manifest and in the EWF header fields when using E01 format.

Resumable Imaging

FTK Imager does not resume. If your acquisition fails at 90% due to a power outage, a USB cable disconnect or a system crash, you start over. Sherlock Forensics Disk Imager resumes. When the imager launches, it checks for incomplete imaging sessions. It identifies the source drive by querying the drive serial number through Windows IOCTL calls. If a matching incomplete session exists, the imager picks up from the last verified sector boundary. No data is re-acquired unnecessarily. For large drives that take 8 to 12 hours to image, resumable acquisition is not a convenience feature. It is a necessity.

Chain of Custody Metadata

Every acquisition requires the examiner to enter case number, evidence number and examiner name before imaging begins. Agency and notes fields are optional but recommended. This metadata is written into both the plain-text manifest file and the EWF header fields when producing E01 images. The manifest includes drive serial number, drive model, drive capacity, sector size, acquisition start time, acquisition end time and all computed hash values. This provides a complete chain of custody record that accompanies the image file. Defense counsel and opposing experts can verify every detail without accessing the original evidence. Guidelines from SWGDE require documented chain of custody for all digital evidence acquisitions.

Safety Controls

Sherlock Forensics Disk Imager refuses to write an image to the same physical drive it is reading from. The imager queries the physical drive number through IOCTL_STORAGE_GET_DEVICE_NUMBER for both source and destination and blocks the operation if they match. This prevents the most catastrophic operator error in forensic imaging: overwriting evidence with its own image. The application runs elevated through an embedded manifest that requests administrator privileges at launch. No separate UAC prompt is required after initial consent.

Bad Sector Handling

Damaged media is common in forensic casework. When the imager encounters an unreadable sector, it retries the read on a per-sector basis. If the sector remains unreadable after retries, the imager fills the corresponding bytes in the image with 0xBA (a non-standard fill byte that is easily identifiable in hex analysis). The offset and length of every bad sector are logged to a CSV file alongside the image. Examiners can review the CSV to determine whether unreadable regions overlap with areas of evidentiary interest. Imaging continues to completion regardless of bad sector count.

USB Write Blocker Integration

Sherlock Forensics Disk Imager auto-detects whether Sherlock Forensics USB Write Blocker is active on the system. If write protection is not enabled, the imager displays a warning and offers one-click launch of the write blocker. This integration ensures examiners do not accidentally image a drive without write protection in place. The two tools are designed to work together as a forensic acquisition workflow.

Single Executable

Sherlock Forensics Disk Imager is a single 4.4 MB executable. No installer. No C++ redistributable. No .NET runtime. No Java. Copy it to a USB drive or network share and run it. This makes deployment trivial in enterprise environments and eliminates dependency conflicts on forensic workstations that may run multiple tool versions. The executable is digitally signed and the SHA-256 hash is published for download integrity verification.

Compare

Forensic Disk Imager Comparison

FeatureSherlock Forensics Disk ImagerFTK Imagerdd (Linux)Guymager
PriceFreeFreeFree (built-in)Free (open source)
E01 supportYesYesNoYes
Raw dd supportYes (single + segmented)YesYesYes
Resumable imagingYes (auto by serial)NoNoNo
Three-pass verificationYesNo (single pass)Manual onlyNo (single pass)
Chain of custody fieldsYes (required)Yes (optional)NoYes (optional)
Bad sector handlingRetry + 0xBA fill + CSV logSkip or abortddrescue requiredSkip + log
Single executable4.4 MB, no dependenciesInstaller requiredBuilt into LinuxPackage install
PlatformWindows 10/11WindowsLinux/macOSLinux

Why Resumable Imaging Matters

A 4 TB drive takes approximately 10 hours to image over USB 3.0. If the acquisition fails at hour nine due to a loose cable, a power interruption or a system sleep event, FTK Imager requires you to restart from sector zero. That is another 10 hours. Sherlock Forensics Disk Imager detects the incomplete session by querying the drive serial number and resumes from the last verified sector boundary. For examiners imaging multiple large drives under time pressure, this capability eliminates the most frustrating failure mode in forensic acquisition.

Use Cases

Who Uses Sherlock Forensics Disk Imager

Forensic Examiners

Digital forensic professionals who need court-admissible disk images with documented chain of custody. Three-pass verification provides stronger evidence integrity than single-pass alternatives.

Law Enforcement

Police and federal investigators acquiring evidence drives during search warrants. Resumable imaging ensures large drives complete acquisition even in field conditions with unreliable power.

Incident Responders

DFIR teams imaging compromised systems during active security incidents. The single executable deploys instantly without installation and the write blocker integration prevents evidence contamination.

IT Administrators

System administrators creating forensic images of employee drives for HR investigations or compliance audits. Free licensing with no seat limits means any team member can acquire evidence properly.

Procedure

How to Create a Forensic Disk Image

Follow this step-by-step procedure when using Sherlock Forensics Disk Imager for forensic drive acquisition. Document each step in your case notes.

  1. Enable USB Write Blocker. Launch Sherlock Forensics USB Write Blocker and activate write protection before connecting the suspect drive. Confirm the protection status indicator shows active. Do not connect the evidence drive until write blocking is confirmed. This step is critical for maintaining evidence integrity and chain of custody.
  2. Launch Disk Imager. Open Sherlock Forensics Disk Imager. The application requests administrator privileges through its embedded manifest. If Sherlock Forensics USB Write Blocker is running, the imager confirms write protection is active. If write protection is not detected, the imager displays a warning with a one-click option to launch the write blocker.
  3. Select Source Drive. Choose the suspect drive from the detected device list. The imager displays the drive serial number, model, capacity, interface type and sector size. Verify you have selected the correct source drive. The imager will refuse to proceed if the destination path resides on the same physical drive as the source.
  4. Configure Output Format and Destination. Select your output format: Raw .dd (single file or segmented at 2 GB, 4 GB or 10 GB) or EWF .E01/.E02. Choose a destination path on a separate drive with sufficient free space. Enter the required chain of custody fields: case number, evidence number and examiner name. Optionally enter agency and notes. Select hash algorithms (SHA-256 is always enabled; optionally add SHA-1 and MD5).
  5. Start Imaging. Click Start to begin acquisition. The imager reads the source drive sector by sector, computes hashes and writes the image to the destination. When the first pass completes, the imager re-reads the source drive for the second verification pass then reads the image for the third pass. All three SHA-256 hashes must match. The text manifest and EWF headers are written with all metadata. If imaging is interrupted at any point, reconnect the drive and relaunch the imager to resume automatically.

Download

Get Sherlock Forensics Disk Imager

Version 0.1.0 for Windows 10/11 (64-bit). Single executable. No license required.

File
sherlock-disk-imager.exe
SHA256
7d4fe464d1778880cda66402630ee37832b08e0b808bb4d4665a891079aea7de
Version
0.1.0
Size
4.4 MB
Platform
Windows 10/11 (64-bit)
Dependencies
None. No installer, no C++ redistributable, no .NET runtime.
Price
Free. No trial period. No feature restrictions.

More Tools

Complete Your Forensic Toolkit

Sherlock Forensics USB Write Blocker

Free

One-click registry-level USB write protection for Windows. Essential companion for forensic disk imaging. Prevents evidence modification during acquisition.

Sherlock Forensics Android Acquirer

$399

Acquire forensic images from Android devices. Extract app data, messages, call logs and file systems for mobile forensic examinations.

Sherlock Forensics PST Viewer

$67

Open and search Outlook PST files without Microsoft Outlook. Extract emails, attachments and metadata for forensic analysis and eDiscovery.

Questions

Disk Imager FAQ

Is Sherlock Forensics Disk Imager free?
Yes. Sherlock Forensics Disk Imager is completely free with no trial period, no feature restrictions and no license required. Download the 4.4 MB executable and use it without limitations.
What image formats does Sherlock Forensics Disk Imager support?
Sherlock Forensics Disk Imager creates raw .dd images (single file or segmented at 2 GB, 4 GB or 10 GB boundaries) and EWF .E01/.E02 images. Both formats are widely supported by forensic analysis tools including EnCase, FTK, Autopsy and X-Ways.
What happens if imaging is interrupted by a crash or power loss?
Sherlock Forensics Disk Imager resumes automatically. When you reconnect the source drive and relaunch the imager, it detects the incomplete session by matching the drive serial number via IOCTL query. Imaging picks up from the last verified sector without restarting from the beginning.
How does three-pass verification work?
The imager performs three separate read operations. First it reads the source drive and computes a SHA-256 hash. Then it re-reads the source drive and computes a second SHA-256 hash. Finally it reads the completed image and computes a third SHA-256 hash. All three hashes must match to confirm the source was read consistently and the image is a faithful copy.
Can Sherlock Forensics Disk Imager replace FTK Imager?
For disk acquisition, yes. Sherlock Forensics Disk Imager produces the same E01 and raw dd formats as FTK Imager. It adds resumable imaging that FTK Imager lacks, plus three-pass verification for stronger evidence integrity. FTK Imager offers additional features like memory capture and file browsing that Sherlock Forensics Disk Imager does not include.
How does Sherlock Forensics Disk Imager handle bad sectors?
When the imager encounters an unreadable sector, it retries the read on a per-sector basis. If the sector remains unreadable after retries, it fills the corresponding bytes in the image with 0xBA and logs the offset and length to a CSV file. This ensures imaging completes even on damaged media while documenting exactly which sectors could not be read.

Get Started

Download Sherlock Forensics Disk Imager

Free forensic disk imager built by CISSP, ISSAP and ISSMP certified forensic professionals. Need a full forensic examination or incident response? Contact our team.

Since 2006CISSP, ISSAP, ISSMP certified604.229.1994

Sherlock Forensics Disk Imager is provided for lawful forensic use only. Ensure compliance with your jurisdiction's evidence handling requirements. Terms of Service

Download

Enter your details to download. We will send you update notifications for new versions.