Free Download

Image Disks Without FTK Bloat. Free.

FTK Imager doesn't resume. We do. E01 and raw dd output, three-pass SHA-256 verification, chain of custody fields built in. Single 4.4 MB executable. No installer. Built by CISSP, ISSAP and ISSMP certified forensic examiners.

Sherlock Forensics Disk Imager is a free Windows forensic imaging tool that creates E01 and raw dd disk images with three-pass SHA-256 verification. It resumes interrupted acquisitions automatically by matching drive serial numbers. The 4.4 MB standalone executable requires no installation and embeds chain of custody metadata into every image manifest. Free alternative to FTK Imager that resumes where FTK gives up.


Capabilities

Key Features

Output Formats

Sherlock Forensics Disk Imager supports two acquisition formats used by every major forensic analysis platform. Raw .dd images can be written as a single monolithic file or segmented at 2 GB, 4 GB or 10 GB boundaries to accommodate FAT32 and exFAT destination volumes. EWF format produces .E01/.E02 segmented images compatible with EnCase, FTK, Autopsy and X-Ways. Both formats capture a bit-for-bit copy of the source drive including slack space, unallocated clusters and hidden host-protected areas where supported by the drive controller.

Three-Pass SHA-256 Verification

Verification is not optional and it is not a single pass. Sherlock Forensics Disk Imager reads the source drive and computes a SHA-256 hash. It then re-reads the source drive from the first sector to the last and computes a second SHA-256 hash. Finally it reads the completed image file and computes a third SHA-256 hash. All three hashes must match. If the source drive returns inconsistent data between the first and second reads, the imager flags the discrepancy. If the image hash diverges from the source hashes, the acquisition fails verification. This three-pass approach detects failing drives, intermittent read errors and write corruption on the destination media. Standards from NIST CFTT require demonstrable hash verification of forensic images.

Multi-Hash Computation

SHA-256 is the default hash algorithm. SHA-1 and MD5 are also available. All selected algorithms are computed simultaneously during a single read pass so enabling multiple hashes does not increase acquisition time. Many agencies and courts still require MD5 alongside SHA-256 for backward compatibility with older case management systems. Sherlock Forensics Disk Imager records all computed hashes in the text manifest and in the EWF header fields when using E01 format.
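The three-pass check and the single-pass multi-hash computation described above can be sketched as follows. This is an added illustration, not Sherlock Forensics code: the source and destination are in-memory streams, and the buffer size, status names and the two constructed failure classes are assumptions.

```python
import hashlib
import io

CHUNK = 64 * 1024  # bytes per read; assumed, the page does not state a buffer size

def hash_stream(stream, algorithms=("sha256",), sink=None):
    """Read stream once from offset 0, updating every selected hash from the
    same buffer. If sink is given, each chunk is also written to it."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    stream.seek(0)
    while chunk := stream.read(CHUNK):
        for h in hashers.values():
            h.update(chunk)
        if sink is not None:
            sink.write(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def acquire_and_verify(source, image, algorithms=("sha256", "sha1", "md5")):
    """Pass 1 reads the source and writes the image, pass 2 re-reads the
    source, pass 3 reads the image back. All three SHA-256 values must match."""
    pass1 = hash_stream(source, algorithms, sink=image)
    pass2 = hash_stream(source)
    pass3 = hash_stream(image)
    if pass1["sha256"] != pass2["sha256"]:
        status = "SOURCE_INCONSISTENT"  # drive returned different data on re-read
    elif pass3["sha256"] != pass1["sha256"]:
        status = "IMAGE_MISMATCH"       # destination does not match the source
    else:
        status = "VERIFIED"
    return {"status": status, "manifest_hashes": pass1}

class DriftingSource(io.BytesIO):
    """Constructed failing drive: its first byte changes before the second read."""
    def __init__(self, data):
        self.rewinds = 0
        super().__init__(data)

    def seek(self, pos, whence=0):
        if pos == 0 and whence == 0:
            self.rewinds += 1
            if self.rewinds == 2:
                with self.getbuffer() as view:
                    view[0] ^= 0x01
        return super().seek(pos, whence)

class CorruptingImage(io.BytesIO):
    """Constructed bad destination: flips the first byte written to it."""
    def write(self, data):
        if self.tell() == 0 and data:
            data = bytes([data[0] ^ 0xFF]) + data[1:]
        return super().write(data)

SAMPLE = bytes(range(256)) * 1024  # 256 KiB of constructed "drive" content

def demo():
    return {
        "clean": acquire_and_verify(io.BytesIO(SAMPLE), io.BytesIO()),
        "failing_source": acquire_and_verify(DriftingSource(SAMPLE), io.BytesIO()),
        "bad_destination": acquire_and_verify(io.BytesIO(SAMPLE), CorruptingImage()),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result["status"], result["manifest_hashes"])
```

The two failure cases show why the source is read twice: a single source hash compared against the image hash cannot tell a drive that returns unstable data apart from a destination that corrupted the write.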

Resumable Imaging

FTK Imager does not resume. If your acquisition fails at 90% due to a power outage, a USB cable disconnect or a system crash, you start over. Sherlock Forensics Disk Imager resumes. When the imager launches, it checks for incomplete imaging sessions. It identifies the source drive by querying the drive serial number through Windows IOCTL calls. If a matching incomplete session exists, the imager picks up from the last verified sector boundary. No data is re-acquired unnecessarily. For large drives that take 8 to 12 hours to image, resumable acquisition is not a convenience feature. It is a necessity.

Chain of Custody Metadata

Every acquisition requires the examiner to enter case number, evidence number and examiner name before imaging begins. Agency and notes fields are optional but recommended. This metadata is written into both the plain-text manifest file and the EWF header fields when producing E01 images. The manifest includes drive serial number, drive model, drive capacity, sector size, acquisition start time, acquisition end time and all computed hash values. This provides a complete chain of custody record that accompanies the image file. Defense counsel and opposing experts can verify every detail without accessing the original evidence. Guidelines from SWGDE require documented chain of custody for all digital evidence acquisitions. Learn more about our chain of custody software and procedures.

Safety Controls

Sherlock Forensics Disk Imager refuses to write an image to the same physical drive it is reading from. The imager queries the physical drive number through IOCTL_STORAGE_GET_DEVICE_NUMBER for both source and destination and blocks the operation if they match. This prevents the most catastrophic operator error in forensic imaging: overwriting evidence with its own image. The application runs elevated through an embedded manifest that requests administrator privileges at launch. No separate UAC prompt is required after initial consent.

Bad Sector Handling

Damaged media is common in forensic casework. When the imager encounters an unreadable sector, it retries the read on a per-sector basis. If the sector remains unreadable after retries, the imager fills the corresponding bytes in the image with 0xBA (a non-standard fill byte that is easily identifiable in hex analysis). The offset and length of every bad sector are logged to a CSV file alongside the image. Examiners can review the CSV to determine whether unreadable regions overlap with areas of evidentiary interest. Imaging continues to completion regardless of bad sector count.
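The retry, 0xBA fill and CSV review steps above, as an added example rather than the imager's own code. The retry count, the sector size, the CSV column names and the region names are assumptions, and the damaged drive is a constructed in-memory stand-in.

```python
import csv
import io

SECTOR = 512   # bytes per sector in this demo (assumed)
FILL = 0xBA    # fill byte the page describes
RETRIES = 3    # assumed; the page does not give a retry count

class DamagedDisk:
    """Constructed stand-in for a raw device. Sectors in bad_sectors never
    read; sectors in flaky_sectors fail once and then read cleanly."""
    def __init__(self, data, bad_sectors=(), flaky_sectors=()):
        self.data = data
        self.bad = set(bad_sectors)
        self.flaky = set(flaky_sectors)
        self.sector_count = len(data) // SECTOR

    def read_sector(self, lba):
        if lba in self.bad:
            raise OSError(f"unreadable sector {lba}")
        if lba in self.flaky:
            self.flaky.discard(lba)
            raise OSError(f"transient read error at sector {lba}")
        return self.data[lba * SECTOR:(lba + 1) * SECTOR]

def image_disk(disk, image, log):
    """Copy every sector to image. A sector that still fails after RETRIES
    attempts is written as FILL bytes and recorded in the CSV log."""
    writer = csv.writer(log, lineterminator="\n")
    writer.writerow(["offset", "length"])  # hypothetical column names
    for lba in range(disk.sector_count):
        for _ in range(RETRIES):
            try:
                block = disk.read_sector(lba)
                break
            except OSError:
                continue
        else:  # no attempt succeeded
            block = bytes([FILL]) * SECTOR
            writer.writerow([lba * SECTOR, SECTOR])
        image.write(block)

def regions_hit(log_text, regions):
    """Names of byte ranges (start, end-exclusive) that intersect any logged
    unreadable range, i.e. where the image holds FILL instead of evidence."""
    hits = set()
    for row in csv.DictReader(io.StringIO(log_text)):
        start = int(row["offset"])
        end = start + int(row["length"])
        for name, (r_start, r_end) in regions.items():
            if start < r_end and r_start < end:
                hits.add(name)
    return sorted(hits)

def demo():
    data = bytes(i % 251 for i in range(16 * SECTOR))  # constructed content
    disk = DamagedDisk(data, bad_sectors={5, 6}, flaky_sectors={9})
    image, log = io.BytesIO(), io.StringIO()
    image_disk(disk, image, log)
    # Hypothetical areas of interest, as byte ranges on the source drive.
    regions = {"region_a": (2048, 4096), "region_b": (4608, 5120)}
    return image.getvalue(), log.getvalue(), regions_hit(log.getvalue(), regions)
```

Sector 9 fails once and is recovered on retry, so it never reaches the log; only sectors 5 and 6 are filled, and only `region_a` is reported as overlapping unreadable data.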

USB Write Blocker Integration

Sherlock Forensics Disk Imager auto-detects whether Sherlock Forensics USB Write Blocker is active on the system. If write protection is not enabled, the imager displays a warning and offers one-click launch of the write blocker. This integration ensures examiners do not accidentally image a drive without write protection in place. The two tools are designed to work together as a forensic acquisition workflow.

Single Executable

Sherlock Forensics Disk Imager is a single 4.4 MB executable. No installer. No C++ redistributable. No .NET runtime. No Java. Copy it to a USB drive or network share and run it. This makes deployment trivial in enterprise environments and eliminates dependency conflicts on forensic workstations that may run multiple tool versions. The executable is digitally signed and the SHA-256 hash is published for download integrity verification.

Acquisition Modes

Live Acquisition vs Dead Disk Imaging: When to Use Each

Live acquisition and dead disk imaging are two distinct forensic acquisition workflows. Dead disk imaging is the gold-standard discipline: the target machine is powered off, the source drive is removed and connected to the examiner workstation through a hardware writeblocker, then imaged. Dead disk imaging produces the most defensible evidence imaging output because the source is unchanging during the image read and the writeblocker enforces read-only access at the hardware layer. Sherlock Forensics Disk Imager is built for the dead disk imaging workflow as its primary use case.

Live acquisition is the incident-response workflow for cases where powering the target off would destroy volatile state, where the drive is encrypted with a key that is only mounted while the system is running, or where on-scene operational constraints make dead disk imaging impractical. Live acquisition trades some forensic purity for the ability to capture state that would otherwise be lost. Sherlock Disk Imager supports live acquisition where the source drive is accessible as a Windows volume; the source disk is read as-is while the system runs. For live acquisition work the examiner pairs the imager with a software writeblocker to minimize the live-system write footprint. See our USB Blocker Pro for the writeblocker side of the live acquisition workflow.

Physical acquisition is the broader category that covers both live acquisition and dead disk imaging: imaging the underlying physical storage rather than the logical filesystem view. Physical acquisition captures unallocated space, deleted file artifacts, slack space and recoverable b-tree pages that logical acquisition cannot reach. Sherlock Disk Imager performs physical acquisition on removable and connected drives via Windows raw device access. For comparison, see Sherlock Android Acquirer, which performs logical acquisition only on Android devices. The distinction matters because a physical image is what defense experts expect for unallocated-space and deleted-artifact recovery.

Compare

Forensic Disk Imager Comparison

| Feature | Sherlock Forensics Disk Imager | FTK Imager | dd (Linux) | Guymager |
| --- | --- | --- | --- | --- |
| Price | Free | Free | Free (built-in) | Free (open source) |
| E01 support | Yes | Yes | No | Yes |
| Raw dd support | Yes (single + segmented) | Yes | Yes | Yes |
| Resumable imaging | Yes (auto by serial) | No | No | No |
| Three-pass verification | Yes | No (single pass) | Manual only | No (single pass) |
| Chain of custody fields | Yes (required) | Yes (optional) | No | Yes (optional) |
| Bad sector handling | Retry + 0xBA fill + CSV log | Skip or abort | ddrescue required | Skip + log |
| Single executable | 4.4 MB, no dependencies | Installer required | Built into Linux | Package install |
| Platform | Windows 10/11 | Windows | Linux/macOS | Linux |

Why Resumable Imaging Matters

A 4 TB drive takes approximately 10 hours to image over USB 3.0. If the acquisition fails at hour nine due to a loose cable, a power interruption or a system sleep event, FTK Imager requires you to restart from sector zero. That is another 10 hours. Sherlock Forensics Disk Imager detects the incomplete session by querying the drive serial number and resumes from the last verified sector boundary. For examiners imaging multiple large drives under time pressure, this capability eliminates the most frustrating failure mode in forensic acquisition.

Cost

Cost Comparison

| Solution | Price | Resumes? | Notes |
| --- | --- | --- | --- |
| FTK Imager (Exterro) | Free | No | Installer, dependencies, no resume after failure |
| EnCase Forensic Imager (OpenText) | Free (legacy, EOL'd) | No | No longer maintained, legacy Windows only |
| Guymager (open source) | Free | No | Linux only, package install required |
| ddrescue (GNU) | Free | Yes | CLI only, no GUI, no chain of custody fields |
| Sherlock Forensics Disk Imager | Free | Yes (auto by serial) | Single 4.4 MB exe, three-pass SHA-256, chain of custody built in |

Beyond the FTK Imager comparison, Sherlock also serves as an X-Ways Forensics alternative for the disk acquisition step. X-Ways Forensics is a paid commercial all-in-one forensic suite at $1,495 per user; for the disk imaging slice alone, Sherlock costs $0 and produces the same E01 and DD image output formats. FTK Imager itself was historically published by AccessData; AccessData was acquired by Exterro and FTK Imager is now an Exterro property, but the AccessData heritage is what most veteran examiners associate with the FTK Imager product line. Sherlock's output (raw DD images and E01 images) interoperates with every forensic analysis tool, whether Autopsy, EnCase, X-Ways Forensics or FTK; the raw disk image format is universally readable and the E01 image format is the gold-standard EWF container. For the writeblocker side of the evidence imaging workflow see Sherlock USB Blocker Pro; for the broader mid-market vs enterprise positioning context see our Cellebrite vs Magnet AXIOM 2026 comparison; for the cross-product utility-tool catalogue see our Sherlock tool index and our Port Scanner.

Use Cases

Who Uses Sherlock Forensics Disk Imager

Forensic Examiners

Digital forensic professionals who need court-admissible disk images with documented chain of custody. Three-pass verification provides stronger evidence integrity than single-pass alternatives.

Law Enforcement

Police and federal investigators acquiring evidence drives during search warrants. Resumable imaging ensures large drives complete acquisition even in field conditions with unreliable power.

Incident Responders

DFIR teams imaging compromised systems during active security incidents. The single executable deploys instantly without installation and the write blocker integration prevents evidence contamination.

IT Administrators

System administrators creating forensic images of employee drives for HR investigations or compliance audits. Free licensing with no seat limits means any team member can acquire evidence properly.

Corporate IR / Breach Response

Ransomware response, insider threat investigations and breach forensics start with imaging the affected disks before any remediation touches them. Resumable acquisition handles the 4 TB and 8 TB server drives where FTK Imager forces a full restart. Free across the whole IR team so every responder can acquire defensibly without burning a license seat.

Procedure

How to Create a Forensic Disk Image

Follow this step-by-step procedure when using Sherlock Forensics Disk Imager for forensic drive acquisition. Document each step in your case notes.

  1. Enable USB Write Blocker. Launch Sherlock Forensics USB Write Blocker and activate write protection before connecting the suspect drive. Confirm the protection status indicator shows active. Do not connect the evidence drive until write blocking is confirmed. This step is critical for maintaining evidence integrity and chain of custody.
  2. Launch Disk Imager. Open Sherlock Forensics Disk Imager. The application requests administrator privileges through its embedded manifest. If Sherlock Forensics USB Write Blocker is running, the imager confirms write protection is active. If write protection is not detected, the imager displays a warning with a one-click option to launch the write blocker.
  3. Select Source Drive. Choose the suspect drive from the detected device list. The imager displays the drive serial number, model, capacity, interface type and sector size. Verify you have selected the correct source drive. The imager will refuse to proceed if the destination path resides on the same physical drive as the source.
  4. Configure Output Format and Destination. Select your output format: Raw .dd (single file or segmented at 2 GB, 4 GB or 10 GB) or EWF .E01/.E02. Choose a destination path on a separate drive with sufficient free space. Enter the required chain of custody fields: case number, evidence number and examiner name. Optionally enter agency and notes. Select hash algorithms (SHA-256 is always enabled; optionally add SHA-1 and MD5).
  5. Start Imaging. Click Start to begin acquisition. The imager reads the source drive sector by sector, computes hashes and writes the image to the destination. When the first pass completes, the imager re-reads the source drive for the second verification pass then reads the image for the third pass. All three SHA-256 hashes must match. The text manifest and EWF headers are written with all metadata. If imaging is interrupted at any point, reconnect the drive and relaunch the imager to resume automatically.

Download

Get Sherlock Forensics Disk Imager

Version 0.1.0 for Windows 10/11 (64-bit). Single executable. No license required.

File: sherlock-disk-imager.exe
SHA256: 3ef75db02b91a56d666e1291e72893194039aa63e6e89c79703d1f60ac70d498
Version: 0.1.0
Size: 4.4 MB
Platform: Windows 10/11 (64-bit)
Dependencies: None. No installer, no C++ redistributable, no .NET runtime.
Price: Free. No trial period. No feature restrictions.

How to verify:
1. Open PowerShell (right-click Start menu, click Terminal)
2. Run: Get-FileHash .\sherlock-disk-imager.exe
3. Compare the output with the hash above. If they match, the file has not been tampered with.

Questions

Disk Imager FAQ

Is Sherlock Forensics Disk Imager free?
Yes. Sherlock Forensics Disk Imager is completely free with no trial period, no feature restrictions and no license required. Download the 4.4 MB executable and use it without limitations.
What image formats does Sherlock Forensics Disk Imager support?
Sherlock Forensics Disk Imager creates raw .dd images (single file or segmented at 2 GB, 4 GB or 10 GB boundaries) and EWF .E01/.E02 images. Both formats are widely supported by forensic analysis tools including EnCase, FTK, Autopsy and X-Ways.
What happens if imaging is interrupted by a crash or power loss?
Sherlock Forensics Disk Imager resumes automatically. When you reconnect the source drive and relaunch the imager, it detects the incomplete session by matching the drive serial number via IOCTL query. Imaging picks up from the last verified sector without restarting from the beginning.
How does three-pass verification work?
The imager performs three separate read operations. First it reads the source drive and computes a SHA-256 hash. Then it re-reads the source drive and computes a second SHA-256 hash. Finally it reads the completed image and computes a third SHA-256 hash. All three hashes must match to confirm the source was read consistently and the image is a faithful copy.
Can Sherlock Forensics Disk Imager replace FTK Imager?
For disk acquisition, yes. Sherlock Forensics Disk Imager produces the same E01 and raw dd formats as FTK Imager. It adds resumable imaging that FTK Imager lacks, plus three-pass verification for stronger evidence integrity. FTK Imager offers additional features like memory capture and file browsing that Sherlock Forensics Disk Imager does not include.
How does Sherlock Forensics Disk Imager handle bad sectors?
When the imager encounters an unreadable sector, it retries the read on a per-sector basis. If the sector remains unreadable after retries, it fills the corresponding bytes in the image with 0xBA and logs the offset and length to a CSV file. This ensures imaging completes even on damaged media while documenting exactly which sectors could not be read.
Are images from Sherlock Forensics Disk Imager admissible in court?
Yes when paired with proper procedure. The imager produces standard E01 and raw dd formats accepted by EnCase, FTK, Autopsy and X-Ways. Three-pass SHA-256 verification proves the image is a faithful copy of the source. Required chain of custody fields (case number, evidence number, examiner name) are embedded in the text manifest and EWF header. The tool is built by CISSP, ISSAP and ISSMP certified examiners with 20 years of Canadian courtroom experience. Admissibility ultimately depends on jurisdiction and proper handling but the imager produces every artifact courts typically require.
Does Sherlock Forensics Disk Imager run on Linux or macOS?
No. Sherlock Forensics Disk Imager is a Windows 10/11 64-bit application. For Linux, use Guymager, dcfldd or ddrescue. For macOS, the built-in dd command or commercial tools like MacQuisition. Sherlock Forensics Disk Imager focuses on the Windows acquisition workflow where FTK Imager's lack of resume capability hurts most.
Does the imager send any data to Sherlock Forensics or third parties?
No. Sherlock Forensics Disk Imager processes all data locally on your workstation. No telemetry, no cloud upload, no phone-home. The single 4.4 MB executable runs offline. Evidence drives, image files, hashes and chain of custody metadata stay on the examiner workstation.
What is the difference between live acquisition and dead disk imaging?
Dead disk imaging is the gold standard: target powered off, source drive removed and imaged through a hardware writeblocker to the examiner workstation. Dead disk imaging produces the most defensible evidence imaging output because the source is unchanging and the writeblocker enforces read-only access. Live acquisition is the incident-response workflow when powering off would destroy volatile state, when the drive is encrypted with a key only mounted while running, or when on-scene operational constraints make dead disk imaging impractical. Live acquisition trades some forensic purity for the ability to capture state that would otherwise be lost. Sherlock supports both; pair live acquisition with a software writeblocker to minimize the live-system write footprint.
Is Sherlock Disk Imager an X-Ways Forensics alternative?
For the disk acquisition step, yes. X-Ways Forensics is a paid commercial all-in-one forensic suite at $1,495 per user covering acquisition + analysis + reporting. For the disk acquisition slice alone Sherlock is the X-Ways Forensics alternative at $0 with the same raw disk image, E01 image and DD image output formats. X-Ways Forensics is the right tool for end-to-end forensic case work in one product. Sherlock as an X-Ways Forensics alternative is the right tool for the imaging step when the examiner uses different downstream tools or works in a budget-constrained shop. The output is fully interoperable.
Can Sherlock Disk Imager be used with USB write blockers?
Yes. The recommended workflow for dead disk imaging is: hardware writeblocker between source drive and examiner workstation, then Sherlock Disk Imager for the imaging pass. For situations where a hardware writeblocker is not available (field triage, incident response on the go), use Sherlock USB Blocker Pro as the software writeblocker layer plus Sherlock Disk Imager for the imaging pass. The two tools are designed to pair: writeblocker enforces read-only access, disk imager produces the evidence imaging output with three-pass SHA-256 verification and chain of custody fields.
What's the difference between raw disk image and E01 forensic image?
Raw disk image (.dd format) is a bit-for-bit copy of the source storage with no metadata wrapper; just the raw sectors. The DD image format is universally readable by every forensic tool. E01 image (Expert Witness Format, .E01/.E02) wraps the raw disk image in an EWF container with embedded SHA-256 hash, case metadata, examiner name and segmented-file structure. Both formats are accepted in court when proper acquisition procedure is documented. Choose raw disk image when downstream tools require it or when you want the simplest format; choose E01 image when you want the embedded metadata + segmented files for easier handling of large drives.

Get Started

Download Sherlock Forensics Disk Imager

Free forensic disk imager built by CISSP, ISSAP and ISSMP certified forensic professionals. Need a full forensic examination or incident response? Contact our team.

Since 2006 | CISSP, ISSAP, ISSMP certified | 604.229.1994

Sherlock Forensics Disk Imager is provided for lawful forensic use only. Ensure compliance with your jurisdiction's evidence handling requirements. Terms of Service
