Built in Rust

Sherlock Forensic PDF Viewer + Editor

A PDF investigation platform that won't execute what it finds.

Redaction Lie Detector. Tampering Signatures. Forensic Narrative Engine. 22 inspection panels. Batch folder scanning. PDF-to-PDF diff. Zero JavaScript execution. Ever. Pure Rust parser first. Visual rendering only when you click Render.

Free to view, inspect and investigate. Pro at $29/year unlocks annotation, page management and stamps.

Sherlock Forensic PDF Viewer + Editor is a PDF investigation platform with a Redaction Lie Detector that recovers text from under failed redactions, Tampering Signatures that run 14 forensic tells to detect document alteration, a Forensic Narrative Engine that auto-generates plain-English case-note summaries, 22 forensic inspection panels, batch folder scanning and PDF-to-PDF structural diff. Pure Rust parser opens files without executing JavaScript, URLs or launch actions. Zero telemetry. Single .exe. Free with Pro at $29/year.

No install required · No signup · Sandboxed viewer · Since 2006

New in v1.2.0

Redaction Lie Detector

The court-document-leak feature nobody else owns. Finds text that is recoverable from underneath "redaction" rectangles or dark highlight annotations.

  • Detects when someone drew a black rectangle over text instead of properly redacting it
  • Recovers the hidden text and shows it in a framed monospace block
  • Displays cover rectangle coordinates so you can locate the failed redaction on the page
  • Critical for court documents, leaked contracts and any case where someone tried to hide information
  • No other PDF tool surfaces this automatically on open
Someone drew a black box over the text and called it redacted. Sherlock reads what is underneath.

Redaction Lie Detector recovering text from underneath redaction rectangles

New in v1.2.0

Tampering Signatures

Runs 14 forensic tells in parallel to detect document tampering. Each finding includes a severity chip, headline, plain-English explanation and raw evidence.

Date Manipulation

ModDate not advanced after save. CreateDate mismatch between XMP and /Info dictionary.

Producer Mismatch

Producer field claims one tool but XMP edit history records a different application chain.

Signature Anomalies

Digital signature timestamp predating document creation. Annotation dates set before the file existed.

Structural Tells

Hidden OCG layers, unused embedded fonts, JBIG2 presence, duplicate xref offsets and more.

Tampering Signatures detecting document alteration with severity-rated forensic tells

New in v1.2.0

Forensic Narrative Engine

Auto-generated plain-English paragraph summarizing the forensic state of any PDF. Copy-to-clipboard. Paste into case notes. No other tool does this.

"This document was created on 2024-03-15 by Microsoft Word 16.0, modified 4 times across 12 days. The XMP edit history records Adobe Acrobat Pro DC as last editor though Producer claims LibreOffice 7.5. It is signed by CN=John Smith using SHA-256 with RSA..."
  • Templates produce a complete forensic summary from document metadata
  • Covers creation date, producer, modification count, edit-tool history, signature details and discrepancies
  • Copy-to-clipboard button for instant paste into reports and case notes
  • Investigators save hours of manual metadata correlation

Security First

The Safest PDF Viewer You Can Run

Most PDF readers parse and render in one step. That single step is where every PDF exploit lives. Sherlock is a safe PDF viewer that splits the pipeline in two, giving you a secure way to open suspicious PDFs without the attack surface.

Step 1: Safe Parse (automatic)
The file is parsed by lopdf, a pure Rust PDF library. No JavaScript engine. No URL handler. No action executor. Text, structure and metadata are extracted. Nothing runs.
Step 2: Visual Render (explicit click only)
When you decide the file is safe, click Render. Pdfium (Chrome's PDF engine) handles visual layout in an isolated context. This step never happens automatically.
Zero Outbound Traffic
The application makes no network connections. No telemetry, no update checks, no license validation, no DNS queries. Your PDFs stay on your machine. Verify with Wireshark if you do not believe us.
Open any PDF, however malicious. Read its scripts in the JavaScript Inspector panel. Inspect every URL it would have called. The script body is just text in our UI. Nothing fires.

What Sherlock Does NOT Do (Ever)

  • Execute JavaScript - no JS interpreter is wired up. Pdfium's JS event API is never called from our code
  • Navigate URLs - URLs are extracted and listed in the Threat panel. Clicking them in the UI scrolls to where they live in the document. Never opens a browser
  • Run /Launch actions - detected, labeled Critical with the target shown. The shell command never gets handed to the OS
  • Process /OpenAction - parsed for the Threat/JavaScript Inspector but never fired
  • Run annotation actions on click - action dicts are inspected, not invoked
  • Make network calls of any kind - no URL reputation lookup, no telemetry, no update checks. None of it

What Adobe Reader Does Differently

  • Adobe ships a full JavaScript engine wired into its document model. When it parses /OpenAction or any /JS action, the engine immediately executes the script
  • Adobe processes /URI actions on click (with a prompt). Fake login URLs get opened in the user's browser
  • Adobe processes /Launch actions (with a prompt) which can spawn shell scripts and executables

Two-Layer Defense

Layer 1: lopdf (pure Rust parser)
Reads bytes and gives you a structured object tree. No JS engine. No action dispatcher. No process spawn primitives. Rust's borrow checker prevents memory corruption by design.
Layer 2: pdfium (isolated renderer)
When engaged, only asked for page.render_with_config() which rasterizes the page to a bitmap. Never calls FORM_DoDocOpen, FORM_OnAfterLoadPage or any handler that would trigger /OpenAction or /AA events.
Plus: the render gate
When threats are detected on document open, pdfium is not even engaged for rendering until you click Render Pages. Until then it is lopdf-only: structure inspection without ever rasterizing pixels through Google's C++ engine.

Threat Inspector catching a phishing PDF with Microsoft impersonation on a .tk domain

Threat Inspector

See What the PDF Wants to Do

Before you render a single pixel, the Threat Inspector extracts and classifies every suspicious element in the file.

URL Extraction

Every URL in the document is extracted and displayed. External links, form submission targets and URI actions are all surfaced.

JavaScript Detection

Embedded JavaScript is extracted and shown as source code. JS exploit primitives (heap sprays, shellcode patterns) are flagged.

Launch Actions

PDF /Launch, /GoTo, /GoToR, /SubmitForm and /ImportData actions are enumerated. You see every action the PDF would execute on open.

Embedded Files

Attached executables, scripts and secondary PDFs are listed with file type, size and hash. Nothing auto-extracts.

JavaScript Inspector extracting and beautifying exploit code from a malicious PDF

Embedded payload detection with file type and hash identification
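
The parse-without-executing idea behind the Threat Inspector, as an added example (not Sherlock's code and not lopdf): it scans raw bytes for the action names listed above and decodes `#xx` name escapes, which otherwise hide a name such as /JavaScript from a plain string search. The sample bytes are constructed.

```rust
// Added example, not Sherlock's code: list action-related PDF names from raw bytes.
// Nothing is parsed into objects or executed; the file is treated as inert data.
// Limitation: names inside compressed object streams are not visible to a raw
// scan, and names inside string or stream data can produce false positives.

/// Names the page lists as action or payload carriers, plus /JavaScript.
const RISKY: [&str; 10] = [
    "JS", "JavaScript", "OpenAction", "AA", "Launch", "URI",
    "SubmitForm", "ImportData", "GoToR", "EmbeddedFiles",
];

#[derive(Debug, PartialEq)]
struct Hit {
    name: String,     // decoded name, without the leading slash
    offset: usize,    // byte offset of the slash in the file
    obfuscated: bool, // true when the raw token used #xx escapes
}

fn hex_val(b: u8) -> Option<u8> {
    (b as char).to_digit(16).map(|d| d as u8)
}

/// Resolve #xx hex escapes in a name token (J#61vaScript -> JavaScript).
/// A '#' that is not followed by two hex digits is kept literally.
fn decode_name(raw: &[u8]) -> String {
    let mut out = Vec::with_capacity(raw.len());
    let mut i = 0;
    while i < raw.len() {
        if raw[i] == b'#' && i + 2 < raw.len() {
            if let (Some(h), Some(l)) = (hex_val(raw[i + 1]), hex_val(raw[i + 2])) {
                out.push(h * 16 + l);
                i += 3;
                continue;
            }
        }
        out.push(raw[i]);
        i += 1;
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// PDF whitespace and delimiter bytes end a name token.
fn is_name_end(b: u8) -> bool {
    matches!(
        b,
        0 | 9 | 10 | 12 | 13 | 32 | b'(' | b')' | b'<' | b'>' | b'[' | b']' | b'{' | b'}' | b'/' | b'%'
    )
}

fn scan_names(data: &[u8]) -> Vec<Hit> {
    let mut hits = Vec::new();
    let mut i = 0;
    while i < data.len() {
        if data[i] != b'/' {
            i += 1;
            continue;
        }
        let start = i + 1;
        let mut end = start;
        while end < data.len() && !is_name_end(data[end]) {
            end += 1;
        }
        let raw = &data[start..end];
        let name = decode_name(raw);
        if RISKY.contains(&name.as_str()) {
            hits.push(Hit { name, offset: i, obfuscated: raw.contains(&b'#') });
        }
        i = end.max(start);
    }
    hits
}

// Constructed sample: a catalog with /OpenAction, a hex-escaped /JavaScript action
// and a /URI action. The script body is inert text here.
const SAMPLE: &[u8] = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n\
2 0 obj\n<< /S /J#61vaScript /JS (void 0;) >>\nendobj\n\
3 0 obj\n<< /S /URI /URI (http://example.test/login) >>\nendobj\n";

fn main() {
    for h in scan_names(SAMPLE) {
        let note = if h.obfuscated { "  <- hex-escaped name" } else { "" };
        println!("{:>6}  /{}{}", h.offset, h.name, note);
    }
}
```

A hit with `obfuscated` set deserves attention on its own, since ordinary PDF producers have no reason to hex-escape plain ASCII letters in a name.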

Forensic Inspector

22 Inspection Panels. Every Angle of a PDF.

The Forensic Inspector opens 22 analysis panels on every PDF. Each panel has a hover tooltip explaining what the data means and why it matters. Every panel is free.

Document Identity

PDF version, encryption history, byte size and trailer /ID array with halves-match interpretation

File Hashes + Blocklist

SHA-256 + MD5 + automatic match against local IR-curated blocklist file

Permissions

/Encrypt /P analysis (print, copy, modify, annotate, fill-forms) captured before decryption

PDF/A and PDF/X Validation

Baseline conformance check for archival and print production standards

/Info Dictionary

Title, Author, Subject, Producer, Creator, dates and Trapped flag

XMP Metadata

Full XMP stream with edit-tool history showing which software touched the file

Incremental Save Timeline

Every %%EOF with byte offset showing the edit history of the document

Fonts Inspector

Every font resource: PostScript name, subtype, embedded yes/no, system available yes/no

Embedded Files

All /EmbeddedFiles with name, size, MIME type and hash

JavaScript (with Beautifier)

All /JS entries beautified for readability and syntax-highlighted

Actions Chain

/OpenAction, /AA, page /AA, annotation /A with /Next traversal

URLs Extracted

Every /URI with phishing analysis (6-layer detection)

Hidden Text

Text render mode 3 (invisible) detection for text present but not rendered

Layers (OCGs)

Optional Content Groups tree showing hidden layer-based content

Structure Tree

PDF/UA accessibility tree inspection

Cross-Reference Table

xref/startxref analysis for structural integrity

Leaked Paths

Filesystem paths in Producer/Creator/metadata revealing the authoring environment

Steganography Report

LSB and suspicious-stream heuristics for hidden data detection

Binary Scan Report

Entropy + 25 magic-byte signatures + post-%%EOF payload detection

Image Streams + EXIF

Every /XObject /Image with EXIF: Make, Model, Software, DateTime, GPS coordinates

Text Runs Report

Per-text-run position, font, size, color and render mode data

Click Trace Report

Every action chain: URI, NavigateLocal and form-submit anchors traced

Incremental save timeline showing the complete edit history of a document

Hidden layers (OCGs) detection revealing concealed content

Leaked filesystem paths revealing the authoring environment
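
The Incremental Save Timeline and the post-%%EOF check from the Binary Scan Report can be approximated from raw bytes. This added example (not Sherlock's implementation) lists each %%EOF with its offset, checks that the revision's startxref points at an `xref` keyword, and counts bytes appended after the last marker; the sample file is constructed.

```rust
// Added example, not Sherlock's code: rebuild an incremental-save timeline from raw bytes.
// Simplifications: a %%EOF inside uncompressed stream data would be counted as a
// revision, and cross-reference streams (no `xref` keyword) report xref_ok = false.

/// One saved revision, delimited by its %%EOF marker.
#[derive(Debug, PartialEq)]
struct Revision {
    index: usize,             // 1 = original save
    eof_offset: usize,        // byte offset of the '%' that starts %%EOF
    end: usize,               // first byte after the marker and its line ending
    size: usize,              // bytes this revision appended to the file
    startxref: Option<usize>, // value after the revision's last `startxref`
    xref_ok: bool,            // startxref points at an `xref` keyword before the marker
}

fn find_all(hay: &[u8], needle: &[u8]) -> Vec<usize> {
    if needle.is_empty() || hay.len() < needle.len() {
        return Vec::new();
    }
    (0..=hay.len() - needle.len())
        .filter(|&i| &hay[i..i + needle.len()] == needle)
        .collect()
}

/// Parse the decimal offset that follows the last `startxref` in a revision.
fn startxref_value(segment: &[u8]) -> Option<usize> {
    let pos = find_all(segment, b"startxref").pop()?;
    let digits: String = segment[pos + 9..]
        .iter()
        .skip_while(|b| b.is_ascii_whitespace())
        .take_while(|b| b.is_ascii_digit())
        .map(|&b| b as char)
        .collect();
    digits.parse().ok()
}

/// Returns the revisions in file order and the number of bytes after the last %%EOF.
/// With no %%EOF at all, the second value is simply the file length.
fn timeline(data: &[u8]) -> (Vec<Revision>, usize) {
    let mut revs = Vec::new();
    let mut prev_end = 0;
    for (n, off) in find_all(data, b"%%EOF").into_iter().enumerate() {
        let mut end = off + 5;
        // Consume one line ending (CR, LF or CRLF) after the marker.
        if end < data.len() && data[end] == b'\r' {
            end += 1;
        }
        if end < data.len() && data[end] == b'\n' {
            end += 1;
        }
        let startxref = startxref_value(&data[prev_end..off]);
        let xref_ok = startxref.map_or(false, |v| v < off && data[v..].starts_with(b"xref"));
        revs.push(Revision { index: n + 1, eof_offset: off, end, size: end - prev_end, startxref, xref_ok });
        prev_end = end;
    }
    (revs, data.len() - prev_end)
}

// Constructed sample: an original save, one incremental update that adds an
// object, and 11 stray bytes after the final %%EOF.
const SAMPLE: &[u8] = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n\
xref\n0 2\ntrailer\n<< /Size 2 >>\nstartxref\n45\n%%EOF\n\
2 0 obj\n<< /Producer (edit) >>\nendobj\n\
xref\n2 1\ntrailer\n<< /Size 3 /Prev 45 >>\nstartxref\n133\n%%EOF\n\
MZ\x90\x00payload";

fn main() {
    let (revs, trailing) = timeline(SAMPLE);
    for r in &revs {
        println!(
            "rev {}  %%EOF at {:>4}  +{} bytes  startxref={:?}  xref_ok={}",
            r.index, r.eof_offset, r.size, r.startxref, r.xref_ok
        );
    }
    if trailing > 0 {
        println!("{} bytes follow the last %%EOF", trailing);
    }
}
```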

Batch Scanning

Scan an Entire Folder of PDFs

Open a folder. Scan every PDF. Get a summary table of findings sorted by severity.

  • Point at a folder of seized PDFs and get an instant threat overview
  • Summary table shows threat count, severity and file details for every PDF in the folder
  • Sort by severity to prioritize the most dangerous files first
  • Click any row to open the individual file with the full Forensic Inspector
  • For IR triage: scan a folder of attachments from a compromised mailbox in seconds

PDF-to-PDF Diff

Compare Two PDFs Side by Side

Load two PDFs and see exactly what changed. Structural differences are surfaced at the object level.

  • Shows added, removed and modified objects between two PDF versions
  • For working "modified version" cases: prove a document was altered
  • Compares metadata, structure and content stream differences
  • Useful for contract disputes, evidence tampering analysis and version control

PDF-to-PDF diff showing structural changes between two document versions

Object Explorer with raw stream view and dictionary pretty-printing

Phishing Detection

Six Layers of URL Analysis

The Threat Inspector does not just list URLs. It classifies them.

Detection Layer | What It Catches
Fake Login Pages | URLs containing /login, /signin, /verify, /account, /secure combined with non-matching domains
Homograph Domains | IDN homograph attacks using Cyrillic, Greek or other Unicode lookalikes (e.g. paypa1.com vs paypal.com)
URL Shorteners | bit.ly, t.co, tinyurl.com, goo.gl, is.gd, rebrand.ly and other redirect services that hide the real destination
IP-Only URLs | Links pointing to raw IP addresses instead of domain names, a common indicator of throwaway infrastructure
Low-Reputation TLDs | Domains on .tk, .ml, .ga, .cf, .gq, .xyz, .top, .buzz and other TLDs heavily abused in phishing campaigns
JS Exploit Primitives | JavaScript patterns associated with heap sprays, shellcode delivery, buffer manipulation and obfuscated eval chains
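
The five URL layers of the table, as an added Rust example rather than Sherlock's own classifier. The list contents come from the table; the `expected_domain` parameter (the domain the document claims to come from) and the punycode check are assumptions of this example, and the sample URLs are constructed.

```rust
// Added example, not Sherlock's code: flag a URL against the five URL layers above.
use std::net::IpAddr;

#[derive(Debug, PartialEq, Clone, Copy)]
enum Flag { FakeLogin, Homograph, Shortener, IpOnly, LowRepTld }

// List contents taken from the table on this page.
const SHORTENERS: [&str; 6] = ["bit.ly", "t.co", "tinyurl.com", "goo.gl", "is.gd", "rebrand.ly"];
const LOW_REP_TLDS: [&str; 8] = ["tk", "ml", "ga", "cf", "gq", "xyz", "top", "buzz"];
const LOGIN_PATHS: [&str; 5] = ["/login", "/signin", "/verify", "/account", "/secure"];

/// Split a URL into (lowercased host, lowercased path), dropping userinfo and port.
/// Dropping userinfo matters: in https://example.com@198.51.100.7/ the host is the IP.
fn split_url(url: &str) -> Option<(String, String)> {
    let rest = url.split_once("://").map(|(_, r)| r)?;
    let cut = rest.find(|c: char| c == '/' || c == '?' || c == '#').unwrap_or(rest.len());
    let (authority, path) = rest.split_at(cut);
    let host_port = authority.rsplit_once('@').map_or(authority, |(_, h)| h);
    let host = match host_port.strip_prefix('[') {
        Some(v6) => v6.split(']').next()?.to_string(), // bracketed IPv6 literal
        None => host_port.split(':').next()?.to_string(),
    };
    if host.is_empty() {
        return None;
    }
    Some((host.to_lowercase(), path.to_lowercase()))
}

/// `expected_domain` is hypothetical input: the domain the document claims to be from.
fn classify(url: &str, expected_domain: &str) -> Vec<Flag> {
    let mut flags = Vec::new();
    let (host, path) = match split_url(url) {
        Some(parts) => parts,
        None => return flags,
    };
    let matches_expected =
        host == expected_domain || host.ends_with(&format!(".{}", expected_domain));
    if LOGIN_PATHS.iter().any(|p| path.contains(*p)) && !matches_expected {
        flags.push(Flag::FakeLogin);
    }
    // Any non-ASCII or punycode label is flagged for review; it is not a verdict.
    // ASCII lookalikes (digit-for-letter swaps) need a separate similarity check.
    if !host.is_ascii() || host.split('.').any(|label| label.starts_with("xn--")) {
        flags.push(Flag::Homograph);
    }
    if SHORTENERS.contains(&host.as_str()) {
        flags.push(Flag::Shortener);
    }
    if host.parse::<IpAddr>().is_ok() {
        flags.push(Flag::IpOnly);
    } else if let Some(tld) = host.rsplit('.').next() {
        if LOW_REP_TLDS.contains(&tld) {
            flags.push(Flag::LowRepTld);
        }
    }
    flags
}

fn main() {
    // Constructed sample URLs; \u{0430} is Cyrillic "a".
    let samples = [
        "https://login.example-support.tk/secure/verify",
        "http://192.0.2.10/account",
        "https://example.com@198.51.100.7/login",
        "https://bit.ly/3abcd",
        "https://ex\u{0430}mple.com/signin",
        "https://login.example.com/login",
    ];
    for url in samples {
        println!("{:?}  {}", classify(url, "example.com"), url);
    }
}
```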

Features

Free vs Pro

Feature | Free | Pro ($29/year)
Safe Rust parser (lopdf) | Yes | Yes
Pdfium visual rendering (click to render) | Yes | Yes
Redaction Lie Detector | Yes | Yes
Tampering Signatures (14 tells) | Yes | Yes
Forensic Narrative Engine | Yes | Yes
Forensic Inspector (22 panels) | Yes | Yes
Threat Inspector (URLs, JS, actions, files) | Yes | Yes
Phishing detection (6 layers) | Yes | Yes
JavaScript beautifier | Yes | Yes
XMP metadata analysis | Yes | Yes
Incremental save timeline | Yes | Yes
Hash blocklist matching | Yes | Yes
Hidden text detection | Yes | Yes
Leaked path analysis | Yes | Yes
Batch folder scanning | Yes | Yes
PDF-to-PDF diff | Yes | Yes
Object Explorer | Yes | Yes
Steganography report (LSB heuristics) | Yes | Yes
Binary scan (entropy + magic-byte signatures) | Yes | Yes
Image streams + EXIF (Make, Model, GPS) | Yes | Yes
Click trace report (action chain walkthrough) | Yes | Yes
Copy forensic JSON report | Yes | Yes
Digital signature verification (forensic-grade) | Yes | Yes
Certificate chain verification (Windows trust store) | Yes | Yes
Encrypted PDF support (AES-256) | Yes | Yes
Zero telemetry / zero network | Yes | Yes
Text selection and copy | Yes | Yes
Search within PDF | Yes | Yes
Highlight annotation | No | Yes
Text annotation / sticky notes | No | Yes
Real text editing (double-click to edit in place) | No | Yes
AcroForm fill (click field to edit value) | No | Yes
Undo / Redo (50-deep stack) | No | Yes
Stamp tools (Confidential, Approved, Draft) | No | Yes
Page extraction / reorder / delete | No | Yes
Merge multiple PDFs | No | Yes
Save all images to folder (with EXIF) | No | Yes
Digital signature signing (ECDSA-P256) | No | Yes
DocMDP lock levels (1/2/3) | No | Yes
PFX/PKCS#12 certificate import | No | Yes
Save revision as standalone PDF | No | Yes
Form field drag-to-move | No | Yes
Flatten annotations for sharing | No | Yes

Compare

vs Adobe Acrobat Reader (Free)

Capability | Adobe Reader (Free) | Sherlock PDF Editor (Free)
Executes JavaScript on open | Yes (dangerous) | No, never
Launches URLs automatically | Yes (with prompt) | No, displays only
Redaction Lie Detector | No | Recovers text from failed redactions
Tampering Signatures | No | 14 forensic tells for document alteration
Forensic Narrative Engine | No | Auto-generated case-note summary
Forensic inspection panels | No | 22 panels (identity, hashes, XMP, fonts, layers, hidden text, more)
Threat Inspector | No | URLs, JS, actions, files, phishing
Phishing detection | No | 6-layer analysis
Batch folder scanning | No | Scan entire folder, sort by severity
PDF-to-PDF diff | No | Structural object-level comparison
JavaScript beautifier | No | Syntax-highlighted, indented
Steganography detection | No | LSB + suspicious-stream heuristics
Image EXIF extraction (GPS) | No | Make, Model, DateTime, GPS coordinates
Digital signature verification | Display only | Forensic-grade: digest + crypto + cert chain to Windows roots
Digital signature signing | No | ECDSA-P256, Adobe Reader verified (Pro)
Encrypted PDF support | No (requires password) | AES-256 decrypt + security strip
Telemetry / network traffic | Yes, extensive | Zero
Installer required | Yes (300MB+) | No, single 17 MB .exe (17.2 MB)
Safe parse/render split | No | Rust parse first, pdfium render on click
Cloud account required | Prompted repeatedly | No account, ever
Cost | Free | Free

Compare

vs Adobe Acrobat Pro ($240/year)

Capability | Adobe Acrobat Pro | Sherlock PDF Editor Pro
Annotation and highlighting | Yes | Yes
Page management | Yes | Yes
Merge PDFs | Yes | Yes
Stamp tools | Yes | Yes
Redaction Lie Detector | No | Recovers text from failed redactions
Tampering Signatures | No | 14 forensic tells
Forensic Narrative Engine | No | Auto-generated case-note summary
Forensic inspection panels | No | 22 panels
Threat Inspector | No | Full threat analysis
Phishing detection | No | 6-layer analysis
Batch folder scanning | No | Scan and triage entire folders
PDF-to-PDF diff | No | Structural comparison
JavaScript beautifier | No | Syntax-highlighted
XMP metadata analysis | No | Full edit-tool history
Hash blocklist matching | No | Local IR-curated blocklist
Steganography detection | No | LSB + suspicious-stream heuristics
Image EXIF extraction (GPS) | No | Make, Model, GPS from embedded images
Click trace (action chain map) | No | Full execution trace
Undo / Redo (50-deep) | Yes | Yes (byte-snapshot stack)
Real text editing | Yes | Yes (double-click to edit)
Digital signature verification | Yes (display only) | Forensic-grade: digest + crypto + cert chain to Windows roots
Digital signature signing | Yes (CA certs) | Yes (ECDSA-P256, PFX import, Adobe verified)
DocMDP lock levels | Yes | Yes (Level 1/2/3)
Safe-by-default parsing | No | Rust parser, no code execution
Zero telemetry | No | Yes
OCR | Yes | No
Real redaction | Yes | No (overlay only)
Convert to Word/Excel | Yes | No
Form creation | Yes (all types) | Text fields (Pro)
Annual cost | $240/year | $29/year (save $211)

Adobe Acrobat Pro for $240/year, or this for $29/year. If you need OCR and real redaction, pay the $240. If you need security-first viewing with annotation, save the $211.

Under the Hood

Tech Stack

Component | Technology | Why
Language | Rust | Memory safety without garbage collection. No buffer overflows, no use-after-free
PDF parser | lopdf | Pure Rust. Extracts structure, text and metadata without executing anything
Visual renderer | pdfium | Chrome's PDF engine. Used only on explicit render click, isolated from the parser
Distribution | Single .exe | No installer, no DLLs, no runtime dependencies. Copy and run
Network | None | Zero outbound connections. No telemetry, no update checks, no license calls

Changelog

What's New in v1.5.0

v1.5.0 - May 2026

  • Certificate chain verification - Walks cert chain against Windows ROOT trust store. Green chip when chain validates to a trusted root. Crypto-verifies every hop with depth cap 8 and cycle guard. Shows chain status, root subject and root SHA-256 fingerprint
  • DocMDP lock levels - Sign with Level 1 (no changes), Level 2 (form-fill + annotations only) or Level 3 (form-fill only). Adobe Reader actively warns when a Level-1-signed PDF is modified. Sign modal has 4-option radio with plain-English descriptions
  • PFX/PKCS#12 certificate import - Import DigiCert, Sectigo, Entrust and internal-CA certificates. Supports PBES2 (PBKDF2 + AES) and legacy 3DES-CBC encryption. ECDSA-P256 certs in v1.5.0, RSA in v1.5.1
  • Mode rail hover-expand - Rail defaults to 52px icon-only, hover-expands to 188px showing icon + label. Chevron toggle at bottom pins expanded state (persisted)
  • RFC 3161 timestamp client - Standalone timestamp token fetcher built and tested (wire-up to signer in v1.5.1). Supports DigiCert, FreeTSA and Entrust TSA endpoints
  • 161 tests passing - 13 new tests across verifier, signer, identity and RFC 3161 modules

v1.4.1 - May 2026

  • Adobe Reader compatibility fixes - Signature field now Widget annotation so Adobe discovers it via page /Annots. Added KeyUsage extension (digitalSignature + nonRepudiation). Adobe Reader now correctly shows "Document has not been modified since this signature was applied"

v1.4.0 - May 2026

  • Digital signature SIGNING - Chain-of-custody as a primitive. Full PDF incremental-save signing pipeline with PKCS#7/CMS SignedData and SHA-256 digest per RFC 5652
  • Self-signed ECDSA-P256 identity generation - Generate signing identities with CN, persisted to %APPDATA%. 5-year validity window
  • Sign toolbar button (Pro) - Identity picker, generate self-signed, reason/location fields, sign and save as. Auto-opens signed PDF to show verifier verdict
  • Adobe Reader verified - Signed PDFs pass Adobe Reader crypto verification. Shows "Document has not been modified since this signature was applied"

v1.3.0 - May 2026

  • Digital signature VERIFICATION - Forensic-grade verifier replacing the metadata-only display. Parses PKCS#7/CMS SignedData, computes digest of ByteRange-covered region, compares against messageDigest signed attribute
  • Signature value verification - RSA-PKCS#1v1.5 and ECDSA P-256/P-384 verification against signer cert public key. Pure Rust crypto stack
  • Signer certificate analysis - Subject, issuer, serial, SHA-256 fingerprint, validity window, key algorithm. Self-signed detection
  • ByteRange coverage check - Detects WHOLE_FILE vs EDITS_AFTER_SIGNATURE with tail byte count. Proves whether a signed document was modified
  • Verdict chips - VALID / VALID (SELF-SIGNED) / VALID BUT EDITED AFTER SIGNING / INVALID / UNVERIFIABLE with severity-tiered findings

v1.2.1 - May 2026

  • Minor bugfix release

v1.2.0 - May 2026

  • 22 forensic inspection panels - Expanded from 17 to 22 panels with steganography report, binary scan, image streams with EXIF/GPS extraction, text runs report and click trace report
  • Steganography report - LSB and suspicious-stream heuristics for detecting hidden data in PDF streams
  • Binary scan report - Entropy analysis and 25 magic-byte signature detection including post-%%EOF payloads
  • Image EXIF extraction - Every image stream analyzed for Make, Model, Software, DateTimeOriginal and GPS coordinates
  • Click trace report - Symbolic walk of every action chain: URI, NavigateLocal and form-submit anchors mapped across the document
  • Copy forensic JSON - One-click export of the entire forensic report as structured JSON for case files or LLM ingestion
  • Encrypted PDF support - Empty-password auto-decrypt plus AES-256/R6 strip via pdfium for government and enterprise forms
  • Save all images - Pro feature: extract every image from a PDF to a folder with correct .jpg/.jp2/.bin extensions
  • Save revision as PDF - Pro feature: PDFResurrect-style extraction of any historical revision from the incremental save timeline
  • Real text editing details - Double-click any text run to edit in place. lopdf content-stream surgery with Helvetica weight matching. Handles Office-converted PDFs and rotated pages correctly
  • AcroForm fill improvements - Cyan outlines on fillable fields, /Parent chain traversal for inherited values, drag-to-move fields in Select mode
  • Undo/Redo 50-deep - Byte-snapshot stack with Ctrl+Z, Ctrl+Y, Ctrl+Shift+Z

v1.1.0 - May 2026

  • Auto-update mechanism - Built-in update checker using bundled curl.exe. Downloads new binary, batch-script replaces the running exe, relaunches automatically
  • License and Updates modal - Check for updates, download and install, replace token, sign out from within the app
  • Version endpoint - Free-tier checks pages/version/sherlock-pdf-editor.txt, licensed checks heartbeat API for revocation and expiry

v1.0.1 - May 2026

  • Redaction Lie Detector - Finds text recoverable from underneath redaction rectangles or dark highlight annotations. Shows recovered text with cover rect coordinates. The court-document-leak feature nobody else owns
  • Tampering Signatures - Runs 14 forensic tells in parallel: ModDate not advanced after save, CreateDate mismatch between XMP and /Info, Producer mismatch, signature timestamp predating creation, annotation back-dating, hidden OCG layers, unused embedded fonts, JBIG2 presence, duplicate xref offsets and more. Each finding has severity chip + plain-English explanation + raw evidence
  • Forensic Narrative Engine - Auto-generated plain-English paragraph summarizing the document. Copy-to-clipboard for case notes. No other tool generates this automatically
  • Dark + Light theme - Persistent theme toggle via sun/moon icon in status bar. Sherlock-green accent throughout
  • 9-mode rail UI - New navigation rail replacing the toolbar. Phosphor monochrome icons
  • 3-zone chrome - Mode rail / mode-specific sub-toolbar / status bar (page count + SHA-256 + theme toggle + license chip)
  • Drag-and-drop PDF open - Drop any .pdf onto the window to open it. Green overlay while dragging
  • Panel polish - Every inspector rebuilt with severity chips (CLEAN / FOUND / LEAKS / ALLOWED / DENIED / BLOCKLISTED), framed monospace blocks and card-style layouts
  • Batch results table - Severity chip per row, hover tint, Export CSV button
  • PDF Diff polish - ADDED / REMOVED / MODIFIED chips with framed monospace diff blocks
  • Built-in update checker - Check for updates, download and auto-install from within the app
  • Custom window icon - SF green-on-navy mark in taskbar and title bar
  • Bundled fonts - Inter Variable + JetBrains Mono Variable for consistent rendering

v0.2.0 - May 2026

  • Forensic Inspector with 22 panels - Document Identity, File Hashes + Blocklist, Permissions, PDF/A and PDF/X Validation, /Info Dictionary, XMP Metadata, Incremental Save Timeline, Fonts Inspector, Embedded Files, JavaScript (with Beautifier), Actions Chain, URLs Extracted, Hidden Text, Layers (OCGs), Structure Tree, Cross-Reference Table and Leaked Paths
  • Batch folder scanning - Open a folder, scan every PDF, get a summary table sorted by severity
  • PDF-to-PDF diff - Compare two PDFs side by side with structural object-level differences
  • JavaScript beautifier - All /JS entries beautified with syntax highlighting for readability
  • XMP metadata analysis - Full XMP stream with edit-tool history showing which software touched the file
  • Incremental save timeline - Every %%EOF with byte offset revealing the edit history of the document
  • Hash blocklist matching - SHA-256 + MD5 with automatic match against local IR-curated blocklist
  • Hidden text detection - Text render mode 3 (invisible) detection for text present but not rendered
  • Leaked path analysis - Filesystem paths in Producer/Creator/metadata revealing the authoring environment
  • Layers (OCGs) inspector - Optional Content Groups tree showing hidden layer-based content
  • Cross-reference table analysis - xref/startxref analysis for structural integrity
  • Structure tree inspection - PDF/UA accessibility tree analysis
  • Permissions analysis - /Encrypt /P analysis captured before decryption
  • Educational tooltips - Every panel has a hover tooltip explaining what the data means and why it matters

v0.1.0 - May 2026

  • Initial release - Safe-by-default PDF viewer and editor with pure Rust parser
  • Threat Inspector - URL extraction, JavaScript detection, launch actions, embedded files
  • Phishing detection - 6-layer URL analysis
  • Two-layer defense - lopdf parser + pdfium isolated renderer
  • Pro edition - Annotations, stamps, page management, merge PDFs

Pricing

$29/Year. Not $240.

Pro Edition

$29 USD/year
Annual subscription. All forensic inspection panels and security features are free forever. Pro unlocks editing tools.
  • All free features (17 forensic panels, batch scan, diff, Threat Inspector)
  • Highlight and text annotations
  • Sticky notes
  • Stamp tools (Confidential, Approved, Draft, custom)
  • Page extraction, reorder and deletion
  • Merge multiple PDFs
  • Flatten annotations for sharing
  • 30-day money-back guarantee

5+ machines? Contact us for volume pricing.

Who It's For

Built for People Who Handle Suspect Files

For DFIR Responders

You receive PDFs from compromised mailboxes and seized drives. You need to see what is in them without triggering payloads. Threat Inspector shows URLs, JS, launch actions and embedded files before any rendering happens.

For IT Security Teams

Users forward suspicious attachments to your team every day. Open them in Sherlock instead of spinning up a VM. The Rust parser cannot execute the payload. Phishing detection catches the fake login pages your users almost clicked.

For Lawyers

Discovery produces thousands of PDFs from unknown sources. You need to review them without risking your firm's network. Sherlock opens them safely, and Pro lets you annotate and stamp without paying Adobe $240/year per seat.

For Sysadmins

Someone emails a PDF that "looks weird." You need to check it before telling the user whether to worry. Open it in Sherlock, check the Threat Inspector, give the answer. Takes 30 seconds instead of booting a sandbox.

Guide

How to Safely Open a Suspicious PDF

  1. Download Sherlock Forensic PDF Viewer + Editor: Download the free editor from this page. Single .exe, no installer, no dependencies. Launch and go.
  2. Open the Suspicious PDF: Drag the file onto Sherlock or use File > Open. The pure Rust parser (lopdf) extracts text, structure and metadata. No JavaScript or actions execute.
  3. Review the Threat Inspector: Check the Threat Inspector panel. It shows extracted URLs, embedded JavaScript, launch actions, embedded files and phishing indicators. Every threat is surfaced before a pixel renders.
  4. Render if Safe: If the Threat Inspector shows no concerns, click Render to display the visual layout via pdfium. This step is always opt-in.
  5. Annotate or Extract: Pro users can highlight, annotate, stamp and extract pages. Zero data leaves your machine at any point.

Honest Limitations

What This Tool Does Not Do

We would rather you know the boundaries before downloading than find out after.

  • No OCR. Scanned-image PDFs display as images. Text extraction works only on PDFs with actual text layers.
  • No redaction tool. The Redaction Lie Detector finds failed redactions in other people's PDFs, but Sherlock does not create redactions itself. Annotations and text replacement leave the underlying content in the PDF structure. For court-grade redaction, use a dedicated tool like Adobe Acrobat Pro or Foxit.
  • No Word/Excel conversion. This is a PDF viewer and editor. It does not convert PDFs to .docx or .xlsx.
  • Form-field creation is text-only (Pro). Drag a rectangle to add a fillable text field. Checkboxes, radio buttons, dropdowns and signature fields are not supported yet.
  • Signature signing is ECDSA-P256 only (v1.5.0). RSA certificate import is coming in v1.5.1. RFC 3161 timestamp authority integration (cryptographically-bound signing time) is also coming in v1.5.1.
  • Windows only. macOS and Linux builds are planned but not available yet.
  • SmartScreen warning. New executables without established reputation trigger a Windows SmartScreen warning. This is normal. Verify the SHA-256 hash.

Coming Soon

Built and Tested. Shipping Next.

This module is built with full unit tests. It will surface in the UI in an upcoming release.

Module | What It Does
Revision Diff | Per-page text-run diff between two document revisions. Visual scrubber UI for stepping through incremental saves.

Questions

Trust and Safety FAQ

Can opening a PDF get me hacked?
Yes. Standard PDF readers like Adobe Reader execute JavaScript, launch URLs and run embedded actions automatically when you open a file. A malicious PDF can exploit these features to download malware, steal credentials or redirect you to phishing pages. Sherlock Forensic PDF Viewer + Editor parses PDFs with a pure Rust parser that does not execute any embedded code. Visual rendering via pdfium only happens when you explicitly click Render after reviewing the Threat Inspector.
Why is this called a forensic PDF editor?
Because it treats every PDF as potentially hostile evidence. The safe-by-default architecture (Rust parser first, pdfium render only on click) mirrors how a forensic examiner handles suspect files: inspect metadata and structure before ever executing content. The Threat Inspector extracts URLs, JavaScript, launch actions, embedded files and phishing indicators so you see what the PDF wants to do before it can do it.
Do you collect any data or telemetry?
No. Sherlock Forensic PDF Viewer + Editor makes zero outbound network connections. No telemetry, no analytics, no license-phone-home, no update checks. The application is a single .exe that runs entirely offline. Your PDFs never leave your machine. Verify with Wireshark or any network monitor.
How is this different from opening a PDF in a sandbox?
A sandbox lets the malicious code run and tries to contain the damage after the fact. Sherlock never runs the code in the first place. The Rust parser extracts text, structure and metadata without executing JavaScript, launch actions or embedded scripts. You see the threats listed in the Threat Inspector before any rendering occurs. It is prevention vs containment.
What happens if I open a malicious PDF in Sherlock?
Nothing fires. The file is parsed by lopdf (pure Rust) which extracts structure without executing anything. The Threat Inspector scans every URL, JavaScript action, /Launch action, /OpenAction, embedded file and XFA form. Critical threats trigger a red banner and rendering is blocked. You can read every script in the JavaScript Inspector panel and inspect every URL it would have called. The script body is just text in the UI. No JS interpreter runs. No URLs are fetched. No shell commands are handed to the OS. No annotation actions fire on click. Two layers of defense: lopdf has no action dispatcher and pdfium (when engaged) only rasterizes bitmaps without calling FORM_DoDocOpen or any event handler.
Can Sherlock detect hidden text in a PDF?
Yes. The Hidden Text panel in the Forensic Inspector detects text rendered with mode 3 (invisible). This is text that exists in the content stream but is not displayed on the page. It is commonly used to hide keywords for search engine manipulation, embed tracking strings or conceal watermarks. Sherlock surfaces every instance with its position and content so you can see what the document is hiding.
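The check described above, as an added example (not Sherlock's own code): a std-only Rust scanner that walks an already-decoded content stream and collects the strings painted while text rendering mode 3 is in effect. The function name, the simplified tokenizer and the sample stream are assumptions made for illustration.

```rust
// Added example: find text shown under render mode 3 in a *decoded* content stream.
// SAMPLE is constructed; real streams are usually Flate-compressed and must be inflated first.
const SAMPLE: &[u8] = b"BT /F1 12 Tf 72 700 Td (Invoice 1042) Tj ET\n\
q BT 3 Tr /F1 1 Tf 72 10 Td (tracking-id \\(A17\\)) Tj [(hid) -20 (den)] TJ ET Q\n\
BT 72 680 Td (Total due) Tj ET\n";

/// Returns every string painted while text rendering mode 3 (invisible) is active.
fn hidden_text(stream: &[u8]) -> Vec<String> {
    let (mut mode, mut saved) = (0i64, Vec::new()); // Tr is graphics state: q saves, Q restores
    let (mut strings, mut last_num) = (Vec::<String>::new(), 0i64);
    let (mut found, mut i) = (Vec::new(), 0);
    while i < stream.len() {
        let b = stream[i];
        if b == b'(' {
            // Literal string: honour backslash escapes and balanced parentheses.
            let (mut depth, mut s) = (1, Vec::new());
            i += 1;
            while i < stream.len() && depth > 0 {
                match stream[i] {
                    b'\\' if i + 1 < stream.len() => { i += 1; s.push(stream[i]); }
                    b'(' => { depth += 1; s.push(b'('); }
                    b')' => { depth -= 1; if depth > 0 { s.push(b')'); } }
                    c => s.push(c),
                }
                i += 1;
            }
            strings.push(String::from_utf8_lossy(&s).into_owned());
        } else if b == b'/' {
            // Name operand such as /F1: skip it so it is never read as an operator.
            while i < stream.len() && !stream[i].is_ascii_whitespace() { i += 1; }
        } else if b.is_ascii_digit() {
            let start = i;
            while i < stream.len() && stream[i].is_ascii_digit() { i += 1; }
            last_num = std::str::from_utf8(&stream[start..i]).unwrap().parse().unwrap_or(0);
        } else if b.is_ascii_alphabetic() || b == b'\'' || b == b'"' {
            let start = i;
            while i < stream.len() && (stream[i].is_ascii_alphanumeric() || b"'\"*".contains(&stream[i])) { i += 1; }
            match &stream[start..i] {
                b"Tr" => mode = last_num,
                b"q" => saved.push(mode),
                b"Q" => mode = saved.pop().unwrap_or(0),
                b"Tj" | b"TJ" | b"'" | b"\"" if mode == 3 => found.push(strings.concat()),
                _ => {}
            }
            strings.clear(); // operands belong to the operator that follows them
        } else { i += 1; }
    }
    found
}
fn main() { println!("{:?}", hidden_text(SAMPLE)); }
```

The recovered bytes are character codes in the active font's encoding, so fonts with custom or CID encodings need their ToUnicode map applied before the text is readable. Hex strings (`<...>`) and octal escapes are not decoded by this simplified tokenizer.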
How do I scan a folder of PDFs for threats?
Open Sherlock Forensic PDF Viewer + Editor and use the Batch Scan feature. Select a folder and every PDF inside it is scanned automatically. The results appear in a summary table showing threat count, severity and file details for each PDF. Sort by severity to prioritize the most dangerous files. Click any row to open the full Forensic Inspector for that file. This is designed for IR triage: point at a folder of seized PDFs or email attachments and get an instant threat overview.
What forensic metadata can Sherlock extract from a PDF?
The Forensic Inspector has 22 panels that extract: document identity (PDF version, encryption, trailer /ID), file hashes (SHA-256, MD5) with blocklist matching, permissions (/Encrypt /P analysis), PDF/A and PDF/X conformance, /Info dictionary (author, producer, creator, dates), XMP metadata with full edit-tool history, incremental save timeline (every %%EOF with byte offset), fonts (PostScript name, subtype, embedded status), embedded files (name, size, MIME, hash), JavaScript (beautified and syntax-highlighted), actions chain (/OpenAction, /AA, annotation /A), URLs with phishing analysis, hidden text (render mode 3), layers (OCGs), structure tree, cross-reference table and leaked filesystem paths.
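Two of the items named in the answers above, action keys such as /OpenAction and /Launch and the incremental save timeline of %%EOF offsets, can be found without executing anything. The following is an added example, not Sherlock's own code: a std-only Rust byte scan in which the key list, function names and sample file are assumptions made for illustration.

```rust
// Added example: non-executing triage of raw PDF bytes (std only).
// RISKY and SAMPLE are constructed for illustration, not taken from Sherlock.
const RISKY: [&str; 7] = ["JavaScript", "JS", "Launch", "OpenAction", "AA", "EmbeddedFile", "XFA"];
const SAMPLE: &[u8] = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n\
2 0 obj\n<< /S /J#61vaScript /JS 3 0 R >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n\
4 0 obj\n<< /Producer (edited) >>\nendobj\n%%EOF\n";

/// Decode the name starting at `i` (just past '/'), resolving #xx hex escapes so that
/// an obfuscated spelling such as /J#61vaScript still compares equal to JavaScript.
fn read_name(buf: &[u8], mut i: usize) -> (String, usize) {
    let mut out = Vec::new();
    while i < buf.len() && !buf[i].is_ascii_whitespace() && !b"()<>[]{}/%\0".contains(&buf[i]) {
        let esc = buf[i] == b'#'
            && buf.get(i + 1..i + 3).map_or(false, |h| h.iter().all(|c| c.is_ascii_hexdigit()));
        if esc {
            let hex = std::str::from_utf8(&buf[i + 1..i + 3]).unwrap();
            out.push(u8::from_str_radix(hex, 16).unwrap());
            i += 3;
        } else {
            out.push(buf[i]);
            i += 1;
        }
    }
    (String::from_utf8_lossy(&out).into_owned(), i)
}

/// Returns (risky keys with byte offsets, byte offsets of every %%EOF marker).
fn triage(buf: &[u8]) -> (Vec<(String, usize)>, Vec<usize>) {
    let (mut keys, mut eofs, mut i) = (Vec::new(), Vec::new(), 0);
    while i < buf.len() {
        if buf[i..].starts_with(b"%%EOF") {
            eofs.push(i); // each incremental save appends its own %%EOF
            i += 5;
        } else if buf[i] == b'/' {
            let (name, next) = read_name(buf, i + 1);
            if RISKY.contains(&name.as_str()) {
                keys.push((name, i));
            }
            i = next;
        } else {
            i += 1;
        }
    }
    (keys, eofs)
}

fn main() {
    let (keys, eofs) = triage(SAMPLE);
    for (name, off) in &keys { println!("/{} at byte {}", name, off); }
    println!("{} EOF markers at {:?}", eofs.len(), eofs);
}
```

A raw byte scan cannot see keys stored inside compressed object streams and will also report matches that sit inside string or stream data, so treat its output as triage input for a full object-level parse rather than a verdict.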
Can Sherlock detect failed redactions in a PDF?
Yes. The Redaction Lie Detector finds text that is recoverable from underneath redaction rectangles or dark highlight annotations. When someone tries to redact a PDF by drawing a black rectangle over text, the text remains in the content stream. Sherlock recovers it and shows the hidden text alongside the cover rectangle coordinates. This is critical for court documents, leaked contracts and any case where someone attempted to hide information but failed.
How does Sherlock detect if a PDF was tampered with?
The Tampering Signatures feature runs 14 forensic tells in parallel: ModDate not advanced after save, CreateDate mismatch between XMP and /Info, Producer mismatch, signature timestamp predating creation, annotation back-dating, hidden OCG layers, unused embedded fonts, JBIG2 presence, duplicate xref offsets and more. Each finding includes a severity rating, plain-English explanation and raw evidence. This proves document alteration in cases where integrity matters.
What is the Forensic Narrative Engine?
The Forensic Narrative Engine auto-generates a plain-English paragraph summarizing the forensic state of a PDF. It produces output like: "This document was created on 2024-03-15 by Microsoft Word 16.0, modified 4 times across 12 days, the XMP edit history records Adobe Acrobat Pro DC as last editor though Producer claims LibreOffice 7.5." A copy-to-clipboard button lets investigators paste directly into case notes. No other PDF tool generates this automatically.
What is the safest PDF viewer for Windows?
Sherlock Forensic PDF Viewer + Editor opens PDFs in a pure Rust parser that cannot execute JavaScript, navigate URLs or launch processes. The rendering engine (pdfium) only activates when you click Render Pages. No other PDF viewer separates parsing from rendering this way. The Threat Inspector scans for malicious URLs, JavaScript, launch actions, embedded files and phishing indicators before a single pixel renders. Zero network traffic. Single .exe. Free download.
Is there a secure PDF viewer that scans for malware?
Yes. Sherlock Forensic PDF Viewer + Editor scans every PDF for malicious URLs, JavaScript, launch actions, embedded files and phishing indicators before rendering a single pixel. The Threat Inspector shows you what the PDF wants to do. Nothing executes. Unlike antivirus which scans for known signatures after download, Sherlock performs structural analysis that catches zero-day exploits. Free for Windows.
Why does Windows SmartScreen warn about this app?
SmartScreen flags executables that have not accumulated enough download volume to build a reputation score with Microsoft. This is normal for new independent software and has nothing to do with the safety of the application itself. Sherlock Forensic PDF Viewer + Editor is a single Rust binary with no network access, no installer and no system modifications. You can verify the SHA-256 hash on the download page and inspect network traffic with Wireshark to confirm zero outbound connections.

Get Started

Download Sherlock Forensic PDF Viewer + Editor

Free for Redaction Lie Detector, Tampering Signatures, Forensic Narrative Engine, 17 forensic panels, batch scanning, PDF diff and phishing detection. Pro at $29/year for annotation, stamps and page management. Built by CISSP, ISSAP and ISSMP certified examiners with 20 years of courtroom experience. See our full forensic tool suite and expert witness services.

Since 2006 · CISSP, ISSAP, ISSMP certified · 604.229.1994

Used for: Forensic PDF examination, contract review, legal discovery, malware triage, redaction and evidence preservation

30-day money back guarantee on the Pro Edition. If it does not meet your needs, contact us for a full refund.

507cbb318e107d570dbcd197cdf8f3488ac2b6c767bf3e8aff5be46611873ef1

How to verify:
1. Open PowerShell (right-click Start menu, click Terminal)
2. Run: Get-FileHash .\sherlock-pdf-editor.exe
3. Compare the output with the hash above. If they match, the file has not been tampered with.

Sherlock Forensic PDF Viewer + Editor is provided for lawful use. Terms of Service
