Field Collection
Connect media, run approved profiles, and process evidence where the work starts without rebuilding configurations.
// Pre-release evaluation · v0.9
Shadow and Shield · Shield 399
A digital forensics platform built for the operator.
Shadow and Shield launches with Shield 399: a field-ready forensic toolkit, touchscreen appliance, and network dashboard for acquisition, sanitization, analysis, case work, and repeatable tool execution.
Technical users configure profiles once. Operators run approved work from the appliance. Tool execution, case activity, metrics, and results remain reviewable from the dashboard.
Shield 399
Pre-release evaluation unit
- FormatsE01 / Ex01 / AFF4 / DD / Synthetic E01
- User ControlsProfiles, teams, roles, tool config
- RecordTool execution, operator history, hashes, keywords, file listings
- ChassisASUS 15 Pro Ultra 7 255H, 96 GB RAM, 1TB NVMe
excuses
Find a way.
The motto came from the resilience that has been required to keep moving this project forward.
When something is hard, unknown, or frustrating; find a way. Reset, approach differently, persist, and figure it out.
"I don't know the first thing about touch screens and microcontrollers." Find a way. "I don't know how to have a case manufactured or edit 3D models." Find a way. "I can't figure out why the screen is locking up." Find a way. "I have tried for weeks and it's not working..." Find a way.
Why It Exists
Built to keep forensic tools organized, accessible, accountable, and synchronized.
Shield 399 came from deployed work where data collection and processing outpaced operator capacity and every tool added another setup burden.
- Useful forensic tools already existed, but each carried its own install, dependencies, and configuration.
- Tool runs, drive context, notes, and collection priorities were difficult to track across disparate environments.
- Technical users needed a way to configure a tool profile once.
- Operators needed to connect media, run the saved profile, and hand off results without exhaustive retraining.
Built For
Built for real evidence work.
Designed for teams that collect, process, review, and hand off digital evidence across field and lab environments.
Law Enforcement + Digital Forensics
Military / SOF Field Teams
Intel + Government Programs
Forensic Labs + Technical Examiners
Lab Review
Review tool execution, hashes, file listings, keyword results, reports, and exports from the dashboard with case context attached.
Team Coordination
Manage users, roles, organizations, cases, selected metadata sync, and repeatable tool access across controlled teams and deployments.
Platform Overview
A platform for tools, operators, cases, and results.
Technical users configure tool profiles, set up cases, and review execution history through the network dashboard. Operators run the configured work from the Shield 399 touchscreen. Case context flows between both surfaces so activity, results, and review stay connected.
Tool profiles
A technical expert configures a forensic tool once. The saved profile becomes repeatable work that any approved operator can run from the appliance.
Touchscreen operation
Field operators run saved tool profiles directly from the touchscreen. Same configuration, same outputs, every operator.
Dashboard review
A network dashboard surfaces queue state, execution history, case activity, and metrics. Accessible from a laptop, tablet, or phone on the approved network — or paired directly to the appliance.
Case and team context
Cases, evidence records, users, organizations, and selected operational metadata can be synced across configured deployments.
Core Capabilities
Core capabilities for evidence handling and tool execution.
Eight capability areas operators actually use — configured by a technical user, executed from the appliance, and reviewable with case context. Each one has a deeper page when you need the scope, caveats, and outputs.
01 / Acquire
Acquire Evidence
Image connected media to E01, Ex01, AFF4, DD/RAW, or Synthetic E01 with hashing, verification, destination spillover, and one-to-many cloning.
02 / SanitizeSanitize Media
Use Wipe/Overwriter for drive wiping, verification, SSD-aware erase options, and sanitization records where the drive path supports it.
03 / AnalyzeAnalyze Drives
Use keyword, regex, hash comparison, encryption indicators, filesystem context, and drive-health signals where exposed.
04 / ConvertClone, Migrate, Convert
Handle disk cloning, drive migration, and selected image-conversion capabilities from the same operating surface.
05 / ManageManage Cases & Reports
Keep cases, evidence records, assignments, reports, and exports tied to tool execution and operator activity.
06 / ExecuteExecute Tools
Save tool profiles, queue jobs, track dependencies, use Quick Add, and review execution history where supported.
07 / SyncSync Teams & Deployments
Manage users, organizations, roles, permissions, and selected operational metadata across configured deployments.
08 / OperateOperate Hardware
Use the touchscreen, network or paired-device access, configured port roles, and hardware-aware system services.
Workflow
From connected media to case-attached operational history.
- Phase I
Connect
Attach source, destination, and utility media through configured port roles.
- Phase II
Authenticate
Select the user, case, organization, and saved workflow profile.
- Phase III
Execute
Queue acquisition, analysis, sanitization, cloning, migration, or export jobs.
- Phase IV
Verify
Record hashes, verification outcomes, errors, warnings, and execution state.
- Phase V
Review
Use dashboard views, exports, and reports with per-case operational context.
Operations Log
Tool activity, captured as it runs.
Demonstrative sample entries show how actions, hashes, verification outcomes, and operator context can become reportable case history.
- 14:42:07ZInfoSource media attached on PORT.SRC.01 - read-only enforced
- 14:42:11ZOKOperator authenticated against case profile
- 14:42:18ZInfoAcquisition queued: format E01, hash SHA-256, verify on
- 14:51:44ZOKImage complete - 482.6 GB / 0 errors / SHA-256 verified
- 14:51:46ZInfoKeyword and hash comparison set queued against case index
- 15:14:02ZOKCase record updated - operator, hashes, and execution details retained
Operations Dashboard
Hardware-paired software for case-aware review.
Authorized review on an approved local network. Case context, queue state, execution history, and exportable records are paired with the field unit.
01 / 21
Native Tooling
Ground-up Go tools, not wrappers.
These are first-party Go engines, not wrappers around open-source command-line tools. That gives Shield 399 direct control over long-running forensic work: progress, checkpointing, verification, error handling, and structured records are built into the workflow instead of inferred from command output.
Drive Imager
Native Go E01/RAW/AFF4Ex01 via ewfacquireDAASHSpillover
- Drive-swap resume when destination media fills
- Multi-destination spillover for one acquisition across selected destinations
- Native E01 writer with EWF-compatible segments, compression, checksums, and Shadow & Shield DAASH hashes
Disk Cloner
Native Godd legacy1-to-many nativeVerify
One-to-one and one-to-many block cloning with checkpoint-backed resume, verification options, bad-sector tracking, and read-only handling for cloned destinations.
Wipe / Overwriter
Native overwriteHardware-assisted when verifiedTRIM/UNMAPshred/dd legacy
- Hardware-assisted wipe paths when verified available from the connected device or bridge
- Native software overwrite with deterministic patterns
- Verification, progress, and wipe-operation records
Image Verify
Native E01/AFF4Ex01 via ewfverifyDAASH/BLAKE3
- Reads Shadow & Shield advanced hash metadata (DAASH) where present
- Validates MD5, SHA-1, SHA-256, and BLAKE3 hash material
- Keeps E01 compatibility while adding stronger native verification
E01 Info
Native E01 infoDAASH-awareewfinfo-style
- Inspects E01 segment layout, acquisition metadata, and media geometry
- Shows compression and embedded legacy hash fields
- Reads Shadow & Shield DAASH advanced hashes where present
Image Converter
Native streamingE01/DD/AFF4Synthetic decrypted E01Optional verify
Conversion workflows for E01, DD, AFF4, and decrypted synthetic E01 outputs where supported.
How the native E01 writer is constructed
- The native Go imaging engine applies to E01 output; Ex01 uses
ewfacquire. - Writes EWF-compatible segment files with standard file headers and
.E01to.E99, then.EAArollover. - Builds EWF-style sections across segments, including
header2, legacy header, volume/data, sectors, chunk data,table,table2,digest,hash,daash,next, anddone. - Uses 4 MB E01 chunks during acquisition, with table offsets marking compressed chunks.
- Supports compression modes and stores chunks uncompressed when compression would increase size, preserving compatibility.
- Uses Adler32 checksums for section descriptors and section/hash/table payload structures; uncompressed chunks include a trailing 4-byte Adler32 checksum.
- Compressed chunks are stored as zlib streams and marked through the table offset high bit.
- Writes legacy
digestandhashsections plus Shadow & Shield DAASH hashes: MD5, SHA-1, SHA-256, and BLAKE3. - DAASH does not affect industry-tool compatibility; tools that do not understand
daashcan ignore it, while Shadow & Shield Image Info and Image Verify can read it.
Full Tool Listing
What Shield 399 includes.
* Pre-release inventory. Minor names, defaults, and workflow details may change before launch.
The tool inventory includes native Go tools plus coordinated system and AI-assisted workflows. Each tool is surfaced through Shield 399's queue, records, permissions, and review model.
Forensic Drive Imager
Native Go E01/RAW/AFF4Ex01 via ewfacquireDAASHSpillover
- Drive-swap resume when destination media fills
- Multi-destination spillover for one acquisition across selected destinations
- Synthetic imaging, hashes, metadata, and execution history
Image Verify
Native E01/AFF4Ex01 via ewfverifyDAASH/BLAKE3
- Reads Shadow & Shield advanced hash metadata (DAASH) where present
- Recomputes MD5, SHA-1, SHA-256, and BLAKE3 hash material
- Records verification outcomes for supported image workflows
Image Converter
Native streamingE01/DD/AFF4Synthetic decrypted E01Optional verify
Converts supported forensic image formats and handles selected synthetic-image workflows for decrypted output paths.
The Overwriter
Native overwriteHardware-assisted when verifiedTRIM/UNMAPshred/dd legacy
- Hardware-assisted wipe paths when verified available from the connected device or bridge
- Native overwrite with deterministic patterns
- Verification, method-selection records, and wipe-to-format workflow support
Drive Formatter
GPT / MBRNTFSexFATFAT32ext4XFSBtrfsF2FSHFS+
Creates partition tables and filesystems on destination media for post-wipe preparation or standalone formatting workflows.
Drive Encryption Manager
LUKS1 / LUKS2Destination driveNTFS / exFAT / FAT32ext4 / XFSHeader backupKey slots
- Provisions destination drives as LUKS-encrypted volumes
- Creates the partition, LUKS container, mapped filesystem, and optional header backup
- Records encryption operations and supports selected key-management workflows
Disk Cloner
Native Godd legacy1-to-many nativeVerify
Copies a source drive to one or more destinations with checkpoint-backed resume, verification, bad-sector tracking, and read-only handling for cloned destinations.
Drive Migrator
Partition-levelPreview planCopy + growGPT / MBRLUKS unlock
- Copies source partitions into a recreated destination layout
- Shows a migration preview with the planned layout
- Supports unlocked LUKS migration
Logical File Extractor
Copies selected files from a source drive or mounted forensic image to destination media as loose files or logical evidence output.
Drive Hasher
Source driveMounted imageMD5 / SHA-1SHA-256 / SHA-512BLAKE2b
- Hashes source drives or mounted forensic images
- Stores one hash record per selected algorithm
Partition Hasher
Computes hashes over a selected partition path and records partition-scoped digest results in the platform hash tables.
File Hash Analyzer
Hashes enumerated files and compares them against registered reference sets for known-file classification workflows.
Keyword Search
Searches enumerated filesystem records for literal keywords and optional regular-expression patterns, with exportable results.
Encryption Detector
Scans source-device partitions for encryption indicators and records structured detections and unlock attempts where configured.
Translate Filenames
Detects non-English filenames from existing scan results and writes translated names back to review surfaces without modifying evidence.
NTFS Fix Tool
Runs selected NTFS repair and verification workflows against a partition when filesystem repair is appropriate.
Smart Card Reader
Reads connected smart-card reader and card metadata, including PKCS#15-accessible details exposed through supported tooling.
Bluetooth Scanner
Discovers nearby Bluetooth devices through the host adapter and records scan sessions with per-device metadata.
Technical Snapshot
Platform operating model.
A concise view of how Shield 399 organizes tools, profiles, operators, case context, and review surfaces for pre-release evaluation.
Platform
- Hardware unit
- ASUS NUC 15 Pro Ultra 7 255H with 96GB of RAM and 1TB of NVMe
- Software model
- First-party tool execution tied to queue state, operational records, and dashboard review
- Operator surface
- Touchscreen operation or network dashboard when paired with a laptop, phone, or tablet
- Origin
- Built by daarc, Inc. from field, deployed forensics, and cyber experience
Execution
- Tool profiles
- Technical users save configurations for repeatable operator execution
- Queue and status
- Tool work can be queued, tracked, reviewed, and tied back to case context
- Source controls
- Automatic read-only source handling during acquisition, scanning, and analysis paths
- Operational history
- Tool execution and operator history remain available for review and reporting
Control and Review
- Case management
- Cases, evidence records, drive sessions, tool executions, exports, reports, and operators
- Access control
- PIN users, organizations, permissions, tool availability, and saved profiles
- Dashboard access
- Review from an approved network or directly paired laptop, tablet, or phone where configured
- Sync model
- Selected cases, users, organizations, and operational metadata can synchronize across configured deployments
Compatibility
Compatibility snapshot.
Representative formats, inputs, interfaces, and outputs for pre-release evaluation. Support varies by workflow, configuration, and detected device path.
Evidence Formats
E01Ex01AFF4RAW / DDSynthetic E01Individual file extraction
Hashing
MD5SHA-1SHA-256SHA-512BLAKE2b-256BLAKE3
Drive Interfaces + Signals
USB 3.xSATANVMeSMARTHPA / DCO indicators
Filesystems
NTFSexFATFAT32EXT4XFSBtrfsF2FSHFS+
Wipe + Verification
Single / multi-pass overwriteTRIM / UNMAPUSB-safe sanitize pathsNVMe sanitize where exposedSample-based verificationFull-drive verification
Encryption
LUKSLUKS1 / LUKS2BitLocker
Smart Cards
PIV / CACPKCS15USB CCIDATR captureCertificate metadata
Search + Reference Sets
Keyword listsRegex patternsNSRLCustom hash sets
Exports
CSVJSONTXTHTMLFile listings + metadataKeyword resultsHash outputs
Field Dossier
Details that separate Shadow and Shield from a tool collection.
The platform is not just a launcher for forensic utilities. These clauses highlight first-party capabilities, workflow records, and team features built into Shadow and Shield.
Native Go forensic imager optimized for modern CPU architecture
LUKS and BitLocker credential handling for encrypted evidence workflows
Source-drive detection, review, and read-only handling controls
Filename translation into English for supported export outputs
Tool execution history, results, hashes, and operator records
Team, organization, and case metadata sync with metrics and reporting
Independent Engineering
Built from field, deployed forensics, and cyber experience.
Shield 399 came out of a deployed forensics environment where I was processing more data than one operator could realistically manage. I had hardware sitting unused, tools scattered across installs, and scripts I’d written to glue them together. The platform became the product — built so the next operator wouldn’t need my training to run my profile. AI-assisted engineering keeps the team small and the iteration tight; the product direction is shaped by lived operational practice.
Engineered With AI
Forensic hardware engineered by one operator and AI.
Shield 399 is being built by a single founder with field forensics experience, using AI-assisted engineering from concept to working product.
Field experience sets the requirements. AI helps turn them into appliance, software, and integration work that would normally require a larger engineering team.
Public build log
Follow the build → @jaredringenberg.labs
26k+ followers
Following the development process.
Solo founder build
Designed and engineered by one operator with AI.
Pre-release evaluation
Shield 399 is not yet in public sale.
Designed and assembled in the U.S.
By daarc, Inc. — a United States company.
About daarc
A Florida company building forensic tools for operational environments.
Shadow and Shield is developed by daarc, Inc., a United States company based in St. Petersburg, Florida.
daarc, Inc. St. Petersburg, FloridaPre-release Access
Join release updates.
Shadow and Shield is in active development and pre-release testing. Get product progress, launch details, and availability updates from daarc.