Shadow and Shield / Drive Analysis

Drive analysis.

Shadow and Shield supports hashing, hash comparison, keyword search, activity review, and encryption indicators against supported drives and forensic images.

Under construction · work in progress

This page will continue to change as the hardware, software, and release materials are finalized.

At a Glance

Hashing, search, activity review, and encryption indicators.

This page covers the analysis tools available for supported drives and forensic images, including hash generation, hash-set comparison, keyword search, filesystem activity review, and encryption detection.

01 / Hashing

Hashing.

Drive analysis includes standalone hashing and hash snapshots that can be associated with later comparison work. A completed hashing operation records algorithm, scope, bytes processed, timestamps, and execution context.

  • MD5, SHA-1, SHA-256, SHA-512, and BLAKE2b-256 for standalone drive, partition, and supported image-backed hashing workflows
  • Hashing can be scoped to device, file, partition, or selected evidence source
  • Hash snapshots support later comparison
  • Hash records stay linked to tool execution context

02 / Comparison

Hash comparison.

Hash comparison jobs compare scanned file hashes against selected reference databases such as NSRL known-good sets or customer-provided sets. Results can classify files as known-good, known-bad, unknown, matched, or unmatched.

  • Reference hash database selection
  • Bloom-filter-accelerated SHA-1 lookups for large reference sets where available
  • Per-job hash provenance snapshots
  • Phase tracking and navigable comparison results

03 / Search

Keyword search.

Keyword and regular-expression search can run across scanned evidence sources with configurable behavior, result filters, export paths, and per-file error tracking.

  • Literal keyword and regex pattern support
  • Optional case-sensitive and UTF-16 matching where configured
  • File size limits, extension filters, binary-file handling, and max matches per file
  • Result flags, context snippets, CSV/JSON/plain-text export, and matched-file extraction where supported

04 / Timeline

File activity review.

Timeline views use filesystem metadata captured during evidence scanning to help operators identify periods of file activity for follow-up analysis.

  • Created, modified, and accessed timestamps where available
  • Activity heatmap scoped to the scan or session under review
  • Useful for triage and follow-up targeting
  • Not a full reconstruction of browser, logon, app execution, registry, shellbag, or system-log activity

05 / Encryption

Encryption indicators.

Analysis can record encryption type, confidence, unlock state, metadata, and related device or session context where headers or other indicators are accessible.

  • High-confidence identification for LUKS and BitLocker where metadata is accessible
  • Optional high-entropy analysis where enabled
  • Hardware-encryption indicators are connection-dependent
  • Detected encryption state can attach to evidence records
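The header-and-entropy logic this section describes, as an added illustration rather than Shadow and Shield's own code: it checks the published LUKS magic and BitLocker boot-sector OEM id for high-confidence identification, falls back to a Shannon-entropy indicator only when that model is enabled, and runs over constructed sample volumes. The function names, the 7.5 bits-per-byte cut-off, and the sample data are assumptions made here.

```python
import hashlib
import math
from collections import Counter

# Signatures, both well documented: a LUKS header begins with these six bytes,
# and a BitLocker volume carries this OEM id at offset 3 of its boot sector.
LUKS_MAGIC = b"LUKS\xba\xbe"
BITLOCKER_OEM = b"-FVE-FS-"
HIGH_ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, 8.0 is uniform


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the sample; 8.0 means all 256 values are equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(volume: bytes, entropy_enabled: bool = True) -> tuple:
    """Return (encryption_type, confidence, detail) for the start of a volume.

    Header matches are high confidence; entropy alone is only an indicator,
    so it is reported with low confidence and only when the model is enabled.
    """
    if volume[:6] == LUKS_MAGIC:
        version = int.from_bytes(volume[6:8], "big")  # 1 or 2, big-endian
        return ("luks", "high", f"header version={version}")
    if volume[3:11] == BITLOCKER_OEM:
        return ("bitlocker", "high", "FVE-FS boot-sector signature")
    if not entropy_enabled:
        return ("none", "none", "entropy analysis disabled")
    entropy = shannon_entropy(volume[:4096])
    if entropy >= HIGH_ENTROPY_THRESHOLD:
        return ("unknown-high-entropy", "low", f"entropy={entropy:.2f}")
    return ("none", "low", f"entropy={entropy:.2f}")


# Constructed stand-ins for the first 4 KiB of four volumes (not real images).
SAMPLES = {
    "luks": LUKS_MAGIC + (2).to_bytes(2, "big") + bytes(4088),
    "bitlocker": b"\xeb\x58\x90" + BITLOCKER_OEM + bytes(4085),
    # Deterministic pseudo-random bytes stand in for headerless ciphertext.
    "random": b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128)),
    "text": b"plain text " * 373,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:10s} -> {classify(data)}")
```

Hardware-encryption indicators, which the page notes are connection-dependent, are outside what a header or entropy check over the volume bytes can show.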

Keep analysis claims tied to supported sources, selected scopes, enabled models, and release-validated behavior.