Shadow and Shield / Drive Sanitization

Drive wiping and sanitization.

Shadow and Shield provides destination-drive wiping with single-pass or multi-pass overwrite, selectable wipe patterns, partition-scope wiping, SSD discard support, and device sanitization paths where available. It also includes progress tracking, cancellation handling, wipe verification, post-wipe formatting dependencies, and reviewable wipe results.

Under construction · work in progress

This page will continue to change as the hardware, software, and release materials are finalized.

At a Glance

What this capability includes.

This page covers the wipe tools, SSD handling, method options, verification outputs, and review data available in the sanitization capability.

Wipe/Overwriter Native pattern-based wiping with single-pass, multi-pass, whole-drive, and partition-scope options.
SSD handling TRIM/UNMAP and sanitize paths are used where the drive and connection expose usable support.
Method options Shadow and Shield presents wipe methods that fit the connected drive and suppresses unsafe or unsupported paths.
Verification outputs Sampling, full-surface checks, signature checks, and method-specific verification data can be retained for review.
Capability Boundaries

01 / Safety Gate

Destination drives only.

Drive wiping is destructive, so Shadow and Shield only performs sanitization against destination drives. Source drives remain write-protected and are not eligible for wipe operations.

  • Target drive must be set as a destination drive
  • Source drives are excluded from sanitization workflows
  • Explicit operator confirmation is required before execution
  • The operation record includes selected method and target drive information
Primary Wipe Tools

02 / Native Tool

Native pattern wiping.

Wipe/Overwriter is built into the platform for destination-drive wiping when a direct overwrite is the right method or when device-assisted erase paths are not available. It writes selected patterns across the target drive or selected wipe scope and reports progress as data is written.

  • Single-pass overwrite
  • Multi-pass overwrite
  • Zero fill, one fill, cryptographic random data, and deterministic pseudo-random patterns
  • Whole-drive overwrite across the detected addressable device size
  • Partition-scope wiping for sector-level methods while leaving other partitions and the partition table unchanged

03 / SSD Handling

SSD discard and sanitize paths.

Solid-state media is handled differently from spinning media. For supported SSD paths, Shadow and Shield can issue TRIM/UNMAP through native discard operations and can use device sanitize paths when exposed as usable through the connection.

  • TRIM/UNMAP across target drive or selected wipe scope where supported
  • Bridge profiles can enable required provisioning-mode workarounds
  • Bridge profiles can suppress TRIM when support is reported incorrectly or behaves unsafely
  • USB SCSI SANITIZE can be used when exposed as usable through the bridge
  • Software overwrite remains the fallback path when device-assisted methods are not available

04 / Device Sanitize

Device-assisted sanitization.

Some drives and bridges expose device-level sanitize paths. Shadow and Shield evaluates what is actually usable through the connected path instead of assuming the underlying media can receive every command.

  • Known unreliable bridge and command combinations can be suppressed
  • Documented bridge workarounds can be applied where supported
  • ATA Secure Erase is not treated as a normal USB sanitization method
  • NVMe sanitize is only used when the detected path exposes usable support
  • USB SCSI SANITIZE, verified TRIM/UNMAP, or software overwrite can be recommended as safer paths

05 / Method Options

Eligible wipe options.

Shadow and Shield evaluates the target drive, media type, reported capabilities, USB bus path, and bridge behavior before presenting wipe options. The operator selects from the methods considered usable for that drive and connection path.

  • Rotational versus solid-state media checks
  • TRIM/UNMAP, ATA security, NVMe sanitize, USB bus, and bridge behavior evaluation
  • Recommended method returned from available methods
  • Unsafe or unsupported methods are suppressed or fail with an explanatory error
Run Control

06 / Progress

Progress and cancellation.

Sanitization operations report progress during execution and can be cancelled by the operator. Cancelled operations are recorded as cancelled and are not reported as complete.

  • Bytes written or sectors processed
  • Percentage complete
  • Current pass or phase where available
  • Verification phase and progress when post-wipe verification is running
  • Cancellation status retained in the operation record
Verification + Review

07 / Verification

Wipe verification.

When verification is enabled, Shadow and Shield records the verification result with the wipe operation. Verification can include statistical sampling, full-surface verification, filesystem signature checks, and method-specific TRIM/UNMAP logical-erasure checks.

  • Statistical sampling reads randomly selected 4 KiB blocks with a minimum of 1,000 samples
  • Default sampling targets detection of a 0.1% unwiped-block rate with 99.9% confidence
  • Full-surface verification reads the entire target sequentially for supported methods
  • Filesystem and partition signature checks look for remaining recognizable structures
  • TRIM/UNMAP verification can compare pre-wipe and post-wipe sample hashes through the normal block-device interface

08 / Errors

Read and write errors.

If overwrite encounters unwritable regions or verification encounters unreadable regions, the condition is recorded as an operation error or verification failure. The current verification record does not provide a per-sector bad-sector map.

  • Verification read failures are reported as failed samples or failed verification blocks
  • Overwrite write failures are recorded as operation errors
  • Verification status, samples checked, failed sample count, and method-specific details can be reviewed later
  • Per-sector observed values and sampled block positions are not currently persisted

09 / Formatting

Post-wipe formatting.

Drive formatting is separate from sanitization. When formatting is queued against the same drive as a preceding wipe, the platform records the dependency and will not start formatting unless sanitization completes successfully.

  • Supported target filesystems include NTFS, exFAT, FAT32, EXT4, EXT3, XFS, Btrfs, F2FS, and HFS+ where utilities are available
  • Dependent formatting is cancelled if the wipe fails or is cancelled
  • Formatting records include filesystem, volume label, partition scheme, quick or full format setting, operator, case number, evidence tag, status, timing, and tool execution ID
  • Limited post-wipe device reinitialization may occur for USB-NVMe bridge readiness and should not be treated as a separate formatting record

10 / Records

Sanitization run records.

The examiner should be able to review what tool ran, who ran it, what drive was targeted, which wipe method was selected, how far it progressed, whether it completed, and what verification showed.

Target
Device path, model, serial, size, drive type, and SSD flag where available.
Method
Selected wipe method, wipe scope, pass count, and overwrite patterns.
Execution
Tool version, operator, case or session association, timestamps, status, errors, bytes processed, and final progress.
Verification
Mode, outcome, sample counts, failed samples, duration, confidence fields, filesystem signature checks, and TRIM/UNMAP pre/post sample hashes where applicable.
Review
Records are available through the network dashboard and touchscreen interfaces.

Sanitization is destructive and destination-only. Avoid broad certification language unless the exact method, device path, and verification claim are supported by the target release and connected hardware.