Shadow and Shield / Migration and Cloning

Migration, cloning, and conversion.

Shadow and Shield separates image conversion, disk cloning, and drive migration so evaluators can understand the movement of evidence data and operational drive contents.

Under construction · work in progress

This page will continue to change as the hardware, software, and release materials are finalized.

At a Glance

Image conversion, disk cloning, and drive migration.

This page separates three movement capabilities: evidence-container conversion, bit-for-bit disk cloning, and partition-aware migration to destination media.

01 / Conversion

Image conversion.

Image conversion changes the evidence container format while preserving the underlying evidence byte stream where the conversion represents the same source data. Conversion records should make the source, destination, hash behavior, and verification status reviewable.

  • Supported paths include E01 to DD/RAW, DD/RAW to E01, E01 to AFF4, AFF4 to E01, and E01 to synthetic E01 where supported
  • Format detection and streaming conversion pipeline
  • Configurable compression and acquisition hash modes where supported
  • Evidence-content hash behavior recorded across conversion
  • Standalone Image Verify can be run against conversion outputs where the selected format and workflow support verification

02 / Synthetic

Synthetic E01.

Synthetic conversion is for cases where the output is analysis-ready derived evidence, not a bit-for-bit match to the original encrypted or transformed source. That distinction should be explicit in customer-facing material.

  • Synthetic E01 can represent decrypted or transformed content where credentials or an unlocked source are available
  • Synthetic output is not expected to hash-match the original encrypted source
  • Transformation provenance and synthetic-identification metadata should be retained where supported
  • Sidecar provenance can carry additional transformation detail

03 / Cloning

Disk cloning.

Disk cloning performs whole-disk, bit-for-bit duplication from a physical source to physical destination media. Shadow and Shield validates destinations before cloning to prevent obvious destructive mistakes.

  • Whole-disk cloning from physical source to physical destination
  • One-to-many clone targets where supported
  • Destination validation prevents source reuse, duplicate destinations, partition-only targets, and too-small media
  • Optional full hash comparison or sampled verification
  • Checkpointing, bad-sector handling, progress, pause, and cancellation behavior where supported

04 / Migration

Drive migration.

Drive migration recreates or adjusts a partition layout for operational use on another drive. It is different from bit-for-bit cloning because it can plan layout changes, expansion, and selected filesystem-specific operations.

  • Same-size or larger destination drive targets where supported
  • Partition layout, filesystem, boot type, expandable partition, and warning detection
  • Selected partition expansion where supported
  • Selected LUKS and LVM workflows depend on credentials and detected layout
  • Boot preservation and repair planning for common BIOS/MBR and UEFI/GPT layouts

05 / Records

Operation history.

Each workflow should retain source, destination, selected settings, progress, warnings, operator, case context, and execution history where those records are created. Verification status should be described only for workflows that actually perform verification.

  • Source and destination identifiers
  • Selected conversion, clone, or migration settings
  • Warnings and validation failures
  • Verification outcomes
  • Execution status and operator context

Keep copy specific to supported source, destination, image format, filesystem, and boot conditions. Do not imply universal migration or boot repair.