Forensics

- Feb 16

Forensic Imaging and Write Blocking on NVM Express Drives

As discussed in the Tip of the Night for February 12, 2021, NVM Express allows a computer to communicate with non-volatile memory devices (or solid state drives) which are connected via a PCI express bus ( - a bus being a communication system to transfer data between computers.) Tonight's review of a paper focusing on NVMe technology, Bruce J. Nikkel, NVM Express Drives and Digital Forensics (2016), available at https://digitalforensics.ch/nikkel16.pdf goes into greater detail about this technology.

The NVMe standard is a joint project which includes participants from Cisco, Facebook, Dell, Microsoft, Samsung, Seagate, Western Digital, and other tech companies.

NVMe works with solid state drives that have PCI express slots like this:

Newer SSD drives may have M2 interfaces:

. . . or U2 interfaces.

SSD drives can have these interfaces and not be NVMe based. SSD drives can also use Serial ATA - an older interface. Working with a SATA SSD will slow things down.

Windows and Linux both provide drivers for NVMe.

Some write blockers may not detect NVMe commands, which are not used for SATA or SCSI drives. Since NVME attaches to a PCI express bus, a write blocker designed to act as a bridge between devices can't be used to intercept commands. Write blocking software may be used to modify the NVMe driver. Write blocking software must account for the 64,000 command queues used by NVMe. Older Serial ATA drives only use one command queue.

Forensic imaging of NVMe devices must check for the existence of multiple namespaces. A namespace identifier is used by software to find a device. Removing a namespace can delete evidence sorted on the NVMe drive.

The NVMEe 'Format NVM' command can erase all namespaces on a drive. Entering this simple command for a NVMe drive:

# nvme format /dev/nvme1n1

. . . with the open source NVMe Management Utility (https://nvmexpress.org/open-source-nvme-management-utility-nvme-command-line-interface-nvme-cli/ ) will remove the data that has been written to a NVMe drive.

Access to data on a NVMe drive can also be removed by wiping the encryption keys.

- Feb 15

Forensic Imaging Devices - Capture Data from Multiple Drives Simultaneously

When tasked with collecting data from multiple storage drives, keep in mind that devices exist which can image multiple drives simultaneously. A forensic imaging device such as the ICS-JMR's RRoadMASSter-3 X2 Forensic Hard Drive Acquisition/Duplicator/Analysis Lab, or Media Clone's SuperImager Plus Desktop NVME Gen-3 can image multiple drives at the same time.

These devices should support the following operations:

Create forensic images of multiple drives saved on to one single drive used to collect data.
Wipe drives using protocols such as the Department of Defense's 5220.22-M standard (see the Tip of the Night for February 26, 2016), or Secure Erase standard (see the Tip of the Night for February 28, 2016).
Encrypt data using AES-256 encryption. See the Tip of the Night for May 13, 2017.
Hash collected files using the SHA-1 and MD-5 algorithms.
Capture cell phone data.
Analyze the data using common forensic software from industry leaders like Encase, NUIX, and FTK.
Run parallel operations on USB and SATA ports. A Serial ATA port connects a drive to the motherboard. See the Tip of the Night for January 22, 2016.
Operate in write block mode to allow read only access to collected data.
Run a keyword search of the source data.
Capture data from the source drive sector by sector (for a discussion of sectors see the Tip of the Night for October 31, 2015), or only capture allocated space on a drive.

NVMe (nonvolatile memory express) ports on a forensic imaging device will allow for the fastest access to solid state drives.

- Dec 4, 2020

Certificate for Destruction

The NIST Guidelines for Media Sanitization, NIST Special Publication 800-88, discussed in the Tip of the Night for August 9, 2020, includes a Certificate of Sanitization that you can use to verify that data has been completely removed from a storage device.

This is a good official record that can be retained after a device is processed, that will note how data was purged, and whether or not the device was re-used.

Forensics

Sean O'Shea has more than 15 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.

All content provided on this blog is for informational purposes only. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information.

This policy is subject to change at any time.

LITIGATION SUPPORT TIP OF THE NIGHT

New tips for paralegals and litigation support profesionals are posted to this site each night. Click on the blog headings for better detail.

See How-To Videos on my YouTube channel.

Forensic Imaging and Write Blocking on NVM Express Drives

Forensic Imaging Devices - Capture Data from Multiple Drives Simultaneously

Certificate for Destruction

The NIST Guidelines for Media Sanitization, NIST Special Publication 800-88, discussed in the Tip of the Night for August 9, 2020, includes a Certificate of Sanitization that you can use to verify that data has been completely removed from a storage device.

This is a good official record that can be retained after a device is processed, that will note how data was purged, and whether or not the device was re-used.