
As discussed in the Tip of the Night for February 12, 2021, NVM Express (NVMe) allows a computer to communicate with non-volatile memory devices (solid state drives) connected via a PCI Express bus (a bus being a communication system for transferring data between computers). Tonight's review of a paper focusing on NVMe technology, Bruce J. Nikkel, NVM Express Drives and Digital Forensics (2016), available at https://digitalforensics.ch/nikkel16.pdf, goes into greater detail about this technology.


The NVMe standard is a joint project which includes participants from Cisco, Facebook, Dell, Microsoft, Samsung, Seagate, Western Digital, and other tech companies.


NVMe works with solid state drives that have PCI Express slots. Newer SSD drives may have M.2 interfaces, or U.2 interfaces. (The original post shows a photo of each type of connector.)


SSD drives can have these interfaces and still not be NVMe based. SSD drives can also use Serial ATA (SATA), an older interface. Working with a SATA SSD will slow things down.


Windows and Linux both provide drivers for NVMe.


Some write blockers may not detect NVMe commands, which are not used for SATA or SCSI drives. Since an NVMe drive attaches directly to a PCI Express bus, a write blocker designed to act as a bridge between devices can't be placed in the path to intercept commands. Write blocking software may instead work by modifying the NVMe driver. Such software must account for the 64,000 command queues used by NVMe; older Serial ATA drives use only one command queue.


Forensic imaging of NVMe devices must check for the existence of multiple namespaces. Software uses a namespace identifier to find a device. Removing a namespace can delete evidence stored on the NVMe drive.
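The namespace check described above can be scripted before an acquisition starts. The following is an added example, not code from the blog or from Nikkel's paper. It assumes only the Linux block-device naming convention /dev/nvme<controller>n<namespace> (with an optional p<partition> suffix) and runs over a constructed device list rather than live `nvme list` output, so it can be tried offline.

```python
"""Pre-imaging inventory of NVMe namespaces (added example).

Assumes the Linux naming convention /dev/nvme<ctrl>n<nsid>[p<part>].
The device list below is constructed for the example; on a real system
it would come from glob.glob("/dev/nvme*") or the output of `nvme list`.
"""
import re
from collections import defaultdict

# Namespace block devices: nvme<ctrl>n<nsid>, optionally followed by p<part>.
_NVME_NS = re.compile(r"^/dev/nvme(?P<ctrl>\d+)n(?P<nsid>\d+)(?:p\d+)?$")

# Constructed sample: a workstation with two NVMe drives; the second drive
# exposes two namespaces, which is the case an examiner must not miss.
SAMPLE_DEVICES = [
    "/dev/nvme0",        # controller character device, carries no namespace
    "/dev/nvme0n1",
    "/dev/nvme0n1p1",    # partition inside namespace 1 of controller 0
    "/dev/nvme0n1p2",
    "/dev/nvme1",
    "/dev/nvme1n1",
    "/dev/nvme1n2",      # second namespace on controller 1
]


def namespaces_by_controller(devices):
    """Map controller number -> sorted list of namespace ids in `devices`.

    Partitions collapse onto their namespace, and controller character
    devices (/dev/nvmeN) are skipped because they have no namespace id.
    """
    found = defaultdict(set)
    for dev in devices:
        m = _NVME_NS.match(dev)
        if m:
            found[int(m.group("ctrl"))].add(int(m.group("nsid")))
    return {ctrl: sorted(ns) for ctrl, ns in found.items()}


def imaging_targets(devices):
    """Return (devices to image, controllers with more than one namespace).

    One image per namespace: imaging only /dev/nvme1n1 on the sample above
    would silently leave the evidence in /dev/nvme1n2 behind.
    """
    per_ctrl = namespaces_by_controller(devices)
    targets = [f"/dev/nvme{c}n{n}" for c in sorted(per_ctrl) for n in per_ctrl[c]]
    multi = sorted(c for c, ns in per_ctrl.items() if len(ns) > 1)
    return targets, multi


if __name__ == "__main__":
    targets, multi = imaging_targets(SAMPLE_DEVICES)
    for t in targets:
        print("image:", t)
    for c in multi:
        count = len(namespaces_by_controller(SAMPLE_DEVICES)[c])
        print(f"warning: controller nvme{c} exposes {count} namespaces")
```

This only sees namespaces the operating system has attached as block devices; to confirm the controller holds no further namespaces, compare the result against what the controller itself reports (nvme-cli's `nvme list-ns` command) and record both in the acquisition notes.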


The NVMe 'Format NVM' command can erase all namespaces on a drive. Entering this simple command for an NVMe drive:

# nvme format /dev/nvme1n1

. . . with the open source NVMe Management Utility, nvme-cli (https://nvmexpress.org/open-source-nvme-management-utility-nvme-command-line-interface-nvme-cli/), will remove the data that has been written to the NVMe drive.


Access to data on an NVMe drive can also be removed by wiping the drive's encryption keys.


When tasked with collecting data from multiple storage drives, keep in mind that forensic imaging devices exist which can image multiple drives simultaneously, such as ICS-JMR's RoadMASSter-3 X2 Forensic Hard Drive Acquisition/Duplicator/Analysis Lab or Media Clone's SuperImager Plus Desktop NVMe Gen-3.

These devices should support the following operations:

  1. Create forensic images of multiple drives saved on to one single drive used to collect data.

  2. Wipe drives using protocols such as the Department of Defense's 5220.22-M standard (see the Tip of the Night for February 26, 2016), or Secure Erase standard (see the Tip of the Night for February 28, 2016).

  3. Encrypt data using AES-256 encryption. See the Tip of the Night for May 13, 2017.

  4. Hash collected files using the SHA-1 and MD5 algorithms.

  5. Capture cell phone data.

  6. Analyze the data using common forensic software from industry leaders like EnCase, Nuix, and FTK.

  7. Run parallel operations on USB and SATA ports. (A Serial ATA port connects a drive to the motherboard; see the Tip of the Night for January 22, 2016.)

  8. Operate in write block mode, allowing read-only access to collected data.

  9. Run a keyword search of the source data.

  10. Capture data from the source drive sector by sector (for a discussion of sectors see the Tip of the Night for October 31, 2015), or only capture allocated space on a drive.
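Items 4 and 10 of the list above, sector-by-sector acquisition with MD5 and SHA-1 hashes, can be shown in a few lines of code. The block below is an added example, not code from the blog or from any vendor's imager. It images a constructed in-memory "drive" (a run of zeroed sectors stands in for unallocated space) so that it runs offline; on a real system the source would be the block device opened read-only behind a write blocker, and the hashes would go into the acquisition report.

```python
"""Sector-by-sector imaging with MD5 and SHA-1 computed in one pass (added example).

The drive contents are constructed here; nothing is read from real hardware.
"""
import hashlib
import io

SECTOR_SIZE = 512


def build_sample_drive(sectors=64, zeroed=range(20, 30)):
    """Constructed sample drive: deterministic sector contents, with sectors
    20-29 zeroed to represent unallocated space that a sector-level copy
    still captures."""
    out = bytearray()
    for i in range(sectors):
        if i in zeroed:
            out += bytes(SECTOR_SIZE)
        else:
            # 32-byte digest repeated 16 times fills one 512-byte sector.
            out += hashlib.sha256(b"sample-sector-%d" % i).digest() * (SECTOR_SIZE // 32)
    return bytes(out)


def image_device(src, dst, sector_size=SECTOR_SIZE):
    """Copy src to dst one sector at a time, hashing every byte as it is read.

    Returns a report with the sector count and both digests. A short final
    read is flagged so a source that ended mid-sector is not mistaken for a
    clean acquisition.
    """
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    sectors, short_read = 0, False
    while True:
        chunk = src.read(sector_size)
        if not chunk:
            break
        if len(chunk) != sector_size:
            short_read = True
        md5.update(chunk)
        sha1.update(chunk)
        dst.write(chunk)
        sectors += 1
    return {"sectors": sectors, "short_read": short_read,
            "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(image_bytes, report):
    """Re-hash the written image and compare with the acquisition hashes."""
    return (hashlib.md5(image_bytes).hexdigest() == report["md5"]
            and hashlib.sha1(image_bytes).hexdigest() == report["sha1"])


def nonzero_sectors(image_bytes, sector_size=SECTOR_SIZE):
    """Count sectors holding any non-zero byte (the 'allocated-looking' part)."""
    zero = bytes(sector_size)
    return sum(1 for i in range(0, len(image_bytes), sector_size)
               if image_bytes[i:i + sector_size] != zero)


def acquire_sample(sectors=64):
    """Image the constructed drive; returns (source, image, report)."""
    drive = build_sample_drive(sectors)
    image = io.BytesIO()
    report = image_device(io.BytesIO(drive), image)
    return drive, image.getvalue(), report


if __name__ == "__main__":
    drive, image, report = acquire_sample()
    print(report)
    print("image matches source:", image == drive)
    print("verified against hashes:", verify_image(image, report))
    print("non-zero sectors:", nonzero_sectors(image), "of", report["sectors"])
```

Hashing during the copy rather than in a second read is what lets a single pass over the evidence produce both the image and the values later used to prove it has not changed; `verify_image` is the check an examiner runs on the stored image before relying on it.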

NVMe (Non-Volatile Memory Express) ports on a forensic imaging device will allow for the fastest access to solid state drives.


Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea . Proudly created with Wix.com
