Forensic Imaging and Write Blocking on NVM Express Drives

As discussed in the Tip of the Night for February 12, 2021, NVM Express (NVMe) is the interface a computer uses to communicate with non-volatile memory devices (solid state drives) attached over a PCI Express bus (a bus being the communication system that transfers data between the components inside a computer). Tonight's review of a paper on NVMe technology, Bruce J. Nikkel, NVM Express Drives and Digital Forensics (2016), available at https://digitalforensics.ch/nikkel16.pdf, goes into greater detail about what this interface means for the examiner.


The NVMe standard is a joint project which includes participants from Cisco, Facebook, Dell, Microsoft, Samsung, Seagate, Western Digital, and other tech companies.


Some NVMe SSDs are PCI Express add-in cards that plug directly into a PCIe slot:



Newer SSDs may use the smaller M.2 connector:




. . . or the U.2 connector found on 2.5-inch enterprise drives.




An SSD with one of these connectors is not necessarily NVMe: the M.2 and U.2 form factors can also carry drives that speak Serial ATA, the older interface, and most 2.5-inch SSDs are SATA only. A SATA SSD is limited to the 6 Gb/s SATA link (roughly 600 MB/s), so imaging one takes considerably longer than imaging an NVMe drive over PCI Express.


Windows and Linux both provide drivers for NVMe.


NVMe has its own command set, distinct from the ATA and SCSI command sets that conventional write blockers are built to understand, so a blocker designed for SATA or SCSI drives does not recognise NVMe commands. Because an NVMe drive attaches directly to the PCI Express bus, the usual hardware write blocker, a bridge inserted on the SATA or USB cable between drive and workstation, has nowhere to sit; at the time of Nikkel's paper no hardware write blocker for NVMe existed. Write blocking therefore has to be done in software, at the operating system's NVMe driver or block layer. That software must also account for NVMe's parallelism: the standard allows up to 65,535 I/O command queues per controller, each holding up to 65,536 outstanding commands, whereas an AHCI-based SATA drive uses a single queue of at most 32 commands.


An NVMe controller can expose more than one namespace, each appearing to the operating system as a separate block device (nvme0n1, nvme0n2, and so on). The namespace identifier (NSID) is how the host addresses each one. Forensic imaging must therefore enumerate every namespace on the drive and image each of them; imaging nvme0n1 alone misses whatever is stored in the others. Namespaces can also be created, resized and deleted with the controller's namespace management commands, and deleting a namespace destroys the evidence stored in it.
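As an added example, not code from the original post or from Nikkel's paper, the following Python script does the two checks the preceding paragraphs call for on a Linux examination workstation: it enumerates every namespace a controller exposes through sysfs (/sys/class/nvme/<ctrl>/<ctrl>n*/{nsid,size,ro}, the non-multipath layout), builds the blockdev --setro commands that flag each namespace read-only at the block layer, and refuses to produce an imaging plan until every namespace is read-only. The sysfs root is a parameter so the logic can be exercised on a constructed directory tree; the sample controller with a visible and a second, still-writable namespace is constructed here and is not data from any real drive.

```python
import os
import tempfile
from dataclasses import dataclass

SECTOR = 512  # sysfs 'size' is in 512-byte units regardless of the namespace's LBA size


@dataclass
class Namespace:
    ctrl: str        # controller, e.g. nvme0
    dev: str         # block device, e.g. nvme0n1
    nsid: int        # NVMe namespace identifier (NSID)
    size_bytes: int
    read_only: bool  # block-layer ro flag (what blockdev --getro reports)


def _read(path):
    with open(path) as f:
        return f.read().strip()


def list_namespaces(ctrl, sysfs="/sys"):
    """Every namespace the controller exposes, read from
    /sys/class/nvme/<ctrl>/<ctrl>n*/{nsid,size,ro}.
    Assumption: non-multipath layout; with native NVMe multipath the
    namespaces appear under /sys/class/nvme-subsystem instead."""
    base = os.path.join(sysfs, "class", "nvme", ctrl)
    found = []
    for name in sorted(os.listdir(base)):
        path = os.path.join(base, name)
        if not (name.startswith(ctrl + "n") and os.path.isdir(path)):
            continue
        found.append(Namespace(
            ctrl=ctrl,
            dev=name,
            nsid=int(_read(os.path.join(path, "nsid"))),
            size_bytes=int(_read(os.path.join(path, "size"))) * SECTOR,
            read_only=_read(os.path.join(path, "ro")) == "1",
        ))
    return found


def setro_commands(namespaces):
    """blockdev invocations that mark each namespace read-only in the kernel
    block layer: the software write-block step, run before anything else
    touches the device."""
    return [["blockdev", "--setro", "/dev/" + n.dev] for n in namespaces]


def imaging_plan(namespaces, outdir="/mnt/evidence"):
    """One dd command per namespace, so nothing beyond nvme0n1 is missed.
    Refuses to plan while any namespace is still writable."""
    writable = [n.dev for n in namespaces if not n.read_only]
    if writable:
        raise RuntimeError("not write-blocked: " + ", ".join(writable))
    plan = []
    for n in namespaces:
        out = os.path.join(outdir, "%s_nsid%d.raw" % (n.dev, n.nsid))
        plan.append(["dd", "if=/dev/" + n.dev, "of=" + out, "bs=1M",
                     "conv=noerror,sync", "status=progress"])
    return plan


def make_demo_sysfs():
    """Constructed sample tree (not a real machine): controller nvme0 with a
    1 TB namespace already set read-only and a second 1 GiB namespace that
    is still writable."""
    root = tempfile.mkdtemp()
    ctrl = os.path.join(root, "class", "nvme", "nvme0")
    for dev, nsid, sectors, ro in (("nvme0n1", 1, 1953525168, "1"),
                                   ("nvme0n2", 2, 2097152, "0")):
        d = os.path.join(ctrl, dev)
        os.makedirs(d)
        for attr, val in (("nsid", nsid), ("size", sectors), ("ro", ro)):
            with open(os.path.join(d, attr), "w") as f:
                f.write("%s\n" % val)
    return root


if __name__ == "__main__":
    root = make_demo_sysfs()
    ns = list_namespaces("nvme0", sysfs=root)
    for n in ns:
        print(n.dev, "nsid", n.nsid, n.size_bytes // 10**9, "GB",
              "ro" if n.read_only else "WRITABLE")
    for cmd in setro_commands(ns):
        print(" ".join(cmd))
    try:
        imaging_plan(ns)
    except RuntimeError as e:
        print("refused:", e)
```

One caveat a practitioner should keep in mind: the block-layer read-only flag only stops writes that go through the block device. Admin commands sent to the controller's character device (/dev/nvme0, which is what nvme-cli uses for operations such as format) bypass it entirely, so this is a software precaution, not the equivalent of a hardware blocker.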


The NVMe 'Format NVM' admin command erases a namespace, or all namespaces at once. Entering this short command against an NVMe drive:

# nvme format /dev/nvme1n1

. . . with the open source NVMe management utility nvme-cli (https://nvmexpress.org/open-source-nvme-management-utility-nvme-command-line-interface-nvme-cli/) low-level formats namespace 1 of controller 1 and destroys the data written to it; pointing the command at the controller device with --namespace-id=0xffffffff formats every namespace. The secure erase setting (--ses) can additionally overwrite the user data or, on a self-encrypting drive, perform a cryptographic erase. It should only ever be run on the examiner's own drives, never on evidence.


Access to data on an NVMe drive can also be removed by wiping the encryption keys. A self-encrypting drive keeps its media encryption key inside the controller; a cryptographic erase (Format NVM with secure erase setting 2) discards that key, so the ciphertext on the flash remains in place but is unrecoverable, and the operation completes in seconds rather than the time it would take to overwrite the media.








© 2015 by Sean O'Shea.