Home   >   CSC-OpenAccess Library   >    Manuscript Information
Digital Forensics In NVMe SSDs with NVMe WriteBlocker
Ashar Neyaz, Narasimha Shashidhar, Cihan Varol, Amar Rasheed
Pages - 28 - 68     |    Revised - 31-07-2022     |    Published - 31-08-2022
Volume - 13   Issue - 2    |    Publication Date - August 2022  Table of Contents
MORE INFORMATION
KEYWORDS
Non-Volatile Memory Express (NVMe), NVMe WriteBlocker, Flash Chips, Wear-leveling, TRIM, Autopsy, AccessData FTK, GUID Partition Table.
ABSTRACT
A non-volatile memory express (NVMe) solid-state drive (SSD) is a new computer device introduced in 2013. It is an upgrade from a standard Serial Advanced Technology Attachment (SATA) solid-state drive. Due to the newness of the NVMe SSD technology, there is a shortage of reliable documentation for forensics investigation on this solid-state storage device. Therefore, we conducted an extensive experiment in this study to see how file recovery is affected when files are deleted from NVMe SSDs that are used as primary boot devices. We’re focusing on deleted files on NVMe SSDs because data and file recovery on SSDs isn’t always guaranteed. In addition, the behavior of SSDs varies depending on the type of flash storage and controller chips. As a result, we copy and remove files using the Windows 10 operating system and execute forensics examinations using AccessData FTK, Autopsy, and WinHex. Finally, we demonstrate the impact of deletion on various regularly used user files and whether they may be successfully restored over time.
Bahgat, A. (2021). What is SSD? Everything You Need to Know About Solid-State Storage. Available at https://kinsta.com/blog/what-is-ssd/.
Battula, B. P., Rani, K., Prasad, S., and Sudha, T. (2009). Techniques in computer forensics: A recovery perspective. International Journal of Security, 3(2):27–35.
Bednar, P. and Katos, V. (2011). SSD: New Challenges for Digital Forensics. In Proceedings of the 8th Conference of the Italian Chapter of the Association for Information SystemsItAIS.
Carrier, B. (2005). File System Forensic Analysis. Addison-Wesley.
Garfinkel, S., Farrell, P., Roussev, V., and Dinolt, G. (2009). Bringing science to digital forensics with standardized forensic corpora. digital investigation, 6. Available at https://digitalcorpora.org/.
Gillis, A. (2021). Hard-Disk Drives. Available at https://www.techtarget.com/searchstorage/definition/ hard-disk-drive.
Gubanov, Y. and Afonin, O. (2014). Recovering evidence from ssd drives: understanding trim, garbage collection and exclusions. Belkasoft, Menlo Park.
King, C. and Vidas, T. (2011). Empirical analysis of solid state disk data retention when used with contemporary operating systems. Digital Investigation, 8:S111–S117. The Proceedings of the Eleventh Annual DFRWS Conference.
Kingston Technology (2017). Understanding SSD Technology: NVMe, SATA, M.2. Available at https://www.kingston.com/unitedstates/us/community/articledetail/articleid/48543.
Kranz, G. (2021). Serial ATA (serial advanced technology attachment or sata). Available at https:// searchstorage.techtarget.com/definition/Serial-ATA.
Kumar, M. (2021). Solid state drive forensics analysis—challenges and recommendations. Concurrency and Computation: Practice and Experience, 33(24):e6442.
Mellor, C. (2020). Hard Disk Drive Shipments Fell 50 percent Between 2012 and 2019. Available at https://blocksandfiles.com/2020/01/14/disk-drive-shipments-50-per-cent-fallfrom-2012-to-2019/.
Neyaz, A., Shashidhar, N., and Karabiyik, U. (2018). Forensic Analysis of Wear Leveling on Solid-State Media. In 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/ 12th IEEE International Conference On Big Data Science And Engineering (Trust- Com/BigDataSE), pages 1706–1710.
Neyaz, A., Zhou, B., and Karpoor, N. (2019). Comparative Study of Wear-leveling in Solid-State Drive with NTFS File System. In 2019 IEEE International Conference on Big Data (Big Data), pages 4294– 4298.
Nikkel, B. (2016). NVM Express Drives and Digital Forensics. Digital Investigation, 16:38–45.
Nisbet, A., Lawrence, S., and Ruff, M. (2013a). A Forensic Analysis and Comparison of Solid State Drive Data Retention with TRIM Enabled File Systems.
Nisbet, A., Lawrence, S., and Ruff, M. (2013b). A forensic analysis and comparison of solid state drive data retention with trim enabled file systems.
Paul, I. (2019). Multi-Layer SSDs: What are SLC, MLC, TLC, QLC, and PLC? Available at https://www.howtogeek.com/444787/multi-layer-ssds-what-are-slc-mlc-tlc-qlc-and-mlc/.
Riadi, I. and Hadi, A. (2019). Analysis of Digital SSD NVMe Evidence on Proprietary Operating Systems Using the Static Forensics Method.
Riadi, I., Sunardi, S., and Hadi, A. (2020). Analysis of Digital Evidence Trim Enable NVME SSD Using Static Forensics Method. JUITA: Jurnal Informatika, 8(1):65–74.
Riggs, H., Tufail, S., Parvez, I., and Sarwat, A. (2020). Survey of solid state drives, characteristics, technology, and applications. In 2020 SoutheastCon, pages 1–6.
Robert, S., Kranz, G., and Raffo, D. (2021). Computer Storage. Available at https://www.techtarget.com/ searchstorage/definition/storage.
Shah, Z., Mahmood, A. N., and Slay, J. (2015). Forensic potentials of solid state drives. In Tian, J., Jing, J., and Srivatsa, M., editors, International Conference on Security and Privacy in Communication Networks, pages 113–126, Cham. Springer International Publishing.
Silwa, C. (2018). SSD TRIM. Available at https://www.techtarget.com/searchstorage/definition/TRIM.
Valette, A. (2016). Overview of ‘Wear Leveling’ with SSD controllers and what is it? Available at https://www.ontrack.com/en-us/blog/wear-leveling.
Vieyra, J., Scanlon, M., and Le-Khac, N.-A. (2018). Solid state drive forensics: Where do we stand? In Breitinger, F. and Baggili, I., editors, Digital Forensics and Cyber Crime, pages 149–164, Cham. Springer International Publishing.
Mr. Ashar Neyaz
Department of Computer Science, Sam Houston State University Huntsville, TX,77340 - United States of America
axn026@SHSU.EDU
Associate Professor Narasimha Shashidhar
Department of Computer Science, Sam Houston State University Huntsville, TX,77340 - United States of America
Dr. Cihan Varol
Department of Computer Science, Sam Houston State University Huntsville, TX,77340 - United States of America
Dr. Amar Rasheed
Department of Computer Science, Sam Houston State University Huntsville, TX,77340 - United States of America