Digital Forensics In NVMe SSDs with NVMe WriteBlocker
Ashar Neyaz, Narasimha Shashidhar, Cihan Varol, Amar Rasheed
Pages - 28 - 68 | Revised - 31-07-2022 | Published - 31-08-2022
Volume - 13 | Issue - 2 | Publication Date - August 2022
Non-Volatile Memory Express (NVMe), NVMe WriteBlocker, Flash Chips, Wear-leveling, TRIM, Autopsy, AccessData FTK, GUID Partition Table.
A non-volatile memory express (NVMe) solid-state drive (SSD) is a new computer device introduced in 2013. It is an upgrade from a standard Serial Advanced Technology Attachment (SATA) solid-state drive. Due to the newness of NVMe SSD technology, there is a shortage of reliable documentation for forensic investigation of this solid-state storage device. Therefore, we conducted an extensive experiment in this study to see how file recovery is affected when files are deleted from NVMe SSDs that are used as primary boot devices. We’re focusing on deleted files on NVMe SSDs because data and file recovery on SSDs isn’t always guaranteed. In addition, the behavior of SSDs varies depending on the type of flash storage and controller chips. As a result, we copy and remove files using the Windows 10 operating system and perform forensic examinations using AccessData FTK, Autopsy, and WinHex. Finally, we demonstrate the impact of deletion on various regularly used user files and whether they can be successfully restored over time.
Mr. Ashar Neyaz
Department of Computer Science, Sam Houston State University, Huntsville, TX, 77340 - United States of America
Associate Professor Narasimha Shashidhar
Department of Computer Science, Sam Houston State University, Huntsville, TX, 77340 - United States of America
Dr. Cihan Varol
Department of Computer Science, Sam Houston State University, Huntsville, TX, 77340 - United States of America
Dr. Amar Rasheed
Department of Computer Science, Sam Houston State University, Huntsville, TX, 77340 - United States of America