±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 35770
New Yesterday: 2 Visitors: 90

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

NVMe - filling it up with random data (ISO 17025)

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page 1, 2  Next 
  

redrabbit
Newbie
 

NVMe - filling it up with random data (ISO 17025)

Post Posted: May 15, 19 10:48

We are an ISO17025 accredited lab. Recently during a review it was identified that we had an issue with NVMe storage drives - in that we didn't really have good policies around them.

We'd like to create a way of testing these with test devices, and also have a way of filling them up with random data.

I have heard of other standard SATA drives reading from the CMOS and filling up a defined proporation of each sector. Does this make sense?

Does anyone have any advice on this, is there a script that can achieve this or a better method?

Thanks  
 
  

watcher
Senior Member
 

Re: NVMe - filling it up with random data (ISO 17025)

Post Posted: May 15, 19 14:28

A vanilla dd will write the drives with zeroes or random data. dc3dd can also write selected patterns.  
 
  

AmNe5iA
Senior Member
 

Re: NVMe - filling it up with random data (ISO 17025)

Post Posted: May 15, 19 19:43

Code:
sudo dd if=/dev/random of=/dev/sdb

Where sdb is meant to be the NVMe (I'm not sure how NVMe is listed in /dev in linux distros).

Should do the trick...  
 
  

Passmark
Senior Member
 

Re: NVMe - filling it up with random data (ISO 17025)

Post Posted: May 15, 19 23:34

The above tests the ability to write to the drive (and does a good job of wiping the drive as well).

But it doesn't test that you can read the data back without error. So better to use pseudo random number stream with a known seed that can be later read back and verified. For this usage you don't need genuinely random numbers, just some that follow a uniform distribution. Also check the SMART data before and after the test to look for a increase in bad sectors. If you need more details let me know.  
 
  

athulin
Senior Member
 

Re: NVMe - filling it up with random data (ISO 17025)

Post Posted: May 16, 19 06:02

- redrabbit
We'd like to create a way of testing these with test devices, and also have a way of filling them up with random data.


How do you show or verify that you filled a drive with random data? The only way seems to be to refer to your source of random data to write, prove that you have implemented the 'filling' correctly (so that you're not random for just 255 of 512 bytes, say), or by doing some fairly extensive tests of randomness of the entire written data set.

Basically, you want to ensure that any third party can take a disk + a description of your method, and verify that the disk does not show any discrepancies from the method. Using all-zeroes or all-ones makes this easy (though see below): if you insist on all-random ... you're at the mercy of issues of interpretation of randomness or bugs in the validation code. You probably don't want that -- if you do, you basically have to specify what pseudo-random number generator you used, and how you set it up.

Though if you're a stickler for correctness, that third party may not be able to say, for an all-zero disk that *you* created it. If your methods specify that *you* do the job, and not someone else, how do you show that you wrote this particular all-zero disk?

In such case, I think it may be desirable to show that a particular sector of all-zeroes or all-ones or all-random does indeed come from your script or other code, and not has been placed there by any other means. So I would suggest initializing the sector, then overwriting some part of it by your own 'stamp' identifying you, the date/time the write took place, as well as the sector address that this content is intended for. (I'd probably also add a special byte at the last byte of the sector just in case there's may be a sector size issue somewhere. But that's probably paranoia speaking.)

Easiest way to avoid: don't get into too much checkable details in your method ...


I have heard of other standard SATA drives reading from the CMOS and filling up a defined proporation of each sector. Does this make sense?


Not really. You probably need to explain exactly what CMOS you are referring to, and the circumstance the drives do what you say
A reference to a manufacturer's HDD specification where this is documented is enough.  
 
  

jaclaz
Senior Member
 

Re: NVMe - filling it up with random data (ISO 17025)

Post Posted: May 16, 19 07:11

Well, you should verify that the NVME device (the specific drives involved) do support the SECURE_ERASE (or a similar function, like ATA devices) in the firmware (they should) and then initiate that.

Whenever available (and provided that they are correctly implemented in the specific device make/model) the internal firmware commands are to be preferred because:
1) they are faster than external commands
2) (generally speaking) they cannot be (accidentally) interrupted
3) they can usually "reach" areas of the device that are not otherwise normally accessible from the (higher level) OS commands such as dd.

Specifically for SSD's (NVME or not) I believe that dd or similar are not anymore up to the task (think of just the overprovisioning area).

Parted magic provides a GUI tool for doing that:
partedmagic.com/nvme-secure-erase/
but *any* Linux distro should have the possibility to use the nvme-cli tools that allow to wipe the device (-s1 option):
blog.pythonaro.com/201...drive.html
github.com/linux-nvme/...format.txt
or:
www.naraeon.net/en/oth...ure-erase/

The above are just examples, never actually tested any of those programs.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

raydenvm
Member
 

Re: NVMe - filling it up with random data (ISO 17025)

Post Posted: May 17, 19 08:41

Alas, dd with /dev/random has two downsides.

1. It's a time-taker to wipe a drive completely.

2. More importantly, modern QLC drives will wear-out due to low endurance. Some low-end models can even die after less than 100 full rewrites.

Therefore the most ecologic method is using Format NVM command with Cryptographic Erase enabled. It is also what's recommended in NVM Express Base Specification.

One of the simplest ways would be using nvme CLI tool in Linux. Here is the nice guide:
tinyapps.org/docs/nvme...erase.html
_________________
Vitaliy Mokosiy
CTO
Atola Technology 
 

Page 1 of 2
Page 1, 2  Next