±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 35896
New Yesterday: 1 Visitors: 171

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

NVMe - filling it up with random data (ISO 17025)

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page Previous  1, 2 
  

trewmte
Senior Member
 

Re: NVMe - filling it up with random data (ISO 17025)

Post Posted: May 17, 19 21:01

Great range of views in this post.

This thread did make me wonder about NVM wiping and reminded me of comments by Bruce Nikkel in his book 'Practical Forensic Imaging - Securing Digital Evidence with Linux Tools (2016)'. Under Chapter 7 'Secure Wipe a Storage Device', Bruce records

"When you’re wiping drives, ensure the DCO and HPA have been removed. With NVME drives, make sure each individual namespace has been wiped (most consumer NVME drives have only a single namespace)." Page 226.


- raydenvm
Therefore the most ecologic method is using Format NVM command with Cryptographic Erase enabled. It is also what's recommended in NVM Express Base Specification.



NVM Express Base Specification - NVM Express Revision 1.3d March 20, 2019 (Ratified) states

"The Format NVM command shall fail if the controller is in an invalid security state (refer to the appropriate security specification, e.g., TCG Storage Interface Interactions Specification). The Format NVM command may fail if there are outstanding I/O commands to the namespace specified to be formatted. I/O commands for a namespace that has a Format NVM command in progress may be aborted and if aborted, the controller should return a status code of Format in Progress." Page 175


- raydenvm
One of the simplest ways would be using nvme CLI tool in Linux. Here is the nice guide:
tinyapps.org/docs/nvme...erase.html


raydenvm seeking clarification. Is the namespace issue (above) overcome by using the process adopted for nvme CLI tool?
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 
 
  

raydenvm
Member
 

Re: NVMe - filling it up with random data (ISO 17025)

Post Posted: May 18, 19 06:00

- trewmte

This thread did make me wonder about NVM wiping and reminded me of comments by Bruce Nikkel in his book 'Practical Forensic Imaging - Securing Digital Evidence with Linux Tools (2016)'. Under Chapter 7 'Secure Wipe a Storage Device', Bruce records

"When you’re wiping drives, ensure the DCO and HPA have been removed. With NVME drives, make sure each individual namespace has been wiped (most consumer NVME drives have only a single namespace)." Page 226.


No problem. nvme CLI runs format command with the default that erases all namespaces in the NVM subsystem. It just works.
manpages.ubuntu.com/ma...mat.1.html


- trewmte

NVM Express Base Specification - NVM Express Revision 1.3d March 20, 2019 (Ratified) states

"The Format NVM command shall fail if the controller is in an invalid security state (refer to the appropriate security specification, e.g., TCG Storage Interface Interactions Specification). The Format NVM command may fail if there are outstanding I/O commands to the namespace specified to be formatted. I/O commands for a namespace that has a Format NVM command in progress may be aborted and if aborted, the controller should return a status code of Format in Progress." Page 175

raydenvm seeking clarification. Is the namespace issue (above) overcome by using the process adopted for nvme CLI tool?


If NVMe drive still has I/O commands, Format NVM fails. It's logical. And it's easy to handle with a reset.
www.mankier.com/1/nvme-reset

So it would simply be something like this:

Code:
nvme format /dev/nvme0

# if failed, run the following two commands:

nvme reset /dev/nvme0 
nvme format /dev/nvme0

_________________
Vitaliy Mokosiy
CTO
Atola Technology 
 
  

trewmte
Senior Member
 

Re: NVMe - filling it up with random data (ISO 17025)

Post Posted: May 18, 19 08:00

- raydenvm
No problem. nvme CLI runs format command with the default that erases all namespaces in the NVM subsystem. It just works. manpages.ubuntu.com/ma...mat.1.html



- raydenvm
If NVMe drive still has I/O commands, Format NVM fails. It's logical. And it's easy to handle with a reset.
www.mankier.com/1/nvme-reset

So it would simply be something like this:

Code:
nvme format /dev/nvme0

# if failed, run the following two commands:

nvme reset /dev/nvme0 
nvme format /dev/nvme0


Thank you.
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 
 

Page 2 of 2
Page Previous  1, 2