NVMe-Assist: A Novel Theoretical Framework for Digital Forensics A Case Study on NVMe Storage Devices and Related Artifacts on Windows 10

With ever-advancing changes in technology come implications for the digital forensics community. In this document, we use the term digital forensics to denote the scientific investigatory procedure for digital crimes and attacks. Digital forensics examiners often find it challenging when new devices are used for nefarious activities. The examiners gather evidence from these devices based on supporting literature. Multiple factors contribute to a lack of research on a particular device or technology. The most common factors are that the technology is new to the market, and there has not been much time to conduct sufficient research. It is also likely that the technology is not popular enough to garner research attention. If an examiner encounters such a device, they are often required to develop impromptu solutions to investigate such a case. Sometimes, examiners have to review their examination processes on model devices that labs are necessitated to purchase to see if existing methods suffice. This ad-hoc approach adds time and additional expense before actual analysis can commence. In this research, we investigate a new storage technology called Non-Volatile Memory Express (NVMe). This technology uses Peripheral Component Interconnect (PCIe) mechanics for its working. Since this storage technology is relatively new, it lacks a substantial digital forensics foundation to draw upon to conduct a forensics investigation.

Additionally, to the best of our knowledge, there is an insufficient body of work to conduct sound forensics research on such devices. To this end, our framework, NVMe-Assist puts forth a strong theoretical foundation thatempowers digital forensics examiners in conducting analysis onNVMedevices, including wear-leveling, TRIM, Prefetch files, Shellbag, and BootPerfDiagLogger.etl. Lastly, we have also worked on creating the NVMe-Assist tool using Python. This tool parses the partition tables in the boot sector and is the upgrade of the mmls tool of The Sleuth Kit command-line tools. Our tool currently supports E01, and RAW files of the physical acquisition of hard-disk drives (HDDs), solid-state drives (SSDs), NVMe SSDs, and USB flash drives as data source files. To add to that, the tool works on both the MBR (Master Boot Record) and GPT (GUID Partition Table) style partitions.