On 9/8/23 00:24, Richard Thornton wrote:
Say you had the guts of an x86_64 desktop running Windows on the bench and
another computer running OpenBSD right next to it, is there some mechanism
available that could allow you to integrity scan the NVMe drive (and also
the firmware but that's probably an easier problem solved with something
like SPI) of the powered-off x86_64 with the OpenBSD box, like a hardware
device that allows both OpenBSD and the laptop physical hardware level
access to the same NVMe, or would you have the NVMe in OpenBSD, scan it and
then somehow "hand over" the NVMe to Windows?
The NVMe drive can't be physically touched, not just swapped from board to
board, I'm thinking of this from a more "embedded" viewpoint.
If you think about a forensic analysis and/or integrity check of the
*contents* of the NVMe, you should draw a binary image of the disk and
analyze that. If you cannot remove the disk, but boot the system from an
external device (into whatever OS you prefer), you could create such a
copy from there (dd is your friend). You could also analyze the disk
directly from there, but there's a high probability that you will modify
it by doing so (in case you have to mount the filesystems).
If you cannot boot the system from an external device (because it is eg.
in a hibernated state that you need to preserve), I don't think there is
much you can do without removing the disk from the computer.
/m
