SOK: AN OVERVIEW OF DATA EXTRACTION TECHNIQUES
FROM MOBILE PHONES
Ashish Bhagawan Sutar
Abstract. The digitization of the world is on the rise, and so is cyber crime. Cyber crime grows
day by day and law enforcement agencies are on their toes to solve these crimes. They use
sophisticated digital forensics techniques to analyse and investigate them. However, limited
skilled manpower, a large number of cases, and sophisticated mobile phones running operating
systems with the latest security patches are just a few of the challenges that hinder LEAs in
closing the gap between the rise in cyber crime and the number of cases solved. The foremost
hurdle in mobile phone forensics is extracting the data from the phone. In this paper, I provide
an overview of the techniques available for extracting data from mobile phones.
Keywords: Mobile Forensics, Physical extraction, File system extraction, Logical
extraction, JTAG, ISP, Chip Off, Micro Read
1. INTRODUCTION
"The cell phone is probably the single most important piece of evidence you will
find at a crime scene today..."
- Ex-FBI Director James Comey
Digital forensics is a niche and emerging field. By Locard's exchange principle, any criminal
activity leaves some digital trace, and at almost every crime scene some digital device,
belonging to the victim or to the perpetrator, is available. Mobile phones are among the
devices most commonly used by criminals to carry out such crimes. Law Enforcement Agencies
(LEAs) must therefore be capable of analysing them. However, the analysis of smartphones is
becoming more challenging because of frequent security updates from the manufacturers. At the
same time, LEAs and the companies that provide mobile forensic tools are coming up with
innovative techniques and tools to overcome the hurdle of extracting data from mobile devices.
In this paper, I describe mobile forensics and the challenges it poses to LEAs. I then
review the methods available to extract data from mobile phones, describe the advantages,
disadvantages and challenges of each, and touch upon the commercial tools available for
data extraction.
2. MOBILE FORENSICS
Mobile forensics is the science of recovering digital evidence from mobile devices
under forensically sound conditions. It includes the extraction, recovery and analysis of
data from the internal memory, SD cards and SIM cards of mobile devices. Forensically sound
extraction of data from the wide variety of mobile devices in use, such as smartphones, GPS
navigation units, car infotainment units and tablets, is a challenging task.
Mobile phones present a unique challenge to law enforcement because of the rapid pace of
change in the technology. There are numerous models of mobile phone in use today, and new
families of phones are typically released every three to six months. Many of these phones use
closed operating systems and proprietary interfaces, making the forensic extraction of digital
evidence difficult. Extracting data safely from a mobile phone is not the same as recovering
information from a computer: it is a specialist skill, because mobile devices do not share
the same operating systems or components; most are proprietary embedded devices with a
unique configuration. The challenges faced by forensic professionals across the world are
listed below:
2.1 Use of proprietary OS.
2.2 Use of proprietary Chips.
2.3 Device level encryption of data.
2.4 Phone lock patterns, PIN and biometric locks for phones.
2.5 Encryption of application databases.
2.6 Second Space / Secure Folder features within the mobile phone.
Data recovery from a mobile phone is possible by gaining access to the phone's OS through
its communication port; once access to the OS is gained, the data can be recovered. It is
also possible to bypass the OS and communicate directly with the memory chip in order to
take a physical dump of the chip, and then recover the required data with decoding and
data-carving tools. The following sections give an overview of the types of data extraction
generally adopted by forensic analysts to recover data.
3. TYPES OF EXTRACTION
Depending on the request and the specific questions asked by the investigation team, the
type of extraction and analysis is decided. Higher levels require a more comprehensive
examination and additional skills, and may not be applicable or possible for every phone or
situation. Each level of mobile forensics has its own corresponding skill set. The pyramid
of levels is given below:
Figure 1 : Pyramid of Mobile Data Recovery Techniques (from the base upwards, in order of
increasing complexity: Manual Extraction, Logical Extraction, File System Extraction,
Physical Extraction, Chip-off, JTAG/ISP, Micro Read)
Broadly, the mobile data recovery techniques shown above can be divided into two groups:
3.1 Methods in which the mobile phone does not need to be disassembled, also called
non-invasive techniques, consisting of the following:
3.1.1 Manual Extraction.
3.1.2 Logical Extraction.
3.1.3 File System Extraction.
3.1.4 Physical Extraction.
3.2 Methods in which the mobile phone must be disassembled, also called invasive
techniques, consisting of the following:
3.2.1 JTAG.
3.2.2 In-System Programming.
3.2.3 Chip-Off.
3.2.4 Micro Read.
4. METHODS WHEREIN THE MOBILE PHONE IS NOT REQUIRED TO BE DISASSEMBLED
In this section, I cover the types of extraction in which the cyber forensic analyst tries
to extract data without opening the mobile phone. These are also called non-invasive
techniques. A large number of commercial hardware and software tools are available to carry
out extraction without opening the phone. The types of extraction covered under this heading
are given below.
4.1 Manual Extraction (Manual Read). This is the simplest process: the investigator views
the data through the device's touchscreen or keypad and documents what is present in the
device's memory. Whatever is seen on the screen is photographed or recorded. It is the most
time-consuming and the most limited extraction technique, and it carries a high probability
of human error, since data may be accidentally deleted or modified during the examination.
Deleted data cannot be recovered at this level. Some popular tools have been developed to
help an investigator document the extraction; they are listed below.
4.1.1 Project-A-Phone. This is also known as Project Android Phone. It projects an Android
device wirelessly to the screen of a PC, displays the phone screen in real time, records
audio and video, and takes still images individually or in a programmed sequence.
4.1.2 Fernico ZRT. This camera system gives an examiner the ability to document evidence
items found on mobile devices. Direct integration with the Canon EOS DSLR camera range,
combined with professional-grade camera equipment, enables ZRT 2 to capture very
high-quality images for its built-in report generator. Photos and videos are automatically
resized into a customizable report template for presentation in court.
Figure 2 : Fernico ZRT
4.1.3 EDEC Eclipse. This product is designed for digital forensic examiners and allows
them to capture images and video of cell phone screens, documents or any other type of
evidence.
Figure 3 : EDEC Eclipse Set
4.2 Logical Extraction. Logical extraction is the quickest but also a limited data
extraction technique. It does not produce a bit-by-bit copy of the phone's memory; it
creates a copy of the user-accessible files, so the data recovered is, as the name suggests,
the data visible on the device. The forensic tool communicates with the device's OS through
an Application Programming Interface (API), which specifies how software components
interact, and requests the data from the OS through that API. On Android this commonly means
the platform backup mechanism or the content providers exposed by each app, so the tool only
receives what the OS and the apps allow to be exported. This process allows extraction of
most of the live data on the device: contacts, SMS, call logs, multimedia and application
data. Deleted data is not recovered. Most of the forensic tools currently available, such as
MSAB XRY, Oxygen and MOBILedit, perform logical extraction.
Figure 4 : Snapshot of Logical Extraction by MSAB XRY
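To show what a logical extraction actually moves over the wire on Android, the following is an added example written for this page (it is not the author's code nor any vendor's): it builds an `adb backup`-style stream in memory and parses it back. The container is a four-line text header (magic, format version, compressed flag, encryption scheme) followed by a zlib stream that inflates to a tar archive. The paths and file contents below are constructed sample data; the point is that the tool only ever sees what the backup agent chose to write.

```python
import io
import tarfile
import zlib

# Header of an unencrypted "adb backup" stream as produced by Android 4.0+:
# four text lines (magic, format version, compressed flag, encryption scheme)
# followed by a zlib stream that inflates to a tar archive.
AB_MAGIC = b"ANDROID BACKUP"


def build_sample_backup(files):
    """Construct an unencrypted .ab stream from {path: bytes}.

    Sample data built in memory for this example; not taken from a device.
    """
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    header = AB_MAGIC + b"\n1\n1\nnone\n"  # version 1, compressed, no encryption
    return header + zlib.compress(tar_buf.getvalue())


def parse_backup(ab):
    """Parse an .ab stream: return (header fields, {member path: bytes})."""
    parts = ab.split(b"\n", 4)
    if len(parts) != 5 or parts[0] != AB_MAGIC:
        raise ValueError("not an Android backup stream")
    meta = {
        "version": int(parts[1]),
        "compressed": parts[2] == b"1",
        "encryption": parts[3].decode("ascii"),
    }
    payload = parts[4]
    if meta["encryption"] != "none":
        # An encrypted backup ("AES-256") carries salts, an IV and a wrapped
        # master key in further header lines; without the user's backup
        # password the tar stream cannot be recovered.
        raise ValueError("backup is %s-encrypted; password required" % meta["encryption"])
    tar_bytes = zlib.decompress(payload) if meta["compressed"] else payload
    members = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            if member.isfile():
                members[member.name] = tar.extractfile(member).read()
    return meta, members


if __name__ == "__main__":
    # Constructed member paths; the database bytes are a placeholder, not a real file.
    sample = build_sample_backup({
        "apps/com.android.providers.telephony/_manifest": b"com.android.providers.telephony\n",
        "apps/com.android.providers.telephony/db/mmssms.db": b"SQLite format 3\x00" + b"\x00" * 84,
    })
    meta, members = parse_backup(sample)
    print(meta)
    for path, data in members.items():
        print("%8d  %s" % (len(data), path))
```

Run against a real `backup.ab`, the same parser lists the per-app tar members. If the fourth header line reads AES-256 rather than none, the examiner needs the user's backup password, which is what the backup password breakers in the commercial tools attack; and an app that sets allowBackup to false simply does not appear in the archive, which is the practical limit of a logical extraction.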
4.3 File System Extraction. This type of extraction is often seen as a form of logical
extraction, but it is more data rich. It is still not a bit-by-bit copy of the entire
contents of the phone, but it includes files not directly accessible to the user via the
device interface. In this type of extraction the forensic tool obtains full access to the
database files on the device directly, rather than through the API. This direct access
allows the tool to extract all files present in the internal memory, including contacts,
SMS, multimedia, application data, web browsing history and hidden files. It does not
extract data from unallocated space on the flash; deleted records can nevertheless surface,
because database files carry freed pages and free space inside pages, which is why Figure 5
shows deleted items. Cellebrite promotes UFED's file system extraction and is amongst the
few vendors who refer to the method by that name. Its 'Advanced Logical Extraction' combines
the logical and file system extractions for iOS and Android devices and is an alternative
where physical extraction is not possible. MSAB does not have a specific file system
extraction; it has only XRY Logical and XRY Physical. Magnet Forensics also says that it can
obtain a full file system, and it has partnered with Grayshift (GrayKey) to recover data
from iOS devices as well. Unlike a logical extraction, the file system data obtained
requires decoding before it can be read. None of the commercial vendors publicly disclose
the vulnerabilities used to carry out a full file system extraction from an iOS device, as
this would give the manufacturer a chance to patch the exploits.
Figure 5 : View of Cellebrite Reader showing extracted data, including deleted data (file
numbers shown in red)
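To make concrete what "requires decoding" means for the SQLite databases that make up most of a file system extraction, and why deleted records can still be present (the red entries in Figure 5) although nothing is read from unallocated flash, here is an added example written for this page, not taken from any vendor tool. It builds a small sms table of constructed messages, deletes one through the normal API, and then compares the API view of the file with printable strings carved from its raw bytes, once with SQLite's secure_delete pragma off and once with it on.

```python
import os
import re
import sqlite3
import tempfile

# Constructed sample table, loosely shaped like the sms table of Android's
# mmssms.db. The numbers and texts are invented for this example.
SCHEMA = "CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, body TEXT)"
ROWS = [
    ("+15550000001", "Meet at the usual place at nine tonight"),
    ("+15550000002", "Move the money before the audit starts"),
    ("+15550000003", "Thanks, see you tomorrow morning then"),
]
DELETED_BODY = ROWS[1][1]


def make_database(path, secure_delete):
    """Create the db, insert three messages, delete the middle one."""
    conn = sqlite3.connect(path, isolation_level=None)  # autocommit: each statement reaches the file
    conn.execute("PRAGMA journal_mode=DELETE")
    # secure_delete decides whether SQLite zeroes freed cells. Some apps (and
    # some distro builds of libsqlite3) turn it on by default.
    conn.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO sms(address, body) VALUES (?, ?)", ROWS)
    conn.execute("DELETE FROM sms WHERE body = ?", (DELETED_BODY,))
    conn.close()


def live_rows(path):
    """What a logical/API view of the database returns."""
    conn = sqlite3.connect(path)
    try:
        return [tuple(r) for r in conn.execute("SELECT address, body FROM sms ORDER BY _id")]
    finally:
        conn.close()


def carve_strings(path, min_len=16):
    """Printable ASCII runs anywhere in the raw file, used or free space alike."""
    with open(path, "rb") as fh:
        raw = fh.read()
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.group().decode("ascii") for m in re.finditer(pattern, raw)}


def ghost_strings(path):
    """Carved strings not explained by any live row: schema text, freed cells, etc."""
    live_values = [v for row in live_rows(path) for v in row]
    return {s for s in carve_strings(path) if not any(v in s for v in live_values)}


def recover(secure_delete):
    """Return (live rows, ghost strings) for a database built with the given setting."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "mmssms.db")
        make_database(path, secure_delete)
        return live_rows(path), ghost_strings(path)


if __name__ == "__main__":
    for flag in (False, True):
        live, ghosts = recover(flag)
        print("secure_delete=%s: %d live rows, deleted body recoverable: %s"
              % (flag, len(live), any(DELETED_BODY in g for g in ghosts)))
```

Which of the two outcomes an examiner meets depends on how the app built and configured SQLite, not on the extraction method: an app that enables secure_delete, or a database that has since been VACUUMed, leaves nothing for the second pass to find. The ghost set also contains schema text and other legitimate strings, so carved hits still have to be tied back to record structure before they are reported as deleted messages.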
4.4 Physical Extraction. This is the most extensive method of extracting data from a
mobile phone without disassembling it. In physical extraction, a bit-by-bit copy of the
entire contents of the phone's flash memory is made. It is the only type of extraction in
which the device is not disassembled and yet deleted data is recovered. It shares the same
basic concept as imaging a computer hard drive. On a device with full-disk or file-based
encryption the image holds ciphertext unless the tool can also recover the keys (see
section 5.3). Where the data is readable, physical extraction also reveals protected data
and can obtain service data, applications and user data, including the following deleted
data:
4.4.1 Deleted passwords.
4.4.2 Deleted files, photos and videos.
4.4.3 Deleted Snapchat pictures.
4.4.4 Deleted text messages, contacts and call logs.
4.4.5 Location tags & GPS fixes.
Figure 6 : Chart showing type of data recovered
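The two habits that distinguish handling a physical image from a logical one are hashing it before anything else and carving unallocated space by file signature. The following is an added example for this page (not code from the paper or from any forensic tool) that does both over a constructed miniature image: a deleted JPEG whose length is found from its end-of-image marker, and an orphaned SQLite file whose length is computed from the page size and page count in its own header. Every byte of the image is constructed here.

```python
import hashlib

# Constructed stand-in for a raw flash image. A real physical extraction is
# many gigabytes; the layout here shows the same situations in miniature.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x1b" * 200 + b"\xff\xd9"


def _sample_sqlite(page_size=1024, page_count=2):
    """Minimal bytes carrying the SQLite header fields a carver relies on."""
    db = bytearray(page_size * page_count)
    db[0:16] = b"SQLite format 3\x00"
    db[16:18] = page_size.to_bytes(2, "big")   # page size (value 1 means 65536)
    db[28:32] = page_count.to_bytes(4, "big")  # database size in pages
    return bytes(db)


def make_sample_image():
    return (b"\x00" * 1000      # unallocated, zero-filled
            + SAMPLE_JPEG       # a photo whose directory entry was deleted
            + b"\xff" * 500     # erased NAND pages read as 0xff
            + _sample_sqlite()  # an orphaned database file
            + b"\x00" * 300)


def image_hash(image):
    """Record this before any analysis so the working copy can be re-verified later."""
    return hashlib.sha256(image).hexdigest()


def _jpeg_length(image, start):
    # Footer-delimited. Caveat: ff d9 also ends the EXIF thumbnail embedded in
    # many camera JPEGs, so stopping at the first one can recover only the
    # thumbnail; a production carver walks the JPEG segments instead.
    end = image.find(b"\xff\xd9", start + 3)
    return None if end < 0 else end + 2 - start


def _sqlite_length(image, start):
    # Header-derived: page size * page count, both big-endian in the 100-byte header.
    if start + 32 > len(image):
        return None
    page_size = int.from_bytes(image[start + 16:start + 18], "big")
    page_size = 65536 if page_size == 1 else page_size
    if page_size < 512 or page_size & (page_size - 1):
        return None  # not a power of two: treat the magic as a false positive
    page_count = int.from_bytes(image[start + 28:start + 32], "big")
    return page_size * page_count or None


SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", _jpeg_length),
    "sqlite": (b"SQLite format 3\x00", _sqlite_length),
}


def carve(image):
    """Return (kind, offset, length) for every signature hit with a plausible length."""
    hits = []
    for kind, (magic, length_of) in SIGNATURES.items():
        pos = image.find(magic)
        while pos >= 0:
            length = length_of(image, pos)
            if length and pos + length <= len(image):
                hits.append((kind, pos, length))
                pos = image.find(magic, pos + length)
            else:
                pos = image.find(magic, pos + 1)
    return sorted(hits, key=lambda hit: hit[1])


if __name__ == "__main__":
    image = make_sample_image()
    print("sha256", image_hash(image))
    for kind, offset, length in carve(image):
        print("%-6s at 0x%06x, %d bytes" % (kind, offset, length))
```

The 0xff run stands for erased NAND, which reads as all ones rather than zeros, so a carver that treats only zero blocks as empty will waste time on it. Carved objects are recovered by content, not by name or timestamp; those come only from file-system metadata, which a physical image may or may not still contain.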
4.5 Commercial Tools Available for Data Extraction from Mobile Phones
4.5.1 Cellebrite UFED. Cellebrite is a world leader in mobile forensic solutions,
comprising hardware, software and premium services for extracting data from mobile
platforms. It provides flexible, field-proven and cross-platform solutions for the lab and
the field through its Universal Forensic Extraction Device (UFED) series. With support for
more than 31,000 device profiles and wide coverage of Android and Apple devices, UFED is
designed to meet the challenge of unveiling the massive amount of data stored in a modern
mobile device. The UFED series can extract, decode, analyse and report data from thousands
of mobile devices, including smartphones, legacy and feature phones, portable GPS devices,
tablets, memory cards and phones built on Chinese chipsets. UFED can be used to bypass
locks, perform advanced unlocks, perform logical, full file system and physical extractions,
and perform selective extraction of app data and cloud tokens. UFED 4PC is a cost-effective
and flexible software product for users requiring access and extraction capabilities on a PC
or laptop. UFED Touch2 is a hardware solution offering comprehensive extraction capabilities
in the lab, at a remote location or in the field. The UFED Ruggedized Panasonic Laptop is
loaded with the UFED software and comes in a purpose-built ruggedized case that withstands
drops, shocks and extreme temperatures wherever the investigation takes place.
Figure 7 : UFED Touch 2
Chart contents (data recovered by each extraction type):
  Logical extraction      : calls, contacts, SMS, multimedia contents
  File system extraction  : calls, contacts, SMS, multimedia contents, hidden files
  Physical extraction     : calls, contacts, SMS, multimedia contents, hidden files, deleted data
4.5.2 Magnet AXIOM. Magnet AXIOM is a multi-platform tool that recovers digital evidence
from the most sources, including smartphones, cloud services, computers, IoT devices and
third-party images, and uses powerful and intuitive analytics tools to analyse all the data
in one case file. Magnet Forensics has built a global reputation for excellence, reliability
and trustworthiness; its technology has been used in a wide variety of cases and
investigations, from child exploitation to terrorism and intellectual property, by
departments and agencies all over the world.
4.5.3 MSAB XRY. MSAB XRY is one of the leading mobile forensic solutions on the market.
With the XRY 9.0.2 release, MSAB added support for Samsung Galaxy S, A and J series phones
with Exynos chipsets and for newer Spreadtrum chipsets. It also supports extracting data
from the widely used messaging app Telegram, with enhancements for extracting Signal and
WhatsApp data from Android devices.
4.5.4 Oxygen Forensic. Oxygen Forensics, a US-based company, is one of the leading global
digital forensics software providers, giving law enforcement, federal agencies and
enterprises access to critical data and insights. Specializing in mobile devices, cloud,
drones and IoT devices, its all-in-one forensic software platform provides data extraction
and analytical tools for criminal and corporate investigations.
4.5.5 MOBILedit. MOBILedit is a product of Compelson Labs, founded in 1991. MOBILedit
Forensic Express is a phone and cloud extractor, data analyser and report generator in one
solution. A 64-bit application using both physical and logical acquisition methods, it is
noted for its application analyser, deleted data recovery, live updates, wide range of
supported phones including most feature phones, fine-tuned reports, concurrent phone
processing and easy-to-use interface. With its password and PIN breaker one can gain access
to locked ADB or iTunes backups, using GPU acceleration and multi-threaded operation for
speed.
5. METHODS WHEREIN THE MOBILE PHONE IS REQUIRED TO BE DISASSEMBLED
The extraction methods described above are carried out without opening the mobile phone.
If they do not succeed in extracting the data, other methods must be followed in which the
phone is disassembled in order to reach the chip. These methods involve connecting to
specific points on the board and instructing the processor (JTAG) or the eMMC controller
(ISP) to transfer the data stored in memory, or reading the memory chip itself (chip-off).
They are low-level, hardware-based techniques that take advantage of the PCB and IC
(integrated circuit) test interfaces used for programming and quality control during
production. They are explained in the succeeding paragraphs.
5.1 Joint Test Action Group (JTAG)
JTAG is short for Joint Test Action Group. It is an industry standard, defined by the
Institute of Electrical and Electronics Engineers as IEEE 1149.1, for verifying designs and
testing printed circuit boards (PCBs) after manufacture. Device manufacturers use it to test
boards during production before the product is launched. In the aftermarket, JTAG is
commonly used to restore dead devices by reflashing the device's memory, and the same access
allows the phone's memory to be read.
JTAG forensics is an advanced acquisition process that involves connecting to the Test
Access Ports (TAPs) on the PCB by soldering, by a Molex connector or by a jig. Once the TAPs
are connected, a supported JTAG box such as RIFF, Z3X or ATF instructs the processor to read
the raw data stored on the connected memory chip in order to obtain a full physical image of
the device.
JTAG acquisition is available for many Android devices and for some feature phones. With
specialized equipment and a supported device, one can retrieve the flash memory contents.
JTAG is not available for any Apple device.
The JTAG acquisition process uses existing solder points on the circuit board, generally
called TAPs. These connect to the processor over the test bus and allow communication
between the processor and the other chips on the board. It is the memory chip we are
interested in communicating with: read commands are sent through the JTAG port to the
processor, instructing it to read the contents of the memory chip and output them to the PC.
Figure 8 : Test Access Points
Each of the test access points that make up the JTAG port has a function. The location of
the TAPs differs from device to device. Various JTAG solutions are available, and each has a
feature to display the TAP pin-out diagram so that you know which wire to solder to which
point. The TAP pins fall into the following two groups.
5.1.1 Required Pins
5.1.1.1 TDI (Test Data In). This signal carries the data shifted into the device's test or
programming logic. It is sampled on the rising edge of the Test Clock (TCK) when the
internal state machine is in the correct state. Basically, it is serial data from the
debugger to the target.
5.1.1.2 TDO (Test Data Out). This signal carries the data shifted out of the device's test
or programming logic and is valid on the falling edge of TCK when the internal state machine
is in the correct state. Basically, it is serial data from the target to the debugger.
5.1.1.3 TCK (Test Clock). This has nothing to do with the board or system clock. It
synchronizes the operations of the internal state machine and controls the timing of the
test logic independently of the system clock.
5.1.1.4 TMS (Test Mode Select). This signal is sampled on the rising edge of TCK to
determine the next state of the state machine.
5.1.2 Optional Pins
5.1.2.1 TRST (Test Reset). An optional pin which, when available, resets the TAP
controller's state machine. Without it, holding TMS high for five TCK cycles has the same
effect.
5.1.2.2 RTCK (Return Test Clock). A clock returned by the target, used by some ARM targets
for adaptive clocking.
5.1.2.3 GND (Ground).
5.1.2.4 VCC (Power).
5.1.2.5 SRST (System Reset). A System Reset signal is quite common; it lets the debugger
reset the whole system, not just the parts with JTAG support. Sometimes there are also event
signals used to trigger activity by the host or by the device being monitored through JTAG,
or additional control lines.
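To make the pin descriptions concrete, here is an added simulation written for this page (not code from the paper or from any JTAG box vendor) of the IEEE 1149.1 TAP controller that the four required pins drive: TMS sampled on each rising TCK edge selects the next of sixteen states, and while the controller sits in Shift-DR one bit moves in on TDI and out on TDO per clock. The read_idcode routine is the TMS sequence a JTAG box sends to identify a device before anything else; the device side is a deliberately simplified model whose only data register is the 32-bit IDCODE. The IDCODE value 0x4BA00477 is the one reported by ARM CoreSight debug ports and is a familiar sight in JTAG scans; any value would serve the simulation.

```python
# IEEE 1149.1 TAP controller: for each state, the next state when TMS is
# sampled low and when it is sampled high on the rising edge of TCK.
TAP_NEXT = {
    "Test-Logic-Reset": ("Run-Test/Idle", "Test-Logic-Reset"),
    "Run-Test/Idle":    ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-DR-Scan":   ("Capture-DR",    "Select-IR-Scan"),
    "Capture-DR":       ("Shift-DR",      "Exit1-DR"),
    "Shift-DR":         ("Shift-DR",      "Exit1-DR"),
    "Exit1-DR":         ("Pause-DR",      "Update-DR"),
    "Pause-DR":         ("Pause-DR",      "Exit2-DR"),
    "Exit2-DR":         ("Shift-DR",      "Update-DR"),
    "Update-DR":        ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-IR-Scan":   ("Capture-IR",    "Test-Logic-Reset"),
    "Capture-IR":       ("Shift-IR",      "Exit1-IR"),
    "Shift-IR":         ("Shift-IR",      "Exit1-IR"),
    "Exit1-IR":         ("Pause-IR",      "Update-IR"),
    "Pause-IR":         ("Pause-IR",      "Exit2-IR"),
    "Exit2-IR":         ("Shift-IR",      "Update-IR"),
    "Update-IR":        ("Run-Test/Idle", "Select-DR-Scan"),
}


class SimulatedTap:
    """One JTAG device reduced to what an IDCODE read needs (a model, not real silicon).

    Test-Logic-Reset selects the device ID register, Capture-DR loads it with
    IDCODE, and Shift-DR shifts it out on TDO least-significant bit first
    while TDI shifts in at the top.
    """

    def __init__(self, idcode):
        self.idcode = idcode
        self.state = "Test-Logic-Reset"
        self.dr = 0
        self.tdo = 0

    def clock(self, tms, tdi=0):
        """One TCK period. Returns the TDO level the debugger samples on this
        rising edge, which the device drove on the previous falling edge."""
        sampled_tdo = self.tdo
        if self.state == "Shift-DR":
            self.dr = (self.dr >> 1) | (tdi << 31)
        self.state = TAP_NEXT[self.state][tms]
        if self.state == "Capture-DR":
            self.dr = self.idcode
        self.tdo = self.dr & 1  # driven on the falling edge that follows
        return sampled_tdo


def read_idcode(tap):
    """Drive the TMS sequence a JTAG box uses to fetch a device's IDCODE."""
    for _ in range(5):           # five TMS=1 clocks reach Test-Logic-Reset from any state
        tap.clock(1)
    tap.clock(0)                 # Run-Test/Idle
    tap.clock(1)                 # Select-DR-Scan
    tap.clock(0)                 # Capture-DR: IDCODE is loaded into the data register
    tap.clock(0)                 # Shift-DR
    value = 0
    for bit in range(32):
        tms = 1 if bit == 31 else 0   # the last shift also moves to Exit1-DR
        value |= tap.clock(tms) << bit
    tap.clock(1)                 # Update-DR
    tap.clock(0)                 # Run-Test/Idle
    return value


def decode_idcode(idcode):
    """Split the 32-bit IDCODE into its IEEE 1149.1 fields."""
    return {
        "version": idcode >> 28,
        "part_number": (idcode >> 12) & 0xFFFF,
        "manufacturer": (idcode >> 1) & 0x7FF,  # JEDEC JEP106 code
        "valid": idcode & 1 == 1,               # the LSB of a real IDCODE is always 1
    }


if __name__ == "__main__":
    tap = SimulatedTap(0x4BA00477)
    idcode = read_idcode(tap)
    print("IDCODE 0x%08X -> %s" % (idcode, decode_idcode(idcode)))
```

Reading the phone's memory over the same four wires goes well beyond this: after identification the box loads processor-specific debug instructions into the instruction register and uses the core's debug access port to issue memory reads, which is why each box supports a list of chipsets rather than "any JTAG device". The five-clock reset and the IDCODE scan are, however, the first things any box does, and a TAP that does not answer them is the usual sign of mis-identified or disabled test points.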
5.1.3 JTAG Training
Special knowledge and training are required before undertaking the JTAG process. Proper
JTAG training covers, at a minimum, the following topics:
5.1.3.1 Overview of boundary scan and the JTAG process.
5.1.3.2 Disassembling and repairing mobile devices.
5.1.3.3 Soldering and de-soldering techniques.
5.1.3.4 Identification of TAPs through probing.
5.1.3.5 Electrical theory, and the use of a multimeter and an alternate power supply.
5.1.3.6 Digital forensic procedures and evidence handling.
5.1.4 Hardware for JTAG
The TAPs need to be connected to a box that knows how to access and interpret the data.
Devices such as the RIFF Box 2, Medusa Pro and Easy JTAG are common boxes one can use.
Several JTAG solutions are available on the market, and each brand supports a different
range of handsets.
Figure 9 : JTAG Boxes (RIFF Box and Medusa Pro)
5.1.5 JTAG Process
In the JTAG process, the mobile device is connected to the JTAG box via wires soldered to
the Test Access Ports (TAPs). The JTAG box is then connected to the computer via a cable.
The JTAG software communicates with the JTAG box, which sends commands to the TAPs on the
circuit board and ultimately acquires a read of the memory chip. Jigs are an alternative to
soldering. A jig is a printed circuit board with pins mounted on its surface; each device
needs its own jig, since the TAPs differ from device to device. The jig is held in place
against the mobile device's circuit board so that its pins line up with the TAPs.
Figure 8 : Example of JTAGed Phone
5.1.6 Advantages
5.1.6.1 It allows extraction of data from locked or damaged devices.
5.1.6.2 It is a non-destructive method; the device can be put back into use.
5.1.6.3 It does not alter the data on the device.
5.1.6.4 It provides a physical data extraction.
5.1.6.5 It can also be used for data extraction from gaming consoles, GPS units, car
navigation systems, modems, routers, PVRs etc.
5.1.7 Disadvantages
5.1.7.1 The mobile device may need to be dismantled and wires soldered to the circuit board.
5.1.7.2 Improper use of the JTAG software and hardware, or improper soldering, can destroy
data or permanently damage the device.
5.1.8 Challenges
5.1.8.1 Identification of the JTAG points is a challenging task, as some mobile phones have
hidden JTAG points. JTAG pins can be exposed on the phone's PCB, but they can also be hidden
under a coating; in that case tools are needed to remove the coating and leave the pins
exposed for connection and testing. The figure below shows JTAG pins hidden underneath the
battery, covered by the product information label and protected by the coating.
Manufacturers also tend to limit the access of external parties to the JTAG ports, either
by making them inaccessible after the end of production testing or by breaking them on
purpose.
Figure 10 : Phones with Exposed TAPs and Coated TAPs
5.1.8.2 Soldering skills are necessary; otherwise collateral damage to the phone may result.
5.1.9 Commercial Tools Available
5.1.9.1 MD-Box. This is a JTAG reader designed for JTAG extraction with MD-NEXT by
HancomGMD, a leading research group in mobile and digital forensics. It is used for
extracting data directly from the motherboard of a mobile device using the JTAG interface.
When a phone has suffered external damage but the motherboard still works, an examiner can
connect the motherboard to MD-BOX through the JTAG interface; the data is then acquired via
the JTAG extraction function in MD-NEXT.
5.1.9.2 Teel Technologies. Teel Technologies provides hardware for JTAG. Once the data is
extracted, however, it has to be opened in another tool; the decoding of the read is done
in UFED or XRY.
5.2 In-System Programming (ISP)
In-System Programming (ISP), sometimes called In-Circuit Serial Programming (ICSP), is
again a non-destructive method of retrieving the data. It is the practice of connecting
directly to an eMMC or eMCP flash memory chip for the purpose of downloading the device's
complete memory contents. In contrast to JTAG, which performs a boundary scan of all the
components on the PCB, ISP addresses only one particular component (in our case the eMMC),
bypassing the processor. Communication with the eMMC is performed by sending commands to the
chip and receiving responses back. Because of this direct communication, memory acquisition
through ISP is much faster than through JTAG. The practice enables an examiner to recover a
complete data dump without removing the chip. As with JTAG, the examiner has to solder wires
to places on the board. The technique is useful because some phones do not have accessible
TAPs and/or the manufacturer has disabled data access through them.
In this process the wires are soldered to resistors, capacitors or test pads on the PCB
that connect to the eMMC lines. The difficult part of ISP is finding the pin-out of the
device, and the work is usually harder than JTAG because the pads are much smaller than
JTAG TAPs: the analyst needs a microscope, a much finer soldering tip and a steady hand. ISP
also works on passcode-locked devices, but, again, an encrypted device yields only
ciphertext. The usual lines to solder to are:
- DAT0 to DAT7: serial data lines / data bus (a one-bit read over DAT0 alone is sufficient
for acquisition, only slower).
- VCC: supply voltage for the flash core, typically 2.8 to 3.3 V.
- VCCq: supply voltage for the I/O interface, typically 1.8 V.
- CLK: clock.
- CMD: command.
- GND: ground.
The diagram below shows the internal structure of the eMMC chip and the signals used for
ISP communication. Commands (in our case "read") are sent on the CMD line to the MMC
controller inside the memory package; the response and the data come back on the data
lines DAT0 to DAT7, synchronized with the clock signal (CLK).
Figure 11 : eMMC structure and interface
As with JTAG, the lines need to be connected to a box that knows how to drive the
interface and interpret the data. Many programmer tools are commercially available which
support different chipsets and memory types. Devices such as Octoplus, Z3X, RIFF Box 2,
Medusa Pro and Easy JTAG are just some of the boxes one can use.
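The command exchange described above, written out as an added example for this page (it is not taken from the paper or from any programmer box's firmware): every command on the CMD line is a 48-bit token with a start bit, a direction bit, a 6-bit command index, a 32-bit argument, a CRC-7 and an end bit, and a reader pulls sectors by issuing READ_SINGLE_BLOCK (CMD17) with the sector address as argument. CMD0 and SD's CMD8 are included because their tokens are widely published known-answer values for the CRC; card identification, voltage negotiation and the data-line transfer itself are outside the snippet.

```python
CRC7_POLY = 0x09  # x^7 + x^3 + 1, the CRC used on the MMC/SD CMD line

# Command indices used below (MMC/SD numbering)
CMD_GO_IDLE_STATE = 0
CMD_SEND_IF_COND = 8          # SD meaning; used here only as a CRC known-answer check
CMD_SET_BLOCKLEN = 16
CMD_READ_SINGLE_BLOCK = 17
SECTOR = 512


def crc7(data):
    """CRC-7 over a byte string, most significant bit first, no init or xor-out."""
    crc = 0
    for byte in data:
        for shift in range(7, -1, -1):
            feedback = ((crc >> 6) & 1) ^ ((byte >> shift) & 1)
            crc = (crc << 1) & 0x7F
            if feedback:
                crc ^= CRC7_POLY
    return crc


def build_command(index, argument):
    """48-bit token: start bit 0, transmission bit 1 (host to card), 6-bit index,
    32-bit argument, CRC-7, end bit 1. Sent serially on CMD, MSB first."""
    if not 0 <= index < 64:
        raise ValueError("command index must fit in 6 bits")
    if not 0 <= argument <= 0xFFFFFFFF:
        raise ValueError("argument must fit in 32 bits")
    body = bytes([0x40 | index]) + argument.to_bytes(4, "big")
    return body + bytes([(crc7(body) << 1) | 1])


def parse_command(token):
    """Validate framing and CRC of a captured token; return (index, argument)."""
    if len(token) != 6:
        raise ValueError("token must be 48 bits")
    if token[0] & 0xC0 != 0x40:
        raise ValueError("bad start/transmission bits")
    if token[5] & 1 != 1:
        raise ValueError("bad end bit")
    if token[5] >> 1 != crc7(token[:5]):
        raise ValueError("CRC-7 mismatch")
    return token[0] & 0x3F, int.from_bytes(token[1:5], "big")


def read_sector_commands(first_sector, count):
    """Tokens a reader issues to pull `count` 512-byte sectors starting at
    `first_sector`. On a high-capacity eMMC the argument is a sector number,
    not a byte address; each CMD17 is answered by a response on CMD and one
    data block (with its own CRC-16) on the DAT lines, both omitted here."""
    return [build_command(CMD_SET_BLOCKLEN, SECTOR)] + [
        build_command(CMD_READ_SINGLE_BLOCK, first_sector + i) for i in range(count)
    ]


if __name__ == "__main__":
    for index, argument in ((CMD_GO_IDLE_STATE, 0), (CMD_SEND_IF_COND, 0x1AA)):
        print("CMD%-2d arg 0x%08x -> %s" % (index, argument, build_command(index, argument).hex()))
    for token in read_sector_commands(0x2000, 2):
        print(token.hex(), parse_command(token))
```

The reason ISP is faster than JTAG is visible in the framing: the host talks to the flash controller in its native protocol, with nothing in between, instead of asking a processor to perform each read on its behalf. The same tokens are what a logic analyser on the CMD test pad shows during an acquisition, which is a quick way to confirm that the soldered lines are correct before a long read is started.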
5.3 Chip-Off
Chip-off acquisition is a highly advanced technique for recovering data from mobile
phones. It is a destructive technique: the phone's flash memory chip is physically removed
(de-soldered) from the board and read directly, instead of being reached through leads
attached to PCB contacts as in ISP. Chip-off is considered more difficult than JTAG, but the
amount of information acquired is similar to that obtained by JTAGging the device. Since
most smartphones use standard eMMC flash modules (or, increasingly, UFS), the process is
standardized and presents few surprises to the examiner.
When imaging computer hard drives, one normally attempts to go as low level as possible.
In the world of mobile forensics, the lowest-level access is not always the best. While
reading the chip directly produces a complete raw dump of the memory, the investigator may
be faced with an encrypted partition whose keys are not on the chip at all, being derived
from the user's credential and hardware-bound secrets in the SoC. Chip-off delivers the best
results on unencrypted devices, and expectations for it must be moderate, as recent devices
store their data encrypted on the memory chip: devices shipping with Android 7.0 onwards are
encrypted by default. Chip-off will, however, remain viable for other IoT devices, which
usually store their data in clear text.
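A triage step an examiner takes before investing decoding time in a chip-off or ISP dump is to ask whether the bytes are plaintext at all. The following is an added example written for this page (not from the paper or any vendor tool): it computes the Shannon entropy of each 4 KiB block of a constructed image and labels blocks as erased, structured or encrypted-looking. The image, the log line and the stand-in ciphertext (a hash counter stream, not real encryption) are all constructed here.

```python
import hashlib
import math

BLOCK_SIZE = 4096


def shannon_entropy(block):
    """Bits per byte: 0.0 for a constant block, 8.0 for perfectly uniform bytes."""
    if not block:
        return 0.0
    counts = [0] * 256
    for value in block:
        counts[value] += 1
    total = len(block)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def classify(entropy):
    if entropy < 0.5:
        return "empty/erased"
    if entropy > 7.8:
        return "encrypted-or-compressed"
    return "plaintext/structured"


def entropy_map(image, block_size=BLOCK_SIZE):
    """(offset, entropy, class) for each block of the image."""
    result = []
    for offset in range(0, len(image), block_size):
        h = shannon_entropy(image[offset:offset + block_size])
        result.append((offset, round(h, 2), classify(h)))
    return result


def share_high_entropy(image, block_size=BLOCK_SIZE):
    """Fraction of blocks that look like ciphertext. Near 1.0 means the dump is
    unreadable without the keys, whatever the extraction method was."""
    rows = entropy_map(image, block_size)
    if not rows:
        return 0.0
    return sum(1 for _, _, cls in rows if cls == "encrypted-or-compressed") / len(rows)


def _pseudo_ciphertext(length, seed=b"sample"):
    """Deterministic high-entropy filler standing in for an encrypted partition
    (a SHA-256 counter stream; not real encryption)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def make_sample_image():
    """Constructed dump: erased pages, a plaintext log partition, an encrypted
    userdata partition and a zero-filled tail."""
    record = b"2019-03-12 21:14:07 call +15550000001 outgoing 00:02:13\n"  # invented log line
    plaintext = (record * (BLOCK_SIZE // len(record) + 1))[:BLOCK_SIZE]
    return (b"\xff" * BLOCK_SIZE                 # erased NAND reads as 0xff
            + plaintext                          # unencrypted system log
            + _pseudo_ciphertext(2 * BLOCK_SIZE)  # encrypted userdata
            + b"\x00" * BLOCK_SIZE)              # zero-filled


if __name__ == "__main__":
    image = make_sample_image()
    for offset, entropy, cls in entropy_map(image):
        print("0x%06x  %.2f  %s" % (offset, entropy, cls))
    print("high-entropy share: %.0f%%" % (100 * share_high_entropy(image)))
```

Compressed data (JPEGs, zlib streams in SQLite WAL files, app caches) also scores close to 8 bits per byte, so a high-entropy block on its own proves nothing; the pattern that matters is a whole partition at that level with no recognisable headers anywhere in it. Where only a small fraction of the image scores high, the dump is worth carving; where nearly all of it does, the effort belongs in obtaining the keys, not in the reader.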
5.3.1 Steps involved in Chip-Off. The chip-off process involves the following broad
steps.
5.3.1.1 Identify the memory chip type (package and interface) on the device.
5.3.1.2 Physically remove the chip (for example, by de-soldering it).
5.3.1.3 Interface the chip using a reader and its programming software.
5.3.1.4 Read and transfer the data from the chip to a PC.
5.3.1.5 Interpret the acquired data (decoding, and reverse engineering where the layout is
unknown).
5.3.2 Advantages. Carrying out chip-off has certain advantages:
5.3.2.1 It recovers data from damaged mobile phones.
5.3.2.2 It works with eMMC/eMCP memory chips.
5.3.2.3 It gives a full read of the memory chip.
5.3.2.4 It is a physical extraction and recovers deleted data as well.
5.3.2.5 It does not alter the user data in memory.
5.3.2.6 It is used for extraction from Android, Windows and iOS phones, Chinex, Qualcomm,
MTK generic and CDMA devices.
5.3.3 Disadvantages. The two distinctive disadvantages of chip-off are that it is a
destructive technique, and that if the data recovered is encrypted it still has to be
decrypted.
5.3.4 Challenges
5.3.4.1 The ICs on modern devices are often secured under a protective shield or epoxy
underfill, which makes the task more challenging.
5.3.4.2 The connectors on a BGA NAND chip in many cases need rework through a process known
as re-balling, that is, rebuilding the solder balls on the chip so that it can be connected
to the chip-reading equipment.
5.3.4.3 A solid command of dismantling and chip removal skills is crucial.
5.3.4.4 The memory chip must be located and identified so that the correct chip is
de-soldered, and not the CPU or any other chip.
5.3.5 Precautions to be taken while carrying out Chip-Off. Certain precautions are
required while carrying out chip-off. Some of them are listed below.
5.3.5.1 The individual performing chip-off should always wear protective goggles where an
infrared heater is used.
5.3.5.2 They should never attempt to touch any part of the heating equipment while it is
turned on.
5.3.5.3 They should always use the tools provided to handle the chip and boards, as these
may get very hot during the work.
5.3.5.4 Items used for chip-off need a cooling-down period of 5 to 15 minutes before it is
safe to handle them without burn injuries.
5.3.5.5 Data may be lost from the chip if it is overheated while being removed from the
board. Although the chips can retain data beyond 275 °C, higher temperatures bring a higher
risk of data loss, so care must be taken not to overcook the chip.
5.3.6 Commercial Tools for Chip-Off
5.3.6.1 MD-MR (Memory Removal). This is a package of forensic hardware for detaching the
memory chip from the motherboard of a mobile phone. When a mobile device is severely broken
or has been submerged in liquid, MD-MR is used to attempt chip-off forensics. It includes
standard items such as a general memory chip reader, heat blowers for general disassembly
work, a BGA re-balling kit, a hot plate for re-balling, a microscope, a rework station
(optional), a mobile phone dryer (optional) and a mobile device safety box (optional).
5.3.6.2 MD-Reader. MD-Reader is forensic hardware for extracting data from a chip-off
memory. After detaching the memory chip from the board manually or with a rework machine,
the examiner mounts it into one of the memory sockets included; the data extraction is then
done from the chip-off menu of the MD-NEXT program.
5.3.6.3 Teel Technologies. The Teel Technologies Chip-Off Starter Kit is one way to go for
someone looking for all the basic tools needed for chip-off forensics. The starter kit
bundles many essential components to help save money, and Teel provides a variety of
UP-828P adapters suited to a range of smartphones and tablets. It includes the TeelTech
UP828P chip reader, UP-828P adapters, an SD chip reader kit, chip-off and JTAG workbench
gear and a T-862++ IRDA rework station.
Figure 10 : Equipment used for Chip-Off
5.4 Micro Read
This process involves interpreting and viewing data on memory chips. Generally,
microchips consist primarily of silicon, which is obtained from sand. The process of making
sand into silicon involves melting, cutting, polishing and grinding. The silicon is made into
an ingot, or single-crystal cylinder, six to eight inches wide. The cylinder is then cut into
wafers that measure less than one-fortieth of an inch thick. These wafers are pressed into
various integrated circuit parts with the aid of computers. The circuit is coated with a layer
of glass by exposing the silicon to temperatures of 900 degrees Celsius for an hour or
longer. Afterward, the unit is coated in a nitride layer. A number of different textures are
created in the circuits during this process. The connecting pins or leads are added during
a process called bonding. The pins are made of either gold or tin. These pins are used to
electrically connect the chip to the components it will form part of.
The investigators use a high-powered electron microscope to analyze the physical
gates on the chip and then convert the gate level into 1s and 0s to discover the resulting
ASCII code. This process is very expensive and time-consuming. It also requires thorough
knowledge of hardware and file systems. Due to the extreme technicalities involved in
micro read, it should only be attempted for very high-profile cases equivalent to a national
security crisis, after all other extraction techniques have been exhausted. The process
is rarely performed and is not well documented at this time. There are currently no
commercial tools available for micro read.
Figure 11 : Electron Microscope of Silicon
The steps involved in the micro read are as follows:-
5.4.1 Use a chemical process to remove the top layer of the chip.
5.4.2 Use a microscope to read the gates manually.
5.4.3 Translate the binary data read from the gates to hex.
5.4.4 Translate the hex to data.
6. OTHER METHODS : ROOTING OR JAILBREAKING
Another, less destructive, method that can be used with some mobile devices is
"Rooting" or "Jailbreaking". This process involves leveraging features of the OS to
elevate the permissions and privileges of the running user (similar to the process of gaining
"root" access on a Linux computer). This process is NOT considered a forensic
technique, as it involves the modification of system files and can potentially damage
the device, and so should be low on the list of techniques used. The notified Forensic
Labs never resort to rooting or jailbreaking a device in order to extract the data, due to
the legal implications involved.
The order of attempted extractions is important. Examiners should strive to conduct
the examination method that is least destructive but yields the most data. This allows
examiners to capture areas that might be damaged or overwritten at later stages. Methods
of extraction such as JTAG and Chip-Off should only be considered as a last resort,
especially Chip-Off, as the process can be destructive and unrecoverable.
Generally, all forensic experts start from the easier and widely accessible data
recovery methods and move on to more demanding ones. Table 1 explains the different
approaches to data recovery that can be applied during data extraction from mobile
phones, varying from the normal user interface (UI) (i.e. via the phone's operating system)
through to the most advanced tactics. Table 1 also highlights the degree of destruction
required to perform each extraction technique and gives a brief description of that particular
technique.
Level of Skills Required | Type of Extraction | Method | Characteristics | Type of Data Extracted
Low | Manual inspection | Non-invasive | Manual navigation of the User Interface | -
Low - Medium | Forensic imaging (COTS tools) | Non-invasive | Connecting the phone to the PC or dedicated forensic hardware via USB. | Logical / File System / Physical
Medium - High | JTAG / eMMC ISP | Invasive and can be destructive | Connection to the TAPs ports on the device motherboard | Physical
High | Chip-off | Invasive and destructive | De-soldering the memory chip from the PCB. | Physical
Very High | Micro Read | Invasive and destructive | Using proprietary or custom-made tools to retrieve the data from the NAND flash directly, by-passing the controller. | Physical
Table 1: Data recovery tactics performed during testing
8. EXPERIMENTAL RESULTS
A large number of devices were used in the lab, and the data extraction methods mentioned
above, except JTAG, ISP, Chip-off and Micro Read, were tried on them without opening
the mobile phones. The results are given in Table 2.
9. CONCLUSION
Data extraction from mobile phones is a challenging task, and rapid changes in the
field of mobile technology are posing a number of difficulties to every forensics professional
today. OEMs are coming up with innovative ways of securing the data stored in the mobile
phone, and LEAs are trying to overcome the enormous challenge of extracting the data
from these sophisticated mobile phones. As the use of mobile phone extraction proliferates,
whether it is used by law enforcement or border security, the data from these devices will
be used to challenge an individual, whether in criminal or civil proceedings and procedures.
The delivery of justice depends on the integrity and accuracy of evidence and the trust that
society has in it.
Ser No | Make and Model of Mob Phone | Version | Patch Level | Logical / Advance Logical | File System | Physical | Tools Used | Remarks, if any
1 | One Plus A 6000 | - | - | Adv Logical | - | - | - | -
2 | Vivo 1601 | Android 6 | 03 May 2018 | - | - | Yes | - | -
3 | Vivo Z1 Pro | - | - | Adv Logical | - | - | UFED 4PC, XRY | -
4 | Vivo V3 | - | 01 Apr 2020 | Adv Logical | File System | - | UFED 4PC, XRY | -
5 | Vivo V 17 (vivo1919) | Android 10 | 04 Jan 2020 | Adv Logical | - | - | UFED4PC | -
6 | Vivo V9 | Android 8.1.0 | Mar 2019 | Adv | File System | - | UFED 4PC, XRY | APK Downgrade
7 | Vivo 1601 | Android 6 | 05 Mar 2018 | - | - | Yes | - | -
8 | Samsung Guru 1200 | - | - | - | - | Yes | - | -
9 | Samsung Duos | - | - | - | - | Yes | UFED 4PC, XRY | -
10 | Samsung J7 | Android 6 | 04 Jan 2018 | - | - | Yes | UFED Touch2 | Decrypted Boot Loader
11 | Samsung A750F | Android 9 | 9 May 2019 | - | - | Yes | UFED4PC | -
12 | Samsung Galaxy S7 Edge | Android 8 | Nov 2019 | - | - | Yes | UFED 4PC | -
13 | Samsung S7 Edge | - | - | - | - | Yes | UFED4PC | -
14 | Lava Z60 | - | - | Adv Logical | - | - | UFED 4PC, XRY | -
15 | Micromax X073 | - | - | - | - | Yes | UFED 4PC, XRY | -
16 | Honor 9I (LLD-AL10) | - | - | Adv Logical | File System | - | - | -
17 | Redmi Note 4 | Android 6 | 05 Jan 2017 | - | - | Yes | UFED4PC | -
18 | Redmi Note 6 Pro | - | - | Adv Logical | - | - | - | -
19 | Redmi Note 6Pro | Android 8 | 01 Jan 2019 | - | - | Yes | UFED4PC | -
20 | Redmi Note 6 Pro | Android 9 | 04 May 2019 | - | - | Yes | UFED/ XRY | -
21 | Redmi Note 6 Pro | Android 8 | 01 Jan 2020 | - | - | Yes | UFED4PC | -
22 | Redmi 6 Pro | Android 9 | 05 May 2019 | - | File System (APK downgrade) | - | UFED4PC | -
23 | Redmi ME17G | Android 8 | 12 Jan 2018 | - | - | Yes | UFED 4PC | -
24 | Redmi ME17G | Android 8 | 05 Sep 2019 | - | File Sys (APK Downgrade) | - | UFED/ XRY | -
25 | Nokia 105 | - | - | - | File System | - | - | -
26 | Realme-2 pro | Android 8 | 03 Ma 2019 | Adv Logical | - | - | - | -
27 | iPhone 5S | iOS 11.4.1 | - | Adv Logical | - | - | UFED4PC | -
28 | JIO Mob (LYF) F220B | - | - | - | - | Yes | XRY | -
29 | Realme 1801 | Android 9 | 12 May 2019 | Adv Logical | - | - | UFED4PC | -
Table 2 : Array of Mobiles used and type of data extracted.
SOK:An overview of data extraction techniques from mobile phones

More Related Content

What's hot

Cyber forensic standard operating procedures
Cyber forensic standard operating proceduresCyber forensic standard operating procedures
Cyber forensic standard operating proceduresSoumen Debgupta
 
Analysis of digital evidence
Analysis of digital evidenceAnalysis of digital evidence
Analysis of digital evidencerakesh mishra
 
Android– forensics and security testing
Android– forensics and security testingAndroid– forensics and security testing
Android– forensics and security testingSanthosh Kumar
 
Handling digital crime scene
Handling digital crime sceneHandling digital crime scene
Handling digital crime sceneSKMohamedKasim
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkitMilap Oza
 
Digital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsDigital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsFilip Maertens
 
Audio and Video Forensics
Audio and Video ForensicsAudio and Video Forensics
Audio and Video ForensicsDipika Sengupta
 
E-mail Investigation
E-mail InvestigationE-mail Investigation
E-mail Investigationedwardbel
 
Digital Forensic ppt
Digital Forensic pptDigital Forensic ppt
Digital Forensic pptSuchita Rawat
 
Computer forensic ppt
Computer forensic pptComputer forensic ppt
Computer forensic pptPriya Manik
 
Anti forensic
Anti forensicAnti forensic
Anti forensicMilap Oza
 
Digital Forensics best practices with the use of open source tools and admiss...
Digital Forensics best practices with the use of open source tools and admiss...Digital Forensics best practices with the use of open source tools and admiss...
Digital Forensics best practices with the use of open source tools and admiss...Sagar Rahurkar
 
iOS and BlackBerry Forensics
iOS and BlackBerry ForensicsiOS and BlackBerry Forensics
iOS and BlackBerry ForensicsAndrey Belenko
 

What's hot (20)

Cyber forensic standard operating procedures
Cyber forensic standard operating proceduresCyber forensic standard operating procedures
Cyber forensic standard operating procedures
 
Analysis of digital evidence
Analysis of digital evidenceAnalysis of digital evidence
Analysis of digital evidence
 
Computer Forensics ppt
Computer Forensics pptComputer Forensics ppt
Computer Forensics ppt
 
Android– forensics and security testing
Android– forensics and security testingAndroid– forensics and security testing
Android– forensics and security testing
 
Handling digital crime scene
Handling digital crime sceneHandling digital crime scene
Handling digital crime scene
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkit
 
The Scope of Cyber Forensic.pptx
The Scope of Cyber Forensic.pptxThe Scope of Cyber Forensic.pptx
The Scope of Cyber Forensic.pptx
 
First Responder Officer in Cyber Crime
First Responder Officer in Cyber CrimeFirst Responder Officer in Cyber Crime
First Responder Officer in Cyber Crime
 
Digital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsDigital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic Investigations
 
Audio and Video Forensics
Audio and Video ForensicsAudio and Video Forensics
Audio and Video Forensics
 
E mail Investigation
E mail InvestigationE mail Investigation
E mail Investigation
 
E-mail Investigation
E-mail InvestigationE-mail Investigation
E-mail Investigation
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
 
Digital Forensic ppt
Digital Forensic pptDigital Forensic ppt
Digital Forensic ppt
 
Computer forensic ppt
Computer forensic pptComputer forensic ppt
Computer forensic ppt
 
Cyber Forensics Module 2
Cyber Forensics Module 2Cyber Forensics Module 2
Cyber Forensics Module 2
 
Network forensic
Network forensicNetwork forensic
Network forensic
 
Anti forensic
Anti forensicAnti forensic
Anti forensic
 
Digital Forensics best practices with the use of open source tools and admiss...
Digital Forensics best practices with the use of open source tools and admiss...Digital Forensics best practices with the use of open source tools and admiss...
Digital Forensics best practices with the use of open source tools and admiss...
 
iOS and BlackBerry Forensics
iOS and BlackBerry ForensicsiOS and BlackBerry Forensics
iOS and BlackBerry Forensics
 

Similar to SOK:An overview of data extraction techniques from mobile phones

Conceptual Study of Mobile Forensics
Conceptual Study of Mobile ForensicsConceptual Study of Mobile Forensics
Conceptual Study of Mobile Forensicsijtsrd
 
ContentsMobile Forensic3Introduction3What It Is3How I.docx
ContentsMobile Forensic3Introduction3What It Is3How I.docxContentsMobile Forensic3Introduction3What It Is3How I.docx
ContentsMobile Forensic3Introduction3What It Is3How I.docxrichardnorman90310
 
New research directions in the area of
New research directions in the area ofNew research directions in the area of
New research directions in the area ofIJCNCJournal
 
On the Availability of Anti-Forensic Tools for Smartphones
On the Availability of Anti-Forensic Tools for SmartphonesOn the Availability of Anti-Forensic Tools for Smartphones
On the Availability of Anti-Forensic Tools for SmartphonesCSCJournals
 
digital forensic examination of mobile phone data
digital forensic examination of mobile phone datadigital forensic examination of mobile phone data
digital forensic examination of mobile phone dataINFOGAIN PUBLICATION
 
IRJET - Android based Mobile Forensic and Comparison using Various Tools
IRJET -  	  Android based Mobile Forensic and Comparison using Various ToolsIRJET -  	  Android based Mobile Forensic and Comparison using Various Tools
IRJET - Android based Mobile Forensic and Comparison using Various ToolsIRJET Journal
 
Cell Phone Forensics Research
Cell Phone Forensics ResearchCell Phone Forensics Research
Cell Phone Forensics ResearchHouston Rickard
 
IRJET- Sniffer for Tracking Lost Mobile
IRJET- Sniffer for Tracking Lost MobileIRJET- Sniffer for Tracking Lost Mobile
IRJET- Sniffer for Tracking Lost MobileIRJET Journal
 
Version 3.6 Powerpoint March10
Version 3.6 Powerpoint March10Version 3.6 Powerpoint March10
Version 3.6 Powerpoint March10jpmccormack
 
IRJET - System to Identify and Define Security Threats to the users About The...
IRJET - System to Identify and Define Security Threats to the users About The...IRJET - System to Identify and Define Security Threats to the users About The...
IRJET - System to Identify and Define Security Threats to the users About The...IRJET Journal
 
811719104102_Tamilmannavan S.pptx
811719104102_Tamilmannavan S.pptx811719104102_Tamilmannavan S.pptx
811719104102_Tamilmannavan S.pptxDEVIKAS92
 
VOICE BIOMETRIC IDENTITY AUTHENTICATION MODEL FOR IOT DEVICES
VOICE BIOMETRIC IDENTITY AUTHENTICATION MODEL FOR IOT DEVICESVOICE BIOMETRIC IDENTITY AUTHENTICATION MODEL FOR IOT DEVICES
VOICE BIOMETRIC IDENTITY AUTHENTICATION MODEL FOR IOT DEVICESijsptm
 
Lessons v on fraud awareness (digital forensics) [autosaved]
Lessons v on fraud awareness   (digital forensics) [autosaved]Lessons v on fraud awareness   (digital forensics) [autosaved]
Lessons v on fraud awareness (digital forensics) [autosaved]Kolluru N Rao
 
Lessons v on fraud awareness (digital forensics)
Lessons v on fraud awareness   (digital forensics)Lessons v on fraud awareness   (digital forensics)
Lessons v on fraud awareness (digital forensics)CA.Kolluru Narayanarao
 

Similar to SOK:An overview of data extraction techniques from mobile phones (20)

Conceptual Study of Mobile Forensics
Conceptual Study of Mobile ForensicsConceptual Study of Mobile Forensics
Conceptual Study of Mobile Forensics
 
ContentsMobile Forensic3Introduction3What It Is3How I.docx
ContentsMobile Forensic3Introduction3What It Is3How I.docxContentsMobile Forensic3Introduction3What It Is3How I.docx
ContentsMobile Forensic3Introduction3What It Is3How I.docx
 
Ijmet 10 01_095
Ijmet 10 01_095Ijmet 10 01_095
Ijmet 10 01_095
 
AD-MPEX-BRO-09Dec2014
AD-MPEX-BRO-09Dec2014AD-MPEX-BRO-09Dec2014
AD-MPEX-BRO-09Dec2014
 
New research directions in the area of
New research directions in the area ofNew research directions in the area of
New research directions in the area of
 
On the Availability of Anti-Forensic Tools for Smartphones
On the Availability of Anti-Forensic Tools for SmartphonesOn the Availability of Anti-Forensic Tools for Smartphones
On the Availability of Anti-Forensic Tools for Smartphones
 
776 s0005
776 s0005776 s0005
776 s0005
 
digital forensic examination of mobile phone data
digital forensic examination of mobile phone datadigital forensic examination of mobile phone data
digital forensic examination of mobile phone data
 
Cn35499502
Cn35499502Cn35499502
Cn35499502
 
IRJET - Android based Mobile Forensic and Comparison using Various Tools
IRJET -  	  Android based Mobile Forensic and Comparison using Various ToolsIRJET -  	  Android based Mobile Forensic and Comparison using Various Tools
IRJET - Android based Mobile Forensic and Comparison using Various Tools
 
Cell Phone Forensics Research
Cell Phone Forensics ResearchCell Phone Forensics Research
Cell Phone Forensics Research
 
IRJET- Sniffer for Tracking Lost Mobile
IRJET- Sniffer for Tracking Lost MobileIRJET- Sniffer for Tracking Lost Mobile
IRJET- Sniffer for Tracking Lost Mobile
 
Version 3.6 Powerpoint March10
Version 3.6 Powerpoint March10Version 3.6 Powerpoint March10
Version 3.6 Powerpoint March10
 
IRJET - System to Identify and Define Security Threats to the users About The...
IRJET - System to Identify and Define Security Threats to the users About The...IRJET - System to Identify and Define Security Threats to the users About The...
IRJET - System to Identify and Define Security Threats to the users About The...
 
CS_UNIT 2(P3).pptx
CS_UNIT 2(P3).pptxCS_UNIT 2(P3).pptx
CS_UNIT 2(P3).pptx
 
811719104102_Tamilmannavan S.pptx
811719104102_Tamilmannavan S.pptx811719104102_Tamilmannavan S.pptx
811719104102_Tamilmannavan S.pptx
 
VOICE BIOMETRIC IDENTITY AUTHENTICATION MODEL FOR IOT DEVICES
VOICE BIOMETRIC IDENTITY AUTHENTICATION MODEL FOR IOT DEVICESVOICE BIOMETRIC IDENTITY AUTHENTICATION MODEL FOR IOT DEVICES
VOICE BIOMETRIC IDENTITY AUTHENTICATION MODEL FOR IOT DEVICES
 
Lessons v on fraud awareness (digital forensics) [autosaved]
Lessons v on fraud awareness   (digital forensics) [autosaved]Lessons v on fraud awareness   (digital forensics) [autosaved]
Lessons v on fraud awareness (digital forensics) [autosaved]
 
Lessons v on fraud awareness (digital forensics)
Lessons v on fraud awareness   (digital forensics)Lessons v on fraud awareness   (digital forensics)
Lessons v on fraud awareness (digital forensics)
 
Irjet v7 i3811
Irjet v7 i3811Irjet v7 i3811
Irjet v7 i3811
 

Recently uploaded

Mobile Application Development-Android and It’s Tools
Mobile Application Development-Android and It’s ToolsMobile Application Development-Android and It’s Tools
Mobile Application Development-Android and It’s ToolsChandrakantDivate1
 
Android Application Components with Implementation & Examples
Android Application Components with Implementation & ExamplesAndroid Application Components with Implementation & Examples
Android Application Components with Implementation & ExamplesChandrakantDivate1
 
Mobile Application Development-Components and Layouts
Mobile Application Development-Components and LayoutsMobile Application Development-Components and Layouts
Mobile Application Development-Components and LayoutsChandrakantDivate1
 
Leading Mobile App Development Companies in India (2).pdf
Leading Mobile App Development Companies in India (2).pdfLeading Mobile App Development Companies in India (2).pdf
Leading Mobile App Development Companies in India (2).pdfCWS Technology
 
Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...
Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...
Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...nishasame66
 

Recently uploaded (6)

Mobile Application Development-Android and It’s Tools
Mobile Application Development-Android and It’s ToolsMobile Application Development-Android and It’s Tools
Mobile Application Development-Android and It’s Tools
 
Android Application Components with Implementation & Examples
Android Application Components with Implementation & ExamplesAndroid Application Components with Implementation & Examples
Android Application Components with Implementation & Examples
 
Mobile Application Development-Components and Layouts
Mobile Application Development-Components and LayoutsMobile Application Development-Components and Layouts
Mobile Application Development-Components and Layouts
 
Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)
Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)
Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)
 
Leading Mobile App Development Companies in India (2).pdf
Leading Mobile App Development Companies in India (2).pdfLeading Mobile App Development Companies in India (2).pdf
Leading Mobile App Development Companies in India (2).pdf
 
Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...
Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...
Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...
 

SOK:An overview of data extraction techniques from mobile phones

  • 1. SOK : AN OVERVIEW OF DATA EXTRACTION TECHNIQUES FROM MOBILE PHONES Ashish Bhagawan Sutar Abstract. The digitization of the World is on rise and so the cyber crimes. Day by day cyber crimes are rising and law enforcement agencies are on their toes to solve these crimes. They are using sophisticated digital forensics techniques for analyzing and investigating the cyber crimes. However, limited skilled manpower, large number of cases, sophisticated mobile phones with OS with latest security patches are just few among the various challenges that hinder the progress on LEAs to cover the gap between rise in cyber crimes and the cases solved. The foremost hindrance in mobile phone forensic is to extract the data from the mobile phones. In this paper, I would like to provide an overview and available techniques to extract data from mobile phones. Keywords: Mobile Forensics, Physical extraction, File system extraction, Logical extractionJTAG, ISP, Chip Off, Micro Read 1.INTRODUCTION ‘The cell phone is probably the single most important piece of evidence you will find at a crime scene today…’’ -Ex FBI Director James Comey Digital forensic is one of the niche and emerging field. Any criminal activity happening across the World has some digital evidence present as per Locard’s principle and at every place of crime, some or other digital devices, may be of victim or perpetrator, is available. One of the most popular devices used by criminals to carry out such crimes are mobile phones. Therefore, Law Enforcement Agencies (LEAs) must be capable to carry out analysis of these mobile phones. However, the analysis of smart mobile phones is becoming more challenging due to frequent security updates by manufacture. However at the same time, LEAs and companies across the World providing mobile forensic tools are coming with innovative techniques and tools to overcome the hurdle of extracting data from Mobile devices. 
In this paper, I will describe about Mobile Forensics and its challenges being posed to LEAs. I will then review methods available to extract the data from the mobile phones. I will continue with describing the advantages, disadvantages and challenges faced while extracting the data from mobile phones and will also touch upon the commercial tools available for extraction of data 2. MOBILE FORENSICS Mobile forensics is the science of recovering digital evidence from mobile devices under forensically sound conditions. It includes the extraction, recovery and analysis of data from internal memory, SD cards and SIM cards of mobile devices. Secure forensic extraction of data from a wide variety of mobile devices such as smart phones, GPS navigations units, car infotainment units and tablets is challenging task. Mobile phones present a unique challenge to law enforcement due to rapid changes in technology. There are numerous models of mobile phones in use today. New families of mobile phones are typically manufactured every three (3) to six (6) months. Many of these phones use closed operating systems and proprietary interfaces making it difficult
  • 2. for the forensic extraction of digital evidence. Extracting data safely from mobile phones is not the same as recovering information from computers. It is a specialist skill as Mobile devices do not share the same Operating systems or components. Most are proprietary embedded devices with unique configuration. The different challenges faced by Forensic professionals today across the World are as listed below:- 2.1 Use of proprietary OS. 2.2 Use of proprietary Chips. 2.3 Device level encryption of data. 2.4 Phone lock patterns, PIN and biometric locks for phones. 2.5 Encryption of application databases. 2.6 Second Space/ secure folder within the Mobile phones. The data recovery from the mobile phone is possible through gaining access to Phone’s OS through the communication port. Once the access to OS is gained, the data can be recovered. It is also possible to bypass the OS and directly communicate with the memory chip in order to take physical dump of chip and using different decoding mechanism and data carving tools to recover the required data. Now I will give an overview of mobile phone data extraction types generally adopted by Forensic Analysts to recover data. 3. TYPES OF EXTRACTION Depending on the request and the specific questions asked from the investigation Team, the type of extraction and analysis is decided. Higher levels require a more comprehensive examination, additional skills and may not be applicable or possible for every phone or situation. Each level of the Mobile Forensics has its own corresponding skill sets. 
The pyramid of the levels is given below :- Figure 1 : Pyramid of Mobile Data Recovery Techniques Broadly above mentioned mobile data recovery techniques used by Forensic professional can be divided in two parts:- 3.1 Methods wherein Mobile phone is not required to be disassembled, also called as non-invasive techniques, consisting of following methods :- Micro Read JTAG/ ISP Chip off Physical Extraction File System Extraction Logical Extraction Manual Extraction More Complex
  • 3. 3.1.1Manual Extraction. 3.1.2Logical Extraction. 3.1.3File System Extraction. 3.1.4Physical Extraction. 3.2 Methods wherein Mobile Phone is required to be disassembled, also called as invasive techniques, consisting of following methods :- 3.2.1JTAG. 3.2.2In-System-Programming. 3.2.3Chip Off. 3.2.4Micro Read 4. METHODS WHEREIN MOBILE PHONE IS NOT REQUIRED TO BE DIS-ASSEMBLED In this section, I will cover the types of extraction wherein the Cyber Forensic Analyst tries to extract data without opening the mobile phone. These techniques are also called as non-invasive techniques. Large number of commercial hardware as well as software tools are available in the market to carry out extraction of data without opening the mobile phone. The types of extraction covered under this head are as given below. 4.1 Manual Read. This is the simplest process which allows investigators to extract and view data through the device’s touchscreen or keypad to document data present in the device’s memory. At a later stage, this data is documented photographically. Whatever is seen on the screen is photographed/ recorded and it is the most time consuming and limited data extraction technique from mobile phones. Furthermore it involves a great probability of human error e.g. the data may get accidentally deleted or modified during the examination. At this level, it is not possible to recover the deleted data. There are some popular tools which have been developed to aid an investigator to easily document the extraction. They are listed as below. 4.1.1Project-A-Phone. This is also known as Project Android Phone. This helps to wirelessly project android device to the screen of the PC. It helps in display of phone screen in real time, record audio and video, and take still images individually or in a programmed sequence. 4.1.2Fernico ZRT. This camera system allows an examiner the ability to document evidence items found on mobile devices. 
Direct integration with the Canon EOS DSLR camera range, combined with professional grade camera equipment, enables ZRT 2 to capture very high quality images for the built-in report generator. Photos and videos are automatically resized into a customizable report template for presentation in Court. Figure 2 : Fernico ZRT
  • 4. 4.1.3EDEC Eclipse. This product is designed for digital forensic examiners and allows then to capture images and video of cell phone screens, documents or any other type of evidence. Figure 3 : EDEC Eclipse Set 4.2 Logical Extraction. Logical extraction is the quickest but most limited data extraction technique from mobile phones. This type of extraction does not include bit by bit copy of memory phone and it creates a copy of the user accessible files. As the name suggests, the data recovered is visible in plain in mobile device. In this type of extraction, forensic tool communicates with the OS of the device using an Application Programming Interface (API) which specifies how software components interact. The tool then requests data from the OS through API. This process allows extraction of most of the live data on the device. In this extraction process, only contacts, SMS, call logs, multimedia and application data is recovered, however, the deleted data is not recovered. Most of the forensic tools currently available such as MSAB XRY, Oxygen, MOBILedit do extract logical data from the mobile phones. Figure 4 : Snapshot of Logical Extraction by MSAB XRY
  • 5. 4.3 File System Extraction. This type of extraction is often seen as a type of logical extraction. It is more data rich compared to logical extraction. It is again not a bit by bit copy of entire contents of mobile phone however it includes files not directly accessible to the user via device interface. In this type of extraction, full access to the database files on a mobile device is directly obtained by the forensic tool without interacting through API. This direct access allows forensic tools to extract all files present in the internal memory including and contacts, SMS, multimedia, application data, web browsing history and hidden files. However, it does not extract data from unallocated space. Cellebrite promotes UFED’s file system extraction and is amongst the few who refer to the method. It’s ‘Advance Logical Extraction’ combines the logical and file system extractions for iOS and Android devices and is an alternative to where physical extraction is not possible. MSAB does not have a specific file system extraction. It has only XRY Logical and XRY Physical. Magnet Forensics also says that it can obtain a full file system and it has partnered with GreyKey to recover data from iOS devices as well. Unlike a logical extraction, once the file system data is obtained it requires decoding in order to read it. All the commercial vendors do not publically disclose what vulnerabilities are used to carry out a full file system extraction from an iOS device as this will give chance to manufactures a chance to patch exploits. Figure 5 : View of Cellebrite Reader showing Extracted Data including Deleted Data files numbers shown in Red Colour 4.4 Physical Extraction. This is the most extensive method of extracting data from mobile phone without disassembling the same. In physical extraction, a bit by bit copy of the entire contents of the flash memory of mobile phone is made. 
This is the only type of extraction wherein mobile device is not required to be disassembled and still deleted data is also recovered. It shares the same basic concept as the imaging of a computer hard drive. In physical extraction, protected data is also revealed and it can obtain service data, applications and user’s data including following deleted data:- 4.4.1 Deleted passwords. 4.4.2 Deleted files, photos and videos. 4.4.3 Deleted Snapchat pictures. 4.4.4 Deleted text messages, contacts and call logs.
  • 6. 4.4.5 Location tags & GPS fixes. Figure 6 : Chart showing type of data recovered 4.5 Commercial Tools available for data extraction from Mobile Phone 4.5.1 Cellibrite UFED. Cellebrite is the world leader in delivering cutting-edge mobile forensic solutions comprising of hardware, software as well as premium services for extraction of data from mobile platforms. Cellebrite provides flexible, field–proven and innovative cross–platform solutions for lab and field via its Universal Forensic Extraction Device (UFED) Series. With the support for more than 31,000 device profiles and the widest device coverage ranging from Android and apple, UFED is designed to meet the challenges of unveiling the massive amount of data stored in the modern mobile device. The UFED Series can extract, decode, analyze and report data from thousands of mobile devices, including, smartphones, legacy and feature phones, portable GPS devices, tablets, memory cards and phones manufactured with Chinese chipset. One can use UFED to bypass locks, perform advanced unlocks, perform logical/ Full file systems/ physical extractions perform selective extraction of apps data and cloud tokens and much more. UFED 4PC is a cost effective, flexible and convenient software for any user requiring access and extraction capabilities on PC/ Laptop. UFED Touch2 is hardware based solution for comprehensive extraction capabilities in the lab/ remote location/ field which extracts data quickly and securely. The UFED Ruggedized Panasonic Laptop is loaded with UFED software and comes in a purpose-built ruggedized case that can withstand drops, shocks and extreme temperatures to ensure a seamless workflow wherever the investigation takes you. Figure 7 : UFED Touch 2 Logical Extraction Calls Contacts SMS Multimedia Contents File System Extraction Calls Contacts SMS Multimedia Contents Hidden Files Physical Extraction Calls Contacts SMS Multimedia Contents Hidden Files Deleted Data
4.5.2 Magnet AXIOM. Magnet AXIOM is a multiplatform tool which recovers digital evidence from the widest range of sources, including smartphones, cloud services, computers, IoT devices and third-party images. It also uses powerful and intuitive analytics tools to analyze all data in one case file. Magnet Forensics has built a global reputation for excellence, reliability and trustworthiness. Its technology solutions have been used in a wide variety of cases and investigations, from child exploitation to terrorism and intellectual property, by departments and agencies all over the world.

4.5.3 MSAB XRY. MSAB XRY solutions are among the best mobile forensic solutions available in the market. With the latest XRY 9.0.2 release, MSAB provides support for Samsung Galaxy S, A and J series devices with Exynos chipsets and support for newer Spreadtrum chipsets. Apart from these chipsets, it also supports extracting data from the widely used messaging app Telegram, with added enhancements for extracting Signal and WhatsApp data from Android devices.

4.5.4 Oxygen Forensics. Oxygen Forensics, a US-based company, is one of the leading global digital forensics software providers, giving law enforcement, federal agencies and enterprises access to critical data and insights faster than ever before. Specializing in mobile devices, cloud, drones and IoT devices, Oxygen Forensics, an all-in-one forensic software platform, provides advanced digital forensic data extraction and analytical tools for criminal and corporate investigations.

4.5.5 MOBILedit. MOBILedit is a product of Compelson Labs, founded in 1991. MOBILedit Forensic Express is a phone and cloud extractor, data analyzer and report generator in one solution.
A powerful 64-bit application using both the physical and logical data acquisition methods, MOBILedit is notable for its advanced application analyzer, deleted data recovery, live updates, wide range of supported phones including most feature phones, fine-tuned reports, concurrent phone processing and easy-to-use user interface. With the password and PIN breaker, one can gain access to locked ADB or iTunes backups, using GPU acceleration and multi-threaded operations for maximum speed.

5. METHODS WHEREIN THE MOBILE PHONE IS REQUIRED TO BE DISASSEMBLED

The extraction methods described above are carried out without opening the mobile phone. However, if they do not succeed in extracting the data, other methods must be followed in which the mobile phone is disassembled in order to gain access to the chip for extraction of data. These methods involve connecting to specific ports on the device and instructing the processor or eMMC controller to transfer the data stored in the memory. These advanced data extraction methods are low-level, hardware-based techniques that take advantage of the PCB and IC (Integrated Circuit) test interfaces used for programming and quality control of electronic devices during production. They are explained in the succeeding paragraphs.

5.1 Joint Test Action Group (JTAG)

JTAG is short for Joint Test Action Group. JTAG is an industry standard, defined by the Institute of Electrical and Electronics Engineers (IEEE) as IEEE 1149.1, for verifying designs. Device manufacturers use this standard to test Printed Circuit Boards (PCBs) during the manufacturing process before launching them in the market. However, JTAG is also commonly used in the market to restore dead devices by flashing the device's memory, as well as to allow the reading of phone memory. JTAG forensics is an advanced acquisition process that involves connecting to the Test Access Ports (TAPs) on a PCB via solder, a Molex connector or a JIG.
Once the TAPs are connected, a supported JTAG box such as Riff, Z3X or ATF is used to instruct the processor to acquire the raw data stored on the connected memory chip, in order to obtain a full physical image of the device. JTAG acquisition is available for many Android devices as well as some feature phones running Android. By using specialized equipment and a matching device, one can retrieve the flash memory contents from compatible devices. However, JTAG is not available for any Apple devices. The JTAG acquisition process uses existing solder points on the device circuit board, generally called TAPs. These TAPs connect to the controller chip via a bus and allow communication between the controller and other chips on the circuit board. It is the memory chip that we are interested in communicating with. The JTAG ports are used to send read commands through the controller, instructing it to read the contents of the memory chip found on the circuit board and output them to the PC.

Figure 8 : Test Access Points

Each of the Test Access Points that make up the JTAG port has a function. The location of the TAPs differs from device to device. There are various JTAG solutions available, but each will have a feature to display the TAP pinout diagram so that you know which wire to solder to which Test Access Point. The Test Access Points include the following two types of pins.

5.1.1 Required Pins
5.1.1.1 TDI (Test Data In). This signal represents the data shifted into the device's test or programming logic. It is sampled at the rising edge of the Test Clock (TCK) when the internal state machine is in the correct state. Basically, it is serial data from the debugger to the target.
5.1.1.2 TDO (Test Data Out). This signal represents the data shifted out of the device's test or programming logic and is valid on the falling edge of TCK when the internal state machine is in the correct state. Basically, it is serial data from the target to the debugger.
5.1.1.3 TCK (Test Clock). It has nothing to do with the board or system clock. This signal synchronizes the internal state machine operations. It controls the timing of the test logic independently of the system clock.
5.1.1.4 TMS (Test Mode Select). This signal is sampled at the rising edge of TCK to determine the next state.

5.1.2 Optional Pins
5.1.2.1 TRST (Test Reset). This is an optional pin which, when available, can reset the TAP controller's state machine.
5.1.2.2 RTCK (Return Test Clock).
5.1.2.3 GND (Ground).
5.1.2.4 VCC (Power).
5.1.2.5 SRST (System Reset). A System Reset (SRST) signal is quite common, letting debuggers reset the whole system, not just the parts with JTAG support. Sometimes there are event signals used to trigger activity by the host or by the device being monitored through JTAG, or perhaps additional control lines.

5.1.3 JTAG Training
Special knowledge and training are required before undertaking the JTAG process. Proper JTAG training covers, at a minimum, the following topics:-
5.1.3.1 Overview of boundary scanning and the JTAG process.
5.1.3.2 Repairing and disassembling mobile devices.
5.1.3.3 Soldering and de-soldering techniques.
5.1.3.4 Identification of TAPs through probing.
5.1.3.5 Electrical theory, multimeter and alternate power supply usage.
5.1.3.6 Digital forensic procedures and evidence handling.

5.1.4 Hardware for JTAG
The TAPs need to be connected to a box that knows how to access and interpret the data. Devices such as Riff Box 2, Medusa Pro and Easy JTAG are some common boxes that one can use. There are several JTAG solutions available in the market, and each brand supports a different range of handsets.

Figure 9 : JTAG Boxes (RIFF Box, Medusa Pro)

5.1.5 JTAG Process
In the JTAG process, the mobile device is connected to the JTAG box via wires soldered to the Test Access Points (TAPs). The JTAG box is then connected to the computer via a cable. The JTAG software communicates with the JTAG box, sending commands to the TAPs on the circuit board, and ultimately acquires a read of the memory chip. JIGs are an alternative to soldering. A JIG is a printed circuit board (PCB) with pins mounted on its surface. Each device has a unique JIG, since the TAPs differ from device to device. The JIG is held in place against the mobile device's circuit board so that the pins on the JIG line up with the TAPs.
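The following is an added example, not code from the paper or from any JTAG box vendor: a Python model of the IEEE 1149.1 TAP controller driven by the TMS, TDI, TDO and TCK signals described above. It shows how the TMS value sampled on each TCK edge selects the next state, how the 32-bit IDCODE is shifted out LSB-first on TDO, and the one-bit BYPASS delay that examiners use to confirm the TAP wiring before attempting any memory read. The IDCODE value and the instruction encodings are constructed placeholders.

```python
# TAP state machine: state -> (next state if TMS=0, next state if TMS=1)
TAP = {
    "TEST_LOGIC_RESET": ("RUN_TEST_IDLE", "TEST_LOGIC_RESET"),
    "RUN_TEST_IDLE": ("RUN_TEST_IDLE", "SELECT_DR"),
    "SELECT_DR": ("CAPTURE_DR", "SELECT_IR"), "CAPTURE_DR": ("SHIFT_DR", "EXIT1_DR"),
    "SHIFT_DR": ("SHIFT_DR", "EXIT1_DR"), "EXIT1_DR": ("PAUSE_DR", "UPDATE_DR"),
    "PAUSE_DR": ("PAUSE_DR", "EXIT2_DR"), "EXIT2_DR": ("SHIFT_DR", "UPDATE_DR"),
    "UPDATE_DR": ("RUN_TEST_IDLE", "SELECT_DR"),
    "SELECT_IR": ("CAPTURE_IR", "TEST_LOGIC_RESET"), "CAPTURE_IR": ("SHIFT_IR", "EXIT1_IR"),
    "SHIFT_IR": ("SHIFT_IR", "EXIT1_IR"), "EXIT1_IR": ("PAUSE_IR", "UPDATE_IR"),
    "PAUSE_IR": ("PAUSE_IR", "EXIT2_IR"), "EXIT2_IR": ("SHIFT_IR", "UPDATE_IR"),
    "UPDATE_IR": ("RUN_TEST_IDLE", "SELECT_DR"),
}


class TapTarget:
    """Simulated device side of one JTAG TAP (IEEE 1149.1)."""
    IDCODE = 0x0BEEF00D        # constructed placeholder (LSB is 1, as the standard requires)
    IR_LEN = 4
    IDCODE_INSTR = 0b1110      # constructed instruction encoding for this model
    BYPASS_INSTR = 0b1111      # all-ones is BYPASS in the standard

    def __init__(self):
        self.state = "TEST_LOGIC_RESET"
        self.ir = self.IDCODE_INSTR    # reset selects the IDCODE register
        self.ir_shift, self.dr, self.dr_len = 0, 0, 32

    def clock(self, tms, tdi=0):
        """One TCK cycle: TDO is driven from the selected shift register, then
        TMS sampled on the rising edge selects the next state."""
        tdo = 0
        if self.state == "SHIFT_DR":
            tdo = self.dr & 1
            self.dr = (self.dr >> 1) | (tdi << (self.dr_len - 1))
        elif self.state == "SHIFT_IR":
            tdo = self.ir_shift & 1
            self.ir_shift = (self.ir_shift >> 1) | (tdi << (self.IR_LEN - 1))
        self.state = TAP[self.state][tms]
        if self.state == "TEST_LOGIC_RESET":
            self.ir = self.IDCODE_INSTR
        elif self.state == "CAPTURE_DR":           # parallel load of the selected DR
            is_id = self.ir == self.IDCODE_INSTR
            self.dr, self.dr_len = (self.IDCODE, 32) if is_id else (0, 1)  # BYPASS: 1 bit
        elif self.state == "CAPTURE_IR":
            self.ir_shift = 0b0001                  # captured IR value ends in 01
        elif self.state == "UPDATE_IR":
            self.ir = self.ir_shift
        return tdo


def reset(target):
    """Five TMS=1 clocks reach Test-Logic-Reset from any state, then idle."""
    for _ in range(5):
        target.clock(1)
    target.clock(0)


def scan(target, bits, ir=False):
    """From Run-Test/Idle, shift `bits` (LSB first) through the IR or DR and
    return the bits read back on TDO; ends in Run-Test/Idle again."""
    for tms in ((1, 1, 0, 0) if ir else (1, 0, 0)):   # Select -> Capture -> Shift
        target.clock(tms)
    out = [target.clock(1 if i == len(bits) - 1 else 0, b)   # last clock exits Shift
           for i, b in enumerate(bits)]
    target.clock(1)   # Exit1 -> Update
    target.clock(0)   # Update -> Run-Test/Idle
    return out


def read_idcode(target):
    """What a JTAG box does first: identify the part before any memory read."""
    reset(target)
    return sum(b << i for i, b in enumerate(scan(target, [0] * 32)))


def bypass_check(target, pattern):
    """Load BYPASS, then shift a pattern through it: TDO must equal TDI delayed
    by one clock, a basic sanity check that the soldered TAP wiring is right."""
    reset(target)
    scan(target, [(TapTarget.BYPASS_INSTR >> i) & 1 for i in range(TapTarget.IR_LEN)], ir=True)
    return scan(target, pattern)


if __name__ == "__main__":
    t = TapTarget()
    print(hex(read_idcode(t)), bypass_check(t, [1, 0, 1, 1, 0]))
```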
Figure 8 : Example of a JTAGed phone

5.1.6 Advantages
5.1.6.1 It allows extraction of data from locked or damaged devices.
5.1.6.2 It is a non-destructive method; the device can be put back into use.
5.1.6.3 It does not alter data on the device.
5.1.6.4 It performs a physical data extraction.
5.1.6.5 It can also be used for data extraction from gaming consoles, GPS units, car navigation systems, modems, routers, PVRs etc.

5.1.7 Disadvantages
5.1.7.1 The mobile device may need to be dismantled and wires soldered to the circuit board.
5.1.7.2 Improper use of JTAG software and hardware, or improper soldering, could destroy data or permanently damage the device.

5.1.8 Challenges
5.1.8.1 Identification of the JTAG points is a challenging task, as some mobile phones have hidden JTAG points. JTAG pins can be exposed on the phone's PCB, but they can also be hidden under a coating, in which case tools are needed to remove the coating and leave the pins exposed for connection and testing. The following figure shows JTAG pins that have been hidden underneath the battery, covered by the product info label and protected by the coating. Manufacturers also tend to limit the access of external parties to the JTAG ports, either by making them inaccessible after the end of production testing or by breaking them on purpose.

Figure 10 : Phones with exposed TAPs and coated TAPs
5.1.8.2 Soldering skills are necessary; otherwise collateral damage to the phone may result.

5.1.9 Commercial Tools Available
5.1.9.1 MD-Box. This is JTAG reader hardware designed for JTAG extraction with MD-NEXT by HancomGMD, a leading research group in mobile and digital forensics. It is used for extracting data directly from the motherboard of a mobile device using the JTAG interface. When a mobile phone has suffered external damage but the motherboard still works, an examiner can connect the motherboard to the MD-BOX through the JTAG interface. The data can then be acquired via the JTAG extraction function in MD-NEXT.
5.1.9.2 Teel Technologies. Teel Technologies provides hardware for JTAG. However, once the data is extracted, it must be opened in another tool; reading of the extraction is done in UFED or XRY.

5.2 In-System Programming (ISP)

In-System Programming (ISP), sometimes called In-Circuit Serial Programming (ICSP), is again a non-destructive method of retrieving the data. It is the practice of connecting to an eMMC or eMCP flash memory chip for the purpose of downloading a device's complete memory contents. In contrast to JTAG, which is used for the boundary scan of all the components sitting on the PCB, ISP is designed to test only one particular component (in our case the eMMC), bypassing the processor. Communication with the eMMC device is performed by sending commands to the chip and receiving responses back. Because it communicates directly with the chip, memory acquisition through ISP is much faster to perform than through JTAG. This practice enables examiners to recover a complete data dump directly, without removing the chip. As with JTAG extractions, the forensic examiner has to solder wires to points on the board. This technique is useful because some phones do not have accessible TAPs and/or the manufacturer has disabled data access through the TAPs.
In this process the wires are soldered to resistors and capacitors on the PCB. The difficult part of ISP is finding the pinouts of the device. This method is usually a bit tougher because the pins are usually much smaller than JTAG TAPs. The analyst requires a microscope, a much finer solder tip and a steady hand. This process also works on passcode-enabled devices, but again, not on encrypted devices. The following is the list of the usual pins to solder to:-
- DAT0 to DAT7 = serial data lines / data buses.
- VCC (Voltage Collector Constant, sometimes also known as Positive Supply Voltage) = 2.8 to 3.3 volts.
- VCCq = 1.8 volts.
- CLK = clock.
- CMD = command.
- GND = ground.

The diagram given below explains the internal structure of the eMMC chip and the signals used to perform JTAG/ISP communication. The instructions/commands (in our case "read") are sent through the CMD (command) signal to the MMC controller of the memory. The response (data output) is sent via the data buses DAT0 to DAT7, synchronized with the clock signal (CLK).
Figure 11 : eMMC structure and interface

As with JTAG, the pins need to be connected to a box that knows how to access and interpret the data. Many programmer tools are commercially available which offer support for different chipsets and cores (required to communicate with the eMMC via JTAG). Devices such as the Octoplus, RIFF2, Z3X, Riff Box 2, Medusa Pro and Easy JTAG are just some of the boxes one can use.

5.3 Chip-Off

Chip-off acquisition is a highly advanced technique for recovering data from mobile phones. It is more of a destructive extraction technique, requiring wire leads to be attached to the PCB contacts or the phone's flash memory chip to be physically removed (de-soldered). Chip-off is considered more difficult than JTAG; however, the amount of information acquired via chip-off acquisition is similar to the amount acquired by JTAGging the device. Since most smartphones use standard eMMC flash modules, the process is standardized and presents no surprises to the examiner. When imaging computer hard drives, one normally attempts to go as low-level as possible. In the world of mobile forensics, the lowest-level access is not always the best. While reading the chips directly produces a complete raw dump of the memory chips, the investigator may be faced with an encrypted partition with no decryption keys stored anywhere nearby. Chip-off acquisition delivers the best results when used on unencrypted devices. Expectations for the use of chip-off on mobile devices must also be moderated, as recent devices store encrypted data on their memory chips. Devices running Android version 7.0 onwards are encrypted by default. However, chip-off will remain viable for other IoT devices, which usually store data in clear text.

5.3.1 Steps involved in Chip-Off. The chip-off process involves the following broad steps.
5.3.1.1 Detect the memory chip typology of the device.
5.3.1.2 Physical extraction of the chip (for example, by de-soldering it).
5.3.1.3 Interfacing of the chip using reading/programming software.
5.3.1.4 Reading and transferring data from the chip to a PC.
5.3.1.5 Interpretation of the acquired data (using reverse engineering).

5.3.2 Advantages. Carrying out chip-off activities has certain advantages. They are as follows:-
5.3.2.1 It recovers data from damaged mobile phones.
5.3.2.2 It is used for eMMC/eMCP memory chips.
5.3.2.3 Full read of the memory chip.
5.3.2.4 It carries out a physical extraction and also recovers deleted data.
5.3.2.5 It does not alter the user data in memory.
5.3.2.6 It is used for extraction from Android, Windows and iOS based phones, Chinex, Qualcomm, MTK generic and CDMA devices.

5.3.3 Disadvantages. The two distinctive disadvantages of chip-off activities are that it is a destructive technique of data extraction, and that if encrypted data is recovered, it still has to be decrypted.

5.3.4 Challenges
5.3.4.1 All modern device ICs or chips are often secured with a protective shield, i.e. epoxy, which makes the task more challenging.
5.3.4.2 The connectors on a BGA NAND chip require, in many cases, rework through a process known as "re-balling", effectively rebuilding the connectors on the chip so that it can be connected to the chip-reading equipment.
5.3.4.3 Solid command of skills for dismantling and chip removal is crucial.
5.3.4.4 Locate and identify the memory chip to ensure de-soldering of the correct chip and not the CPU or any other chip.

5.3.5 Precautions to be taken while carrying out Chip-Off. Certain precautions are required while carrying out chip-off activities. Some of them are listed below.
5.3.5.1 The individual performing the chip-off technique should always wear protective goggles where an infrared heater is being used for chip-off.
5.3.5.2 The individual performing the chip-off technique should never attempt to touch any part of the heating equipment while it is turned on.
5.3.5.3 The individual performing the chip-off technique should always use the tools provided to handle the chip and boards, as they may get too hot while working.
5.3.5.4 The cooling-down period for items used for chip-off varies between 5 and 15 minutes before it is safe to handle them without causing burn injuries.
5.3.5.5 There is a chance of loss of data from the chip if it is overheated while removing it from the board. Though chips can retain data beyond 275 degrees Celsius, higher temperatures lead to a higher risk of data loss. Care must be taken not to overcook the chip.

5.3.6 Commercial Tools for Chip-Off
5.3.6.1 MD-MR (Memory Removal). This is a package of forensic hardware devices for detaching the memory chip from the motherboard of a mobile phone. When a mobile device is severely broken or has been submerged in liquid, MD-MR is used to attempt chip-off forensics. It includes standard devices such as a general memory chip reader, heat blowers for general disassembly work, a BGA re-balling kit, a hot plate for re-balling, a microscope, a rework station (optional), a mobile phone dryer (optional) and a mobile device safety box (optional).
5.3.6.2 MD-Reader. MD-Reader is a piece of forensic hardware for extracting data from a chip-off memory. After detaching the memory chip from the board manually or with a rework machine, the examiner can mount it in one of the memory sockets included. Data extraction can then be done from the Chip-off menu in the MD-NEXT program.
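Once a JTAG, ISP or chip-off read has produced a raw eMMC image, the next question is what the dump actually contains. The example below is added here and is not code from the paper or from any vendor tool: it parses the GPT of a raw image, verifying the header and table CRCs so a damaged or altered dump is not silently interpreted, and flags partitions whose byte entropy looks like ciphertext, which is the encrypted-by-default case the chip-off discussion above warns about. The image, partition names and GUIDs are constructed in memory; no real device is involved.

```python
import hashlib
import math
import random
import struct
import uuid
import zlib

SECTOR = 512
HEADER_FMT = "<8s4sIIIQQQQ16sQIII"   # 92-byte GPT header, UEFI spec field order
ENTRY_FMT = "<16s16sQQQ72s"          # 128-byte partition entry

def build_test_image(parts, seed=7):
    """Constructed test data: a minimal GPT image (protective MBR, primary
    header, 128 entries, partition payload) for the given (name, bytes) list."""
    rng = random.Random(seed)
    guid = lambda: uuid.UUID(int=rng.getrandbits(128)).bytes_le
    entries, payload, lba = [], b"", 34        # LBA 34: first usable sector
    for name, data in parts:
        nsec = -(-len(data) // SECTOR)
        entries.append(struct.pack(ENTRY_FMT, guid(), guid(), lba,
                                   lba + nsec - 1, 0, name.encode("utf-16-le")))
        payload += data.ljust(nsec * SECTOR, b"\0")
        lba += nsec
    table = b"".join(entries).ljust(128 * 128, b"\0")
    total, disk_guid = lba + 33, guid()       # leave room for a backup GPT
    def header(crc):
        return struct.pack(HEADER_FMT, b"EFI PART", b"\0\0\1\0", 92, crc, 0, 1,
                           total - 1, 34, lba - 1, disk_guid, 2, 128, 128,
                           zlib.crc32(table))
    mbr = bytearray(SECTOR)
    mbr[510:512] = b"\x55\xaa"                # protective MBR signature
    img = bytes(mbr) + header(zlib.crc32(header(0))).ljust(SECTOR, b"\0")
    return (img + table + payload).ljust(total * SECTOR, b"\0")

def parse_gpt(img):
    """Parse the primary GPT at LBA 1; raise ValueError on a bad signature or
    CRC so that a damaged or tampered dump is not silently interpreted."""
    raw = img[SECTOR:SECTOR + 92]
    h = struct.unpack(HEADER_FMT, raw)
    if h[0] != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1")
    if zlib.crc32(raw[:16] + b"\0\0\0\0" + raw[20:]) != h[3]:
        raise ValueError("GPT header CRC mismatch")
    ent_lba, count, size, ent_crc = h[10], h[11], h[12], h[13]
    table = img[ent_lba * SECTOR:ent_lba * SECTOR + count * size]
    if zlib.crc32(table) != ent_crc:
        raise ValueError("partition table CRC mismatch")
    parts = []
    for i in range(count):
        ptype, _, first, last, _, name = struct.unpack(ENTRY_FMT, table[i * size:(i + 1) * size])
        if ptype != b"\0" * 16:                 # all-zero type GUID = unused slot
            parts.append({"name": name.decode("utf-16-le").rstrip("\0"),
                          "first_lba": first, "last_lba": last,
                          "data": img[first * SECTOR:(last + 1) * SECTOR]})
    return parts

def entropy(data):
    """Shannon entropy in bits per byte: ~8.0 for ciphertext, far lower for
    file-system structures and plaintext."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0

def analyze_image(img, threshold=7.5):
    """Return {partition name: (entropy, looks_encrypted)} for a raw dump."""
    report = {}
    for p in parse_gpt(img):
        e = entropy(p["data"])
        report[p["name"]] = (round(e, 2), e > threshold)
    return report

def sample_image():
    """A constructed dump: a plaintext boot partition and a random (i.e.
    encrypted-looking) userdata partition, as on an Android 7+ device."""
    rng = random.Random(1)
    return build_test_image([
        ("boot", b"ANDROID! constructed plaintext boot image " * 40),
        ("userdata", bytes(rng.getrandbits(8) for _ in range(8192)))])

if __name__ == "__main__":
    img = sample_image()
    print("sha256", hashlib.sha256(img).hexdigest())   # record before analysis
    for name, (h, enc) in analyze_image(img).items():
        print(f"{name:10s} entropy={h:.2f} {'likely encrypted' if enc else 'plaintext'}")
```

A partition that reports near 8.0 bits per byte will not yield anything to file-system carving without the decryption keys, which is the practical limit of chip-off on encrypted devices.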
5.3.6.3 Teel Technologies. The Teel Technologies Chip-Off Starter Kit is the way to go for someone looking for all of the basic tools needed for chip-off forensics. This starter kit features many essential components, bundled to help save money. They provide a variety of UP-828P adapters suited to a variety of smartphones and tablets. It includes items such as the TeelTech UP828P chip reader, UP-828P adapters, an SD chip reader kit, chip-off and JTAG workbench gear and a T-862++ IRDA rework station.

Figure 10 : Equipment used for Chip-Off

5.4 Micro Read

This process involves interpreting and viewing data on memory chips. Microchips consist primarily of silicon, which is obtained from sand. The process of making sand into silicon involves melting, cutting, polishing and grinding. The silicon is made into an ingot, or single-crystal cylinder, six to eight inches wide. The cylinder is then cut into wafers that measure less than one-fortieth of an inch thick. These wafers are pressed into various integrated circuit parts with the aid of computers. The circuit is coated with a layer of glass by exposing the silicon to temperatures of 900 degrees Celsius for an hour or longer. Afterward, the unit is coated in a nitride layer. A number of different textures are created in the circuits during this process. The connecting pins or leads are added during a process called bonding. The pins are made of either gold or tin. These pins are used to electrically connect the chips to the components they will form part of. The investigators use a high-powered electron microscope to analyze the physical gates on the chips and then convert the gate levels into 1s and 0s to discover the resulting ASCII code. This process is very expensive and time-consuming. It also requires thorough knowledge of hardware and file systems.

Due to the extreme technicalities involved in micro read, it should only be attempted for very high-profile cases equivalent to a national security crisis, after all other extraction techniques have been exhausted. The process is rarely performed and is not well documented at this time. There are currently no commercial tools available for micro read.

Figure 11 : Electron microscope image of silicon
The steps involved in micro read are as follows:-
5.4.1 Use a chemical process to remove the top layer of the chip.
5.4.2 Use a microscope to read the gates manually.
5.4.3 The next step involves the translation of the binary data to hex.
5.4.4 The last step is to translate the hex to data.

6. OTHER METHODS : ROOTING OR JAILBREAKING

Another, less destructive, method that can be used with some mobile devices is "rooting" or "jailbreaking". This process involves leveraging features of the OS to elevate the permissions and privileges of the running user (similar to the process of gaining "root" access on a Linux computer). This process is NOT considered a forensic technique, as it involves the modification of system files and can potentially damage the device, and so should be low on the list of techniques used. Notified forensic labs never resort to rooting or jailbreaking a device in order to extract the data, due to the legal implications involved.

The order of attempted extractions is important. Examiners should strive to conduct the examination method that is least destructive but yields the most data. This allows examiners to capture areas that might be damaged or overwritten at later stages. Methods of extraction such as JTAG and chip-off should only be considered as a last resort, especially chip-off, as the process can be destructive and unrecoverable. Generally, all forensic experts start from the easier and widely accessible data recovery methods and move on to the more demanding ones. Table 1 explains the different approaches to data recovery that can be applied during data extraction from mobile phones, varying from the normal user interface (UI) (i.e. via the phone's operating system) through to the most advanced tactics. Table 1 also highlights the degree of destruction required to perform each extraction technique and gives a brief description of that particular technique.
Skill level required | Type of extraction | Invasiveness | Method characteristics | Type of data extracted
Low | Manual inspection | Non-invasive | Manual navigation of the user interface | -
Low - Medium | Forensic imaging (COTS tools) | Non-invasive | Connecting the phone to the PC or dedicated forensic hardware via USB | Logical / File System / Physical
Medium - High | JTAG / eMMC ISP | Invasive and can be destructive | Connection to the TAP ports on the device motherboard | Physical
High | Chip-off | Invasive and destructive | De-soldering the memory chip from the PCB | Physical
Very High | Micro Read | Invasive and destructive | Using proprietary or custom-made tools to retrieve the data from the NAND flash directly, bypassing the controller | Physical

Table 1: Data recovery tactics performed during testing
8. EXPERIMENTAL RESULTS

A large number of devices were used in the lab, and the data extraction methods mentioned above, except JTAG, ISP, chip-off and micro read, were tried on them without opening the mobile phones. The results are given in Table 2.

9. CONCLUSION

Data extraction from mobile phones is a challenging task, and rapid changes in the field of mobile technology are posing a number of difficulties to every forensics professional today. OEMs are coming up with innovative ways of securing the data stored in the mobile phone, and LEAs are trying to overcome the enormous challenge of extracting the data from these sophisticated mobile phones. As the use of mobile phone extraction proliferates, whether by law enforcement or border security, the data from these devices will be used to challenge an individual, whether in criminal or civil proceedings and procedures. The delivery of justice depends on the integrity and accuracy of evidence and the trust that society has in it.
Ser No | Make and Model of Mobile Phone | Version | Patch Level | Logical / Adv Logical | File System | Physical | Tools Used | Remarks, if any
1 | OnePlus A6000 | | | Adv Logical | | | |
2 | Vivo 1601 | Android 6 | 03 May 2018 | | | Yes | |
3 | Vivo Z1 Pro | | | Adv Logical | | | UFED 4PC, XRY |
4 | Vivo V3 | | 01 Apr 2020 | Adv Logical | File System | | UFED 4PC, XRY |
5 | Vivo V17 (vivo1919) | Android 10 | 04 Jan 2020 | Adv Logical | | | UFED 4PC |
6 | Vivo V9 | Android 8.1.0 | Mar 2019 | Adv | File System | | UFED 4PC, XRY | APK Downgrade
7 | Vivo 1601 | Android 6 | 05 Mar 2018 | | | Yes | |
8 | Samsung Guru 1200 | | | | | Yes | |
9 | Samsung Duos | | | | | Yes | UFED 4PC, XRY |
10 | Samsung J7 | Android 6 | 04 Jan 2018 | | | Yes | UFED Touch2 | Decrypted Boot Loader
11 | Samsung A750F | Android 9 | 9 May 2019 | | | Yes | UFED 4PC |
12 | Samsung Galaxy S7 Edge | Android 8 | Nov 2019 | | | Yes | UFED 4PC |
13 | Samsung S7 Edge | | | | | Yes | UFED 4PC |
14 | Lava Z60 | | | Adv Logical | | | UFED 4PC, XRY |
15 | Micromax X073 | | | | | Yes | UFED 4PC, XRY |
16 | Honor 9i (LLD-AL10) | | | Adv Logical | File System | | |
17 | Redmi Note 4 | Android 6 | 05 Jan 2017 | | | Yes | UFED 4PC |
18 | Redmi Note 6 Pro | | | Adv Logical | | | |
19 | Redmi Note 6 Pro | Android 8 | 01 Jan 2019 | | | Yes | UFED 4PC |
20 | Redmi Note 6 Pro | Android 9 | 04 May 2019 | | | Yes | UFED / XRY |
21 | Redmi Note 6 Pro | Android 8 | 01 Jan 2020 | | | Yes | UFED 4PC |
22 | Redmi 6 Pro | Android 9 | 05 May 2019 | | File System (APK downgrade) | | UFED 4PC |
23 | Redmi ME17G | Android 8 | 12 Jan 2018 | | | Yes | UFED 4PC |
24 | Redmi ME17G | Android 8 | 05 Sep 2019 | | File System (APK downgrade) | | UFED / XRY |
25 | Nokia 105 | | | | File System | | |
26 | Realme 2 Pro | Android 8 | 03 Ma 2019 | Adv Logical | | | |
27 | iPhone 5S | iOS 11.4.1 | | Adv Logical | | | UFED 4PC |
28 | JIO Mob (LYF) F220B | | | | | Yes | XRY |
29 | Realme 1801 | Android 9 | 12 May 2019 | Adv Logical | | | UFED 4PC |

Table 2 : Array of mobiles used and type of data extracted.