SMARTPHONE FORENSICS – 2

Greetz to dear readers,

Digital Forensics (4n6)🕵️‍♂️ has established itself as one of the emerging domains in information security, and smartphone forensics is one of its subsets: it refers to the investigation and acquisition of artefacts from mobile phones 📲


When we talk about mobile phone forensics, it depends on multiple aspects: what type of data and information we want to recover, the phone model, its damage status and encryption, and whether the data the analyst is looking for is still persistent or has been deleted from the mobile storage. There are many resources available to read about smartphone forensics. And at the end, rooting/jailbreaking the smartphone may be required to gain admin privileges for physical acquisition.


Src: https://xkcd.com/149/

Mobile Forensics guideline📔: https://d3pakblog.wordpress.com/2016/12/27/mobile-device-forensic-sop-guideline-1/

Well, this series focuses on some newer acquisition methods like JTAG, chip-off and ISP, which are used when commercial forensic extraction options cannot acquire a physical image or when a device is logically damaged or “bricked”. These methods are also used to extract data from screen-locked mobile devices.

👇Following are some snapshots that show the acquisition of a damaged smartphone (Samsung A3). In this case the phone is not working and is physically damaged, and the JTAG method was used for acquisition and analysis:

PS: A few snapshots of the following assessment were received from a data recovery laboratory (Codice Pin Data Recovery).

[Snapshots 1–15 of the JTAG assessment are not reproduced here.]

Ultimately, the goal for the mobile-device forensic examiner is to obtain a physical image of the memory chip of the mobile device. And while bit-by-bit acquisition support from the commercial tools is increasing today, in many instances such a physical dump cannot be accomplished without direct access to the memory chip. The majority of JTAG engagements involve Android phones which are pattern locked and cannot be bypassed by other means.

Challenges in Mobile Forensics😥: https://d3pakblog.wordpress.com/2017/01/07/challenges-in-mobile-forensics/

JTAG

JTAG (Joint Test Action Group) forensics is an advanced-level data acquisition method. JTAG is an industry standard devised for testing printed circuit boards (PCBs) using boundary scan, designed to quickly and easily test PCBs coming off a manufacturing assembly line. JTAG forensics builds on that same standard: it involves connecting to the Test Access Ports (TAPs) on the PCB via solder, molex connector or jig, then using a supported JTAG box (Riff, Z3X, ATF, etc.) to instruct the processor to read out the raw data stored on the connected memory chip, yielding a full physical image of the device. This process is non-destructive to the phone. The JTAG method can commonly be used to extract data from video gaming systems, tablets and network devices as well.

Chip-Off

Chip-off forensics is the process in which the BGA memory chip is removed from a device and prepared so that a chip reader can acquire the raw data as a physical dump. A chip reader, such as the UP 828P Programmer or a SIREDA test socket, is required to perform the read, and in the case of the UP 828P a specific adapter is required depending on the chip. Unlike JTAG, chip-off is a destructive process, and the device will no longer function. Many examiners start with a non-destructive technique like JTAG or ISP before resorting to chip-off.

ISP

In-System Programming (ISP), applied to forensics, is the practice of connecting directly to an eMMC or eMCP flash memory chip for the purpose of downloading a device’s complete memory contents. eMMC and eMCP memory are the standards in today’s smartphones, and ISP enables examiners to recover a complete data dump without removing the chip or destroying the device. The ISP technique requires identifying the test points (taps) that connect to the memory chip using a multimeter; thus, for each evidence phone, a second identical phone that can be destroyed will be needed.
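Whichever of the three routes (JTAG, chip-off or ISP) produces the raw dump, the first steps on it are the same: hash the image for the chain of custody, then parse its GUID partition table to locate boot, system and userdata before any filesystem analysis. The Python below is an added example written for this post, not code from the original or from any of the tools named above; it builds a small constructed GPT image in memory as a stand-in for a real eMMC dump (a real dump also carries a backup GPT at the last LBA, omitted here) and verifies the header and array CRCs, which is also how an incomplete or corrupted read shows up.

```python
import hashlib
import struct
import uuid
import zlib
SECTOR = 512  # eMMC/eMCP dumps are addressed in 512-byte logical blocks (LBAs)
ENTRY = "<16s16sQQQ72s"  # GPT entry: type GUID, unique GUID, first LBA, last LBA, attrs, UTF-16LE name

def build_sample_image():
    """Constructed stand-in for a raw flash dump: MBR, GPT header, 4-slot array, 3 partitions."""
    layout = [("boot", 3, 10), ("system", 11, 30), ("userdata", 31, 62)]
    guid = lambda s: uuid.uuid5(uuid.NAMESPACE_DNS, s).bytes_le  # deterministic sample GUIDs
    arr = b"".join(struct.pack(ENTRY, guid(n + "-type"), guid(n), a, b, 0, n.encode("utf-16-le"))
                   for n, a, b in layout).ljust(SECTOR, b"\0")
    hdr = struct.pack("<8sIIIIQQQQ16sQIII", b"EFI PART", 0x00010000, 92, 0, 0, 1, 63, 3, 62,
                      guid("disk"), 2, 4, 128, zlib.crc32(arr))
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]  # header CRC over zeroed field
    mbr = bytearray(SECTOR)
    mbr[450], mbr[510:] = 0xEE, b"\x55\xAA"  # protective MBR: type 0xEE, boot signature
    return bytes(mbr) + hdr.ljust(SECTOR, b"\0") + arr + b"\0" * (61 * SECTOR)

def parse_gpt(image):
    """Validate the primary GPT header at LBA 1 and return the used partition slots."""
    hdr = image[SECTOR:2 * SECTOR]
    sig, _rev, hsize, hcrc = struct.unpack_from("<8sIII", hdr)
    if sig != b"EFI PART":
        raise ValueError("no GPT at LBA 1: not a full-flash dump, or wrong block size")
    if zlib.crc32(hdr[:16] + b"\0" * 4 + hdr[20:hsize]) != hcrc:
        raise ValueError("GPT header CRC mismatch: damaged header or incomplete read")
    ent_lba, n_ent, ent_size, acrc = struct.unpack_from("<QIII", hdr, 72)
    arr = image[ent_lba * SECTOR:ent_lba * SECTOR + n_ent * ent_size]
    if zlib.crc32(arr) != acrc:
        raise ValueError("partition array CRC mismatch")
    parts = []
    for i in range(n_ent):
        tguid, _uguid, first, last, _attrs, name = struct.unpack_from(ENTRY, arr, i * ent_size)
        if tguid == b"\0" * 16:
            continue  # unused slot
        parts.append({"name": name.decode("utf-16-le").rstrip("\0"), "first_lba": first,
                      "last_lba": last, "size_bytes": (last - first + 1) * SECTOR,
                      "type_guid": str(uuid.UUID(bytes_le=tguid))})
    return parts

def carve_partition(image, part):
    """Slice one partition (e.g. userdata) out of the dump for filesystem analysis."""
    return image[part["first_lba"] * SECTOR:(part["last_lba"] + 1) * SECTOR]

def image_sha256(image):
    """Acquisition hash, recorded before any analysis touches the dump."""
    return hashlib.sha256(image).hexdigest()
```

On a real dump the same parser locates the userdata partition by name, which is where the artefacts the examiner is after usually live.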

Conclusion📌

👉Read the basics of mobile technology and the architecture of Android and iOS. There are many indicators to collect info from. And again, if you are not able to access information from the phone itself, there are other sources to collect info from, like backups, cloud drives, Google sync etc.

Sources that might be helpful:

PS: Education purposes ≠ endorsement🙏
