Week 10 - Physical Acquisition & Chip Off Flashcards

1
Q

What is a physical acquisition?

A

Physical acquisition is obtaining a bit-for-bit copy of the device's flash memory (as opposed to a logical acquisition, which only collects what the running OS is willing to hand over).

Various considerations:
- make / model / OS version and network carrier restrictions (carrier-locked bootloaders, locked firmware)
- may require more than one technique to obtain the maximum amount of data
- may require jailbreak or root access
- open source and commercial options for tools
- disassembly may be required
- varying cost
- encryption will negate a physical acquisition: with full-disk or file-based encryption the dump is ciphertext, and it is only useful if the decryption keys can also be obtained

2
Q

Types of Physical Acquisition Tools / methods

A
  • Flasher tools
  • Boot loaders
  • JTAG
  • In-system programming (ISP) / direct eMMC
  • chip off technique
3
Q

Flasher tools

A
  • these are not designed forensically - they are commercially developed (phone repair / unlocking market) from a non-forensic perspective
  • low cost
    - usually a mixture of hardware (box or dongle), software, drivers and cables
  • cables are often proprietary to each tool - need lots of cables
  • some are vendor specific, some support lots of devices
  • various user interfaces and technology / terminology with varying support levels
  • often come and go from the market quickly
  • output is a binary file of the flash memory for loading into a forensic tool

Because they are not developed from a forensic viewpoint they may not obtain everything (e.g. the spare / out-of-band area of raw NAND) and will have no built-in functionality for verification / hashing / validation / audit trail. The examiner's own work practices must supply these: hash the output immediately, record the tool, version, settings and time, and re-verify the hash before analysis. They are also unlikely to be write blocked, so the tool may write to the device during acquisition.

However the advantages are that they have a large worldwide market driving innovation, can have additional add-ons or acquisition support, a missing SIM or battery may not prevent acquisition, and device support is often quicker than with commercial forensic tools. Some can also bypass or read user-enabled codes (PIN / pattern / password).

A flasher tool usually connects to the engineering (service) port, and can sometimes connect to the data port if the device allows engineering traffic to run through the data port.
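Because a flasher tool hands back only a .bin file, the hashing, re-verification and audit trail have to come from the examiner's own practice. The following is an added example of that practice in Python; it is not code from the flashcards or from any flasher tool. The audit record layout, the tool name and the dump contents are this example's own constructions.

```python
"""Hash verification and audit trail for a flasher-tool dump.

Added example, not from the flashcards: a flasher tool typically emits only
a .bin file, so hashing, re-verification and the audit record are the
examiner's own work. The record layout and the tool name are this example's
own; the dump content is constructed.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so a multi-GB dump never has to fit in RAM


def hash_dump(path: Path) -> dict:
    """MD5 and SHA-256 of the file, plus its size (a cheap first sanity check)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as f:
        while chunk := f.read(CHUNK):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(), "size": path.stat().st_size}


def record_acquisition(dump: Path, log: Path, examiner: str, tool: str, notes: str = "") -> dict:
    """Hash the dump once, straight after acquisition, and append a JSON-lines audit record."""
    rec = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "dump": dump.name,
        "examiner": examiner,
        "tool": tool,
        "notes": notes,
        **hash_dump(dump),
    }
    with log.open("a", encoding="utf-8") as f:
        f.write(json.dumps(rec) + "\n")
    return rec


def verify_dump(dump: Path, log: Path) -> bool:
    """Re-hash the dump and compare with its most recent audit record; False if none exists."""
    records = [json.loads(line) for line in log.read_text(encoding="utf-8").splitlines() if line.strip()]
    mine = [r for r in records if r["dump"] == dump.name]
    if not mine:
        return False
    ref, now = mine[-1], hash_dump(dump)
    return all(now[k] == ref[k] for k in ("size", "md5", "sha256"))


def demo() -> tuple[bool, bool]:
    """Constructed run: record a fake dump, verify it, flip one byte, verify again."""
    with tempfile.TemporaryDirectory() as d:
        dump, log = Path(d) / "device_flash.bin", Path(d) / "acquisition_log.jsonl"
        dump.write_bytes(b"\xff" * 4096 + b"ANDROID!" + bytes(range(256)) * 16)  # constructed dump
        record_acquisition(dump, log, examiner="Examiner 1", tool="flasher box (hypothetical)",
                           notes="engineering port, battery removed")
        intact = verify_dump(dump, log)
        with dump.open("r+b") as f:  # simulate post-acquisition alteration of a single byte
            f.seek(4100)
            f.write(b"\x00")
        altered = verify_dump(dump, log)
    return intact, altered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Two hashes are recorded because tools and reports still differ on which one they quote; the size is recorded because a truncated read is the most common failure and it is visible before any hash is computed. Run the hash on the output file immediately, before it is copied anywhere, and keep the log file outside the case image directory.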

4
Q

Boot loaders

A

Boot loaders allow a method of unlocking and obtaining the device's memory - for SOME devices.

It is vendor / carrier / OS specific - some devices are supplied with the boot loader unlocked; if it is locked then a method must be found to unlock it before doing this. Unlocking the boot loader on most Android devices forces a factory reset of the userdata partition, so it is easy to wipe the evidence. Practise on a test device of the same make and model first.

It does this by booting the device into a custom recovery mode in place of the standard Android recovery. Ideally the custom image is booted from RAM rather than flashed over the recovery partition, so nothing is written to the device's flash.

Using a boot loader involves loading a small piece of code into the device RAM to replace the normal boot loader for that boot only.

Does not require root privileges in advance as these are usually supplied during the process (the custom image runs as root).

It does require the Android device to be in FASTBOOT MODE before it can be run.

Need to install the Android SDK Platform Tools (adb and fastboot) on a computer in order to communicate with the device.

Slow process, limited by the port speed of the device and of the computer it is connected to.

Some commercial forensic tools have developed their own boot loaders.

5
Q

Boot loading in certain Android devices (certain Qualcomm chips)

A

A special boot mode can be enabled to allow direct access to the flash memory.

Qualcomm EDL Mode
* Emergency Download (EDL) mode
* Also called Deep Flash mode
* Also called 9008 mode, after the USB product ID (Qualcomm vendor ID 05c6, product ID 9008) the device enumerates with while in it
* Unique to certain Qualcomm chips
* Two protocols are used: Sahara, over which the host sends a programmer (loader) to the chip, and then Firehose, which that programmer speaks to read and write the flash. On devices with secure boot the programmer must be signed with the OEM's key, so reaching EDL mode is not enough without a matching loader.
* Various techniques to enable EDL mode:
- Button sequence (simplest)
- EDL cable (a USB cable that shorts a data line to ground at power-on)
- PCB test points short
- ADB reboot (adb reboot edl, where the firmware honours it)
- Device Manager

6
Q

What is JTAG (Joint Test Action Group)?

A

JTAG (IEEE 1149.1) is a standard for testing and debugging electronic devices, and it can be used to access the device's hardware directly through a set of pins (the test access port, TAP) on the device's circuit board. It was originally designed for testing and debugging circuit boards during manufacturing, but in mobile forensics it can be used to access the raw memory of a device even if the operating system or the software is inaccessible or damaged. On a phone the TAP pins are usually unlabelled test pads on the PCB: the examiner identifies them, wires them to a JTAG box, and uses the processor's debug access to read the flash.

7
Q

Why is JTAG useful forensically?

A
  1. It gives direct access to the raw data in the flash memory - bypassing the device OS and interfacing with the device's hardware directly.
  2. It can sometimes bypass security features like screen locks, because the lock is enforced by an OS that is not running.
  3. May be able to dump the entire memory including secure / encrypted storage - but encrypted regions are dumped as ciphertext and still need the keys to be useful.
  4. Can be used when the device is damaged and cannot be powered on normally, as long as the PCB, the processor and the memory are intact.

Output is a binary file of the full bit-for-bit memory.

8
Q

What is in-system programming (ISP) / direct eMMC?

A

ISP involves interfacing directly with the memory chip by soldering fine wires to test points, or to the eMMC's own pads, on the PCB (like JTAG, a soldered connection). Like JTAG the output is a binary file containing the full memory data.

It acquires the flash chip data using the same pin-out as if the chip had been removed (for eMMC: CMD, CLK, DAT0, VCC, VCCQ and GND) but without removing the chip from the PCB. The rest of the board is usually held unpowered so the device's own processor does not compete for the bus.

9
Q

What is the Chip Off technique?

A
  • Removal of the flash memory chip from the PCB (hot air or infrared rework station)
  • Clean the pads and repair / reball the solder balls
  • Place in a chip reader (socket or adapter matched to the chip package)
  • Read the flash contents (binary file) and hash it
  • Import the binary file into the analysis tool/s

Can be difficult to gain access to the chip (underfill, shielding, potting) - various tools can be used for chip removal.

Risk of destruction of the chip either as part of the removal (heat, warping, lifted pads) or as part of the data acquisition process. There is usually no second attempt, so the less destructive methods should be tried, or ruled out, first.

Some considerations before conducting chip off - because it is destructive:
* Processes
* People
* Training / accreditation
* Equipment
* Environment
* Chip Support (does the reader support this package and this memory type)
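JTAG, ISP and chip-off all end in the same place: a bit-for-bit binary that has to be imported into a tool. The following added example (Python, not code from the flashcards or from any forensic tool) shows the first two things a practitioner does with such a dump: locate the partitions by parsing the GPT at LBA 1, checking both CRCs so a partial or corrupt read is rejected rather than misread, and measure the entropy of each partition to flag the encrypted regions that card 1 warns about. The disk image is constructed in memory; every name and the partition layout are this example's own.

```python
"""Triage of a raw eMMC/UFS dump: locate partitions, flag ciphertext.

Added example, not from the flashcards. JTAG, ISP and chip-off all end in
the same place, a bit-for-bit binary, and the first questions are "where
are the partitions?" and "is what they hold readable or encrypted?". The
disk image is constructed in memory below; on a real dump pass the file
contents and the device's sector size (512 for most eMMC) to `triage`.
Every name here is this example's own.
"""
from __future__ import annotations

import math
import random
import struct
import uuid
import zlib
from collections import Counter

SECTOR = 512
HDR_FMT = "<8sIIIIQQQQ16sQIII"   # GPT header at LBA 1: 92 bytes
ENTRY_FMT = "<16s16sQQQ72s"       # one partition entry: 128 bytes
LINUX_DATA = uuid.UUID("0fc63daf-8483-4772-8e79-3d69d8477de4")  # Linux filesystem type GUID


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: close to 8.0 for ciphertext or compressed data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def parse_gpt(image: bytes, sector: int = SECTOR) -> list[dict]:
    """Return the used entries of the primary GPT, refusing a corrupt table."""
    hdr = image[sector:sector + 92]
    (sig, _rev, hsize, hcrc, _res, _cur, _bak, _first, _last, _dguid,
     elba, ecount, esize, ecrc) = struct.unpack(HDR_FMT, hdr)
    if sig != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1 (MBR-only, wrong sector size, or damaged dump)")
    # The header CRC covers the header with its own CRC field set to zero.
    raw = image[sector:sector + hsize]
    if zlib.crc32(raw[:16] + b"\0\0\0\0" + raw[20:]) != hcrc:
        raise ValueError("GPT header CRC mismatch: partial or corrupt acquisition")
    table = image[elba * sector:elba * sector + ecount * esize]
    if zlib.crc32(table) != ecrc:
        raise ValueError("partition entry array CRC mismatch")
    parts = []
    for i in range(ecount):
        tguid, _uguid, first, last, _attrs, name = struct.unpack(
            ENTRY_FMT, table[i * esize:i * esize + 128])
        if tguid == bytes(16):
            continue  # unused slot
        parts.append({"index": i, "name": name.decode("utf-16-le").rstrip("\0"),
                      "type_guid": str(uuid.UUID(bytes_le=tguid)),
                      "first_lba": first, "last_lba": last})
    return parts


def triage(image: bytes, sector: int = SECTOR, threshold: float = 7.5) -> list[dict]:
    """Add an entropy reading and an encrypted/plaintext verdict to each partition."""
    for p in (parts := parse_gpt(image, sector)):
        data = image[p["first_lba"] * sector:(p["last_lba"] + 1) * sector]
        p["entropy"] = round(entropy(data), 2)
        p["likely_encrypted"] = p["entropy"] >= threshold  # ciphertext without keys is not evidence
    return parts


def build_image() -> bytes:
    """Constructed 64-sector disk: a plaintext 'boot' and a ciphertext-like 'userdata'."""
    total = 64
    disk = bytearray(total * SECTOR)
    disk[510:512] = b"\x55\xaa"  # protective MBR signature only; its partition entry is omitted
    table = b""
    for i, (name, first, last) in enumerate([("boot", 8, 23), ("userdata", 24, 55)]):
        table += struct.pack(ENTRY_FMT, LINUX_DATA.bytes_le, uuid.UUID(int=i + 1).bytes_le,
                             first, last, 0, name.encode("utf-16-le"))
    table += bytes(2 * 128)  # two unused (all-zero) slots: 4 entries fill one sector at LBA 2
    hdr = struct.pack(HDR_FMT, b"EFI PART", 0x00010000, 92, 0, 0, 1, total - 1, 3, total - 2,
                      uuid.UUID(int=0xA).bytes_le, 2, 4, 128, zlib.crc32(table))
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]  # fill in the header CRC
    disk[SECTOR:SECTOR + 92] = hdr
    disk[2 * SECTOR:3 * SECTOR] = table
    disk[8 * SECTOR:24 * SECTOR] = (b"ANDROID!" + bytes(504)) * 16  # low entropy, recognisable
    rng = random.Random(1)  # deterministic stand-in for encrypted userdata
    disk[24 * SECTOR:56 * SECTOR] = rng.getrandbits(8 * 32 * SECTOR).to_bytes(32 * SECTOR, "little")
    return bytes(disk)


if __name__ == "__main__":
    for p in triage(build_image()):
        print(p)
```

The CRC checks matter more on a chip-off or ISP read than on a flasher dump: a bad read from a damaged chip often returns a plausible-looking header with scrambled entries, and a tool that trusts it will carve the wrong ranges. The entropy threshold is deliberately conservative; compressed images (boot, system) also read high, so a flagged partition means "look at the header bytes before assuming ciphertext", not "give up".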
