For the past couple of years we have successfully extracted data from numerous mobile devices, including mobile phones, smartphones, tablets, and so on. Among the devices submitted for analysis we came across faulty ones (damaged mechanically, by fire, or from being kept in harsh or hostile environmental conditions) from which electronic evidence still had to be extracted. We have developed several strategies for analyzing damaged mobile devices, which we would like to share with our colleagues.
Before analyzing a damaged mobile device, a forensic investigator should first establish exactly what is damaged in the unit. It is not at all necessary to desolder the memory chip immediately and perform further manipulations on it. Experience has shown that there are usually simpler ways of extracting data from damaged mobile devices.
The most typical defect in mobile devices submitted for forensic examination is a broken screen. In other words, the mobile device is functional but, because of the broken screen, does not display anything. Examining such devices presents no difficulty. To analyze mobile devices with a broken screen we use UFED (Cellebrite Mobile Synchronization LTD) and XRY (Micro Systemation). We create a physical memory dump of the mobile device and extract data (phonebook, calls, SMS messages, graphic files, videos, etc.) from it. Sometimes, when the available tools do not support creating a physical memory dump of the device, we perform a logical extraction of the data. In this case many forensic applications for mobile device examination can be used, for instance Oxygen Forensic Suite (Oxygen Software Company). You can also usually replace the broken screen with a new one. This makes the examination more expensive and time-consuming, but it is often the only possible solution (for example, when analyzing an Android device with the USB Debugging option disabled).
Sometimes, to extract data, we use specialized flasher tools (RIFF Box, Medusa Box, etc.) designed for mobile device repair. Such flasher tools work through the JTAG interface. Using them, you can extract data from mobile devices with corrupted system software or with data protected by a PIN.
Chip swapping. This approach consists in extracting the memory chip from the damaged mobile device and installing it in an identical, working device. In doing so you sidestep several difficult problems that you would have to face with the "Chip-Off" method: there is no need to know the type of controller the device uses to process the memory chip data, the page layout of the chip, the type and characteristics of the file system used by the device, the format in which data is stored (oh, once you have to decode a physical memory dump manually, you will see what we mean!), etc. The disadvantages of this approach include the need for a device (preferably two devices) identical to the one submitted for examination. Desoldering a chip is a rather complicated and laborious task. There is a risk of destroying data through heat or mechanical damage to the chip. You may also need equipment for reballing, for instance JOVY SYSTEMS JV-RKC, a kit for reballing BGA chips.
When using this approach, do not underestimate the possibility that, after the chip is swapped into the other device, all the data on the memory chip will be erased. This often happens when the memory controller is mounted on the system board as a separate chip. Structurally it usually looks like a sandwich: on one side of the system board there is the memory chip, on the other the memory controller chip.
So, if you have two identical devices that you can use as "donors", try swapping their memory chips and observe the device behaviour before examining the evidence device.
Where memory chip swapping leads to data loss, you should transfer both the memory chip and the memory controller from the damaged device to the donor device.
When analyzing a damaged device, pay attention to the construction of its system board. We once analyzed a Motorola V3 phone that had spent two years in the ground. The phone looked terrible. Oxidation had destroyed its casing and system board, and it did not work. However, after the phone was disassembled, it turned out that the system board consisted of several parts. The part of the system board carrying the memory chip had suffered the least from environmental exposure. To extract the data from this phone we bought an identical one at an online auction. We swapped the part of the system board carrying the memory chip in the purchased phone for the part extracted from the damaged phone and read the data.
If none of the approaches described above has helped, you will have to use the Chip-Off method.
An investigator who wants to extract data from a mobile device memory chip must follow four main steps:
1. Chip extraction
Chip extraction is a fairly simple job: it is enough to heat the chip with the hot-air stream from a soldering station and separate the chip from the system board. At this step it is very important not to overheat the chip (this can lead to data erasure) and not to damage it mechanically. Raise the temperature of the hot air gradually.
2. Extracting data from the memory chip
Our colleagues sometimes ask us, "Which flasher tool should be used to extract data from the memory chip of the ...?" The question is put wrongly. Mobile phone manufacturers may change the chipset of a mobile device even within a single production batch. In other words, if we have two mobile devices from the same batch, we cannot say with confidence that they use the same memory chips. That is why, without knowing which specific chip is used in the mobile device under examination, it is impossible to answer the question about the flasher tool, even if you know the phone model. Another piece of bad news is that a mobile device may have several memory chips. You need to find all of them.
3. Flash translation layer (FTL) reconstruction
This step is not difficult as long as you have a flasher tool with an adapter for the required BGA chip form factor. Finding such a flasher tool, however, is a real problem. We have had many discussions with colleagues about which flasher tool to buy for the Chip-Off technique. A good flasher tool with a large set of adapters for different BGA chip form factors can cost a fortune, and it is uneconomical to spend that much on equipment you will not use often. Consequently, we have reached a consensus that, when needed, we will rent such equipment from large service centres specializing in electronics repair.
4. Dump decoding
Dump decoding is a complicated job. The fundamentals of dump decoding are taught at training courses (for instance, those given by Cellebrite Mobile Synchronization LTD). Nevertheless, you should not expect to handle a physical dump of the phone under examination as easily as a training dump. If XRY (Micro Systemation) or UFED Physical Analyzer (Cellebrite Mobile Synchronization LTD) supports decoding a physical dump for the device you are analyzing, you can try to decode the extracted dump with these programs. It is more convenient to use UFED Physical Analyzer (Cellebrite Mobile Synchronization LTD), since it allows you to customize the sequence of processing actions applied to a physical dump and to write custom modules in Python for physical dump analysis.
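To make steps 3 and 4 concrete, here is an added example (not code from the original article or from any of the tools named above) of the two operations a raw NAND dump needs before a file system can be found in it: stripping the spare (OOB) areas and rebuilding the logical page order from the FTL tags, then scanning the rebuilt image for known artefact headers. The page size, spare size and the tag layout in the spare area are constructed assumptions; a real chip's layout must be taken from its datasheet or worked out from the dump itself.

```python
import struct
PAGE_DATA = 64     # constructed: user-data bytes per page (real NAND: 2048/4096)
PAGE_SPARE = 8     # constructed: spare/OOB bytes per page carrying FTL metadata
FREE_TAG = 0xFFFF  # spare tag of an erased page (NAND erases to all 0xFF)
SIGNATURES = {     # artefact headers worth locating in a rebuilt image
    b"SQLite format 3\x00": "SQLite database header",
    b"FAT32   ": "FAT32 boot-sector label",
}

def rebuild_logical(dump):
    """Strip spare areas, then order pages by the assumed FTL tag in the spare
    area (spare[0:2] logical page, spare[2:4] write sequence, little-endian);
    the newest sequence wins for a rewritten page and gaps are filled 0xFF."""
    stride = PAGE_DATA + PAGE_SPARE
    if len(dump) % stride:
        raise ValueError("dump length is not a whole number of pages")
    best = {}  # logical page -> (seq, data)
    for off in range(0, len(dump), stride):
        data, spare = dump[off:off + PAGE_DATA], dump[off + PAGE_DATA:off + stride]
        lpn, seq = struct.unpack_from("<HH", spare, 0)
        if lpn == FREE_TAG:
            continue  # erased page carries no data
        if lpn not in best or seq > best[lpn][0]:
            best[lpn] = (seq, data)
    image = bytearray(b"\xff" * PAGE_DATA * (max(best, default=-1) + 1))
    for lpn, (_, data) in best.items():
        image[lpn * PAGE_DATA:(lpn + 1) * PAGE_DATA] = data
    return bytes(image)

def find_signatures(image):
    """Return sorted (offset, label) hits for every known header in the image."""
    hits = []
    for magic, label in SIGNATURES.items():
        pos = image.find(magic)
        while pos != -1:
            hits.append((pos, label))
            pos = image.find(magic, pos + 1)
    return sorted(hits)

def build_sample_dump():
    """Constructed dump: pages written out of order, one stale rewrite, one free."""
    def page(data, lpn, seq):
        spare = struct.pack("<HH", lpn, seq).ljust(PAGE_SPARE, b"\xff")
        return data.ljust(PAGE_DATA, b"\x00") + spare
    return b"".join([
        page(b"old page 1", 1, 1),                    # superseded by seq 3
        page(b"SQLite format 3\x00\x10\x00", 0, 2),   # DB header at logical 0
        page(b"new page 1", 1, 3),
        b"\xff" * (PAGE_DATA + PAGE_SPARE),           # erased page
    ])
```

Running `find_signatures(rebuild_logical(build_sample_dump()))` locates the SQLite header at logical offset 0 even though it sat in the second physical page, which is exactly why signature scanning a raw dump before FTL reconstruction gives misleading offsets.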