
AccessData User Summit 2016, April 5th–7th, 2016, Lake Mary, FL. The Pros and Cons of JTAG and Chip Off Extractions.

Presentation transcript:

1 AccessData User Summit 2016, April 5th–7th, 2016, Lake Mary, FL. The Pros and Cons of JTAG and Chip Off Extractions

2 Mobile Extraction Classifications (NIST Publication 800-101, page 18)

3 Manual Extraction
- Interacting with the phone "as the user would"
- Pros!
  - Always supported if the device is unlocked
  - Minimal training
  - Great for demonstrative purposes in court: show the content as it appears
  - "Low cost" of equipment
- Cons!
  - ...you're interacting with the device...
  - Time consuming
  - Limited in the amount of information recovered

4 Logical Extractions
- Our terms start to get a little loose here...
- Two main types of logical extractions:
  - Logical
  - File system
- Logical Pros!
  - Wide support
  - Typically the output is human readable, "almost ready for delivery"
  - Because of the above points, minimal training required: "push button forensics"
- Logical Cons!
  - Only allocated records (SQLite queries)
  - Results are typically limited to "known applications"
  - Relies on app injection: space requirements (Android), "changing" the contents of storage, etc.

5 Logical Extraction – File System
- Pulls WHOLE files and directories... except when it doesn't
- Many tools refer to device backups (iTunes/iCloud, ADB Android) as a file system extraction. Backups may not be full file systems (limited extraction).
- Pros!
  - Full database extraction means a chance for deleted content
  - Chance to find "unknown" applications and data
- Cons!
  - Still no unallocated data
  - Root/jailbreak often required (more intrusive)
  - More training required for parsing metadata and new applications

6 Software "Physical"
- A bridge between logical and JTAG/Chip Off
- Pros!
  - Bit-for-bit copy of user partitions
  - Unallocated data (if not encrypted) may be accessible
  - Full directory and file listings typically returned
- Cons!
  - Support is limited and getting more rare
  - Intrusive (rooting and bootloader bypass/replacements)
  - More advanced training required for both extraction and analysis
  - Encryption, if present, may prevent analysis of unallocated data

7 Physical Extraction (JTAG)
- Joint Test Access Group (JTAG)
- We exploit JTAG methods/features for forensics.
[Diagram: storage chip and processor (OS/security); the normal USB command path goes through the processor, while JTAG TAPs send commands directly to the storage chip]

8 JTAG – Continued
- Pros!
  - Bypasses non-encryption-based security (passcodes, PINs, pattern)
  - Full bit-for-bit extraction of either the full chip, partitions, or a byte range
  - A lot of non-iOS devices are JTAG compatible
  - Non-destructive
  - Doesn't require any software modifications to the phone
- Cons!
  - Output is a raw binary file. File system/output support may be limited within forensic tools.
  - Higher level of skill and training, both in connection of JTAG and in analysis of the resulting binary file
  - If done incorrectly, may result in damage to the device or data beyond recovery

9 Not JTAG... but Similar: Direct eMMC
- In-System Programming (ISP) includes direct eMMC reads.
- Similar to JTAG: non-destructive, soldered wires, similar boxes/software and output.
- ...the differences:
- Pros!
  - Faster than JTAG
  - Not destructive
- Cons!
  - Requires knowledge of the processor pinout (often difficult to find)
  - May be difficult to find where the circuit surfaces on the PCB
  - MUCH smaller contact points to solder to (increased solder skill)
  - May require an increased monetary investment (test devices)
[Diagram: storage chip and the PCB surface contacts where the eMMC lines are tapped]

10 Direct eMMC (image slide)

11 Direct eMMC (image slide; courtesy: Joann Gibb, Ohio BCI)

12 Chip Off
- Accurately named... the method refers to the removal of the physical chip from the motherboard of the device, then reading the contents of the chip through specialized equipment called programmers.
- Also not natively a forensic process. The programmers used are "smaller" versions of what chip manufacturers use to configure, format and test their chips. ...we simply do it in reverse.

13 Chip Off – Continued
- Pros!
  - Captures a bit-for-bit image of the chip (includes system and spare areas)
  - "Most forensically sound" method. Closest to dead-box computer forensics: "just as it was"
  - Can be used on severely damaged devices
  - Device doesn't need to be powered or booted (JTAG often requires power/boot)
- Cons!
  - Device (not the chip) is destroyed in the process. No going back!
  - Significant monetary investment into equipment (continuing)
  - Requires a high level of training and practice (an art!)
  - Risk of damage to the chip due to high heat
  - Encryption still an issue
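Slides 8 and 13 both note that JTAG and chip-off produce a raw bit-for-bit binary that forensic tools may not parse directly. As an added example (not part of the deck), this Python script hashes such an image for the acquisition record and walks its MBR partition table, flagging partitions that run past the end of a truncated dump; the image itself is a constructed sample, not a real device dump.

```python
import hashlib
import struct

SECTOR = 512
# One MBR partition entry: status, CHS start (3), type, CHS end (3), start LBA, sector count
ENTRY = "<B3sB3sII"


def build_sample_image() -> bytes:
    """Constructed sample: an MBR with two partitions followed by 24 zeroed sectors."""
    mbr = bytearray(SECTOR)
    entries = [
        (0x00, 0x83, 1, 8),    # type 0x83 (Linux), LBA 1, 8 sectors
        (0x00, 0x0B, 9, 16),   # type 0x0B (FAT32), LBA 9, 16 sectors
    ]
    for i, (status, ptype, lba, count) in enumerate(entries):
        off = 446 + 16 * i
        mbr[off:off + 16] = struct.pack(ENTRY, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[510:512] = b"\x55\xAA"  # boot signature
    return bytes(mbr) + bytes(SECTOR * 24)


def image_digest(image: bytes) -> str:
    """SHA-256 of the whole raw image, recorded before any parsing touches it."""
    return hashlib.sha256(image).hexdigest()


def parse_mbr(image: bytes) -> list:
    """Return the non-empty MBR partition entries of a raw dump.

    Each entry reports whether it fits inside the captured image, so a partial
    byte-range read (or a truncated acquisition) is visible before carving."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xAA":
        raise ValueError("no MBR signature: image may be GPT-only, encrypted, or truncated")
    total_sectors = len(image) // SECTOR
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        _status, _, ptype, _, lba, count = struct.unpack(ENTRY, image[off:off + 16])
        if ptype == 0:
            continue  # unused slot
        parts.append({
            "index": i, "type": ptype, "start_lba": lba, "sectors": count,
            "within_image": lba + count <= total_sectors,
        })
    return parts


if __name__ == "__main__":
    img = build_sample_image()
    print("sha256:", image_digest(img))
    for p in parse_mbr(img):
        print(p)
```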

14 Chip Off – Example (image slide)

15 Chip Off – Example (image slide)

16 Chip Off – Continued (image slide)

17 Micro Read
- Use of an electron microscope to read the state of each gate individually to reconstruct the contents of the chip.
- Pros!
  - Accurate bit-for-bit (and in this case, bit-by-bit) copy of the storage chip
  - Can compensate for EXTREME damage to the device, and even some damage to the storage chip
- Cons!
  - Well... it's still theoretical. No known agencies doing it.
  - Extremely expensive
  - Extremely high level of training and proprietary knowledge needed
  - Time consuming (understatement)
