AccessData User Summit 2016 April 5 th – 7 th, 2016 Lake Mary, FL The Pros and Cons of JTAG and Chip Off Extractions.


Mobile Extraction Classifications (slide 2)
- NIST Publication, page 18 (figure)

Manual Extraction (slide 3)
- Interacting with the phone "as the user would"
- Pros!
  - Always supported if the device is unlocked
  - Minimal training
  - Great for demonstrative purposes in court: show the content as it appears
  - "Low cost" of equipment
- Cons!
  - …you're interacting with the device…
  - Time consuming
  - Limited in the amount of information recovered

Logical Extractions (slide 4)
Our terms… start to get a little loose…
- Two main types of logical extractions:
  - Logical
  - Filesystem
- Logical Pros!
  - Wide support
  - Typically the output is human readable, "almost ready for delivery"
  - Because of the above points, minimal training required: "push button forensics"
- Logical Cons!
  - Only allocated records (SQLite queries)
  - Results are typically limited to "known applications"
  - Relies on app injection: space requirements (Android), "changing" the contents of storage, etc.

Logical Extraction – File System (slide 5)
- Pulls WHOLE files and directories… except when it doesn't
- Many tools refer to device backups (iTunes/iCloud, ADB on Android) as a file system extraction (backups may not be full file systems; limited extraction)
- Pros!
  - Full database extraction means a chance for deleted content
  - Chance to find "unknown" applications and data
- Cons!
  - Still no unallocated data
  - Root/jailbreak often required (more intrusive)
  - More training required for parsing metadata and new applications

Software "Physical" (slide 6)
- A bridge between logical and JTAG/chip off
- Pros!
  - Bit for bit copy of user partitions
  - Unallocated data (if not encrypted) may be accessible
  - Full directory and file listings typically returned
- Cons!
  - Support is limited and getting more rare
  - Intrusive (rooting and bootloader bypass/replacements)
  - More advanced training required for both extraction and analysis
  - Encryption, if present, may prevent analysis of unallocated data

Physical Extraction (JTAG) (slide 7)
- Joint Test Access Group (JTAG)
- We exploit JTAG methods/features for forensics.
[Diagram: Storage Chip; Processor with OS/Security receiving cmd over USB; TAPs sending cmd to the Storage Chip]

JTAG – Continued (slide 8)
- Pros!
  - Bypasses non-encryption-based security (passcodes, PINs, pattern)
  - Full bit for bit extraction of either the full chip, partitions, or a byte range
  - A lot of non-iOS devices are JTAG compatible
  - Non-destructive
  - Doesn't require any software modifications to the phone
- Cons!
  - Output is a raw binary file; file system/output support may be limited within forensic tools
  - Higher level of skill and training, both in connecting JTAG and in analysing the resulting binary file
  - If done incorrectly, may result in damage to the device or data beyond recovery
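The first "con" above is the practical one: a JTAG or eMMC read hands you a raw binary, and the first analysis step is usually to find the partition table inside it before any forensic tool can mount a file system. The following added example (not code from the deck or from any vendor tool) builds a constructed 64 KiB raw dump carrying a real-format GPT with two invented partitions, "boot" and "userdata", then parses it the way an examiner would: check the signature, verify both CRC32 fields, list the entries, and carve one partition as a byte range. It assumes 512-byte sectors and the standard UEFI GPT header and entry layout; the disk and partition GUIDs are generated on the fly and the Linux filesystem type GUID is used only as a placeholder type.

```python
import struct
import uuid
import zlib

SECTOR = 512
HEADER_FMT = "<8sIIIIQQQQ16sQIII"   # 92-byte GPT header, UEFI layout
ENTRY_FMT = "<16s16sQQQ72s"         # 128-byte partition entry
# Placeholder partition type GUID (Linux filesystem data); real phones use vendor GUIDs.
LINUX_DATA_GUID = uuid.UUID("0fc63daf-8483-4772-8e79-3d69d8477de4")


def _entries_blob(parts, num_entries=128):
    """Pack (name, first_lba, last_lba) tuples into a zero-padded entry array."""
    blob = bytearray(num_entries * 128)
    for i, (name, first, last) in enumerate(parts):
        entry = struct.pack(ENTRY_FMT, LINUX_DATA_GUID.bytes_le, uuid.uuid4().bytes_le,
                            first, last, 0, name.encode("utf-16-le").ljust(72, b"\0"))
        blob[i * 128:(i + 1) * 128] = entry
    return bytes(blob)


def _header(current, backup, entries_lba, entries, first_usable, last_usable, disk_guid):
    """Build one GPT header sector; the header CRC is computed with its own field zeroed."""
    fields = [b"EFI PART", 0x00010000, 92, 0, 0, current, backup, first_usable,
              last_usable, disk_guid.bytes_le, entries_lba, 128, 128, zlib.crc32(entries)]
    fields[3] = zlib.crc32(struct.pack(HEADER_FMT, *fields))
    return struct.pack(HEADER_FMT, *fields).ljust(SECTOR, b"\0")


def build_sample_image(total_sectors=128):
    """Constructed raw dump: primary GPT at LBA 1-33, backup GPT in the last 33 sectors."""
    parts = [("boot", 34, 49), ("userdata", 50, total_sectors - 34)]
    entries = _entries_blob(parts)
    disk_guid = uuid.uuid4()
    img = bytearray(total_sectors * SECTOR)
    backup_entries_lba = total_sectors - 33
    img[SECTOR:2 * SECTOR] = _header(1, total_sectors - 1, 2, entries, 34,
                                     total_sectors - 34, disk_guid)
    img[2 * SECTOR:2 * SECTOR + len(entries)] = entries
    img[backup_entries_lba * SECTOR:backup_entries_lba * SECTOR + len(entries)] = entries
    img[(total_sectors - 1) * SECTOR:] = _header(total_sectors - 1, 1, backup_entries_lba,
                                                 entries, 34, total_sectors - 34, disk_guid)
    return bytes(img)


def parse_gpt(img, header_lba=1):
    """Validate the GPT header at header_lba and return the non-empty partition entries."""
    off = header_lba * SECTOR
    h = list(struct.unpack(HEADER_FMT, img[off:off + 92]))
    if h[0] != b"EFI PART":
        raise ValueError("no GPT signature at LBA %d" % header_lba)
    stored_crc, h[3] = h[3], 0
    if zlib.crc32(struct.pack(HEADER_FMT, *h)) != stored_crc:
        raise ValueError("GPT header CRC mismatch (damaged or tampered dump)")
    entries_lba, num, size, entries_crc = h[10], h[11], h[12], h[13]
    if size != 128:
        raise ValueError("unsupported partition entry size %d" % size)
    blob = img[entries_lba * SECTOR:entries_lba * SECTOR + num * size]
    if zlib.crc32(blob) != entries_crc:
        raise ValueError("partition entry array CRC mismatch")
    parts = []
    for i in range(num):
        type_guid, part_guid, first, last, _attrs, name = struct.unpack(
            ENTRY_FMT, blob[i * size:(i + 1) * size])
        if type_guid == b"\0" * 16:      # unused entry
            continue
        parts.append({"name": name.decode("utf-16-le").rstrip("\0"),
                      "type": str(uuid.UUID(bytes_le=type_guid)),
                      "guid": str(uuid.UUID(bytes_le=part_guid)),
                      "first_lba": first, "last_lba": last,
                      "size_bytes": (last - first + 1) * SECTOR})
    return parts


def carve_partition(img, part):
    """Slice one partition out of the raw dump as a byte range."""
    return img[part["first_lba"] * SECTOR:(part["last_lba"] + 1) * SECTOR]


if __name__ == "__main__":
    image = build_sample_image()
    for p in parse_gpt(image):
        print(p["name"], p["first_lba"], p["last_lba"], p["size_bytes"])
```

Two habits carried in the code matter on real dumps: the CRCs are verified rather than trusted, so a partial or corrupted read fails loudly instead of yielding a plausible-looking partition list, and the backup header at the last LBA is parsed with the same function, which is what you fall back to when the primary header sector of a damaged chip reads back as garbage.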

Not JTAG… but Similar: Direct eMMC (slide 9)
- In-System Programming (ISP) includes direct eMMC reads.
- Similar to JTAG: non-destructive, soldered wires, similar boxes/software and output.
- …different ->
- Pros!
  - Faster than JTAG
  - Not destructive
- Cons!
  - Requires knowledge of the processor pinout (often difficult to find)
  - May be difficult to find where the circuit surfaces on the PCB
  - MUCH smaller contact points to solder to (increased solder skill)
  - May require an increased monetary investment (test devices)
[Diagram: Storage Chip; PCB surface contacts]

Direct eMMC (slide 10, image)

Direct eMMC (slide 11, image)
Courtesy: Joann Gibb (Ohio BCI)

Chip Off (slide 12)
- Accurately named… the method refers to the removal of the physical chip from the motherboard of the device, then reading the contents of the chip through specialized equipment called programmers.
- Also not natively a forensic process. The programmers used are "smaller" versions of what chip manufacturers use to configure, format and test their chips. …we simply do it in reverse.

Chip Off Continued (slide 13)
- Pros!
  - Captures a bit for bit image of the chip (includes system and spare areas)
  - "Most forensically sound" method. Closest to dead-box computer forensics: "just as it was"
  - Can be used on severely damaged devices
  - Device doesn't need to be powered or booted (JTAG often requires power/boot)
- Cons!
  - Device (not the chip) is destroyed in the process. No going back!
  - Significant monetary investment into equipment (continuing)
  - Requires a high level of training and practice (an art!)
  - Risk of damage to the chip due to high heat
  - Encryption still an issue
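"Includes system and spare areas" is what makes a raw NAND chip-off image different from a JTAG or eMMC read: the programmer returns each page together with its spare (out-of-band) bytes, so the dump is not directly mountable until the spare areas are separated out. The example below is added here and is not code from the deck or from any programmer vendor. It constructs a small dump with an invented geometry of 512-byte pages and 16-byte spare areas (real parts use larger values that come from the chip datasheet), splits data from spare, flags pages that are fully erased (all 0xFF), and hashes the reassembled data area. The `build_sample_dump` and `split_nand_dump` names, and the sample page contents, are all invented for the demonstration.

```python
import hashlib


def build_sample_dump(page_size=512, spare_size=16, pages=4):
    """Constructed raw NAND dump: data then spare for each page; page 2 is erased."""
    out = bytearray()
    for n in range(pages):
        if n == 2:
            out += b"\xff" * (page_size + spare_size)   # erased page, data and spare
            continue
        data = (("user-data-page-%d|" % n).encode() * 64)[:page_size]
        # Invented spare layout: a 2-byte little-endian page tag, rest unused (0xFF).
        spare = n.to_bytes(2, "little") + b"\xff" * (spare_size - 2)
        out += data + spare
    return bytes(out)


def split_nand_dump(dump, page_size, spare_size):
    """Separate a raw dump into the contiguous data area and a per-page list of spare areas.

    Returns (data_bytes, spare_list, erased_page_numbers). A length that is not a
    whole number of pages means the assumed geometry is wrong, so refuse rather
    than silently misalign every page after the first.
    """
    stride = page_size + spare_size
    if len(dump) % stride:
        raise ValueError("dump length %d is not a multiple of page+spare (%d): check geometry"
                         % (len(dump), stride))
    data, spares, erased = bytearray(), [], []
    blank_data, blank_spare = b"\xff" * page_size, b"\xff" * spare_size
    for n in range(len(dump) // stride):
        page = dump[n * stride:(n + 1) * stride]
        d, s = page[:page_size], page[page_size:]
        if d == blank_data and s == blank_spare:
            erased.append(n)
        data += d
        spares.append(bytes(s))
    return bytes(data), spares, erased


def summarize(dump, page_size, spare_size):
    """Per-dump summary an examiner would record before handing the data area to a tool."""
    data, spares, erased = split_nand_dump(dump, page_size, spare_size)
    return {
        "pages": len(spares),
        "erased_pages": erased,
        "data_sha256": hashlib.sha256(data).hexdigest(),
    }


if __name__ == "__main__":
    sample = build_sample_dump()
    print(summarize(sample, 512, 16))
```

Stripping the spare area is only the first step: the spare bytes usually carry ECC and bad-block marks, and on many controllers the data itself is scrambled or ECC-protected, so the hashed data area above is the input to further decoding rather than a mountable file system. Recording the hash at this stage gives a verifiable checkpoint between the programmer's raw output and whatever tool parses it next.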

Chip Off – Example (slide 14, image)

Chip Off – Example (slide 15, image)

Chip Off Continued (slide 16, image)

Micro Read (slide 17)
- Use of an electron microscope to read the state of each gate individually to reconstruct the contents of the chip.
- Pros!
  - Accurate bit for bit (and in this case, bit by bit) copy of the storage chip
  - Can compensate for EXTREME damage to the device, and even some damage to the storage chip
- Cons!
  - Well… it's still theoretical. No known agencies doing it
  - Extremely expensive
  - Extremely high level of training and proprietary knowledge needed
  - Time consuming (understatement)