Chip Off/JTAG: the beginning of the end?
Posted: Tue Nov 20, 2012 1:25 pm
Service erasure
A group called www.tabernus.com/ who promote:
"Tabernus also provides erasure solutions for Mobile Phones, USB, SSD (solid state devices) & other types of Flash removable memory and many other data holding devices too!"
Software erasure
Of course, there is a comparison to mobile phone flash erasure available from www.blancco.com/us/era...artphones/
Device specific denied data access
Hardware Encryption: The iPhone 3GS and later, and all iPads, support built-in hardware encryption. All user data can be automatically encrypted in hardware at all times. This is used primarily for wiping the device rather than to stop attacks. Erasing the entire flash storage would be slow, so instead wiping works by destroying the encryption key, which instantly makes all user data inaccessible (Securosis).
More discussion - Mobile Flash Data Erasure - trewmte.blogspot.co.uk...asure.html
_________________
Institute for Digital Forensics (IDF) - LinkedIn
Mobile Telephone Examination Board (MTEB) - LinkedIn
Mobile Telephone Evidence & Forensics trewmte.blogspot.com
ForensicMobex now MTEB Linkedin Subgroup
-

trewmte - Senior Member
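Added example, not part of the original post or thread: the Python below triages a raw chip-off or JTAG dump page by page, separating physically erased pages, zero-overwritten pages, high-entropy pages (what is left behind when a wipe destroys only the encryption key) and pages that still hold structured data. The 2048-byte page size, the 7.5 bits-per-byte threshold and the sample dump are assumptions constructed for illustration; real dumps also carry spare/OOB bytes that must be stripped first.

```python
import hashlib
import math
from collections import Counter

PAGE_SIZE = 2048          # assumed NAND page size; real parts vary
ENTROPY_THRESHOLD = 7.5   # assumed cut-off in bits per byte


def shannon_entropy(page: bytes) -> float:
    """Bits per byte: 0.0 for a constant page, close to 8.0 for random data."""
    n = len(page)
    return -sum(c / n * math.log2(c / n) for c in Counter(page).values())


def classify_page(page: bytes) -> str:
    if page == b"\xff" * len(page):
        return "erased"        # NAND erased state: block erase, nothing to carve
    if page == b"\x00" * len(page):
        return "zeroed"        # overwritten by a sanitisation pass
    if shannon_entropy(page) >= ENTROPY_THRESHOLD:
        # Ciphertext looks like this, but so do compressed media files:
        # treat as "needs a key or further analysis", not as proof of encryption.
        return "high-entropy"
    return "structured"        # plaintext or file-system structures worth carving


def triage_dump(dump: bytes) -> dict:
    """Count page classes across a raw dump."""
    counts = Counter()
    for off in range(0, len(dump), PAGE_SIZE):
        counts[classify_page(dump[off:off + PAGE_SIZE])] += 1
    return dict(counts)


def build_sample_dump() -> bytes:
    """Constructed six-page dump, not taken from any real device."""
    erased = b"\xff" * PAGE_SIZE * 2
    # SHA-256 in counter mode stands in for ciphertext whose key is gone.
    stream = b"".join(hashlib.sha256(b"demo" + i.to_bytes(4, "big")).digest()
                      for i in range(3 * PAGE_SIZE // 32))
    text = (b"SQLite format 3\x00" + b"sms|+440000000000|meet at ten|" * 100)[:PAGE_SIZE]
    return erased + stream + text


if __name__ == "__main__":
    for label, pages in sorted(triage_dump(build_sample_dump()).items()):
        print(f"{label:13s} {pages} page(s)")
```

A dump that is almost entirely "erased" or "zeroed" points to sanitisation, while one dominated by "high-entropy" pages points to encryption at rest, which is the case where acquisition succeeds but yields nothing readable without the key.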
Re: Chip Off/JTAG: the beginning of the end?
Posted: Wed Nov 21, 2012 9:34 pm
Not yet, but close...
I have been trying to take apart molded USB devices that are a single piece. As in, no PCB, no chips visible, just one big chunk... horrible.
On the other hand we have had disk wiping tools for almost as long and disk imaging tools, right?
-

jhup - Senior Member
Re: Chip Off/JTAG: the beginning of the end?
Posted: Sat Nov 24, 2012 1:30 am
CHIPOFF: There will always be a need for the Chipoff process, not all phone makers will deploy the on-chip encryption; the cost factor still makes using NAND/eMMC etc type chips a cost effective way to store large amounts of data in a small space; need to get a true bit by bit image of an SSD drive?, well the regular forensic processes won't get that for you, chipoff is the only way to get that; other devices will still use flash memory like GPS units, PVR's, flash memory, gaming consoles, vehicle navigation systems, in fact, most electronics these days use NAND flash type chips for memory.
You mention wiping the encryption key, are you sure that key is totally gone? Might still be there and accessible with a Chipoff dump.......it is happening in a slightly different manner with other types of phones (-:
JTAG: Again, most items that have a mainboard, controller chip/CPU and flash type memory will have the ability to utilize the JTAG process. The Test Access Ports are present for a reason, the makers of the device want to test them before they leave the factory to ensure they are functioning properly, the Boundary Scan/JTAG process allows that. You can use the JTAG process on many types of devices including GPS units, PVR's, flash memory, gaming consoles, vehicle navigation systems.....sound familiar (-: There is talk of the newer CPU's disabling the JTAG path to the memory but to date, I have not seen this, in the end, you can still get to the memory with the Chipoff process.
Never give up Flasher Box, never give up on JTAG and especially, don't give up on the Chipoff techniques.
Coming from a firm believer!
B
-

sideshow018 - Senior Member
Re: Chip Off/JTAG: the beginning of the end?
Posted: Sat Nov 24, 2012 4:48 am
I think you may wish to re-read my post as in it I identify in the last paragraph my current view constrained to limited application at this moment in time. My observations might change with the creeping use in erasure/sanitisation methods/techniques that I am uncovering.
- sideshow018 wrote: CHIPOFF: There will always be a need for the Chipoff process, not all phone makers will deploy the on-chip encryption; the cost factor still makes using NAND/eMMC etc type chips a cost effective way to store large amounts of data in a small space; need to get a true bit by bit image of an SSD drive?, well the regular forensic processes won't get that for you, chipoff is the only way to get that; other devices will still use flash memory like GPS units, PVR's, flash memory, gaming consoles, vehicle navigation systems, in fact, most electronics these days use NAND flash type chips for memory.
How does this answer where no data is recovered after Chip Off and JTAG have been actioned?
I think if I had desired to bump up the crowd the use of collated stats etc can help do that e.g. such as the number of handsets/chips approximately populated in the market place where automated deletion, erasure and/or sanitisation conventions would have limited impact due to the design, construction and implementation of chips already in situ.
There are potentially billions of handset/smart phones out there where Chip Off and JTAG can or could work successfully. My editorial discussion didn't and doesn't deny that.
- sideshow018 wrote: You mention wiping the encryption key, are you sure that key is totally gone? Might still be there and accessible with a Chipoff dump.......it is happening in a slightly different manner with other types of phones
How does your point exclude what is already known and well documented about deleted 'keys'? My comments were adding to the various layers through which we have to slowly crawl in order to understand if revelation is possible.
You imply you have found something but do not identify which make/model or why? And this helps how?
In contrast, I have identified sources for materials, which I note you do not deny in your post that which those sources of information are stating/claiming(?).
- sideshow018 wrote: JTAG: Again, most items that have a mainboard, controller chip/CPU and flash type memory will have the ability to utilize the JTAG process. The Test Access Ports are present for a reason, the makers of the device want to test them before they leave the factory to ensure they are functioning properly, the Boundary Scan/JTAG process allows that. You can use the JTAG process on many types of devices including GPS units, PVR's, flash memory, gaming consoles, vehicle navigation systems.....sound familiar (-: There is talk of the newer CPU's disabling the JTAG path to the memory but to date, I have not seen this, in the end, you can still get to the memory with the Chipoff process.
Given my comments above, what is your point, exactly, in cases where the erasure/sanitisation of data has been successful?
- sideshow018 wrote: Never give up Flasher Box, never give up on JTAG and especially, don't give up on the Chipoff techniques.
Wow, what a training course slogan. It just needs to be finished off though with something like: "and be the best you can possibly be." But I wouldn't go further than that with something like "Wooo, High five!" as that could come across as a bit mawkish.
- sideshow018 wrote: Coming from a firm believer!
"The Bible shows the way to go to heaven, not the way the heavens go" Galileo
_________________
Institute for Digital Forensics (IDF) - LinkedIn
Mobile Telephone Examination Board (MTEB) - LinkedIn
Mobile Telephone Evidence & Forensics trewmte.blogspot.com
ForensicMobex now MTEB Linkedin Subgroup
Last edited by trewmte on Sat Nov 24, 2012 7:25 am; edited 1 time in total
-

trewmte - Senior Member
Re: Chip Off/JTAG: the beginning of the end?
Posted: Sat Nov 24, 2012 6:58 am
- jhup wrote: Not yet, but close... I have been trying to take apart molded USB devices that are a single piece. As in, no PCB, no chips visible, just one big chunk... horrible.
Something like this?:
www.flash-extractor.co...sh_remove/
it does look "horrible", I wonder if it's effective/working (and the probabilities of actually avoiding ruining the device for good)
jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -
-

jaclaz - Senior Member
Re: Chip Off/JTAG: the beginning of the end?
Posted: Sat Nov 24, 2012 3:50 pm
My post was more in response to the title of your post "Chip Off/JTAG: the beginning of the end?"
Very broad statement and does not really apply too much to the contents of your post. The title may give people the impression that both these processes are coming to an "end?". I am just enlightening people who may have read the title only and felt that both these processes are coming to an end when in fact they are not.
Judging by the way you responded to my post, it seems that I upset you with my response, I apologize for that, not my intention, I was only clarifying that both these processes are alive and well.
All the best,
B
-

sideshow018 - Senior Member
Re: Chip Off/JTAG: the beginning of the end?
Posted: Sun Nov 25, 2012 6:01 am
Oh crikey, it's not you who should apologise. Your post didn't inflame at all. Now being made aware how you're feeling sideshow018, it is for me to apologise. You see I didn't realise by putting direct questions to you it would provoke awkward feelings. I read your post as containing varying degrees of unclear comments about smart phones. My original post makes no mention of any other devices, as you have, as I didn't want to get involved in using other devices that could cloud what is happening with smart phones. Your replies don't acknowledge that the techniques and methods highlighted are happening. I believed you were more likely to have come across erasure/sanitisation and other ways that prevent data revelation given your work in the 'deleted' domain that you do. My mistake was believing that you are involved with others, so I am led to believe, providing expert and examiner training, inventing techniques and identifying methods of discovery for evidence. I believed you wouldn't be offended with direct questions that would equally show approaching limitations with Chip Off and JTAG in particular cases. For this, I am so sorry I made you feel uncomfortable.
To avoid any further misunderstandings you might perceive, I withdraw my questions to you. I hope you have no hard feelings on this.
--------------------------
To anyone else who has looked into this area do remember, from my own research and tests, I could still be shown to be wrong. I have no problem with discovery through trial and error. Other motivations to understand are also driven by the increasing guidance postulated in newer evidential criteria being introduced or implemented, such as:
- ISO/IEC 27037:2012, Information technology – Security techniques – Guidelines for identification, collection, acquisition, and preservation of digital evidence;
- and ISO17025 (http://en.wikipedia.org/wiki/ISO_17025)
- etc.
My questions are aimed at scraping off the surface of responses in order to understand a person's reply as to whether it is underpinned with fact, as opposed to particular comments which may be based upon personal hopes and idealism.
With methods/techniques being implemented into smart phones to erase, sanitise and prevent revelation, as they are on the increase, my analysis so far is that the scales are moving against Chip Off and JTAG with respect to the laws of diminishing returns of recovering deleted content from smartphones in particular cases. Because there has been an increase in these methods/techniques above the natural question arises how does this impact on evidence and is this the beginning, the beginning of the end [(?) question mark] using Chip Off and JTAG?
For clarity and avoidance of doubt the comments are directed to smart phones. I fully accept the term mobile phone will equally be used in an inter-changeable fashion.
_________________
Institute for Digital Forensics (IDF) - LinkedIn
Mobile Telephone Examination Board (MTEB) - LinkedIn
Mobile Telephone Evidence & Forensics trewmte.blogspot.com
ForensicMobex now MTEB Linkedin Subgroup
-

trewmte - Senior Member
















