ISP Extraction - Wo...
 
Notifications
Clear all

ISP Extraction - Worth Training For?

10 Posts
3 Users
0 Likes
1,561 Views
(@the_grinch)
Posts: 136
Estimable Member
Topic starter
 

Saw a couple emails for classes in ISP extractions and was wondering if it's worth doing? I've been trained in chip-off and didn't know if there were any advantages to being trained in ISP (other than not destroying the device in the process of a chip-off)? Also, are people doing a lot of ISP extractions?

 
Posted : 25/02/2019 3:29 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Only for the record (boy do I hate unexpanded/unexplained acronyms)

What is ISP?

ISP “In-System Programming” applied to forensics, is the practice of connecting to an eMMC or eMCP flash memory chip for the purpose of downloading a device’s complete memory contents. eMMC and eMCP memory are the standard in today’s smartphones, and the ISP practice enables examiners to directly recover the complete data without removing the chip and destroying the device.

ISP benefits the examiner who faces the challenges of tightening budgets, yet wants to expand their expertise in retrieving evidence from locked smartphones. A cost-effective technique, ISP provides examiners with the same results of a chip-off at a lower price-point.

And just like with JTAG and Chip-Off, your agency can still use its current line-up of forensic analysis software to recover that ’smoking gun’ piece of evidence. No need to purchase additional analysis software.

Courtesy of teeltech
http//www.teeltech.com/mobile-device-forensics-training/in-system-programming-for-mobile-device-forensics/
which BTW offers a 5 days course (reserved to LEO only) for a mere US$ 3,950.

jaclaz

 
Posted : 25/02/2019 5:44 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

Starting with Android 7.x, chip-off, JTAG and ISP won't get you other then a dump of the chip with encrypted userdata partition.

For most of the people this is a dead-end, but in reality a physical dump is very useful, even if the userdata partition is encrypted )

 
Posted : 26/02/2019 10:37 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

For most of the people this is a dead-end, but in reality a physical dump is very useful, even if the userdata partition is encrypted )

Care to share with us some examples of such usefulness? ?

jaclaz

 
Posted : 26/02/2019 2:14 pm
(@the_grinch)
Posts: 136
Estimable Member
Topic starter
 

My thought is, passcodeunlock would know best, if you get a physical of the device and can get the encryption keys from TEE you could then run a bruteforce against the image you have?

 
Posted : 26/02/2019 2:24 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

My thought is, passcodeunlock would know best, if you get a physical of the device and can get the encryption keys from TEE you could then run a bruteforce against the image you have?

Oh, noes roll .
https://en.wikipedia.org/wiki/Tee

jaclaz

 
Posted : 26/02/2019 4:34 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

the_Grinch is right, in certain situations the encryption keys can be found and used to decrypt the userdata partition.

 
Posted : 26/02/2019 5:13 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

the_Grinch is right, in certain situations the encryption keys can be found and used to decrypt the userdata partition.

Sure ) , and the issue is now swiftly shifted onto the meaning (or frequency of occurrence) of "certain situations".

jaclaz

 
Posted : 26/02/2019 5:45 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

To make it short, we got a 82% success rate over the last 5 years, out of almost 10000 devices. This is a strong base for calculating "certain situations". Please note that not all the devices we had were encrypted, but lately all are.

The success rate will decrease in time a bit, but still chip-off / JTAG / ISP is part of our life, I consider they are worth learning )

 
Posted : 26/02/2019 8:45 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

To make it short, we got a 82% success rate over the last 5 years, out of almost 10000 devices. This is a strong base for calculating "certain situations". Please note that not all the devices we had were encrypted, but lately all are.

The success rate will decrease in time a bit, but still chip-off / JTAG / ISP is part of our life, I consider they are worth learning )

Yep. )

That is actually the WHOLE point.

Vague data (particularly when aggregated) is and remains meaningless.

You provided data for a period that (roughly) covers

  • 4 years (please read as 80 %) where devices were largely[1] unencrypted and/or had anyway different access/imaging possibilities
  • 1 year (please read as 20 %) where devices were largely[2] encrypted and where no other access/imaging possibilities exist.

I am not particularly impressed by the 82% "historical" success rate, it seems to me more relevant to know (assuming the rough sustained average of 1 device per working day in the last 5 years) how many of the 20 or so devices you analyzed in the last month
1) Were encrypted
2) Were successfully unencrypted by post-processing after ISP extraction

jaclaz

[1][2] and a definition for "largely" is still needed

 
Posted : 27/02/2019 11:10 am
Share: