Chip Off/JTAG: the beginning of the end?

(@trewmte)
Posts: 1877
Noble Member
Topic starter
 

Chip Off/JTAG the beginning of the end?

Service erasure
A group called http://www.tabernus.com/ who promote

"Tabernus also provides erasure solutions for Mobile Phones, USB, SSD (solid state devices) & other types of Flash removable memory and may other data holding devices too!"

Software erasure

Of course, there is a comparison to mobile phone flash erasure available from http://www.blancco.com/us/erase-smartphones/

Device specific denied data access
Hardware Encryption: The iPhone 3GS and later, and all iPads, support built-in hardware encryption. All user data can be automatically encrypted in hardware at all times. This is used primarily for wiping the device rather than to stop attacks. Erasing the entire flash storage would be slow, so instead wiping works by destroying the encryption key, which instantly makes all user data inaccessible (Securosis).

More discussion - Mobile Flash Data Erasure - http://trewmte.blogspot.co.uk/2012/11/mobile-flash-data-erasure.html

 
Posted : 20/11/2012 11:25 pm
jhup
(@jhup)
Posts: 1442
Noble Member
 

Not yet, but close…

I have been trying to take apart molded USB devices that are a single piece. As in, no PCB, no chips visible, just one big chunk… horrible.

On the other hand, we have had disk wiping tools for almost as long as disk imaging tools, right?

 
Posted : 22/11/2012 7:34 am
sideshow018
(@sideshow018)
Posts: 84
Trusted Member
 

CHIPOFF: There will always be a need for the Chipoff process, not all phone makers will deploy the on-chip encryption; the cost factor still makes using NAND/eMMC etc type chips a cost effective way to store large amounts of data on a small space; need to get a true bit by bit image of a SSD drive?, well the regular forensic processes won't get that for you, chipoff is the only way to get that; other devices will still use flash memory like GPS units, PVR's, flash memory, gaming consoles, vehicle navigation systems, in fact, most electronics these days use NAND flash type chips for memory.

You mention wiping the encryption key, are you sure that key is totally gone? Might still be there and accessible with a Chipoff dump…….it is happening in a slightly different manner with other types of phones (-

JTAG: Again, most items that have a mainboard, controller chip/CPU and flash type memory will have the ability to utilize the JTAG process. The Test Access Ports are present for a reason, the makers of the device want to test them before they leave the factory to ensure they are functioning properly, the Boundary Scan/JTAG process allows that. You can use the JTAG process on many types of devices including GPS units, PVR's, flash memory, gaming consoles, vehicle navigation systems…..sound familiar (- There is talk of the newer CPU's disabling the JTAG path to the memory but to date, I have not seen this, in the end, you can still get to the memory with the Chipoff process.

Never give up Flasher Box, never give up on JTAG and especially, don't give up on the Chipoff techniques.

Coming from a firm believer!

B

 
Posted : 24/11/2012 11:30 am
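The two points above (a wipe that works by destroying the encryption key, and the question of whether that key is really gone from a chip-off dump) can be checked on a toy model. This is an added example, not code from any poster or vendor: the flash geometry, the SHA-256 keystream standing in for the hardware cipher, and every name in it are assumptions made for illustration. It shows that overwriting the key through the translation layer leaves the old key page in the raw dump, while erasing the physical key block does not.

```python
import hashlib

PAGE, PAGES_PER_BLOCK, KEY_LPAGE = 32, 4, 0      # constructed toy geometry
ERASED = b"\xff" * PAGE
SAMPLE_KEY = bytes(range(32))                     # constructed sample key
SAMPLE_PT = b"constructed user record 0001".ljust(PAGE, b".")

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the hardware cipher: SHA-256 counter keystream, not AES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

class Flash:
    """Toy NAND: writes land on a fresh page, erase works on whole blocks."""
    def __init__(self, blocks: int = 4):
        self.phys = [ERASED] * (blocks * PAGES_PER_BLOCK)
        self.map = {}                                        # logical -> physical
        self.cursor = {"key": 0, "data": PAGES_PER_BLOCK}    # block 0: key pages only

    def write(self, lpage: int, data: bytes) -> None:
        area = "key" if lpage == KEY_LPAGE else "data"
        p = self.cursor[area]
        self.cursor[area] += 1
        self.phys[p] = data.ljust(PAGE, b"\x00")
        self.map[lpage] = p          # the previous page is unmapped, not erased

    def read(self, lpage: int) -> bytes:
        return self.phys[self.map[lpage]]

    def erase_block(self, blk: int) -> None:
        start = blk * PAGES_PER_BLOCK
        self.phys[start:start + PAGES_PER_BLOCK] = [ERASED] * PAGES_PER_BLOCK

    def dump(self) -> list:
        return list(self.phys)       # chip-off view: every physical page

def provision(key: bytes = SAMPLE_KEY, plaintext: bytes = SAMPLE_PT) -> Flash:
    f = Flash()
    f.write(KEY_LPAGE, key)
    f.write(1, keystream_xor(key, plaintext))
    return f

def logical_wipe(f: Flash) -> None:
    f.write(KEY_LPAGE, b"\x00" * PAGE)     # overwrite via the translation layer

def block_erase_wipe(f: Flash) -> None:
    f.erase_block(0)                       # physically erase the key block

def key_survives(dump: list, ciphertext: bytes, known_pt: bytes) -> bool:
    """Sanitisation check: does any raw page still decrypt the stored data?"""
    return any(keystream_xor(page, ciphertext) == known_pt for page in dump)
```

In the block-erase case the ciphertext page is still present in the dump; only the means to read it is gone.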
(@trewmte)
Posts: 1877
Noble Member
Topic starter
 

I think you may wish to re-read my post as in it I identify in the last paragraph my current view constrained to limited application at this moment in time. My observations might change with the creeping use in erasure/sanitisation methods/techniques that I am uncovering.

CHIPOFF: There will always be a need for the Chipoff process, not all phone makers will deploy the on-chip encryption; the cost factor still makes using NAND/eMMC etc type chips a cost effective way to store large amounts of data on a small space; need to get a true bit by bit image of a SSD drive?, well the regular forensic processes won't get that for you, chipoff is the only way to get that; other devices will still use flash memory like GPS units, PVR's, flash memory, gaming consoles, vehicle navigation systems, in fact, most electronics these days use NAND flash type chips for memory.

How does this answer where no data is recovered after Chip Off and JTAG have been actioned?

I think if I had desired to bump up the crowd the use of collated stats etc can help do that e.g. such as the number of handsets/chips approximately populated in the market place where automated deletion, erasure and/or sanitisation conventions would have limited impact due to the design, construction and implementation of chips already in situ.

There are potentially billions of handset/smart phones out there where Chip Off and JTAG can or could work successfully. My editorial discussion didn't and doesn't deny that.

You mention wiping the encryption key, are you sure that key is totally gone? Might still be there and accessible with a Chipoff dump…….it is happening in a slightly different manner with other types of phones

How does your point exclude what is already known and well documented about deleted 'keys'? My comments were adding to the various layers through which we have to slowly crawl in order to understand if revelation is possible.

You imply you have found something but do not identify which make/model or why? And this helps how?

In contrast, I have identified sources for materials, which I note you do not deny in your post that which those sources of information are stating/claiming(?).

JTAG: Again, most items that have a mainboard, controller chip/CPU and flash type memory will have the ability to utilize the JTAG process. The Test Access Ports are present for a reason, the makers of the device want to test them before they leave the factory to ensure they are functioning properly, the Boundary Scan/JTAG process allows that. You can use the JTAG process on many types of devices including GPS units, PVR's, flash memory, gaming consoles, vehicle navigation systems…..sound familiar (- There is talk of the newer CPU's disabling the JTAG path to the memory but to date, I have not seen this, in the end, you can still get to the memory with the Chipoff process.

Given my comments above, what is your point, exactly, in cases where the erasure/sanitisation of data has been successful?

Never give up Flasher Box, never give up on JTAG and especially, don't give up on the Chipoff techniques.

Wow, what a training course slogan. It just needs to be finished off though with something like "and be the best you can possibly be." But I wouldn't go further than that with something like "Wooo, High five!" as that could come across as a bit mawkish.

Coming from a firm believer!

"The Bible shows the way to go to heaven, not the way the heavens go" Galileo

 
Posted : 24/11/2012 2:48 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Not yet, but close…

I have been trying to take apart molded USB devices that are a single piece. As in, no PCB, no chips visible, just one big chunk… horrible.

Something like this?
http://www.flash-extractor.com/manual/monolith_varnish_remove/
it does look "horrible", I wonder if it's effective/working (and the probabilities of actually avoiding ruining the device for good) ?

jaclaz

 
Posted : 24/11/2012 4:58 pm
sideshow018
(@sideshow018)
Posts: 84
Trusted Member
 

My post was more in response to the title of your post "Chip Off/JTAG the beginning of the end?"

Very broad statement and does not really apply too much to the contents of your post. The title may give people the impression that both these processes are coming to an "end?". I am just enlightening people who may have read the title only and felt that both these processes are coming to an end when in fact they are not.

Judging by the way you responded to my post, it seems that I upset you with my response, I apologize for that, not my intention, I was only clarifying that both these processes are alive and well.

All the best,

B

 
Posted : 25/11/2012 1:50 am
(@trewmte)
Posts: 1877
Noble Member
Topic starter
 

Oh crikey, it's not you who should apologise. Your post didn't inflame at all. Now being made aware how you're feeling sideshow018, it is for me to apologise. You see I didn't realise by putting direct questions to you it would provoke awkward feelings. I read your post as containing varying degrees of unclear comments about smart phones. My original post makes no mention of any other devices, as you have, as I didn't want to get involved in using other devices that could cloud what is happening with smart phones. Your replies don't acknowledge that the techniques and methods highlighted are happening. I believed you were more likely to have come across erasure/sanitisation and other ways that prevent data revelation given your work in the 'deleted' domain that you do. My mistake was believing that you are involved with others, so I am led to believe, providing expert and examiner training, inventing techniques and identifying methods of discovery for evidence. I believed you wouldn't be offended with direct questions that would equally show approaching limitations with Chip Off and JTAG in particular cases. For this, I am so sorry I made you feel uncomfortable.

To avoid any further misunderstandings you might perceive, I withdraw my questions to you. I hope you have no hard feeling on this.

————————–

To anyone else who has looked into this area do remember, from my own research and tests, I could still be shown to be wrong. I have no problem with discovery through trial and error. Other motivations to understand is also driven by the increasing guidance postulated in newer evidential criteria being introduced or implemented, such as

- ISO/IEC 27037:2012, Information technology – Security techniques – Guidelines for identification, collection, acquisition, and preservation of digital evidence;

- and ISO17025 (http://en.wikipedia.org/wiki/ISO_17025)

- etc.

My questions are aimed at scraping off the surface of responses in order to understand a person's reply as to whether it is underpinned with fact, as opposed to particular comments which may be based upon personal hopes and idealism.

With methods/techniques being implemented into smart phones to erase, sanitise and prevent revelation, as they are on the increase, my analysis so far is that the scales are moving against Chip Off and JTAG with respect to the laws of diminishing returns of recovering deleted content from smartphones in particular cases. Because there has been an increase in these methods/techniques above the natural question arises how does this impact on evidence and is this the beginning, the beginning of the end [(?) question mark] using Chip Off and JTAG?

For clarity and avoidance of doubt the comments are directed to smart phones. I fully accept the term mobile phone will equally be used in an inter-changeable fashion.

 
Posted : 25/11/2012 4:01 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

For clarity and avoidance of doubt the comments are directed to smart phones. I fully accept the term mobile phone will equally be used in an inter-changeable fashion.

It is nowadays a very thin line, but I believe it still exists.

As I see it "SmartPhones" are real "little sized" computers and the trend is to have them even more so, thus *anything* that is appearing on the market, one way or the other, tends to "mimic" what happens on "real" computers, and since the accent on security/privacy has been lately IMHO being increased, it is very likely that things such as "on the fly encryption" will be more common.
This makes sense also from a Commercial point of view, you have a device that already has a powerful processor and that you are trying to sell to customers (that largely already have a perfectly working mobile phone) by leveraging on the "added features" your product has when compared to the competitors, for some time it has been "touch screen", then it has been "touch screen with gestures", "security/encryption" while less evident to the eye, might well be next "added feature".

"Mobile phones" is IMHO a much broader definition that, while including the above, could be referred to millions or billions of much simpler (and cheaper) devices that are less likely to have this kind of feature (that has anyway a cost).

jaclaz

 
Posted : 25/11/2012 4:50 pm
(@trewmte)
Posts: 1877
Noble Member
Topic starter
 

Your observation is as good as any other observation primarily because mobile/smart phone is open to interpretation. In this regard you really can't go wrong, just use the term you think is most suited to the topic.

http://www.webopedia.com/DidYouKnow/Hardware_Software/2008/smartphone_cellphone_pda.asp
A smartphone is considered to be the combination of the traditional PDA and cellular phone, with a bigger focus on the cellular phone part. These handheld devices integrates mobile phone capabilities with the more common features of a handheld computer or PDA. Smartphones allow users to store information, e-mail, install programs, along with using a mobile phone in one device. A smartphone's features is usually more oriented towards mobile phone options than the PDA-like features. There is no industry standard for what defines a smartphone, so any mobile device that has more than basic cellphone capabilities can actually be filed under the smartphone category of devices.

http://en.wikipedia.org/wiki/Smartphone
http://en.wikipedia.org/wiki/Mobile_phone

Where it would change and specifics might be required are in patent cases, intellectual property disputes and precise definition required by a court or tribunal etc.

There are cellular mobile phone standards - as you know called mobile equipment (ME) and user equipment (UE) - see GSM, ETSI, 3GPP etc standards for the avoidance of doubt. However, none of those standards are smartphone standards, although I see plenty of 3GPP articles about smartphones and in particular relation to 3G HSPA/LTE, so there could be change in the future.

The reason a cellular telephone (aka mobile phone, smart phone etc) is not a computer at first instance is because it transmits rf emissions in licenced bands which are required to be lawfully authorised for use. A pda, laptop, PC etc without licenced RF usage do not occupy a place requiring lawful authorisation in the same context.

[As a slightly off topic point but again opens up discussion about interpretation I do remember some discussions with LE back in 2005/6 trying to decide an LE inhouse departmental political issue. If a laptop arrived with e.g. a GSM card inserted or integrated GSM chipset should the exhibit be sent for a computer lab examination or mobile phone lab examination? I think we are all still waiting for the answer as to what they settled on in the end.]

So if people want to use mobile/smart phone, whilst distinction could be made about capability of one device versus another it is not possible to deem a specific term 'must' be adhered to.

However, with relevance to the point for this thread, the later smartphones are the devices mostly referenced to erasure/sanitisation etc.

I would be interested in your observations jaclaz regarding the Tabernus/Blancco erasure/sanitisation claims?

 
Posted : 26/11/2012 12:44 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I would be interested in your observations jaclaz regarding the Tabernus/Blancco erasure/sanitisation claims?

Actually I have none (or none with some actual value/relevance).

The Tabernus looks like more like a "service company" than anything else.

The blancco seem to provide (among others) specific "smartphone" oriented data sanitizing software.

As often happens it is very difficult without analyzing the demos (if and whether those demos are actually representative of the "real" software) to distinguish between "actual performance" and "advertising jargon/themes".

What strikes me is the claim about number of "items" processable per day, like the 300 smartphones/day or the 75/100 hard disks (especially these latter).
Besides the fact that I find "rare" that someone has to process those numbers of devices, given the time that is needed to do a single SafeErase (which to my knowledge takes hours, not minutes, and is the fastest available approach) the only possible approach, to get 75-100 disks erased in a day is having before you 100 assembled and powered computers and initiating (by booting from CD/DVD) an Erase/Wipe session every 8*60/100=4.8 or 8*60/75= 6.4 minutes, which makes this theoretically highly specialized chore a "factory production line" where a "trained monkey" inserts/ejects CD's/DVD's or USB sticks and presses a few keys as fast as it can.
😯
I think I could be faster with 100 CD's or USB sticks of a bootable Linux minidistro with hdparm or with the CMRR SafeErase DOS bootdisk….

Personally I find this
http://www.blancco.com/us/products/erasure-kits/tool-kit/
a good example of a nice - but completely unlike "substantial" set (looks prevail over function).

Really nice looking, mind you, but what is the point?
Is there a need to disassemble the hard disk from the PC? (hence the flashlight and the multi-tool) or is there a need to boot from a CD/DVD or USB stick? (and then where is the "quadruple connection" IDE/SATA/FireWire/SCSI CD/DVD portable reader?)

Nice carbon fiber case, nice, good looking contents, but is that stuff actually *needed*?

My impression is that these guys have seen too many times "Mission Impossible" or similar "spy movies", possibly "Nikita"…

You know, something like

We have some precious data that no one should be able to access anymore….
Quick, call Victor "The Cleaner"…
And someone with a long coat, sunglasses and hat (and the carbon fiber case) appears at the premises within 5 minutes….

http://25.media.tumblr.com/tumblr_m986ouQdJo1rqm0xvo1_500.jpg

jaclaz

 
Posted : 26/11/2012 4:54 pm