For the last few years we have successfully extracted data from various mobile device, such as cell phones, smartphones, tablets, etc. Among devices to be examined, we came across defective mobile devices (damaged mechanically, by fire or due to being stored in harsh or hostile environmental conditions) from which digital evidence should also be extracted. We have developed several approaches to examining damaged mobile devices which we would like to share with our colleagues.
Fig. 1. A phone with a broken display.
Fig. 2. Nokia C1 that has been exposed to high temperatures.
Fig. 3. A phone that has been stored in harsh environmental conditions. The red indicator shows that the phone has water inside or has been stored in high humidity conditions.
Fig. 4. A phone with mechanical damage (© Aleksey Yakovlev).
Before examining a damaged mobile device, a forensic investigator must determine what exactly is damaged in the device. It is not necessary at all to desolder a memory chip at once and perform any further manipulations on it. Experience has proven that there are usually simpler solutions for extracting data from damaged mobile devices.
Let’s take a look at them.
The most common defect in mobile devices received for forensic examination is a broken display. That is, a mobile device is operational but, because of a broken display, doesn’t show any data. The examination of such mobile devices presents no problems. To examine mobile devices with a broken display, we use UFED (Cellebrite Mobile Synchronization LTD) and .XRY (Micro Systemation). We create a physical memory dump of a mobile device and extract data (a phone book, calls, SMS messages, graphic files, videos, etc.) from it. Sometimes, when available equipment doesn’t support creating a physical memory dump of a mobile device, we perform a logical extraction of data. In this case, a lot of forensic programs for mobile device analysis can be used. For example, Oxygen Forensic Suite (Oxygen Software Company). Moreover, you can always replace a damaged display with a new one. This makes the examination more expensive and time-consuming, but it is often the only possible solution (for example, when examining an Android device with USB Debugging system option disabled).
In some cases, to extract data, we use specialized flasher tools (RIFF Box, Medusa Box, etc.) designed for repairing mobile devices. Such flasher tools use JTAG interface for their work. Using specialized flasher tools, you can extract data from mobile devices which have damaged system software or information protected with a PIN.
Chip swapping. The method consists in extracting a memory chip from a damaged mobile device and installing it into an identical good device. In doing so, you solve several complex problems which would have to be faced should you decide to use a “Chip-Off” technique: there is no need to know the type of a controller used by the device to process memory chip data, the format of memory pages on the chip, the type and features of a file system used by the device, the format in which data is stored (Oh, as soon as you have to manually decode a physical memory dump, you’ll see what we mean!), etc. The drawbacks of the method include the need for a device (preferably two devices) which is identical to the one received for examination. Desoldering a chip is a very complex and laborious task. There is a risk of destroying data due to heat or mechanical damage to the chip. You may also need equipment for reballing. For example, JOVY SYSTEMS JV-RKC – a kit for reballing BGA chips.
When using this method, you cannot rule out the possibility that, after the chip is swapped in the device, all the data on the memory chip will be erased. This often happens when a memory chip controller is installed on the system board as a separate chip. As a rule, structurally it looks like a sandwich: on the one side of the system board there is a memory chip, on the other – a memory controller chip.
Therefore, if you have two identical devices which you can use as “donors”, try to swap their memory chips and look at the device behaviour before examining the device.
In cases where memory chip swapping results in data loss, you should place both the memory chip and the memory chip controller from the damaged device into the donor device.
When examining a damaged device, you should pay attention to the construction of its system board. We examined a Motorola V3 phone which had spent two years in the ground. The phone looked awful. Various oxides had damaged its housing and system board. It was out of order. However, after the phone had been disassembled, it was found that the system board consisted of several parts. A part of the system board, with a memory chip on it, had suffered from environmental exposure the least. To extract the data from this phone, we bought an identical one at an online auction. We swapped a part of the system board with a memory chip in the purchased phone for the part extracted from the damaged phone and read the data.
If none of the above described methods has helped, you’ll have to use a Chip-Off technique.
An investigator who wants to extract data from a mobile device memory chip must follow four main steps:
1) Chip extraction.
2) Extracting data from the memory chip.
3) Flash translation layer (FTL) reconstruction.
4) Dump decoding.
Let’s take a closer look at these steps:
Step 1. Chip extraction.
Chip extraction is a rather simple task: it is sufficient to heat the chip with a hot air stream from a soldering station and separate the chip from the system board. On this step, it is very important not to overheat the chip (this will result in data erasure) and damage it mechanically. Gradually rise the temperature of the hot air.
Step 2. Extracting data from the memory chip.
Our colleagues sometimes ask us, “What flasher tool should be used to extract data from a memory chip of a <mobile device model>?” The question is incorrect. Mobile phone manufacturers can change a chipset of mobile devices even when producing a single batch. That is, when we have two mobile devices from the same batch, we cannot say with confidence that they use identical memory chips. That is why, not knowing what particular chip is used in the mobile device to be examined, you cannot answer the question about the flasher tool, even if you are aware of the phone model. Another piece of bad news is that a mobile device can have several memory chips. You must find all of them.
This step is not difficult provided that you have a flasher tool with an adapter for a necessary type of BGA chip form factor. However, to find such a flasher tool is a great problem. We’ve had a lot of discussions with colleagues about what flasher tool to buy for a Chip-Off technique. A good flasher tool with a large number of adapters for various form factors of BGA chips can cost a fortune. It is unprofitable to spend so much on a device which you will not often use. As a result, we have reached a consensus that, if necessary, we’ll rent such equipment from huge service centres that specialize in electronics repair.
We’d also like to draw colleagues’ attention to the products EPOS FlashExtractor, from the Ukrainian company EPOS, and PC-3000 Flash, from the Russian company ACE Lab. These equipment kits contain adapters for connecting memory chips of various form factors. But you’ll have to solder chips in adapters provided by EPOS and ACE Lab. It is a very complex and laborious task.
Step 3. Flash translation layer (FTL) reconstruction.
FTL reconstruction consists in excluding service areas from memory pages and joining these pages correctly. The above mentioned products, EPOS FlashExtractor (EPOS) and PC-3000 Flash (ACE Lab), help a lot in solving tasks on this step. They have large knowledge bases about data storage structure in various types of memory chips and about various controllers used to manage data stored on chips. Using them, you can also perform FTL reconstruction manually.
We use the following test to assess the dump received at this stage. Any mobile device contains graphics files. These can be files created by users or files used by programs. We think FTL reconstruction has failed if we cannot recover graphics files (or image fragments) larger than 2 KB from the dump.
Step 4. Dump decoding.
Dump decoding is a complex task. Basics of dump decoding are taught at training courses (for example, provided by Cellebrite Mobile Synchronization LTD). However, you shouldn’t think that you’ll handle a physical dump of the phone to be examined as easily as you do a training dump. If XRY (Micro Systemation) or UFED Physical Analyzer (Cellebrite Mobile Synchronization LTD) supports decoding a physical dump for the device you are examining, then you can try to decode the extracted dump using these programs. It is easier to use UFED Physical Analyzer (Cellebrite Mobile Synchronization LTD), as it allows to customize action sequence when processing a physical dump and to write custom modules in Python for physical dump analysis. In addition, investigator’s work on this step is made much easier by the following programs: RevEnge (Sanderson Forensics), Phone Image Carver (GetData Pty Ltd), Cell Phone Analyzer (BKForensics).
With this, we finish the summary of methods and tools used to extract data from damaged phones. We hope this article has been useful for you.
|About the Author:||Igor Mikhaylov|
Independent law enforcement professional from Russian FederationInterests:Computer, Cell Phone & Chip-Off ForensicsContacting the Author:http://linkedin.com/in/igormikhaylovcfSite: http://www.weare4n6.com/