NIST Tests Forensic Methods For Getting Data From Damaged Mobile Phones

by Richard Press

Criminals sometimes damage their mobile phones in an attempt to destroy evidence. They might smash, shoot, submerge or cook their phones, but forensics experts can often retrieve the evidence anyway. Now, researchers at the National Institute of Standards and Technology (NIST) have tested how well these forensic methods work.

A damaged phone might not power on, and the data port might not work, so experts use hardware and software tools to directly access the phone’s memory chips. These include hacking tools, albeit ones that may be lawfully used as part of a criminal investigation. Because these methods produce data that might be presented as evidence in court, it’s important to know if they can be trusted.

“Our goal was to test the validity of these methods,” said Rick Ayers, the NIST digital forensics expert who led the study. “Do they reliably produce accurate results?”

The results of the NIST study will also help labs choose the right tools for the job. Some methods work better than others, depending on the type of phone, the type of data and the extent of the damage.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

The study addresses methods that work with Android phones. Also, the study covered only methods for accessing data, not decrypting it. However, they can still be useful with encrypted phones because investigators often manage to get the passcode during their investigation.

To conduct the study, NIST researchers loaded data onto 10 popular models of phones. They then extracted the data or had outside experts extract the data for them. The question was: Would the extracted data exactly match the original data, without any changes?

For the study to be accurate, the researchers couldn’t just zap a bunch of data onto the phones. They had to add the data the way a person normally would. They took photos, sent messages and used Facebook, LinkedIn and other social media apps. They entered contacts with multiple middle names and oddly formatted addresses to see if any parts would be chopped off or lost when the data was retrieved. They added GPS data by driving around town with all the phones on the dashboard.

Credit: R. Press/NIST
NIST computer scientist Jenise Reyes-Rodriguez uses the JTAG method to acquire data from a damaged mobile phone.

After the researchers had loaded data onto the phones, they used two methods to extract it. The first method takes advantage of the fact that many circuit boards have small metal taps that provide access to data on the chips. Manufacturers use those taps to test their circuit boards, but by soldering wires onto them, forensic investigators can extract data from the chips. This is called the JTAG method, for the Joint Task Action Group, the manufacturing industry association that codified this testing feature.

Chips connect to the circuit board via tiny metal pins, and the second method, called “chip-off,” involves connecting to those pins directly. Experts used to do this by gently plucking the chips off the board and seating them into chip readers, but the pins are delicate. If you damage them, getting the data can be difficult or impossible. A few years ago, experts found that instead of pulling the chips off the circuit board, they could grind down the opposite side of the board on a lathe until the pins were exposed. This is like stripping insulation off a wire, and it allows access to the pins.

“It seems so obvious,” said Ayers. “But it’s one of those things where everyone just did it one way until someone came up with an easier way.”

The chip-off extractions were conducted by the Fort Worth Police Department Digital Forensics Lab and a private forensics company in Colorado called VTO Labs, who sent the extracted data back to NIST. NIST computer scientist Jenise Reyes-Rodriguez did the JTAG extractions.

Credit: R. Press/NIST
Digital forensics experts can often extract data from damaged mobile phones using the JTAG method.

After the data extractions were complete, Ayers and Reyes-Rodriguez used eight different forensic software tools to interpret the raw data, generating contacts, locations, texts, photos, social media data, and so on. They then compared those to the data originally loaded onto each phone.

The comparison showed that both JTAG and chip-off extracted the data without altering it, but that some of the software tools were better at interpreting the data than others, especially for data from social media apps. Those apps are constantly changing, making it difficult for the toolmakers to keep up.

The results are published in a series of freely available online reports. This study, and the resulting reports, are part of NIST’s Computer Forensics Tool Testing project. Called CFTT, this project has subjected a wide array of digital forensics tools to rigorous and systematic evaluation. Forensics labs around the country use CFTT reports to ensure the quality of their work.

“Many labs have an overwhelming workload, and some of these tools are very expensive,” Ayers said. “To be able to look at a report and say, this tool will work better than that one for a particular case — that can be big advantage.”

This research was funded by NIST and the Department of Homeland Security’s Cyber Forensics Project. Background information is available on the CFTT website, and the JTAG and chip-off reports are available on the DHS website.

Leave a Comment

Latest Videos

In this episode of the Forensic Focus podcast, Desi and Si discuss different online programming courses and what they think about the popular platform, Udemy. They also talk about Flipper, Dev boards, and Raspberry Pi, and delve into the fascinating phenomenon of running the classic game Doom on unlikely devices.

Throughout the episode, Desi and Si share their digital forensics expertise, referencing some of the cases they have been working on and highlighting particular methodologies and technologies that have an impact on cybersecurity.

Show Notes:

100 Days of Code: The Complete Python Pro Bootcamp for 2023 - https://www.udemy.com/course/100-days-of-code/

Domestika - https://www.domestika.org/en

MIT OpenCourseWare - https://www.youtube.com/@mitocw 

MasterClass - https://www.masterclass.com/

Raspberry Pi 400 Complete Kit - https://core-electronics.com.au/raspberry-pi-400-kit.html

Flipper Discord - https://discord.com/invite/flipper

Flipper Zero - https://flipperzero.one/

This Programmer Figured Out How to Play Doom on a Pregnancy Test - https://www.popularmechanics.com/science/a33957256/this-programmer-figured-out-how-to-play-doom-on-a-pregnancy-test/

Here’s a dude playing Doom Eternal on his fridge - https://www.polygon.com/2020/10/13/21514933/doom-eternal-refrigerator-door-samsung-smart-refrigerator-xbox-game-pass-richard-mallard

Doom hacker gets Doom running in Doom - https://www.pcgamer.com/doom-hacker-gets-doom-running-in-doom/

Doom Running On A Calculator Powered By Old Potatoes - https://kotaku.com/doom-running-on-a-calculator-powered-by-old-potatoes-1845374069

GoldenEra - https://www.imdb.com/title/tt11753760/

Racing the Beam - https://en.wikipedia.org/wiki/Racing_the_Beam

High Score (TV series) - https://en.wikipedia.org/wiki/High_Score_(TV_series)

Microcontroller Courses (Udemy) - https://www.udemy.com/topic/microcontroller/

The story of Final Fantasy XIV’s renegade do-good modders - https://www.pcgamesn.com/final-fantasy-xiv/ffxiv-modders-renegade-do-gooders

Logical fallacies - https://yourlogicalfallacyis.com/

In this episode of the Forensic Focus podcast, Desi and Si discuss different online programming courses and what they think about the popular platform, Udemy. They also talk about Flipper, Dev boards, and Raspberry Pi, and delve into the fascinating phenomenon of running the classic game Doom on unlikely devices.

Throughout the episode, Desi and Si share their digital forensics expertise, referencing some of the cases they have been working on and highlighting particular methodologies and technologies that have an impact on cybersecurity.

Show Notes:

100 Days of Code: The Complete Python Pro Bootcamp for 2023 - https://www.udemy.com/course/100-days-of-code/

Domestika - https://www.domestika.org/en

MIT OpenCourseWare - https://www.youtube.com/@mitocw

MasterClass - https://www.masterclass.com/

Raspberry Pi 400 Complete Kit - https://core-electronics.com.au/raspberry-pi-400-kit.html

Flipper Discord - https://discord.com/invite/flipper

Flipper Zero - https://flipperzero.one/

This Programmer Figured Out How to Play Doom on a Pregnancy Test - https://www.popularmechanics.com/science/a33957256/this-programmer-figured-out-how-to-play-doom-on-a-pregnancy-test/

Here’s a dude playing Doom Eternal on his fridge - https://www.polygon.com/2020/10/13/21514933/doom-eternal-refrigerator-door-samsung-smart-refrigerator-xbox-game-pass-richard-mallard

Doom hacker gets Doom running in Doom - https://www.pcgamer.com/doom-hacker-gets-doom-running-in-doom/

Doom Running On A Calculator Powered By Old Potatoes - https://kotaku.com/doom-running-on-a-calculator-powered-by-old-potatoes-1845374069

GoldenEra - https://www.imdb.com/title/tt11753760/

Racing the Beam - https://en.wikipedia.org/wiki/Racing_the_Beam

High Score (TV series) - https://en.wikipedia.org/wiki/High_Score_(TV_series)

Microcontroller Courses (Udemy) - https://www.udemy.com/topic/microcontroller/

The story of Final Fantasy XIV’s renegade do-good modders - https://www.pcgamesn.com/final-fantasy-xiv/ffxiv-modders-renegade-do-gooders

Logical fallacies - https://yourlogicalfallacyis.com/

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_5f72B6DD5wk

Programming Languages, Flipper And Gaming

Forensic Focus 24th May 2023 11:43 am

In this episode of the Forensic Focus podcast, Si and Desi talk to Mackenzie Jackson, Developer Advocate at Git Guardian. 

Mackenzie discusses the problem of hard-coded and leaked credentials in Git repositories, the task of scanning Git repositories for leaked credentials, and how that’s helped by the setup of GitHub and Git. 

He also looks at some public and private cases of security breaches through Git repositories and recommends tools you can use to combat attackers on Git. 

Show Notes:

Toyota Suffered a Data Breach by Accidentally Exposing A Secret Key Publicly On GitHub (GitGuardian) - https://blog.gitguardian.com/toyota-accidently-exposed-a-secret-key-publicly-on-github-for-five-years/

GitHub.com rotates its exposed private SSH key (Bleeping Computer) - https://www.bleepingcomputer.com/news/security/githubcom-rotates-its-exposed-private-ssh-key/

Conpago - https://www.conpago.com.au/

Source Code as a Vulnerability - A Deep Dive into the Real Security Threats From the Twitch Leak (GitGuardian) - https://blog.gitguardian.com/security-threats-from-the-twitch-leak/

Teenagers Leveraging Insider Threats: Lapsus$ Hacker Group (Forbes) - https://www.forbes.com/sites/emilsayegh/2023/03/15/teenagers-leveraging-insider-threats-lapsus-hacker-group

Lapsus$: Oxford teen accused of being multi-millionaire cyber-criminal (BBC) - https://www.bbc.co.uk/news/technology-60864283

Dynamic Secrets (HashiCorp) - https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-dynamic-secrets

Crappy code, crappy Copilot. GitHub Copilot is writing vulnerable code and it could be your fault (GitGuardian) - https://blog.gitguardian.com/crappy-code-crappy-copilot/

trufflesecurity/trufflehog (GitHub) - https://github.com/trufflesecurity/trufflehog

gitleaks/gitleaks (GitHub) - https://github.com/gitleaks/gitleaks

Git (Wikipedia) - https://en.wikipedia.org/wiki/Git

awslabs/git-secrets (GitHub) - https://github.com/awslabs/git-secrets

In this episode of the Forensic Focus podcast, Si and Desi talk to Mackenzie Jackson, Developer Advocate at Git Guardian.

Mackenzie discusses the problem of hard-coded and leaked credentials in Git repositories, the task of scanning Git repositories for leaked credentials, and how that’s helped by the setup of GitHub and Git.

He also looks at some public and private cases of security breaches through Git repositories and recommends tools you can use to combat attackers on Git.

Show Notes:

Toyota Suffered a Data Breach by Accidentally Exposing A Secret Key Publicly On GitHub (GitGuardian) - https://blog.gitguardian.com/toyota-accidently-exposed-a-secret-key-publicly-on-github-for-five-years/

GitHub.com rotates its exposed private SSH key (Bleeping Computer) - https://www.bleepingcomputer.com/news/security/githubcom-rotates-its-exposed-private-ssh-key/

Conpago - https://www.conpago.com.au/

Source Code as a Vulnerability - A Deep Dive into the Real Security Threats From the Twitch Leak (GitGuardian) - https://blog.gitguardian.com/security-threats-from-the-twitch-leak/

Teenagers Leveraging Insider Threats: Lapsus$ Hacker Group (Forbes) - https://www.forbes.com/sites/emilsayegh/2023/03/15/teenagers-leveraging-insider-threats-lapsus-hacker-group

Lapsus$: Oxford teen accused of being multi-millionaire cyber-criminal (BBC) - https://www.bbc.co.uk/news/technology-60864283

Dynamic Secrets (HashiCorp) - https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-dynamic-secrets

Crappy code, crappy Copilot. GitHub Copilot is writing vulnerable code and it could be your fault (GitGuardian) - https://blog.gitguardian.com/crappy-code-crappy-copilot/

trufflesecurity/trufflehog (GitHub) - https://github.com/trufflesecurity/trufflehog

gitleaks/gitleaks (GitHub) - https://github.com/gitleaks/gitleaks

Git (Wikipedia) - https://en.wikipedia.org/wiki/Git

awslabs/git-secrets (GitHub) - https://github.com/awslabs/git-secrets

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_BX15Z_xF8mA

Preventing Data Leaks With Git Guardian

Forensic Focus 3rd May 2023 11:07 am

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feed settings page to add an API key after following these instructions.

Latest Articles

Share to...