
Chip off forensics - when and why?

22 Posts
11 Users
0 Reactions
6,289 Views
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

We are successfully doing chip-off acquisitions on BlackBerrys up to the new Z10s and Z30s with no issues, even the Classic; we have been doing chip-off on BlackBerry (even JTAG in those early days) since the early 8000 series, with only a few models giving us a problem.

Chip-off on Android phones has never been easier: less epoxy and less shielding present.

The only roadblock with each of these devices is the presence of encryption at times. We have only been seeing this with high-level crime groups who are using offshore BES; corporations using in-house encryption on in-house BESs; OS 7+ where the user has implemented on-device encryption; but for the most part, regular users are not implementing these measures. For Android, we will see this a bit more with the new OSes and chips coming out with encryption in place.
….

"From the very beginning, BlackBerries were secure. BlackBerry smartphones used full-disk encryption, making chip-off acquisition fruitless."

As I mentioned earlier, this is not totally accurate; we are seeing a lot of BlackBerry phones that are not encrypted. This process needs to be activated by the user and/or the admin of the BES and is not on by default. We can do ASCII keyword searches through our physical dumps and the data is all present in plain view.

"At this time, the only vector of attack on BlackBerry smartphones is accessing a BlackBerry backup file (or making the device produce a backup via BlackBerry Link),"

Not correct again; chip-off is still viable if all the stars are in line.

Maybe the usage of encryption is different in different countries, as well as the diffusion of the devices.

Here the ONLY reason why anyone (private/end user) would buy a BlackBerry is because of the encryption features, and the exact same reason applies to corporate users, where the IT personnel normally set it to on, with the net effect that it is extremely rare to see a non-encrypted BlackBerry (not that nowadays BlackBerries are very common anyway).

jaclaz


(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

This one hits me hard: "Most would agree that the golden age of mobile forensics is over."

Not over, just more challenging. I believe this same statement was made when Windows 7 came out with BitLocker; everyone was crying that the computer forensics world would end with BitLocker. Has that happened? No!

I agree with Bob and his well set out commentary.

There are so many avenues to examine under mobile forensics; chip-off is only one of them. There are simply too many handsets out there to throw in the towel merely because of the mention of encryption. Encryption still has to be proven on a case-by-case basis.

Moreover, with the introduction of handsets that have no USB/JTAG but large memory, chip-off might be the only option available, particularly where IIoC and other criminal activity is taking place… and that is without consideration of national security needs.

Furthermore, generating a physical image (where no JTAG is possible) has the capability to identify data that might not have been captured by other well-known tools.


(@v-katalov)
Trusted Member
Joined: 12 years ago
Posts: 52
 

"overprovisioned space will remain inaccessible."

In your research, have you determined if any user data is also found in this space? Is this like the bad sectors on the older NAND flash that may have contained older dated user data that could only be obtained through chip-off?

Or does the eMMC controller allow user data to be stored there, and does one require a process to gain access to these areas using chip-off, ISP or JTAG?

The answer is, "it depends". The overprovisioned area is just that: a number of additional storage blocks on eMMC chips that are not advertised as available storage capacity. These blocks don't have logical addresses (or physical addresses available to the OS); they cannot be addressed from outside the eMMC chip. In short, only the integrated eMMC controller has access to these blocks.

The content of those blocks can be any of the following:

1. Bad blocks. Each and every eMMC chip, with no exceptions, comes from the factory with a number of bad blocks. These are obviously mapped out. If any particular block of NAND flash becomes unstable (or reaches the maximum allowable number of write cycles), it will be placed into the overprovisioned area, and its address will be assigned to one of the healthy blocks from the overprovisioned area.

2. Trimmed (erased) blocks. These are commonly used by the controller as quick substitutes for 'dirty' blocks (the 'dirty' block is mapped out of addressable space and placed into the overprovisioned area, while a fresh block from the overprovisioned area gets the address previously assigned to the 'dirty' block).

3. 'Dirty' blocks waiting for their turn to be cleaned (trimmed, erased). Generally, these blocks have the special "do not care" status assigned to them; eventually, they will be erased, but there is no guaranteed timeframe, and the standard does not require the controller to erase them at any particular time. Whether (or when) these blocks are actually trimmed depends on the make and model of a particular eMMC chip, its controller, and the current read/write load.

#3 is the only situation in which overprovisioned blocks may contain user data. While we've never been able to examine a real physical dump of the flash chip (as opposed to those obtained via chip-off), my experience with SSD drives (which do contain individual chips that can be dumped one after another) tells me that there can be remnants of user data scattered around. Notably, this will be actual *user data* as opposed to system files (system files are read-only and are not normally moved or deleted unless there was a recent OTA/firmware update).

There is no process I am aware of that can be used to access data stored in the overprovisioned area.


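The block mapping described in the post above, as an added example that is not part of the original thread: a constructed toy flash-translation layer (not real eMMC firmware) in which a rewritten logical block leaves its old physical block 'dirty' in the overprovisioned pool, so a keyword that the controller-level logical image no longer contains still appears in a raw dump of the NAND until the controller erases it.

```python
# Toy flash-translation layer for case #3 above: rewriting a logical block
# parks the old physical block as 'dirty' until the controller erases it.

class ToyEmmc:
    def __init__(self, logical_blocks: int, spare_blocks: int):
        total = logical_blocks + spare_blocks
        self.data = [b""] * total                # raw NAND contents by physical index
        self.state = ["erased"] * total          # erased | live | dirty
        self.l2p = list(range(logical_blocks))   # logical address -> physical block
        self.spare = list(range(logical_blocks, total))  # erased blocks in the pool
        self.dirty = []                          # mapped-out blocks awaiting erase

    def write(self, lba: int, payload: bytes) -> None:
        """Out-of-place write: park the old block as 'dirty', map in a fresh spare."""
        old = self.l2p[lba]
        if self.state[old] == "live":
            self.state[old] = "dirty"
            self.dirty.append(old)
            self.l2p[lba] = self.spare.pop(0)
        self.data[self.l2p[lba]] = payload
        self.state[self.l2p[lba]] = "live"

    def trim_pending(self) -> int:
        """Background cleaning; the standard sets no deadline for when it runs."""
        for pb in self.dirty:
            self.data[pb] = b""
            self.state[pb] = "erased"
            self.spare.append(pb)
        count, self.dirty = len(self.dirty), []
        return count

    def logical_image(self) -> bytes:
        """What an acquisition through the controller (ISP, JTAG, eMMC chip-off) sees."""
        return b"".join(self.data[pb] for pb in self.l2p)

    def raw_nand_dump(self) -> bytes:
        """What reading the bare NAND dies behind the controller would return."""
        return b"".join(self.data)


def keyword_survives(trim_first: bool = False) -> dict:
    """Write, then 'overwrite' one logical block and look for the old text."""
    dev = ToyEmmc(logical_blocks=4, spare_blocks=2)
    dev.write(1, b"secret meeting at noon")    # constructed user data
    dev.write(1, b"nothing to see here")       # same logical block rewritten
    if trim_first:
        dev.trim_pending()
    needle = b"secret meeting"
    return {"logical": needle in dev.logical_image(),
            "raw_nand": needle in dev.raw_nand_dump(),
            "dirty_blocks": len(dev.dirty)}
```

Until the dirty block is trimmed the keyword is absent from the logical image but present in the raw NAND; after trimming it is gone from both.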
sideshow018
(@sideshow018)
Trusted Member
Joined: 19 years ago
Posts: 84
 

Thanks Vladimir, very good information, thanks for sharing… you have left us with a challenge.

See you at FT Days?

Cheers,

B


(@v-katalov)
Trusted Member
Joined: 12 years ago
Posts: 52
 

See you at FT Days?

Yep, we'll be there!


Igor_Michailov
(@igor_michailov)
Honorable Member
Joined: 20 years ago
Posts: 529
 

When does it become necessary to do chip-off forensics? Is it useful on iPhones?

Extracting data from a damaged iPhone via chip-off technique

http://www.weare4n6.com/extracting-data-from-a-damaged-iphone-via-chip-off-technique/


(@badgerau)
Trusted Member
Joined: 12 years ago
Posts: 96
 

Hi Igor,

Can you expand on which iPhone models are supported via chip-off? Is this process restricted to only certain models?

Thanks


SamBrown
(@sambrown)
Trusted Member
Joined: 11 years ago
Posts: 97
 

Yes, it would be interesting to know which iPhone model you used and what iOS version it was running.


Igor_Michailov
(@igor_michailov)
Honorable Member
Joined: 20 years ago
Posts: 529
 

Chip off technique in mobile forensics
http://www.weare4n6.com/chip-off-technique-in-mobile-forensics/


(@arcaine2)
Estimable Member
Joined: 9 years ago
Posts: 239
 

Out of curiosity, is there any hardware/reader for UFS-based memory chips available? Software-wise (parsing the dump and so on), I assume it doesn't differ from eMMC.

