Hi. This is my first post. I'm fairly new to working as an examiner (approx. 6 months now). I'm currently working a case where I received an Asus C201 Chromebook. The primary user account on the device is locked. Once I took the Chromebook apart, I was unfamiliar with the storage media.
After doing a little research, I think I found that the storage media used in the Chromebook is eMMC. My initial plan was to use a tool like Helix, boot into that, and image the drive from there. I haven't been able to boot into Helix at all. I've hit a wall. Several other forums I've looked at, people have said they were just not able to make an image with these kinds of devices. Another colleague I spoke with said there may be some type of adapter I can use.
I'd appreciate any help or recommendations. Please let me know if I can provide any more information.
Thank you! D D
Have not tried it on a Chromebook, but PALADIN forensic suite from https://sumuri.com/software/paladin/ have helped me a few times to image computers with drives that i dont have adapter for.
It seems to have support for many new chipsets and devices that CAINE and other distros i have tried dont manage to see.
Good Luck )
I am not sure to understand the question. ?
You have an emmc that you need to image?
Then sure you need an adapter for it.
Or are you going chip-off?
My initial plan was to use a tool like Helix, boot into that, and image the drive from there. I haven't been able to boot into Helix at all. I've hit a wall.
The basic thing to establish would be if the particular distribution you are planning to use can be booted on the target platform. Most distributions are for boot sequences that follow BIOS conventions, mainly 'read boot block into a fix position in memory and execute'. So question like 'is the boot block in the right place', and 'does it contain code that can execute at that predefined location'? And then, 'does the boot code need additional services (such as read block from device), and does it invoke them in the right way'?
Simplified, do you have BIOS or don't you?
In some situations we need add further questions what CPU is used? Does the distribution run on that CPU or not? For example, you mentioned Helix, which (still) seems to be 'A bootable forensically sound environment to boot any x86 system'. So next question is do you have a x86 system here or not?
Trusting to the 'net isn't always the best thing to do however, if I do, I find that the Chromebook you mentioned seems to runs on a Rockchip RK3288 CPU. Additional searches indicate that this is not a x86-compatible CPU at all, but rather an ARM CPU.
That means a different instruction set, so boot code need to use ARM instructions.
That might be an explanation why you couldn't boot Helix.
So basically, you need to start looking for a bootable environment that runs at least on ARM, but may very well need to be tailored for ARM Chromebook in particular (I hedge here, as I don't know ARM Chromebook from a boot-sequence point of view).
It's a bit of complication that Chromebooks are built on both x86 platforms AND on ARM platforms. Many instructions for running Linux just assume x86, so you need to be aware of that.
It seems a number of Linux distributions do run on the Chromebook ARM platform, but I leave the question if you can boot a live Linux on a Chromebook to others to answer it will depend on support chips, connectors, booting possibilities and more. It's likely to be technically possible, but I can't say if it is practical in the situation you are.
But then, eMMC usually means some kind of chip-off approach, which isn't eactly a walk in the park either, particularly not if you're not familar with hardware issues.
If this was a professional engagement, I would personally say "no, I can't handle this. Why not take it to someone who can chip-off the eMMC – that's probably more cost-effective. If you still need *me* to do it, I need to buy a second Acer C201 for tests and experiments, and I probably need something on the order of two weeks of such tests. Or I need training in chip-offing as well as the equipment necessary to do that. Anyway, I won't promise anything except best-effort."
I think your problem is with the Chromebook, not the eMMC. Chromebooks are very problematic if you don't have the password.
- You can't boot into any other environment without enabling "Developer Mode", but enabling this mode has the unfortunate side effect of wiping any data currently present.
- You can't remove the data storage on many Chromebooks, but even if you could the user data is encrypted.
It's possible that Developer Mode has been enabled by the user of your Chromebook, but it's unlikely since you say it's password protected. If you can't get that password then there's not much you can do.
I would love to be proved wrong and for my knowledge to be out of date, though )
Thank you all for your help! I really appreciate it, and it's given me some direction for now! Thank you again!