JTAG is really non-forensic method?

(@nebula)
Active Member
Joined: 16 years ago
Posts: 16
Topic starter  

I should bring JTAG to the table again. By chance, I read the thread "Feedback on UFED system" and, thanks to yunus' comment, I could think outside my box and came up with a new thought: "What is wrong with the JTAG method forensically?"

In advance, I would like to let potential readers know that I am not an engineer who knows JTAG technology in detail, nor the forensic industry, and I do not argue with anyone about what is right and wrong. Please do not try to argue with me in that sense. If you have a different thought, such comments are more than welcome. Otherwise, I am not going to respond to comments which intend to convince me of your thought.

In S.Korea, law enforcement has used the JTAG method to acquire data.
At first, when I read the article by Mr. Svein Willassen, "Forensic analysis of mobile phone internal memory", I thought that the JTAG method was the right way of acquiring and analyzing data. (For your reference, I added this paper: http://www.willassen.no/svein/pub/mobilememory.pdf) Then I started looking for more info and found out that JTAG has been considered a non-forensic method in this industry because of interfacing with mobile phones. (Probably those were not the correct terms here.)

Until the new thought struck me, it was true to me. However, I started thinking about it differently this time. In any industry, when experts need to make a new standard for an existing technology, it is created not because it has been true without doubt but because people in this industry promise to consider it a standard. In S.Korea, JTAG is the necessary tech for investigators to find out some data from mobile phones. Nobody doubts that JTAG is one of the forensic techs, at least in S.Korea.

Considering these facts, who could claim that JTAG is NOT a forensic method?


   
(@code_slave)
Trusted Member
Joined: 16 years ago
Posts: 61
 

Personally I consider both JTAG and boundary scan to be far more forensically sound than many other methods/systems, particularly the methods that rely on software packages to extract data.

I'm afraid I'm a bit of a hardware bigot, and unless I have the hardware under complete control, I have difficulty believing any other source of information.
However, JTAG/boundary scan is not the fabled philosopher's stone and in the wrong hands it can do significant damage to both credibility and evidence.
But when done correctly JTAG and boundary scan have complete control over the system (there may be issues related to DRAM refresh that have to be taken into consideration).
That said, ultimately it comes down to what the courts will accept; it's a bit like the 'flat earthers' of 400 years ago: courts specialise in legal aspects, not technical, and unfortunately many of the so-called experts called to advise the courts have their own 'axe' to grind.

Specifically, if certain techniques are moved towards then vast amounts of resources/training and equipment become useless. (In a manufacturing environment people have been using JTAG/boundary scan for over 30 years, and they have way more experience than many in the forensic field. Seems some forensic engineers forget WHO put the JTAG port there in the first place and WHY!!)

JTAG/boundary scan is the domain of hardware and to a certain extent software engineers, and this is a completely different field/mindset from forensics engineering.

There is a reasonable introduction:

Breeuwsma, I.M.F. (2006) Forensic imaging of embedded systems using JTAG (boundary-scan). Digital Investigation, Volume 3, Issue 1, Pages 32-42.

And I'm afraid if any of my engineers attacked a P.C.B. as per the paper you have (fig. 10), or indeed "re-balling" (5.6), I would be forced to cut their balls off.

C.


   
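The "complete control over the system" in the post above comes from the fact that the host drives every transition of the IEEE 1149.1 TAP state machine itself; the chip only responds to TMS/TDI on each TCK. The following is an added example, not code from the original post or from any forensic tool: it walks a simulated TAP through reset, reads the device's IDCODE, then loads BYPASS and shows the one-clock delay used to check a scan chain. The device model, its 4-bit instruction register, the opcodes 0b1110/0b1111 and the IDCODE 0x1ABCD057 are constructed assumptions; on real hardware clock() would toggle TCK/TMS/TDI on an adapter and sample TDO, and the opcodes would come from the device's BSDL file.

```python
"""Walk the IEEE 1149.1 TAP state machine against a simulated device.

Added example, not code from the original post or from any forensic tool. The
device model, its 4-bit instruction register, the IDCODE/BYPASS opcodes and
the IDCODE value 0x1ABCD057 are constructed assumptions.
"""

# TAP controller: state -> (next state if TMS=0, next state if TMS=1)
TAP_NEXT = {
    "TEST_LOGIC_RESET": ("RUN_TEST_IDLE", "TEST_LOGIC_RESET"),
    "RUN_TEST_IDLE": ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
    "SELECT_DR_SCAN": ("CAPTURE_DR", "SELECT_IR_SCAN"),
    "CAPTURE_DR": ("SHIFT_DR", "EXIT1_DR"),
    "SHIFT_DR": ("SHIFT_DR", "EXIT1_DR"),
    "EXIT1_DR": ("PAUSE_DR", "UPDATE_DR"),
    "PAUSE_DR": ("PAUSE_DR", "EXIT2_DR"),
    "EXIT2_DR": ("SHIFT_DR", "UPDATE_DR"),
    "UPDATE_DR": ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
    "SELECT_IR_SCAN": ("CAPTURE_IR", "TEST_LOGIC_RESET"),
    "CAPTURE_IR": ("SHIFT_IR", "EXIT1_IR"),
    "SHIFT_IR": ("SHIFT_IR", "EXIT1_IR"),
    "EXIT1_IR": ("PAUSE_IR", "UPDATE_IR"),
    "PAUSE_IR": ("PAUSE_IR", "EXIT2_IR"),
    "EXIT2_IR": ("SHIFT_IR", "UPDATE_IR"),
    "UPDATE_IR": ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
}


class SimulatedTap:
    """One device on the chain: 4-bit IR, 32-bit IDCODE register, 1-bit BYPASS register."""
    IDCODE_INSTR = 0b1110  # constructed opcodes; real ones come from the device's BSDL file
    BYPASS_INSTR = 0b1111

    def __init__(self, idcode):
        self.idcode = idcode
        self.state = "TEST_LOGIC_RESET"
        self.ir = self.IDCODE_INSTR   # 1149.1: reset selects IDCODE (or BYPASS)
        self.ir_shift = 0
        self.dr_shift, self.dr_len = 0, 1

    def clock(self, tms, tdi):
        """One TCK cycle: act on the current state, return TDO, then move on TMS."""
        tdo = 0
        s = self.state
        if s == "TEST_LOGIC_RESET":
            self.ir = self.IDCODE_INSTR
        elif s == "CAPTURE_DR":      # parallel-load the register the IR selects
            self.dr_shift, self.dr_len = (self.idcode, 32) if self.ir == self.IDCODE_INSTR else (0, 1)
        elif s == "SHIFT_DR":        # LSB out on TDO, TDI enters at the top
            tdo = self.dr_shift & 1
            self.dr_shift = (self.dr_shift >> 1) | (tdi << (self.dr_len - 1))
        elif s == "CAPTURE_IR":
            self.ir_shift = 0b0001   # 1149.1 requires the captured IR to end in ...01
        elif s == "SHIFT_IR":
            tdo = self.ir_shift & 1
            self.ir_shift = (self.ir_shift >> 1) | (tdi << 3)
        elif s == "UPDATE_IR":
            self.ir = self.ir_shift
        self.state = TAP_NEXT[s][tms]
        return tdo


def tap_reset(tap):
    """Five TCK with TMS=1 reach Test-Logic-Reset from any state."""
    for _ in range(5):
        tap.clock(1, 0)


def walk(tap, tms_bits):
    for b in tms_bits:
        tap.clock(b, 0)


def shift_register(tap, bits_in, nbits):
    """In Shift-DR/IR: shift nbits LSB first, raising TMS on the last bit to exit."""
    out = 0
    for i in range(nbits):
        out |= tap.clock(1 if i == nbits - 1 else 0, (bits_in >> i) & 1) << i
    return out


def scan_dr(tap, bits_in, nbits):
    """From Run-Test/Idle: Select-DR, Capture-DR, Shift-DR ... Exit1, Update, back to Idle."""
    walk(tap, [1, 0, 0])
    value = shift_register(tap, bits_in, nbits)
    walk(tap, [1, 0])
    return value


def load_instruction(tap, instr):
    """From Run-Test/Idle: load instr into the IR; returns the captured IR (ends ...01)."""
    walk(tap, [1, 1, 0, 0])
    captured = shift_register(tap, instr, 4)
    walk(tap, [1, 0])
    return captured


def read_idcode(tap):
    """Reset selects IDCODE, so one DR scan returns the 32-bit device ID."""
    tap_reset(tap)
    walk(tap, [0])
    return scan_dr(tap, 0, 32)


def decode_idcode(idcode):
    """Split a 1149.1 IDCODE: version[31:28], part[27:12], JEDEC manufacturer[11:1], 1."""
    return {"version": idcode >> 28, "part": (idcode >> 12) & 0xFFFF,
            "manufacturer": (idcode >> 1) & 0x7FF, "valid": bool(idcode & 1)}
```

Scanning a known pattern through BYPASS and seeing it come back delayed by exactly one clock per device is the standard way to confirm the chain is wired and the device count is right before any memory is touched. Note what the simulation does not model: what the target's memory does while the core is halted in test mode, which is the DRAM refresh concern the post raises and which has to be checked per device, not assumed.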
(@nebula)
Active Member
Joined: 16 years ago
Posts: 16
Topic starter  

Personally I consider both JTAG and boundary scan to be far more forensically sound than many other methods/systems, particularly the methods that rely on software packages to extract data.

I'm afraid I'm a bit of a hardware bigot, and unless I have the hardware under complete control, I have difficulty believing any other source of information.
However, JTAG/boundary scan is not the fabled philosopher's stone and in the wrong hands it can do significant damage to both credibility and evidence.
But when done correctly JTAG and boundary scan have complete control over the system (there may be issues related to DRAM refresh that have to be taken into consideration).
That said, ultimately it comes down to what the courts will accept; it's a bit like the 'flat earthers' of 400 years ago: courts specialise in legal aspects, not technical, and unfortunately many of the so-called experts called to advise the courts have their own 'axe' to grind.

Specifically, if certain techniques are moved towards then vast amounts of resources/training and equipment become useless. (In a manufacturing environment people have been using JTAG/boundary scan for over 30 years, and they have way more experience than many in the forensic field. Seems some forensic engineers forget WHO put the JTAG port there in the first place and WHY!!)

Nebula: Well! Reverse engineering came up because of necessity. It doesn't matter who put this there and why. What matters is how to utilize the existing tech for your goal.

JTAG/boundary scan is the domain of hardware and to a certain extent software engineers, and this is a completely different field/mindset from forensics engineering.

There is a reasonable introduction:

Breeuwsma, I.M.F. (2006) Forensic imaging of embedded systems using JTAG (boundary-scan). Digital Investigation, Volume 3, Issue 1, Pages 32-42.

And I'm afraid if any of my engineers attacked a P.C.B. as per the paper you have (fig. 10), or indeed "re-balling" (5.6), I would be forced to cut their balls off.

C.

Nebula: There is a jig fixture for JTAG in Korea. You don't need to worry about attacking the PCB directly.


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

And I'm afraid if any of my engineers attacked a P.C.B. as per the paper you have (fig. 10), or indeed "re-balling" (5.6), I would be forced to cut their balls off.

This brought back memories of my years in telecomms type approvals. One aspect of my work was to visit factories in Hong Kong and the New Territories and so on to check standards compliance, manufacturing, QA, PCB design, layout and manufacture, acoustics etc.

I remember dry-jointing was always a big problem with exported phones and answering machines etc. Returned goods in some of these factories used to get quite a backlog, and watching the components being stripped from boards and re-balled became quite an art form for some repair engineers, whilst others would be more at home with a crowbar to lever off the components and a hammer and masonry nail to put them back on again.

Mind you code_slave, the isolation on the board was a nightmare as VLSI hadn't fully kicked in back then. 2mm between the tracking on lacquered board, EMC tested, etc. etc. What is the track distance today? Some tracks are so close they look like you couldn't get a human hair between them.

Nebula, as for using JTAG, I'm not sure that using the psychological trick of claiming 'just because it is there it can help reach a goal' is helpful. It rather smacks of desperation and suggests 'well, if it wasn't there, we'd all be screwed'.


   
(@nebula)
Active Member
Joined: 16 years ago
Posts: 16
Topic starter  

And I'm afraid if any of my engineers attacked a P.C.B. as per the paper you have (fig. 10), or indeed "re-balling" (5.6), I would be forced to cut their balls off.

This brought back memories of my years in telecomms type approvals. One aspect of my work was to visit factories in Hong Kong and the New Territories and so on to check standards compliance, manufacturing, QA, PCB design, layout and manufacture, acoustics etc.

I remember dry-jointing was always a big problem with exported phones and answering machines etc. Returned goods in some of these factories used to get quite a backlog, and watching the components being stripped from boards and re-balled became quite an art form for some repair engineers, whilst others would be more at home with a crowbar to lever off the components and a hammer and masonry nail to put them back on again.

Mind you code_slave, the isolation on the board was a nightmare as VLSI hadn't fully kicked in back then. 2mm between the tracking on lacquered board, EMC tested, etc. etc. What is the track distance today? Some tracks are so close they look like you couldn't get a human hair between them.

Nebula, as for using JTAG, I'm not sure that using the psychological trick of claiming 'just because it is there it can help reach a goal' is helpful. It rather smacks of desperation and suggests 'well, if it wasn't there, we'd all be screwed'.

Well, my English doesn't reach you correctly. I don't mean 'because it is there……'. People in Korea consider JTAG one of the forensic methods because it is useful. It doesn't matter to me whether or not you regard it as a forensic one. At least in Korea, you can NOT deny that JTAG is forensic for sure.


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

Well, my English doesn't reach you correctly. I don't mean 'because it is there……'.

Nebula, your English is understood, so you communicate very well, thank you.

People in Korea consider JTAG one of the forensic methods because it is useful.

Which Korean people? To what Korean forensic standard do you refer, that JTAG is a forensic method approved in Korea?

It doesn't matter to me whether or not you regard it as a forensic one.

OK, I respect your opinion, but you did ask Forensic Focus forum members to comment; not everyone will automatically agree with you.

At least in Korea, you can NOT deny that JTAG is forensic for sure.

That remains to be proven, based upon whether you can demonstrate Korea has a 'forensic standard' for 'JTAG' that is forensically followed, and whether the Korean forensic community agrees with that standard.


   
(@nebula)
Active Member
Joined: 16 years ago
Posts: 16
Topic starter  

Well, my English doesn't reach you correctly. I don't mean 'because it is there……'.

Nebula, your English is understood, so you communicate very well, thank you.

People in Korea consider JTAG one of the forensic methods because it is useful.

Which Korean people? To what Korean forensic standard do you refer, that JTAG is a forensic method approved in Korea?

It doesn't matter to me whether or not you regard it as a forensic one.

OK, I respect your opinion, but you did ask Forensic Focus forum members to comment; not everyone will automatically agree with you.

At least in Korea, you can NOT deny that JTAG is forensic for sure.

That remains to be proven, based upon whether you can demonstrate Korea has a 'forensic standard' for 'JTAG' that is forensically followed, and whether the Korean forensic community agrees with that standard.

Did I ask you to reply to each sentence? Could you see what I am trying to say as a whole?

All police departments in Korea currently use JTAG. A forensic forum was held this year and JTAG was introduced to the forensic community as one of the useful forensic methods.

If you really love to reply to each sentence, no thanks. I am really O.K. with that. I guess that you did not get my point, or my explanation was not enough for you to get what I meant.

Of course, I am looking for comments from the community, however at least not comments like that.


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

Nebula, the purpose of splitting your sentences is not to upset you, but I do not see a problem in asking you about certain points you have stated.

I was merely enquiring whether you have a 'document' that is a forensic 'approved' standard or a written forensic 'approved' procedure in Korea that underpins your beliefs.

Perhaps I can add to my earlier comments by letting you know that there is no such document in the UK that 'approves' the use of JTAG as a forensic standard or forensic procedure.


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

JTAG Tutorial - http://www.trewmte.blogspot.co.uk/2012/09/jtag-tutorial.html


   
(@sideshow018)
Trusted Member
Joined: 19 years ago
Posts: 84
 

What process that we use is 100 percent forensically sound? None! You either have to turn the phone on, upload boot loaders, replace firmware, yada yada… In all these cases, just turning on the phone affects the, if I can use the word, "unallocated space", where wear leveling and garbage collection are altering data. The only way to avoid this is to use the chip-off process, where no power is introduced to the phone.

JTAG is no different; the phone is placed into a test mode to accomplish the acquisition. It is safe and non-destructive to the phone. This is the same for flasher box techniques.

The concern for us should be the logical user data: is that being altered by all these processes? We have validated the JTAG process and found that it does not alter any of the logical user data that existed on the phone before the acquisitions.

For more info: http://copgeek018.wordpress.com/

We will be bringing the Teel Tech Advanced JTAG class on the road in early 2013, watch for dates in the UK coming soon!

B


   
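The validation the post above describes, whether the acquisition altered logical user data while wear levelling and garbage collection churned unallocated space, reduces to comparing two reads of the same storage and mapping every difference onto the partition layout. The following Python is an added example, not code from the original post or from Teel Tech. The two 16-page images, the 512-byte page size and the two-region table are constructed; the 'before' image stands in for an unpowered (chip-off) read and the 'after' image for a JTAG read of the same device, and in a real validation the region table would come from the device's partition layout.

```python
"""Check whether an acquisition altered logical user data, page by page.

Added example, not code from the original post or from Teel Tech. The images,
the 512-byte page size and the two-region layout are constructed; in a real
validation 'before' would be an unpowered (chip-off) read and 'after' a JTAG
read of the same device, with regions taken from the partition layout.
"""
import hashlib

PAGE = 512  # compare at page granularity so each difference maps to one region


def page_hashes(image, page=PAGE):
    """SHA-256 of every page of the image, in order."""
    return [hashlib.sha256(image[i:i + page]).hexdigest() for i in range(0, len(image), page)]


def region_of(offset, regions):
    """Name of the region containing offset, or 'unmapped' if the table has a hole."""
    for name, (start, end) in regions.items():
        if start <= offset < end:
            return name
    return "unmapped"


def compare_acquisitions(before, after, regions, page=PAGE):
    """Whole-image hashes plus, per region, the indices of pages whose content differs.

    A length mismatch is reported as an error rather than silently truncated,
    because a short read is itself a finding that needs explaining.
    """
    if len(before) != len(after):
        raise ValueError("acquisitions differ in length: %d vs %d bytes" % (len(before), len(after)))
    diffs = {}
    for idx, (h1, h2) in enumerate(zip(page_hashes(before, page), page_hashes(after, page))):
        if h1 != h2:
            diffs.setdefault(region_of(idx * page, regions), []).append(idx)
    return {
        "before_sha256": hashlib.sha256(before).hexdigest(),
        "after_sha256": hashlib.sha256(after).hexdigest(),
        "differing_pages": diffs,
        "user_data_unchanged": "user_data" not in diffs,
    }


def build_sample(changed_pages):
    """Constructed 16-page image pair; 'after' has one byte flipped in each listed page."""
    before = b"".join(bytes([p]) * PAGE for p in range(16))
    after = bytearray(before)
    for p in changed_pages:
        after[p * PAGE] ^= 0xFF
    regions = {"user_data": (0, 8 * PAGE), "unallocated": (8 * PAGE, 16 * PAGE)}
    return before, bytes(after), regions


if __name__ == "__main__":
    b, a, r = build_sample([10])  # a page in unallocated space changed, as wear levelling would
    print(compare_acquisitions(b, a, r))
```

A difference confined to the unallocated region is the wear-levelling/garbage-collection effect the post describes; any differing page inside user_data fails the validation. The whole-image hashes alone cannot tell the two cases apart, which is why the comparison is done per page against a region map rather than by hashing the full dump.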