Chip off forensics - when and why?

Page 1 / 2
wotsits
(@wotsits)
Active Member

When does it become necessary to do chip-off forensics? Is it useful on iPhones?

Topic starter Posted : 05/07/2015 4:29 am
Igor_Michailov
(@igor_michailov)
Senior Member

Is it useful on iPhones?

It depends on the model of iPhones.

Posted : 06/07/2015 12:13 am
harshbehl
(@harshbehl)
Member

Since I work in a data recovery & forensics company, chip-off is one very useful and common phenomenon for us. We have clients who come with burnt, dead or unresponsive phones. Also we get cases from govt. agencies which require data from a suspect's phone at any cost. If those phones are not supported via UFED, MPE+, Oxygen or even JTAG, the only option we are left with is chip-off forensics.
I hope this helps you in understanding when and why chip-off forensics is used.

Posted : 06/07/2015 4:15 pm
v.katalov
(@v-katalov)
Member

Is it useful on iPhones?

It depends on the model of iPhones.

Absolutely useless on 64-bit devices (iPhone 5S, 6, 6 Plus) due to full disk encryption. Useless on all devices running iOS 8 due to encryption. Can be used on some very old iPhones running old versions of iOS.

Posted : 07/07/2015 1:13 am
v.katalov
(@v-katalov)
Member

when does it become necessary to do chip off forensics?

Basically, chip-off is the last resort after attempting physical acquisition (if available) and JTAG acquisition (if there is a JTAG port available). Generally, you would only want to chip-off an unencrypted device. Finally, since pretty much all recent smartphones use eMMC as internal storage, chip-off is not going to read the content of the flash chips directly. Instead, it'll work through the integrated eMMC controller, which in turn means that any overprovisioned space will remain inaccessible. We're just about to publish a whitepaper on this and related subjects in maybe a week or two.

Posted : 07/07/2015 1:18 am
wotsits
(@wotsits)
Active Member

Is it useful on iPhones?

It depends on the model of iPhones.

Absolutely useless on 64-bit devices (iPhone 5S, 6, 6 Plus) due to full disk encryption. Useless on all devices running iOS 8 due to encryption. Can be used on some very old iPhones running old versions of iOS.

What if you have the passcode, or the passcode is turned off: is chip-off still useless for these devices?

Topic starter Posted : 10/07/2015 7:36 pm
sam305754
(@sam305754)
Junior Member

There is a recent article available at http://articles.forensicfocus.com/2015/06/23/future-of-mobile-forensics/

I quote it: "In the case of Apple devices, Samsung phones and many other devices encryption is enforced out of the box and cannot be bypassed during or after chip-off acquisition even if the correct passcode is known. As a result, chip-off acquisition is limited to unencrypted devices or devices using encryption algorithms with known weaknesses."

So even if you have the password you cannot use it to decrypt your chip-off acquisition on recent models.

If there is no password it "is limited to unencrypted devices or devices using encryption algorithms with known weaknesses."
So it depends on the model and iOS version, I think.

Regards

Posted : 10/07/2015 8:17 pm
v.katalov
(@v-katalov)
Member

What about if you have the passcode or passcode turned off, is chip off still useless for these devices?

Unfortunately, yes. 64-bit Apple devices use secure encryption with a dedicated security chip that keeps the master key for protected encryption metadata. A special communication path is dedicated for the security chip. The master key cannot be extracted via chip-off or during physical acquisition, even if the device is jailbroken. All this effectively limits acquisition options available for 64-bit iOS devices to logical or over-the-air acquisition. Basically, your best option (if you know the passcode or if there is no passcode) would be making the device produce a password-protected (!) backup with a known password. (A password-protected backup will contain more accessible information than a backup without a password, e.g. keychain data).

Posted : 13/07/2015 5:02 pm
sideshow018
(@sideshow018)
Member

There is a recent article available at http://articles.forensicfocus.com/2015/06/23/future-of-mobile-forensics/

Regards

This is a great white paper from the crew at Belkasoft, but there are some misleading statements in the contents, probably not intended, just the way it reads.

"There is no longer an easy way to get through the passcode in new iOS devices running the latest version of iOS."

In fairness to the crew at Belkasoft, at the time of this writing this may have been true, but this is no longer correct. Cellebrite Services now has the capability to get into iPhone devices with an up-to-date iOS version; only some models are supported, but this is a great advancement in circumnavigating the newer iPhones. Kudos to Cellebrite.

"Blackberries were highly resistant to chip-off acquisition from the beginning, and Android is getting there quickly."

We are successfully doing chip-off acquisitions on BlackBerrys up to the new Z10 and Z30 with no issues, even the Classic. We have been doing chip-off on BlackBerry (even JTAG in those early days) since the early 8000 series, with only a few models giving us a problem.

Chipoff on Android phones has never been easier, less epoxy and less shielding present.

The only roadblock with each of these devices is the presence of encryption at times. We have only been seeing this with high-level crime groups who are using offshore BES; corporations using in-house encryption on in-house BESs; and OS 7+ where the user has implemented on-device encryption. For the most part, regular users are not implementing these measures. For Android, we will see this a bit more with the new OSs and chips coming out with encryption in place.

"Android Forensics"

For Android and Windows devices, there is no mention of In-System-Programming (ISP), a process that is in between JTAG and Chipoff that is only available to devices (phones, GPS, etc) that utilize eMMC style BGA chips. A full read can be obtained through access points around the BGA chip. Non destructive but requires some skill sets.

"From the very beginning, BlackBerries were secure. BlackBerry smartphones used full-disk encryption, making chip-off acquisition fruitless."

As I mentioned earlier, this is not totally accurate, we are seeing a lot of Blackberry phones that are not encrypted. This process needs to be activated by the user and/or the Admin of the BES and is not on by default. We can do ASCII keyword searches through our physical dumps and the data is all present in plain view.

"At this time, the only vector of attack on BlackBerry smartphones is accessing a BlackBerry backup file (or making the device produce a backup via BlackBerry Link),"

Not correct again, Chipoff is still viable if all the stars are in line.

This one hits me hard "Most would agree that the golden age of mobile forensics is over. "

Not over, just more challenging. I believe this same statement was made when Windows 7 came out with BitLocker; everyone was crying that the computer forensics world would end with BitLocker. Has that happened? No!

With on chip encryption, we just need to find new ways to get into the phones, attacking the mechanics of the phone; using bootloaders to access secured levels of the device; examining live devices using unique methods; etc. The end is not "over", never give up!

I say this with all the respect to the crew at Belkasoft, they are a great and very smart bunch of experts, the white paper in total is excellent and a very good read. Thanks Oleg, Danil & Yuri for the nice read, very well written.

Posted : 14/07/2015 11:57 am
sideshow018
(@sideshow018)
Member

when does it become necessary to do chip off forensics?

Basically, chip-off is the last resort after attempting physical acquisition (if available) and JTAG acquisition (if there is a JTAG port available). Generally, you would only want to chip-off an unencrypted device. Finally, since pretty much all recent smartphones use eMMC as internal storage, chip-off is not going to read the content of the flash chips directly. Instead, it'll work through the integrated eMMC controller, which in turn means that any overprovisioned space will remain inaccessible. We're just about to publish a whitepaper on this and related subjects in maybe a week or two.

"overprovisioned space will remain inaccessible."

In your research, have you determined if any user data is also found in this space? Is this like the bad sectors on the older NAND flash that may have contained older-dated user data that could only be obtained through chip-off?

Or does the eMMC Controller allow user data to be stored there and one requires a process to gain access to these areas using Chipoff, ISP or JTAG?

Interesting topic, look forward to the read. Thanks for your work in this field.

Posted : 14/07/2015 12:08 pm
jaclaz
(@jaclaz)
Community Legend

We are successfully doing chipoff acquisitions on Blackberry's up to the new Z10 and Z30's with no issues, even the classic, we have been doing Chipoff on Blackberry (Even JTAG in that early days) since the early 8000 series with only a few models giving us a problem.

Chipoff on Android phones has never been easier, less epoxy and less shielding present.

The only roadblocks with each of these devices is the presence of Encryption at times, we only have been seeing this with high level crime groups who are using off shore BES; Corp using in house encryption on in house BES's; OS 7+ where user has implemented on device encryption; but for the most part, regular users are not implementing these measures. For Android, we will see this a bit more with the new OS's and chips coming out with Encryption in place.
….

"From the very beginning, BlackBerries were secure. BlackBerry smartphones used full-disk encryption, making chip-off acquisition fruitless."

As I mentioned earlier, this is not totally accurate, we are seeing a lot of Blackberry phones that are not encrypted. This process needs to be activated by the user and/or the Admin of the BES and is not on by default. We can do ASCII keyword searches through our physical dumps and the data is all present in plain view.

"At this time, the only vector of attack on BlackBerry smartphones is accessing a BlackBerry backup file (or making the device produce a backup via BlackBerry Link),"

Not correct again, Chipoff is still viable if all the stars are in line.

Maybe the usage of encryption is different in different countries, and as well as the diffusion of the devices.

Here the ONLY reason why anyone (private/final user) would buy a BlackBerry is because of the encryption features, and the exact same reason applies to corporate users, where the IT personnel normally set it to on, with the net effect that it is extremely rare to see a non-encrypted BlackBerry (not that nowadays BlackBerrys are very common anyway).

jaclaz

Posted : 14/07/2015 3:21 pm
trewmte
(@trewmte)
Community Legend

This one hits me hard "Most would agree that the golden age of mobile forensics is over. "

Not over, just more challenging (- I believe this same statement was made when Windows 7 came out with Bit-Locker, everyone was crying the computer forensics world will end with Bit-locker, has that happen? No!

I agree with Bob and his well set out commentary.

There are so many avenues to examine under Mobile Forensics, chip off is only one of the avenues. There are simply too many handsets out there to throw in the towel merely because of the mention about encryption. Encryption still has to be proven on a case by case basis.

Moreover, with the introduction of handsets that have no USB/JTAG but large memory, chip off might be the only option available; particularly where IIoC and other criminal activity is taking place…and that is without consideration of national security needs.

Furthermore, generating a physical image (where no JTAG is possible) has the capability to identify data that might not have been captured by other well known tools.

Posted : 14/07/2015 11:00 pm
v.katalov
(@v-katalov)
Member

"overprovisioned space will remain inaccessible."

In your research, have you determined if any user data is also found in this space? Is this like the bad sectors on on the older NAND flash that may of contained older dated user data that could only be obtained through Chpoff?

Or does the eMMC Controller allow user data to be stored there and one requires a process to gain access to these areas using Chipoff, ISP or JTAG?

The answer is, "it depends". The overprovisioned area is just that: a number of additional storage blocks on eMMC chips that are not advertised as available storage capacity. These blocks don't have logical addresses (or physical addresses available to the OS); they cannot be addressed from outside of an eMMC chip. In short, only the integrated eMMC controller has access to these blocks.

The content of those blocks can be any of the following:

1. Bad blocks. Each and every eMMC chip, with no exceptions, comes from the factory with a number of bad blocks. These are obviously mapped out. If any particular block of NAND flash becomes unstable (or reaches the maximum allowable number of write cycles), it will be placed into the overprovisioned area, and its address will be assigned to one of the healthy blocks from the overprovisioned area.

2. Trimmed (erased) blocks. These are commonly used by the controller as quick substitutes for 'dirty' blocks (the 'dirty' block is mapped out of addressable space and placed into the overprovisioned area, while a fresh block from the overprovisioned area gets the address previously assigned to the 'dirty' block).

3. 'Dirty' blocks waiting for their turn to be cleaned (trimmed, erased). Generally, these blocks have the special "do not care" status assigned to them; eventually, they will be erased, but there is no guaranteed timeframe, and the standard does not require the controller to erase them at any particular time. If (or when) these blocks are actually trimmed depends on the make and model of a particular eMMC chip, its controller, and the current read/write load.

#3 is the only situation when overprovisioned blocks may contain user data. While we've never been able to check out a real physical dump of the flash chip (as opposed to those obtained via chip-off), my experience with SSD drives (which do contain individual chips that can be dumped one after another) tells me that there can be remnants of user data scattered around. Notably, this will be actual *user data* as opposed to system files (system files are read-only and are not normally moved or deleted, unless there was a recent OTA/firmware update).

There is no process I am aware of that can be used to access data stored in the overprovisioned area.

Posted : 16/07/2015 4:57 pm
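The two posts above (the note that chip-off on eMMC reads through the integrated controller, and the breakdown of what sits in the overprovisioned area) are easiest to see with a small model. The following is an added example written for this thread, not code from any poster, vendor or eMMC vendor's firmware: a toy flash translation layer with the three overprovisioned block states described above (bad, trimmed/free, dirty). It shows why a controller-mediated read (chip-off, ISP or JTAG) returns only the logically mapped blocks, while a stale copy of overwritten user data can linger in a 'dirty' block until the controller decides to erase it. Block sizes, the 8-byte page, the `ToyEmmc` class and the `demo()` helper are all constructed for illustration; real controllers use far more complex wear-levelling and mapping.

```python
"""Toy model of an eMMC flash translation layer (FTL).

Constructed example: illustrates why a chip-off read, which goes through the
eMMC controller, only returns logically addressed blocks, while overprovisioned
physical blocks (bad, free or 'dirty') stay invisible. Not real eMMC firmware;
all names, sizes and states here are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    MAPPED = "mapped"   # currently backs some logical block address (LBA)
    FREE = "free"       # trimmed/erased spare block (case 2 in the post)
    DIRTY = "dirty"     # stale data awaiting erase, no LBA (case 3 in the post)
    BAD = "bad"         # factory or worn-out block, mapped out (case 1 in the post)


ERASED = b"\xff" * 8  # NAND erased state is all ones; 8-byte "pages" for brevity


@dataclass
class PhysBlock:
    state: State
    data: bytes = ERASED


class ToyEmmc:
    """A few physical NAND blocks behind a controller that exposes fewer LBAs."""

    def __init__(self, logical_blocks: int, physical_blocks: int, bad=frozenset()):
        self.phys = [PhysBlock(State.BAD if i in bad else State.FREE)
                     for i in range(physical_blocks)]
        self.logical_blocks = logical_blocks
        self.l2p: dict[int, int] = {}        # LBA -> physical block index
        for lba in range(logical_blocks):    # initial mapping onto healthy blocks
            self.l2p[lba] = self._take_free()
            self.phys[self.l2p[lba]].state = State.MAPPED

    def _take_free(self) -> int:
        for i, blk in enumerate(self.phys):
            if blk.state is State.FREE:
                return i
        raise RuntimeError("no free blocks; garbage collection needed first")

    def write(self, lba: int, data: bytes) -> None:
        """Out-of-place write: a free block takes the LBA, the old block turns DIRTY."""
        old, new = self.l2p[lba], self._take_free()
        self.phys[new] = PhysBlock(State.MAPPED, data)
        self.phys[old].state = State.DIRTY   # old contents linger, unaddressable
        self.l2p[lba] = new

    def garbage_collect(self) -> int:
        """Erase DIRTY blocks; a real controller gives no guarantee about when."""
        erased = 0
        for blk in self.phys:
            if blk.state is State.DIRTY:
                blk.state, blk.data = State.FREE, ERASED
                erased += 1
        return erased

    def controller_read(self) -> list[bytes]:
        """What chip-off/ISP/JTAG through the controller returns: LBAs only."""
        return [self.phys[self.l2p[lba]].data for lba in range(self.logical_blocks)]

    def raw_nand_dump(self) -> list[tuple[int, str, bytes]]:
        """What a hypothetical die-level read would show, overprovisioned blocks included."""
        return [(i, blk.state.value, blk.data) for i, blk in enumerate(self.phys)]


def demo() -> dict:
    """Overwrite one logical block and compare the two views of the chip."""
    dev = ToyEmmc(logical_blocks=2, physical_blocks=5, bad={4})  # 3 blocks overprovisioned
    old_note, new_note = b"oldmsg01", b"newmsg02"                 # constructed user data
    dev.write(0, old_note)
    dev.write(0, new_note)          # overwrite: old_note now sits in a DIRTY block
    via_controller = dev.controller_read()
    raw_before_gc = dev.raw_nand_dump()
    erased = dev.garbage_collect()
    raw_after_gc = dev.raw_nand_dump()
    return {
        "overprovisioned_blocks": len(dev.phys) - dev.logical_blocks,
        "controller_sees_remnant": old_note in via_controller,
        "raw_sees_remnant": any(d == old_note for _, _, d in raw_before_gc),
        "erased_by_gc": erased,
        "raw_sees_remnant_after_gc": any(d == old_note for _, _, d in raw_after_gc),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes is the one in the thread: the remnant is recoverable only from a die-level view the eMMC package does not expose, it is gone once the controller runs its own garbage collection, and nothing an examiner does on the logical side (chip-off included) changes which blocks the controller maps.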
sideshow018
(@sideshow018)
Member

Thanks Vladimir, very good information, thanks for sharing. You have left us with a challenge.

See you at FT Days?

Cheers,

B

Posted : 30/07/2015 9:47 am
v.katalov
(@v-katalov)
Member

See you at FT Days?

Yep, we'll be there!

Posted : 06/08/2015 4:24 pm