LITIGATION SUPPORT TIP OF THE NIGHT

Three common forensic techniques are used to extract data from mobile phones.

1. A JTAG (Joint Test Action Group) involves soldering wires to JTAG ports in order to connect to a processor which can create an image from the memory card of the phone. An example of a JTAG connection is shown here, on the website of Farley Forensics.

2. ISP (In System Programming) extractions are used when no JTAG or test access points (TAPs) are available, and the examiner has to solder a connection directly to the board.

With both JTAG and ISP connections the wires are connected to outside hardware, such as the Medusa Pro or Easy JTAG box.

3. Chip Off extractions are generally performed when JTAG or ISP extractions are not possible. This approach involves physically removing the memory card from the phone. The data on the chip can then be collected using a reader specifically designed for the chip. Devices exist which include adapters for all of the chips commonly used in smartphones.

Each of these techniques allows data on a passcode protected phone to be accessed, but not data on an encrypted phone. These methods are used when the logical, physical, and file system acquisition of data is limited or not possible.

Here's a follow-up to last night's tip on a DHS/NIST report on the collection of data from mobile devices using the Cellebrite tool. Last September, the same team published a study, Test Results for Binary Image (JTAG, Chip-Off) Decoding and Analysis Tool: Paraben’s Electronic Evidence Examiner – Device Seizure (E3:DS), which tested the Paraben tool's ability to collect data from HTC, Samsung, LG and ZTE Android cell phones.

Paraben was shown to have trouble collecting data for contacts from Samsung and HTC phones; data from calendars from HTC phones; and could not collect notes; stand-alone files; or GPS data from the HTC One Mini Chip-off at all using a Chip-Off analysis. Call log data and social media data were not always collected from HTC Desire S smartphones.

SMS messages and internet data were collected with the Paraben tool successfully on all of the phones tested using both the JTAG and Chip-Off approaches.

In January, the Department of Homeland Security and the National Institute of Standards and Technology published a study, Test Results for Binary Image (Joint Test Action Group (JTAG), ChipOff) Decoding and Analysis Tool: Cellebrite Universal Forensic Extraction Device (UFED) Physical Analyzer v7.20.0.123 which tested the Cellebrite tool's ability to decode and analyze cell phone data. This study examined HTC, Samsung, LG, and Motorola Android devices.

The study showed that Cellebrite Physical Analyzer could not collect stand-alone files and GPS related data on the HTC One Mini.

Twitter social media was partially omitted in data collected from a LG K7.

Facebook was not fully collected from the HTC One XL.

Call logs; SMS messages; PIM Data (personal information synchronized over networks); application data; and internet data was collected without issue from all devices. Deleted contacts, deleted calendar appointments, and deleted call logs were recovered from HTC devices.