Recovering data from mobile devices continues to bring new challenges to investigators, and the use of “chip-off” and Joint Test Action Group (JTAG) methods has become a topic of growing interest in the law enforcement community.
When a mobile device is damaged or locked, the chip-off and JTAG methods are among the best alternative solutions for examiners looking to gain access to the memory.
JTAG is an advanced-level data acquisition method that involves connecting to a device’s Test Access Ports (TAPs) and instructing the processor to transfer the raw data stored on the connected memory chips. When supported, JTAG-ing is an extremely effective technique that can let examiners extract a full physical image from devices that are not supported by standard methods.
Eric Reverdito, deputy chief of research and technical development at OCLCTIC (part of the French National Police), recently shared a sensitive case where they had to extract data from a Land Rover model Z18 phone.
“We did not have the phone’s security code because the main suspect was on the run. The Z18 can be extracted in physical mode without the access code, but after many attempts we had to admit our failure to access it,” said Reverdito. “Thanks to MSAB’s Advanced Acquisition (AA) training – where the trainers focused on the extraction and recovery of data via JTAG and chip-off methods – and to the cooperation of the MSAB team on this sensitive issue, we were able to implement a chip-off technique.”
The MSAB team bought the same phone model, a Z18, for Reverdito’s team, so that tests could be run on it before trying to extract from the suspect’s phone. “We received the device and started using the phone like any other user. We created accounts on several apps such as WhatsApp and Telegram. We made calls, sent SMS, and took pictures and videos on the new device. In short, we created a real scenario by erasing some of the data we had created on it. Then we disassembled the phone and heated the chip sufficiently to disengage it from the motherboard,” Reverdito said.
This manipulation was performed without a hitch. The chip was then inserted into a card reader and, using the free FTK Imager software, a binary file was created from it.
“With the binary in hand, we inserted it into the XRY software, taking care to select the same brand and model as the original phone. We compared the two extractions, one logical and one physical, to ensure that we had recovered the deleted elements.”
“This process made it possible to validate our methodology and, with the agreement of the magistrate, we then proceeded with the chip-off of the actual phone from the real case. The extraction of the chip and the subsequent analysis of the data went smoothly and successfully.”
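As an added illustration of the validation step described above (not part of the original article, and not MSAB or FTK Imager code): a Python check that hashes the raw chip image, searches it for the items the examiner planted on the test handset, and labels each item as present in the logical extraction, recovered only from the physical image, or not recovered. The image bytes, the planted strings and the logical listing are constructed stand-ins.

```python
import hashlib

# Constructed stand-in for the raw chip image written by the imaging tool.
# In a real run this would be read from the image file; here a few planted
# test artifacts are embedded (one UTF-8, one UTF-16LE) so it runs offline.
def build_sample_image() -> bytes:
    filler = b"\x00" * 64
    return (
        filler
        + "SMS: meet at 14:00".encode("utf-8")              # still on the live phone
        + filler
        + "WhatsApp: ticket ref 4471".encode("utf-16-le")   # deleted, left in unallocated space
        + filler
        + b"\xff" * 32
    )

SAMPLE_IMAGE = build_sample_image()

# Items the examiner created on the test handset before the chip-off (constructed),
# and the subset that a logical extraction of the live handset still reported.
PLANTED = ["SMS: meet at 14:00", "WhatsApp: ticket ref 4471", "Telegram: call 19:30"]
LOGICAL = {"SMS: meet at 14:00"}
ENCODINGS = ("utf-8", "utf-16-le")   # phone databases and strings commonly use either

def image_sha256(image: bytes) -> str:
    """Hash the image so the copy loaded for analysis can be tied to the one imaged."""
    return hashlib.sha256(image).hexdigest()

def find_artifact(image: bytes, text: str) -> list[tuple[str, int]]:
    """Return (encoding, offset) for every raw occurrence of a planted string."""
    hits = []
    for enc in ENCODINGS:
        needle = text.encode(enc)
        pos = image.find(needle)
        while pos != -1:
            hits.append((enc, pos))
            pos = image.find(needle, pos + 1)
    return hits

def classify(image: bytes, planted, logical) -> dict[str, str]:
    """Label each planted item: 'logical', 'physical-only' (deleted but carved), or 'not-recovered'."""
    result = {}
    for item in planted:
        if item in logical:
            result[item] = "logical"
        elif find_artifact(image, item):
            result[item] = "physical-only"
        else:
            result[item] = "not-recovered"
    return result
```

Any item that ends up as "physical-only" is a deleted element recovered from the chip image that the logical extraction missed, which is exactly what the test handset was meant to demonstrate before touching the evidence phone.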
“Without the help of MSAB we would not have been able to help that investigation. It enabled us to give the investigators some very interesting information which definitely helped enhance the progress of the investigation,” said Reverdito.
The comprehensive training with MSAB also gave his team a solid knowledge of the theoretical and practical aspects of hands-on work with devices, he added.
OCLCTIC (L’Office central de lutte contre la criminalité liée aux technologies de l’information et de la communication; English: Central Office for the Fight Against Crime Linked to Information Technology and Communication) is part of the French National Police.
MSAB Area Sales Manager for France