Mobile device forensics

Mobile device forensics is a branch of digital forensics relating to the recovery of digital evidence or data from a mobile device under forensically sound conditions. The phrase mobile device usually refers to mobile phones; however, it can also relate to any digital device that has both internal memory and communication ability.

The use of phones in crime has been widely recognised for some years, but the forensic study of mobile devices is a relatively new field, dating from the early 2000s. A proliferation of phones (particularly smartphones) on the consumer market caused a demand for forensic examination of the devices, which could not be met by existing computer forensics techniques.

The memory type, custom interface and proprietary nature of mobile devices require a different forensic process compared to computer forensics. Each device often has to have custom extraction techniques used on it. Mobile devices can be used to save several types of personal information such as contacts, photos, calendars and notes.

History

As a field of study, forensic examination of mobile devices dates from the late 1990s and early 2000s. The role of mobile phones in crime had long been recognised by law enforcement. With the increased availability of such devices on the consumer market and the wider array of communication platforms they support (e.g. email, web browsing), demand for forensic examination grew.

In comparison to computer forensics, law enforcement are much more likely to encounter a suspect with a mobile device in his possession, and so demand for analysis of mobiles has increased exponentially in the last decade.

Early efforts to examine mobile devices used similar techniques to the first computer forensics investigations: analysing phone contents directly via the screen and photographing important content. Over time, commercial tools appeared which allowed examiners to recover phone memory with minimal disruption and analyse it separately.

In more recent years these commercial techniques have developed further and the recovery of deleted data from proprietary mobile devices has become possible with some specialist tools.

Types of evidence

As mobile device technology advances, the amount and types of data that can be found on a mobile device are constantly increasing. Evidence that can potentially be recovered by law enforcement agents from a mobile phone may come from several different sources, including the SIM card, the handset and attached memory cards.

Traditionally, mobile phone forensics has been associated with recovering SMS and MMS messaging, as well as call logs, contact lists and phone IMEI/ESN information. Newer generations of smartphones also include wider varieties of information: web browsing, wireless network settings, e-mail and other forms of rich internet media, including important data now retained by smartphone 'apps'.

Service provider logs

The European Union requires its member countries to retain certain telecommunications data for use in investigations. This includes data on calls made and retrieved. The location of a mobile phone can be determined, and this geographical data must also be retained. This is, however, a different discipline from the forensic analysis that is undertaken once the mobile phone has been seized.

Forensic process

The forensics process for mobile devices broadly matches other branches of digital forensics; however, some particular concerns apply. One of the main ongoing considerations for analysts is preventing the device from making a network/cellular connection, which may bring in new data, overwriting evidence. To prevent a connection, mobile devices will often be transported and examined from within a Faraday cage (or bag).

Seizure

Seizing mobile devices is covered by the same legal considerations as other digital media. Mobiles will often be recovered switched on; as the aim of seizure is to preserve evidence, the device will often be transported in the same state to avoid a shutdown changing files.

Acquisition

The second step in the forensic process is acquisition, in this case usually referring to retrieval of material from a device (as compared to the bit-copy imaging used in computer forensics).

Because of the proprietary nature of mobiles it is often not possible to acquire data with the device powered down, so most mobile device acquisition is performed live. With more advanced smartphones using advanced memory management, connecting the device to a charger and putting it into a Faraday cage may not be good practice: the device would recognize the network disconnection and change its status information, which can trigger the memory manager to write data.

Most acquisition tools for mobile devices are commercial in nature and consist of a hardware and software component, often automated.

Examination and analysis

As an increasing number of mobile devices use high-level file systems, similar to the file systems of computers, methods and tools can be taken over from hard disk forensics or only need slight changes.

The FAT file system is generally used on NAND memory. A difference is the block size used, which is larger than the 512 bytes of hard disks and depends on the memory type, e.g., 64, 128 or 256 kilobytes for NOR memory and 16, 128, 256 or 512 kilobytes for NAND memory.

Different software tools can extract the data from the memory image. One could use specialized and automated forensic software products or generic file viewers such as any hex editor to search for characteristics of file headers. The advantage of the hex editor is the deeper insight into the memory management, but working with a hex editor means a lot of handwork and requires file system as well as file header knowledge. In contrast, specialized forensic software simplifies the search and extracts the data but may not find everything. AccessData's Forensic Toolkit (FTK), Sleuthkit, and EnCase, to mention only some, are forensic software products to analyze memory images. Since there is no tool that extracts all possible information, it is advisable to use two or more tools for examination. There is currently (February 2010) no software solution to get all evidence from flash memories.
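As an added example, not from the original article: a small Python carver that does what the hex-editor search above describes, looking for known file-header signatures in a constructed raw flash image, and contrasts a whole-image scan with a block-by-block scan that misses a header split across two flash blocks (one reason to run more than one tool). The signature list, the 2048-byte block size and the planted headers are assumptions made for this example.

```python
import hashlib

# File-header signatures an examiner would otherwise search for by hand in a hex editor.
# Constructed subset for this example; real tools carry hundreds of such signatures.
SIGNATURES = {
    "JPEG": b"\xff\xd8\xff",
    "PNG": b"\x89PNG\r\n\x1a\n",
    "SQLite": b"SQLite format 3\x00",
}

BLOCK_SIZE = 2048  # assumed flash block size of the constructed image, in bytes


def build_sample_image():
    """Construct a fake NAND dump: four erased blocks (erased NAND reads as 0xFF)
    with three headers planted in it, one of which straddles the boundary
    between block 2 and block 3."""
    image = bytearray(b"\xff" * (BLOCK_SIZE * 4))
    image[0:3] = SIGNATURES["JPEG"]                                  # block 0, offset 0
    image[BLOCK_SIZE + 100:BLOCK_SIZE + 116] = SIGNATURES["SQLite"]  # block 1, offset 100
    start = 3 * BLOCK_SIZE - 4                                       # last 4 bytes of block 2
    image[start:start + 8] = SIGNATURES["PNG"]                       # continues into block 3
    return bytes(image)


def carve_headers(image, signatures=SIGNATURES):
    """Scan the whole image as one byte string. Returns a sorted list of
    (absolute offset, block number, file type) for every signature hit."""
    hits = []
    for kind, magic in signatures.items():
        pos = image.find(magic)
        while pos != -1:
            hits.append((pos, pos // BLOCK_SIZE, kind))
            pos = image.find(magic, pos + 1)
    return sorted(hits)


def carve_blockwise(image, signatures=SIGNATURES, block_size=BLOCK_SIZE):
    """Scan one flash block at a time, the way a tool that reads block by block
    might. A header split across two blocks is never seen whole and is missed."""
    hits = []
    for base in range(0, len(image), block_size):
        block = image[base:base + block_size]
        for kind, magic in signatures.items():
            pos = block.find(magic)
            while pos != -1:
                hits.append((base + pos, base // block_size, kind))
                pos = block.find(magic, pos + 1)
    return sorted(hits)


def missed_by(first, second):
    """Hits found by one method but not the other: the reason to cross-check tools."""
    return sorted(set(first) - set(second))


def image_digest(image):
    """SHA-256 of the image, recorded so the examined copy can be shown to be unchanged."""
    return hashlib.sha256(image).hexdigest()


if __name__ == "__main__":
    img = build_sample_image()
    print("image sha256:", image_digest(img))
    full = carve_headers(img)
    blockwise = carve_blockwise(img)
    for off, blk, kind in full:
        print(f"{kind:7s} at offset {off:6d} (block {blk})")
    print("missed by block-wise scan:", missed_by(full, blockwise))
```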

Physical acquisition

Physical acquisition implies a bit-by-bit copy of an entire physical store (e.g., a memory chip). A physical acquisition has the advantage of allowing deleted files and data remnants to be examined. Physical extraction acquires information from the device by direct access to the flash memories. Generally this is harder to achieve because the device vendors need to secure the device against arbitrary reading of memory, so that a device may be locked to a certain operator. A physical extraction is the method most similar to the examination of a personal computer. It produces a bit-by-bit copy of the device's flash memory. Generally the physical extraction is then split into two steps, the dumping phase and the decoding phase.

Logical acquisition

Logical acquisition implies a bit-by-bit copy of logical storage objects (e.g., directories and files) that reside on a logical store (e.g., a file system partition). Logical acquisition has the advantage that system data structures are easier for a tool to extract and organize. Logical extraction acquires information from the device using the vendor interface for synchronizing the contents of the phone with a personal computer. This usually does not produce any deleted information, since deleted data is normally removed from the file system of the phone. However, in some cases the phone may keep a database file which does not overwrite deleted information but simply marks it as deleted and available for later overwriting. In this case, if the device allows file system access through its synchronization interface, it is possible to recover deleted information. A logical extraction is generally easier to work with as it does not produce a large binary blob. However, a skilled forensic examiner will be able to extract far more information from a physical extraction.
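As an added example, not from the original article: the database behaviour described above, shown with SQLite (assumed here as the message-store format, which is common on smartphones). A logical query no longer returns the deleted message, but a byte-level look at the same file still finds its text until the freed space is reused, unless the application enabled SQLite's secure_delete. The table layout and message contents are constructed.

```python
import os
import sqlite3
import tempfile

MARKER = "CONSTRUCTED-DELETED-MESSAGE"  # constructed text, easy to spot in raw bytes


def make_messages_db(path, secure_delete=False):
    """Create a small messages table (constructed sample rows) and delete one row.
    secure_delete=False mimics an app that only marks the space free; True zeroes it."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = " + ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE sms (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    con.executemany("INSERT INTO sms VALUES (?, ?, ?)", [
        (1, "+15550001111", "meet at the usual place at nine"),
        (2, "+15550002222", MARKER + " this text should be gone"),
        (3, "+15550003333", "running late, start without me"),
    ])
    con.commit()
    con.execute("DELETE FROM sms WHERE id = 2")  # the row is only unlinked from the page
    con.commit()
    con.close()


def logical_view(path):
    """What a logical (sync-interface style) extraction sees: only live rows."""
    con = sqlite3.connect(path)
    try:
        return [row[0] for row in con.execute("SELECT body FROM sms ORDER BY id")]
    finally:
        con.close()


def raw_remnant_present(path, marker=MARKER):
    """What a byte-level look at the same file shows: the deleted record's text
    survives in the page's freed space until SQLite reuses or overwrites it."""
    with open(path, "rb") as fh:
        return marker.encode() in fh.read()


def compare(secure_delete=False):
    """Run both views on a fresh database; returns (live bodies, remnant found?)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sms.db")
        make_messages_db(path, secure_delete)
        return logical_view(path), raw_remnant_present(path)


if __name__ == "__main__":
    for mode in (False, True):
        live, remnant = compare(mode)
        print(f"secure_delete={mode}: live rows={len(live)}, deleted text in file={remnant}")
```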

Manual acquisition

The user interface can be utilized to investigate the content of the memory. To do this, the device is used as normal and pictures are taken of the screen. This method has the advantage that the operating system performs the transformation of raw data into human-interpretable information. In practice this method is applied to cell phones (e.g., with Project-a-Phone), PDAs and navigation systems. The disadvantage is that only data visible to the operating system can be recovered and that all data are only available in the form of pictures.

External memory

External memory devices are SIM cards, SD cards, MMC cards, CF cards, and the Memory Stick. For external memory and USB flash drives, appropriate software, e.g., the Unix command dd, is needed to make the bit-level copy. Furthermore, USB flash drives with memory protection do not need special hardware and can be connected to any computer. Many USB drives and memory cards have a write-lock switch that can be used to prevent data changes while making a copy. If the USB drive has no protection switch, a write blocker can be used to mount the drive in read-only mode or, in an exceptional case, the memory chip can be desoldered. The SIM and memory cards need a card reader to make the copy. The SIM card can be analyzed in a forensically sound way, such that it is possible to recover (deleted) data like contacts or text messages.

Internal memory

This section describes various possibilities to save the internal storage, nowadays mostly flash memory.

System commands

Mobile devices do not provide the possibility to run or boot from a CD, to connect to a network share, or to attach another device with clean tools. Therefore, system commands could be the only way to save the volatile memory of a mobile device. Given the risk that the system commands have been modified, it must be judged whether the volatile memory is really important. A similar problem arises when no network connection is available and no secondary memory can be connected to the mobile device, because the volatile memory image must then be saved on the internal non-volatile memory, where the user data is stored, and most likely deleted important data will be lost. System commands are the cheapest method, but imply some risks of data loss. Every command usage with options and output must be documented.

AT commands

AT commands are old modem commands, e.g., the Hayes command set and Motorola phone AT commands, and can therefore only be used on a device that has modem support. Using these commands one can only obtain information through the operating system, such that no deleted data can be extracted.

Flasher tools

A flasher tool is programming hardware and/or software that can be used to program (flash) the device memory, e.g., EEPROM or flash memory. These tools mainly originate from the manufacturer or service centers for debugging, repair, or upgrade services. They can overwrite the non-volatile memory and some, depending on the manufacturer or device, can also read the memory to make a copy, originally intended as a backup. The memory can be protected from reading, e.g., by software command or destruction of fuses in the read circuit. Note that this would not prevent writing or internal use of the memory by the CPU. The flasher tools are easy to connect and use, but some can change the data, have other dangerous options, or do not make a complete copy.

JTAG

Existing standardized interfaces for reading data are built into several mobile devices, e.g., to get position data from GPS equipment (NMEA) or to get deceleration information from airbag units.

Not all mobile devices provide such a standardized interface, nor does there exist a standard interface for all mobile devices, but all manufacturers have one problem in common. The miniaturization of device parts raises the question of how to test automatically the functionality and quality of the soldered integrated components. For this problem an industry group, the Joint Test Action Group (JTAG), developed a test technology called boundary scan.

Despite the standardization there are four tasks before the JTAG device interface can be used to recover the memory. To find the correct bits in the boundary scan register, one must know which processor and memory circuits are used and how they are connected to the system bus. When not accessible from outside, one must find the test points for the JTAG interface on the printed circuit board and determine which test point is used for which signal. The JTAG port is not always soldered with connectors, such that it is sometimes necessary to open the device and re-solder the access port. The protocol for reading the memory must be known, and finally the correct voltage must be determined to prevent damage to the circuit.

The boundary scan produces a complete forensic image of the volatile and non-volatile memory. The risk of data change is minimized and the memory chip does not need to be desoldered. Generating the image can be slow, and not all mobile devices are JTAG enabled. Also, it can be difficult to find the test access port.

Forensic desoldering

Commonly referred to as a "chip-off" technique within the industry, this is the last and most intrusive method to get a memory image: the non-volatile memory chip is desoldered and connected to a memory chip reader. This method carries the potential danger of total data destruction: it is possible to destroy the chip and its content because of the heat required during desoldering. Before the invention of the BGA technology it was possible to attach probes to the pins of the memory chip and to recover the memory through these probes. The BGA technique bonds the chips directly onto the PCB through molten solder balls, such that it is no longer possible to attach probes. Desoldering the chips is done carefully and slowly, so that the heat does not destroy the chip or data. Before the chip is desoldered the PCB is baked in an oven to eliminate remaining water. This prevents the so-called popcorn effect, in which the remaining water would burst the chip package during desoldering.

There are mainly three methods to melt the solder: hot air, infrared light, and steam-phasing. The infrared light technology works with a focused infrared light beam onto a specific integrated circuit and is used for small chips. The hot air and steam methods cannot focus as much as the infrared technique.
Chip re-balling

After desoldering, a re-balling process cleans the chip and applies new solder balls to its pads. Re-balling can be done in two different ways.
  • The first uses a stencil. The stencil is chip-dependent and must fit exactly; the solder is applied through the stencil and melted. After the solder has cooled the stencil is removed and, if necessary, a second cleaning step is done.
  • The second method is laser re-balling. Here the stencil pattern is programmed into the re-balling unit. A bondhead (shaped like a tube or needle) is automatically loaded with a single solder ball from a solder ball singulation tank. The ball is heated by a laser until the solder melts and flows onto the cleaned pad. Immediately after the ball has melted the laser switches off and a new ball drops into the bondhead; while the bondhead reloads, the unit moves to the next pad.


A third method makes the entire re-balling process unnecessary. The chip is connected to an adapter with Y-shaped springs or spring-loaded pogo pins. The Y-shaped springs need a solder ball on each pad to establish an electrical connection, but pogo pins can be used directly on the bare pads of the chip without balls.

The advantage of forensic desoldering is that the device does not need to be functional and that a copy can be made without any changes to the original data. The disadvantage is that re-balling equipment is expensive, so the process is very costly, and there is some risk of total data loss. Forensic desoldering should therefore only be done by experienced laboratories.
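The examiner's check on a chip-off read, as an added example that is not code from the article or from any tool named on this page: once the desoldered chip has been read through a re-balled socket or a pogo-pin adapter, the raw dump is read a second time and compared page by page, the spare (out-of-band, OOB) area of each NAND page is stripped to obtain the logical image, and both images are hashed for the acquisition record. The 2048+64-byte page geometry and the sample pages are constructed assumptions for this example, not data from any device.

```python
"""Post-processing of a raw chip-off NAND dump (added example).

A reader attached to a desoldered NAND chip returns physical pages that
include the spare (out-of-band, OOB) area holding ECC and block-management
bytes rather than user data.  Before the image is carved or mounted, the two
independent reads are compared, the OOB bytes are stripped to obtain the
logical image, and both images are hashed for the acquisition record.
Geometry: a 2048-byte data area plus a 64-byte spare per page is a common
small-page SLC layout and is an ASSUMPTION here; with a real dump it comes
from the chip's datasheet or ID bytes.
"""
import hashlib

PAGE_SIZE = 2048          # assumed user-data bytes per physical page
OOB_SIZE = 64             # assumed spare bytes per physical page
PHYS_PAGE = PAGE_SIZE + OOB_SIZE


def _pages(raw: bytes) -> int:
    """Number of whole physical pages in a raw dump; rejects partial pages."""
    if len(raw) % PHYS_PAGE:
        raise ValueError("dump is not a whole number of physical pages")
    return len(raw) // PHYS_PAGE


def verify_reads(read_a: bytes, read_b: bytes) -> list:
    """Compare two raw reads of the same chip page by page.

    Chip-off readers dump the chip at least twice; pages that differ point to
    marginal cells or a poor contact in the adapter and must be re-read, not
    silently accepted.  Returns the indices of differing physical pages.
    """
    if len(read_a) != len(read_b):
        raise ValueError("reads differ in length")
    return [
        i for i in range(_pages(read_a))
        if read_a[i * PHYS_PAGE:(i + 1) * PHYS_PAGE]
        != read_b[i * PHYS_PAGE:(i + 1) * PHYS_PAGE]
    ]


def strip_oob(raw: bytes) -> bytes:
    """Drop the spare area of every page, leaving the logical image."""
    return b"".join(
        raw[i * PHYS_PAGE:i * PHYS_PAGE + PAGE_SIZE] for i in range(_pages(raw))
    )


def erased_pages(raw: bytes) -> list:
    """Indices of pages whose data area is all 0xFF (erased NAND, never written)."""
    blank = b"\xff" * PAGE_SIZE
    return [
        i for i in range(_pages(raw))
        if raw[i * PHYS_PAGE:i * PHYS_PAGE + PAGE_SIZE] == blank
    ]


def acquisition_record(raw: bytes) -> dict:
    """Values the examiner writes into the acquisition notes for this dump."""
    logical = strip_oob(raw)
    return {
        "raw_sha256": hashlib.sha256(raw).hexdigest(),
        "logical_sha256": hashlib.sha256(logical).hexdigest(),
        "physical_pages": _pages(raw),
        "erased_pages": len(erased_pages(raw)),
    }


def make_page(data: bytes, oob: bytes = b"\xff" * OOB_SIZE) -> bytes:
    """Build one constructed physical page: data padded to PAGE_SIZE, then OOB."""
    if len(data) > PAGE_SIZE or len(oob) != OOB_SIZE:
        raise ValueError("page contents do not fit the assumed geometry")
    return data.ljust(PAGE_SIZE, b"\x00") + oob


# Constructed sample dump standing in for a real chip read: two written pages
# and one erased page.  Not data from any real device.
SAMPLE_READ = (
    make_page(b"SMS 2011-05-02 hello")
    + make_page(b"call log entry")
    + make_page(b"\xff" * PAGE_SIZE)
)

if __name__ == "__main__":
    # A second read with a single flipped bit in page 1 is caught before the
    # image is accepted as a faithful copy.
    second_read = bytearray(SAMPLE_READ)
    second_read[PHYS_PAGE + 3] ^= 0x01
    print("pages differing between reads:", verify_reads(SAMPLE_READ, bytes(second_read)))
    print(acquisition_record(SAMPLE_READ))
```

Pages reported by verify_reads should be re-read rather than accepted, since the claim that the copy is unchanged rests on the two reads agreeing; the hash of the raw dump is recorded as well as that of the logical image, because the raw dump is what the chip actually yielded.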

Tools

Early investigations consisted of live analysis of mobile devices, with examiners photographing or writing down useful material for use as evidence. This had the disadvantage of risking modification of the device's contents, and it left many parts of the proprietary operating system inaccessible.

In recent years a number of hardware/software tools have emerged to recover evidence from mobile devices. Most tools consist of a hardware portion, with a number of cables to connect the phone to the acquisition machine, and some software, to extract the evidence and, occasionally, to analyse it.

Some current tools include those by Radio Tactics, eDEC Digital Forensics, Cellebrite UFED, Micro Systemation XRY, Oxygen Forensic Suite 2, Paraben Device Seizure and MOBILedit! Forensic.


Controversies

There is no standard for what constitutes a "supported device" in a given product, so different vendors define the term differently, which makes it hard to compare products on the basis of vendor-supplied lists of supported devices. For instance, one vendor may list a device as supported when its logical extraction yields only the call log, while another product recovers far more from the same device. Different products also extract different amounts of information from different devices, which makes the product landscape hard to survey. Testing a product extensively before purchase is therefore strongly recommended, and it is common practice to use at least two products that complement each other.

For a detailed discussion see Gubian and Savoldi, 2007.
For a broad overview of NAND flash forensics see Salvatore Fiorillo, 2009.

Anti-forensics

Anti-computer forensics is harder to carry out on mobile devices because of their small size and the user's restricted access to the data. Nevertheless, there are developments to secure the memory in hardware with security circuits in the CPU and memory chip (for example, encrypting the flash contents under a key that never leaves the processor), such that the memory chip cannot be read in usable form even after desoldering.
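How the hardware protection described above shows up in a chip-off dump, as an added example that is not part of the original article: when the flash is encrypted under a key held in the processor, the desoldered chip still reads out, but every written page is indistinguishable from random bytes. The check below, with constructed sample pages and an assumed 2048+64-byte page geometry, classifies pages by Shannon entropy so the examiner can tell before carving whether the logical image holds anything recoverable. The 7.8 bits-per-byte threshold is a rule of thumb chosen for 2 KiB samples, not a standard.

```python
"""Entropy profile of a chip-off dump (added example).

Hardware-protected phones encrypt the flash under a key held in the
processor.  The desoldered chip then reads out normally, but every written
page looks like random bytes.  Classifying pages by Shannon entropy tells the
examiner, before any carving, whether the logical image can yield anything.
The 2048-byte data area / 64-byte spare page geometry is an ASSUMPTION.
"""
import math
import random
from collections import Counter

PAGE_SIZE = 2048
OOB_SIZE = 64
PHYS_PAGE = PAGE_SIZE + OOB_SIZE
HIGH_ENTROPY = 7.8   # bits per byte; rule of thumb for 2 KiB samples, not a standard


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant block, 8.0 for uniformly spread bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_page(data: bytes) -> str:
    """Label one page's data area as seen after chip-off.

    Erased NAND reads as all 0xFF.  Text, SQLite databases and file-system
    metadata stay well below HIGH_ENTROPY; ciphertext (like compressed media)
    sits near 8 bits per byte, so a dump with no page below the threshold is
    a sign of full-flash encryption rather than of an empty phone.
    """
    if data == b"\xff" * len(data):
        return "erased"
    return "high-entropy" if shannon_entropy(data) >= HIGH_ENTROPY else "plaintext-like"


def dump_profile(raw: bytes) -> dict:
    """Count pages per class over a raw dump, ignoring the spare areas."""
    if len(raw) % PHYS_PAGE:
        raise ValueError("dump is not a whole number of physical pages")
    profile = Counter()
    for off in range(0, len(raw), PHYS_PAGE):
        profile[classify_page(raw[off:off + PAGE_SIZE])] += 1
    return dict(profile)


def looks_encrypted(raw: bytes) -> bool:
    """True when every written page is high-entropy: carving the image is pointless."""
    p = dump_profile(raw)
    return p.get("plaintext-like", 0) == 0 and p.get("high-entropy", 0) > 0


def _page(data: bytes) -> bytes:
    """One constructed physical page: data padded to PAGE_SIZE, blank spare area."""
    return data.ljust(PAGE_SIZE, b"\x00") + b"\xff" * OOB_SIZE


# Constructed dumps, not from any real device.  The "encrypted" pages use a
# seeded PRNG as a stand-in for ciphertext so the result is reproducible.
_rng = random.Random(2011)
PLAIN_DUMP = _page(b"contacts.db SQLite format 3" * 40) + _page(b"\xff" * PAGE_SIZE)
ENCRYPTED_DUMP = (
    _page(bytes(_rng.getrandbits(8) for _ in range(PAGE_SIZE)))
    + _page(bytes(_rng.getrandbits(8) for _ in range(PAGE_SIZE)))
    + _page(b"\xff" * PAGE_SIZE)
)

if __name__ == "__main__":
    for name, dump in (("plain", PLAIN_DUMP), ("encrypted", ENCRYPTED_DUMP)):
        print(name, dump_profile(dump), "encrypted:", looks_encrypted(dump))
```

A dump that profiles as entirely high-entropy and erased pages is the expected outcome against the hardware protection described above: the chip-off read succeeded, but without the key held in the processor there is nothing for the file-system tools to work on.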

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 