Chip-off – isn’t that just for BlackBerrys?

We’ve been running chip-off training since 2013, and during that time we’ve taught a lot of delegates how to recover evidence from locked BlackBerry handsets. It feels like the right time to dispel some myths about chip-off and explain how the technique is just as relevant as it’s ever been (despite BlackBerry’s demise!).

MYTH 1 – Chip-off is only useful for locked BlackBerrys (and we hardly see any these days)

It’s true that locked BlackBerrys have historically been the most common scenario in which chip-off has been utilised, but the same techniques can be applied to other devices with great results. Previous course delegates routinely use chip-off techniques to secure physical extractions of Windows Phone devices, which can’t be performed in commercial tools, as well as of locked and unsupported Android devices where even Direct eMMC (ISP) isn’t viable.

Delegates on our Flash Memory Chip Removal course perform chip-off on Nokia Lumia and Sony Xperia devices for which chip-off is ideally suited.

MYTH 2 – Chip-off is destructive to the device

Chip-off is typically performed using hot air to de-solder the flash memory from the printed circuit board (PCB) of the device, and usually components are damaged during the process. In other words, chip-off is undertaken in such a way that the device won’t work again (but acquiring the memory contents can justify this). But it doesn’t need to be so.
Using the right techniques, it’s possible to de-solder the flash memory chip (whilst protecting the rest of the device), read the chip and then re-solder it and re-assemble the device. If the device can be used after chip-off then new opportunities arise, such as entering passwords (recovered from the extracted data) into the device. This means that the device itself can be used to unlock and decrypt stored data and a manual examination or logical extraction can be performed. The approach won’t work in every case (so the process should still be assumed to be destructive), but the ability to restore the device to a working condition is extremely powerful.

We have been busy refining such techniques; our record is de-soldering and re-soldering the same eMMC chip ten times and the handset still works! We now teach delegates how to re-solder flash memory chips after data has been extracted from them.

MYTH 3 – Chip-off is really expensive

The simple answer to this is that chip-off can be expensive, but it absolutely doesn’t need to be. Infra-red rework stations can be used to de-solder flash memory chips instead of using a hot-air approach. Although these can be effective, they are expensive and are not well suited to flash memory which has been glued to the PCB using epoxy. For these reasons we use a cheaper and more flexible approach of hot air guns and hot air pencils in our training.

The equipment needed to de-solder and extract data from the eMMC flash memory chips found in almost all current smartphones and tablets can be purchased for under £2,000 (including a fume extraction system). For organisations already outsourcing devices for chip-off, these equipment costs are easy to justify.

Chip-off now includes “chip back on”!

We have been teaching delegates how to successfully de-solder flash memory chips from mobile devices since 2013 with great success. Our Flash Memory Chip Removal course now includes re-soldering chips after they have been removed and read.

Historically, chip-off has been seen as a process which is always destructive to the device in question. However, in some circumstances it is possible to replace the flash memory chip such that the device can be powered on and any PIN/password (recovered from analysis of the recovered data) entered to gain access to the device. We’ll be teaching techniques for protecting the PCB and re-soldering the flash memory in order to make chip-off an even more powerful solution for locked devices.

At the same time, we’re updating the devices we use on the course to better reflect current “problem” devices. Delegates work with locked Android and Windows Phone devices which cannot be dumped using commercial forensic tools or direct eMMC (ISP) – in other words, where chip-off is the only solution for data extraction.

Do get in touch if you would like to check availability.

New website makes “direct eMMC” (ISP) dumping easier

We’re very excited to tell you about a new online service that we’re launching today in collaboration with our partners FoneFunShop. The website emmcpinouts.com is a repository of high-quality tested pinout diagrams for Android and Windows handsets as well as tablets and satnav devices.

Dumping smartphones, tablets and satnavs via “direct eMMC” (also known as ISP) is becoming increasingly common within forensic units. Direct eMMC, like JTAG, can be used to perform physical extractions of locked devices. However it is also suited to situations where a logical extraction is incomplete and a physical extraction is not possible within commercial forensic tools.

The biggest challenge with direct eMMC is finding the test points on the printed circuit board (PCB) of the device to connect to! That is why we’re launching emmcpinouts.com – a subscription-based repository of high-quality, reliable documentation. Annual subscriptions for unlimited access cost just £280 + VAT.

The repository currently contains pinout diagrams for 67 devices including Sony, Samsung, Motorola, HTC, TomTom models and we are committed to growing that number each month. All of the pinout diagrams were researched and tested by us so you can rely on them. The site also includes chip-off schematics for 30 BlackBerry devices.

Browsing the site is free – so you can see exactly which devices are documented before buying a subscription.

Making sense of Android storage areas

Android devices provide storage via a removable microSD card, an eMMC chip soldered to the circuit board or, in many cases, both. Life would be easy if all Android device extractions showed the same folder path for those two storage areas, but sadly that’s not the case. Variations in those folder paths between different Android devices and different Android versions mean that working out exactly where a recovered file is physically located within an Android device is harder than it should be.
That is why we’ve created www.controlf.net/sd within our Free Stuff area on the site. It lists the different folder paths that we’ve seen across different Android devices and versions for the removable microSD card and also for the built-in eMMC storage. The hope is that the page will help examiners to make sense of the folder paths being reported in device extractions and be able to report them with more confidence.

2nd eMMC Device Forensics course sold out!

Our first two eMMC Device Forensics courses are sold out, so we have added another course to the schedule, running 28 November – 1 December in Leeds (UK).

Our new 4-day “eMMC Device Forensics” course will teach delegates how to utilise ‘Direct eMMC’ (also known as In-system Programming or ISP) to perform physical extractions of Android & Windows Phone handsets & tablets which may not be possible with commercial forensic tools. Not only that, the techniques can be applied to many TomTom satnav units as well as a range of other devices which use eMMC flash memory chips internally. Direct eMMC is similar to JTAG in that it is a non-destructive method for performing a physical extraction via connections on the printed circuit board of the device. Direct eMMC may be possible on devices where JTAG is not supported (or may not be possible due to damage to the device), meaning that fewer devices fall into the “too difficult” pile.

Get in touch to check availability on the November course.

New eMMC Device Forensics course

Mobile forensics has always involved having a “Plan B” (and more besides) for the all too frequent occasions when standard acquisition techniques don’t work. Locked devices and models which aren’t supported for a physical extraction within forensic tools often need just such a backup plan. We’re delighted to be launching a new course for exactly those devices in 2016.

Our new 4-day “eMMC Device Forensics” course will teach delegates how to utilise ‘Direct eMMC’ (also known as In-system Programming or ISP) to perform physical extractions of Android & Windows Phone handsets & tablets which may not be possible with commercial forensic tools. Not only that, the techniques can be applied to many TomTom satnav units as well as a range of other devices which use eMMC flash memory chips internally. Direct eMMC is similar to JTAG in that it is a non-destructive method for performing a physical extraction via connections on the printed circuit board of the device. Direct eMMC may be possible on devices where JTAG is not supported (or may not be possible due to damage to the device), meaning that fewer devices fall into the “too difficult” pile.

Our first course runs 11-14 July 2016 in Leeds. For more information on the course including costs, visit the course page here and get in touch to check availability.

Python scripts save you time

Simple Python scripts can automate what would otherwise be time-consuming manual tasks in digital forensics; for example, recovering evidence from unsupported binary file formats and exporting that information to a CSV file. Python is a powerful programming language which is ideally suited to digital forensics. Our 3-day Python Scripting 1 course is the quickest and easiest route to writing simple digital forensics scripts which will save you time.

Our next course runs 4-6 May 2015 at Wyboston Lakes (Bedfordshire, UK). Contact us now for availability.

SQLite everywhere!

Smartphone devices use SQLite databases to store calls, contacts and SMS but more importantly, 3rd party app data too. Understanding how to find, recover and report evidence from SQLite databases is essential for today’s mobile forensic examiners.

Our 4½ day Smartphone App Forensics course teaches delegates how to get the most from SQLite databases recovered from iOS, Android, BlackBerry and Windows Phone 8 devices. Students will get hands-on experience of generating reports for unsupported apps and recovering deleted app data which commercial forensic tools may miss.

Our next course runs at Wyboston Lakes (UK) on 4-8 January 2016. Contact us now to check availability.

Advanced Smartphone & Tablet Acquisition course success

Our new Advanced Smartphone & Tablet Acquisition course launched in February and we’ve had great feedback from delegates:

“Excellent course, extremely enjoyable”

“Very useful, very informative. Excellent trainers”

Based on delegate feedback we have extended the course to 4½ days to give attendees more time to put into practice what they have learned.

Students learn how to bypass security mechanisms on Android, iOS and BlackBerry devices as well as exploit device backups to recover key evidence. We have limited places available on the next course, running 16-20 November at Wyboston Lakes (UK).

Recover live & deleted data from Windows Phone devices

Windows Phone devices like the Nokia Lumia range are increasingly popular and can be tricky to acquire via a USB data cable. The good news however is that full physical extractions of many Windows Phone devices can be obtained via the JTAG interface (using connections on the circuit board of the device).

Delegates on our JTAG Dumping for Android & Windows Phone course learn how to safely disassemble handsets and dump the contents of their flash memory using RIFF Box. Delegates then gain hands on experience in the recovery of evidence from those dumps.

JTAG dumping is also an ideal solution for dealing with locked Android handsets where USB Debugging is disabled. Delegates leave the course able to perform physical extractions of such devices and (crucially) recover pattern, PIN and passwords from those dumps such that the devices can be accessed manually and data cable extractions performed.

Dates, locations and pricing can be found on the course page here.

Contact us to check availability.