Smartphone forensics is a relatively new and rapidly developing area of interest within digital forensics. The market launch of “Simon”, the first smartphone from BellSouth and IBM, in 1995 did not yet lead to the birth of smartphone forensics in today’s sense. This was to drag on for a few more years, namely until the market launch of the first iPhone in 2007. It was this technology that triggered a change in society towards today’s digital society. The classic text message or the traditional phone call are now increasingly being replaced by other ways of exchanging information. Two examples of the communication transformation of today are video telephony and the exchange of location data. With these two new possibilities, we can create messages with greater information content more easily and quickly. Current devices can do much more than just exchange messages in the traditional sense. Since they contain a multitude of sensors, they are small everyday helpers that we like to have with us and use in many ways. This now means that the devices contain a huge collection of sensitive data about their owners.
Fig. 1: Global development of the ICT market segment
Sensitive user data
Given the pace at which development has progressed in recent years, there is also a need for forensic investigation of such devices. Of interest are the stored, sensitive user data, which can contribute decisively to the success of an investigation. Thus, this subfield of digital forensics is understood to mean the securing, recovery and analysis of digital information in criminal investigations. Central to this is the preservation of the integrity of the data. In order to extract the hidden information, a variety of different techniques are needed [1]. The specialists decide which adequate technique is to be used in a specific case. The decision is based on a large pool of experience and strongly influences the success of an investigation.
4 Methods for data extraction
Four types of data extraction are generally distinguished.
Fig. 2: Mobile forensics, pyramid of process classes, [3]
The last one, “physical data extraction”, we will look at in more detail. There are various criteria for comparing the methods. In this paper we will turn to a purely technical consideration and not include other aspects. A first method makes use of the fact that today’s devices generate comprehensive cloud backups. Here, the investigator can obtain an image of the information stored in the cloud if access data is available. Experts refer to this method as “over-the-air data extraction”. It provides a relatively modest depth of information. A particular disadvantage is that deleted data or data not stored in the cloud is withheld from the investigator. To mitigate this disadvantage, another variant is used, which is called “logical data extraction”. This technique exploits the offline backup capability of common devices to obtain data. For this, the device to be examined must be directly connected to a readout station. Often, special settings are necessary afterwards, such as activating software interfaces. In order to activate such software interfaces, access to the device settings is required. This can usually only be done with a known access code or a security hole in the system. This method is widespread and therefore many standardised procedures are known and tested. This has an extremely positive effect on efficiency and reproducibility. There are a number of manufacturers on the market who offer tool kits that address precisely this issue. The best known, to name but a few, are Cellebrite UFED [5], Micro Systemation [6] and Oxygen Forensic Suite [7]. These tools have several advantages, such as mobile use, prompt extraction and automated analysis of data, plus intuitive and easy usability.
Method depends on smartphone
The critical reader will certainly have noticed that the methods mentioned will not lead to success in all cases. Deleted data or very badly damaged devices are a particular sticking point. For it is often these pieces of information that contain an additional clue to play a decisive role in establishing the evidence. A device that has been reset to factory settings – possibly deliberately – contains a lot of data that is logically deleted but physically present. Special skills are needed to deal with such situations. This leads us to the discussion of procedures based on the method of “physical data extraction”. They make high demands on the methodology, the tools and the competence of the specialists. Especially because the technology is developing very fast. A new device is mostly based on the latest memory and mobile processor technologies. Another hurdle is the integration density as well as the accessibility of concrete information on the structure and components of a device. Physical data reading can be divided into two main groups. One group consists of so-called destructive extraction methods, while the other group combines the non-destructive ones.
Extraction via JTAG interfaces
A common non-destructive method uses the JTAG interface of integrated circuits (IC). The name JTAG is an acronym for Joint Test Action Group, which in turn is a common name for IEEE standard 1149 [12].1. This standard defines a method for testing and debugging ICs directly on the PCB. The resulting extraction procedure via the JTAG interface is the so-called Boundary Scan Test according to IEEE 1149.1, which enables the internal states of an IC to be read out. ICs that are JTAG-capable therefore have additional circuit logic that is completely disconnected during normal operation and thus does not influence the function of the component. Only after activating the JTAG function on a specific pin, the TMS (Test Mode Select) input, can the hardware system be influenced with the help of this additional functionality. This makes it possible to read out or change the internal states of the memory cells for test and analysis purposes.
What works without interfaces
Since certain mobile device manufacturers deliberately forego this procedure for hardware testing or permanently deactivate these interfaces, other methods are needed. A promising but also demanding method is the “chip-off”. Chip-off” is a data extraction process in which the device is destroyed. In this process, the relevant ICs are physically removed from the device board in order to address them directly via their standardised interface [8, 9]. Various reading and writing devices are used for this purpose. In certain cases, even customised procedures have to be designed and developed to make exotic memory ICs readable. In the “chip-off” process, the detachment of the memory IC is the critical step. There are several ways to do this as gently as possible. One is to heat the board just enough so that the solder connection between the board and the component under investigation can be separated. Precise adherence to temperature profiles is a key element here. If this is not successful, the data may be altered or the memory cell completely destroyed [10, 11]. Thermal destruction is irreparable and leads to the complete loss of the data.
Usefulness for criminal investigations
After physical extraction, the data is available as a binary memory image. Such a memory image must be processed further until the information is finally available in a suitable form. It is then this information that is used in a criminal investigation to substantiate evidence.
Fig. 3: The three phases of a chip-off process [4]
Choosing the right method in each case requires a lot of experience. Especially in the physical processes, where a high level of technical expertise in combination with process creativity is also required. For the specialists, what makes these challenges special is the zero error tolerance. The specific data in an investigation is always unique and therefore valuable.
References
- https://www.itu.int/en/ITU-D/Statistics/Pages/stat/default.aspx
- Mobile Forensics: Investigation Process Model (DFRWS 2003)
- Guidelines on Mobile Device Forensics
- https://resources.infosecinstitute.com/category/computerforensics/introduction/mobile-forensics/the-mobile-forensics-process-steps-types/
- A. Habegger, Removing and Securing Memory Chips, 11th National IT Investigators Conference in Bern, 2015
- https://www.cellebrite.com/de/products/ufed-ultimate-de/
- https://www.msab.com/
- https://www.oxygen-forensic.com/en/products/oxygen-forensic-kit
- M. Breeuwsma, et al. Forensic Data Recovery from Flash Memory (SMALL SCALE DIGITAL DEVICE FORENSICS JOURNAL, VOL. 1, NO. 1, JUNE 2007)
- Svein Y. Willassen, Norwegian University of Science and Technology, Forensic analysis of mobile phone internal memory
- Improving the Reliability of Chip-O#Forensic Analysis of NAND Flash Memory Devices
- SWGDE Tech Notes regarding Chip-off via Material Removal Using a Lap and Polish Process
- https://standards.ieee.org/standard/1149_8_1-2012.html