Tag Archive for: IT-Forensik

Challenges in digital forensics on smartphones

Smartphone forensics is a relatively new and rapidly developing area of interest within digital forensics. The market launch of “Simon”, the first smartphone from BellSouth and IBM, in 1995 did not yet lead to the birth of smartphone forensics in today’s sense. This was to drag on for a few more years, namely until the market launch of the first iPhone in 2007. It was this technology that triggered a change in society towards today’s digital society. The classic text message or the traditional phone call are now increasingly being replaced by other ways of exchanging information. Two examples of the communication transformation of today are video telephony and the exchange of location data. With these two new possibilities, we can create messages with greater information content more easily and quickly. Current devices can do much more than just exchange messages in the traditional sense. Since they contain a multitude of sensors, they are small everyday helpers that we like to have with us and use in many ways. This now means that the devices contain a huge collection of sensitive data about their owners.

Fig. 1: Global development of the ICT market segment

Sensitive user data

Given the pace at which development has progressed in recent years, there is also a need for forensic investigation of such devices. Of interest are the stored, sensitive user data, which can contribute decisively to the success of an investigation. Thus, this subfield of digital forensics is understood to mean the securing, recovery and analysis of digital information in criminal investigations. Central to this is the preservation of the integrity of the data. In order to extract the hidden information, a variety of different techniques are needed [1]. The specialists decide which adequate technique is to be used in a specific case. The decision is based on a large pool of experience and strongly influences the success of an investigation.

4 Methods for data extraction

Four types of data extraction are generally distinguished.

Fig. 2: Mobile forensics, pyramid of process classes, [3]

The last one, “physical data extraction”, we will look at in more detail. There are various criteria for comparing the methods. In this paper we will turn to a purely technical consideration and not include other aspects. A first method makes use of the fact that today’s devices generate comprehensive cloud backups. Here, the investigator can obtain an image of the information stored in the cloud if access data is available. Experts refer to this method as “over-the-air data extraction”. It provides a relatively modest depth of information. A particular disadvantage is that deleted data or data not stored in the cloud is withheld from the investigator. To mitigate this disadvantage, another variant is used, which is called “logical data extraction”. This technique exploits the offline backup capability of common devices to obtain data. For this, the device to be examined must be directly connected to a readout station. Often, special settings are necessary afterwards, such as activating software interfaces. In order to activate such software interfaces, access to the device settings is required. This can usually only be done with a known access code or a security hole in the system. This method is widespread and therefore many standardised procedures are known and tested. This has an extremely positive effect on efficiency and reproducibility. There are a number of manufacturers on the market who offer tool kits that address precisely this issue. The best known, to name but a few, are Cellebrite UFED [5], Micro Systemation [6] and Oxygen Forensic Suite [7]. These tools have several advantages, such as mobile use, prompt extraction and automated analysis of data, plus intuitive and easy usability.

Method depends on smartphone

The critical reader will certainly have noticed that the methods mentioned will not lead to success in all cases. Deleted data or very badly damaged devices are a particular sticking point. For it is often these pieces of information that contain an additional clue to play a decisive role in establishing the evidence. A device that has been reset to factory settings – possibly deliberately – contains a lot of data that is logically deleted but physically present. Special skills are needed to deal with such situations. This leads us to the discussion of procedures based on the method of “physical data extraction”. They make high demands on the methodology, the tools and the competence of the specialists. Especially because the technology is developing very fast. A new device is mostly based on the latest memory and mobile processor technologies. Another hurdle is the integration density as well as the accessibility of concrete information on the structure and components of a device. Physical data reading can be divided into two main groups. One group consists of so-called destructive extraction methods, while the other group combines the non-destructive ones.

Extraction via JTAG interfaces

A common non-destructive method uses the JTAG interface of integrated circuits (IC). The name JTAG is an acronym for Joint Test Action Group, which in turn is a common name for IEEE standard 1149 [12].1. This standard defines a method for testing and debugging ICs directly on the PCB. The resulting extraction procedure via the JTAG interface is the so-called Boundary Scan Test according to IEEE 1149.1, which enables the internal states of an IC to be read out. ICs that are JTAG-capable therefore have additional circuit logic that is completely disconnected during normal operation and thus does not influence the function of the component. Only after activating the JTAG function on a specific pin, the TMS (Test Mode Select) input, can the hardware system be influenced with the help of this additional functionality. This makes it possible to read out or change the internal states of the memory cells for test and analysis purposes.

What works without interfaces

Since certain mobile device manufacturers deliberately forego this procedure for hardware testing or permanently deactivate these interfaces, other methods are needed. A promising but also demanding method is the “chip-off”. Chip-off” is a data extraction process in which the device is destroyed. In this process, the relevant ICs are physically removed from the device board in order to address them directly via their standardised interface [8, 9]. Various reading and writing devices are used for this purpose. In certain cases, even customised procedures have to be designed and developed to make exotic memory ICs readable. In the “chip-off” process, the detachment of the memory IC is the critical step. There are several ways to do this as gently as possible. One is to heat the board just enough so that the solder connection between the board and the component under investigation can be separated. Precise adherence to temperature profiles is a key element here. If this is not successful, the data may be altered or the memory cell completely destroyed [10, 11]. Thermal destruction is irreparable and leads to the complete loss of the data.

Usefulness for criminal investigations

After physical extraction, the data is available as a binary memory image. Such a memory image must be processed further until the information is finally available in a suitable form. It is then this information that is used in a criminal investigation to substantiate evidence.

Fig. 3: The three phases of a chip-off process [4]

Choosing the right method in each case requires a lot of experience. Especially in the physical processes, where a high level of technical expertise in combination with process creativity is also required. For the specialists, what makes these challenges special is the zero error tolerance. The specific data in an investigation is always unique and therefore valuable.


  1. https://www.itu.int/en/ITU-D/Statistics/Pages/stat/default.aspx
  2. Mobile Forensics: Investigation Process Model (DFRWS 2003)
  3. Guidelines on Mobile Device Forensics
  4. https://resources.infosecinstitute.com/category/computerforensics/introduction/mobile-forensics/the-mobile-forensics-process-steps-types/
  5. A. Habegger, Removing and Securing Memory Chips, 11th National IT Investigators Conference in Bern, 2015
  6. https://www.cellebrite.com/de/products/ufed-ultimate-de/
  7. https://www.msab.com/
  8. https://www.oxygen-forensic.com/en/products/oxygen-forensic-kit
  9. M. Breeuwsma, et al. Forensic Data Recovery from Flash Memory (SMALL SCALE DIGITAL DEVICE FORENSICS JOURNAL, VOL. 1, NO. 1, JUNE 2007)
  10. Svein Y. Willassen, Norwegian University of Science and Technology, Forensic analysis of mobile phone internal memory
  11. Improving the Reliability of Chip-O#Forensic Analysis of NAND Flash Memory Devices
  12. SWGDE Tech Notes regarding Chip-off via Material Removal Using a Lap and Polish Process
  13. https://standards.ieee.org/standard/1149_8_1-2012.html
Creative Commons LicenceCreate PDF

Related Posts

None found

Cybersecurity und IT-Forensik

The focus “Cyber Security & IT Forensics” deals with selected topics related to the security of the computer infrastructure, such as confidentiality, integrity and availability of data, but also with questions related to the protection of privacy. The digital society only functions if people can rely on a secure and trustworthy computer infrastructure. This consists of powerful end devices, omnipresent networks and central servers. Confidentiality, integrity and availability of data, but also protection of privacy are central to this. The focus is on the devices that people use directly and daily: their smartphones, tablets or laptops. Malware It is primarily these devices that are attacked by malware. Criminal elements spread malware around the world with the aim of deriving economic or financial benefit from it. Malware is a computer programme that usually performs unwanted functions invisibly. They appear in a wide variety of forms:

  • Computer viruses are programmes that spread copies of themselves via the exchange of documents on storage media
  • Computer worms infect other computers via networks
  • Trojan horses, on the other hand, are programmes that superficially benefit the user, but invisibly perform unwanted functions in the background, such as stealing passwords or contact information.
  • Recently, the number of cases in which so-called ransomware is used has increased. These are malware programmes that encrypt the user data of a system with a secret key, so that their access is blocked by the user for the time being. Access is only possible again after the payment of a ransom (ransom) by the communication of a secret key.

Protection through research In our research, we investigate how malware works. We try to understand how they work, how they spread and what they do. We also study the development history of the malware. Understanding the development history helps us to better protect and anticipate the systems. Our know-how is in demand from companies and service providers who provide security-critical computer infrastructure and/or use it themselves. On the other hand, the knowledge gained flows into teaching, for example so that students learn how to write robust software that is resistant to attacks of this kind. Protection of privacy Computers and terminals, networked with the Internet, represent a combination of private and public space, similar to private living space and public space (streets, squares, transport systems, public services). Just as there is protection of private information (for example, medical secrecy, voting secrecy) in real spaces, there must be the same protection in cyberspace. We are dealing with the question of how this protection can be provided on the basis of concrete issues such as e-voting, personal health data or mobility pricing. IT forensics If norms established by society are violated, it is important to record the facts in the case of suspicious incidents. As in the real world, traces of criminal acts must also be recorded in cyberspace, and in such a way that their evidence will stand up before a judge. The question here is: Are there traces in the suspects’ devices that confirm a criminal act that has been committed? Our research focuses on the field of memory forensics. On the teaching side, we actively help in the Master’s training course Maîtrise universitaire ès Sciences en science forensique orientation investigation et identification numériques at the University of Lausanne.

Creative Commons LicenceCreate PDF

Related Posts

None found