- Mobile Forensics:Advanced Investigative Strategies
- Oleg Afonin Vladimir Katalov
- 2025-02-21 14:00:06
Chip-off
Chip-off acquisition is a highly advanced, destructive extraction technique that requires attaching wire leads to the PCB contacts or physically removing (desoldering) the phone's flash memory chip. Chip-off is considered more difficult compared to JTAG; however, the amount of information acquired via chip-off acquisition is similar to the amount of data acquired by JTAGging the device. Since most smartphones use standard eMMC flash modules, the process is standardized and typically presents no surprises to the examiner.
When imaging computer hard drives, one normally attempts to go as low level as possible. In the world of mobile forensics, the lowest-level access is not always the best. While reading the chips directly produces a complete raw dump of the memory chips, the investigator may be faced with an encrypted partition whose decryption keys are stored nowhere in that dump. In the case of Apple devices, many Samsung phones, and other devices (for example, the Android 5 Nexus line), encryption is enforced out-of-the-box. This forced encryption cannot be bypassed during low-level acquisition or by attacking the offline image, even if you know the correct passcode. Chip-off acquisition delivers the best result when used on unencrypted devices.
Chip-off benefits include the following:
- Acquires locked devices with an unknown PIN/passcode
- Supports locked Android devices with USB Debugging turned off
- Available for all Windows Phone models
- Available for devices running proprietary operating systems (for example, Ubuntu Touch, Firefox OS, and so on)
- Excellent chance of extracting the content of locked up, damaged, and broken devices
- Extracts data from devices not supported by any forensic tools
- Supports devices without JTAG ports
- High acquisition speed
Major drawbacks of chip-off acquisition include the following:
- Cannot overcome encryption (experts may or may not be able to decrypt extracted images)
- Requires disassembling the device
- Requires extremely high level of expertise
- Extremely labor-intensive
- Destructive process
Chip-off acquisition is useless on Apple iOS devices as these devices enforce encryption out-of-the-box. It's also useless on encrypted BlackBerry 10 devices; however, BlackBerry 10 does not enforce encryption and does not enable it out-of-the-box, so the encryption status of BB10 smartphones should be confirmed on a case-by-case basis.
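Because the encryption status decides whether a chip-off dump is worth the effort, a quick triage of the raw image helps. The following Python script is an added example, not code from the book: it walks a dump in 4 KiB blocks, flags blocks whose Shannon entropy is close to 8 bits/byte (the signature of ciphertext or compressed data), and checks for an ext4 superblock magic. The sample image it builds is constructed here for demonstration.

```python
import math
import random
from collections import Counter

BLOCK = 4096
HIGH_ENTROPY = 7.5  # bits/byte; encrypted or random data sits near 8.0


def block_entropy(data: bytes) -> float:
    """Shannon entropy of a block in bits per byte (0.0 for an empty block)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_ext4(image: bytes) -> bool:
    """ext2/3/4 keep a superblock at offset 1024; its magic 0xEF53 sits at +0x38 (little-endian)."""
    return len(image) >= 0x43A and image[0x438:0x43A] == b"\x53\xef"


def triage_image(image: bytes, block: int = BLOCK) -> dict:
    """Count high-entropy blocks so the examiner can see how much of the dump is likely ciphertext."""
    total = high = 0
    for off in range(0, len(image), block):
        total += 1
        if block_entropy(image[off:off + block]) >= HIGH_ENTROPY:
            high += 1
    ratio = high / total if total else 0.0
    return {
        "blocks": total,
        "high_entropy": high,
        "ratio": ratio,
        "ext4_superblock": looks_like_ext4(image),
        "likely_encrypted": ratio > 0.9,  # assumed threshold for a fully encrypted partition
    }


def build_sample_image() -> bytes:
    """Constructed sample: four plaintext blocks carrying an ext4 magic, then four pseudo-random blocks."""
    rng = random.Random(1234)
    plain = bytearray((b"contact:alice@example.test;sms:hello\x00" * 500)[:4 * BLOCK])
    plain[0x438:0x43A] = b"\x53\xef"
    ciphertext_like = bytes(rng.getrandbits(8) for _ in range(4 * BLOCK))
    return bytes(plain) + ciphertext_like


if __name__ == "__main__":
    print(triage_image(build_sample_image()))
```

A visible ext4 superblock does not by itself mean the data is readable: file-based encryption schemes leave filesystem metadata in the clear while file contents remain high-entropy, so the per-block ratio is the more useful indicator.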