- Mobile Forensics: Advanced Investigative Strategies
- Oleg Afonin, Vladimir Katalov
- 2025-02-21 14:00:06
In-system programming
In-system programming (ISP) forensics is a non-destructive variation of chip-off acquisition. ISP is an advanced acquisition process that is in between JTAG and chip-off. During the acquisition process, examiners can attempt to dump the content of the eMMC memory without removing the chip. ISP acquisition is only available for devices utilizing eMMC or eMCP-style ball grid array (BGA) chips. Access to the memory is obtained through access points around the BGA chip. This acquisition process is considered non-destructive in that, if all stars align, the device can be reassembled and booted after the extraction.
eMMC ISP is used to create a binary image of the device, which can be acquired and analyzed with one of the many commercially-available forensic tools, such as UFED or Oxygen Forensic Suite.
ISP benefits include the following:
- Standardized procedure for eMMC BGA chips
- Considered non-destructive (device can be reassembled and booted afterwards)
- Can acquire locked devices with unknown PIN/passcode
- Supports locked Android devices with USB Debugging turned off
- Available for all Windows Phone models
- Available for devices running proprietary operating systems (for example, Ubuntu Touch, Firefox OS, and so on)
- Excellent chance of extracting the content of locked up, damaged, and broken devices
- Extracts data from devices not supported by any forensic tools
- Supports devices without JTAG ports
- High acquisition speed
Major drawbacks of ISP acquisition include the following:
- Cannot overcome encryption (experts may or may not be able to decrypt extracted images)
- Highly invasive process, requires disassembling the device
- Still requires a high level of expertise
- Labor-intensive
Limitations of the ISP acquisition process are similar to those of chip-off. Encrypted devices are better left to other acquisition techniques, meaning that no Apple smartphone or tablet can be acquired via ISP. Technically, the technique can be used on an Apple iOS device; however, decrypting the data partition will not be possible.
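A first-pass triage of the binary image that eMMC ISP produces, as an added example (not from the book): it parses the GPT of the raw dump and flags partitions whose first bytes look encrypted, the main drawback listed above. The 512-byte sector size, the 7.5 bits/byte entropy threshold, and the sample image with its partition names and layout are assumptions constructed for illustration.

```python
import math, struct
from collections import Counter

SECTOR = 512  # assumption: eMMC user area addressed in 512-byte sectors

def entropy(buf):
    """Shannon entropy in bits per byte (8.0 = uniformly distributed)."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def classify(part):
    """Guess what a partition holds from its first 4 KiB."""
    if part[1080:1082] == b"\x53\xef":          # ext2/3/4 magic 0xEF53
        return "ext4 superblock"
    if part[1024:1028] == b"\x10\x20\xf5\xf2":  # F2FS magic 0xF2F52010
        return "f2fs superblock"
    return "high entropy (likely encrypted)" if entropy(part[:4096]) > 7.5 else "unknown"

def triage(image):
    """Parse the GPT of a raw dump; return {partition name: classification}."""
    hdr = image[SECTOR:SECTOR + 92]
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    entries_lba, count, size = struct.unpack_from("<QII", hdr, 72)
    base, out = entries_lba * SECTOR, {}
    for i in range(count):
        e = image[base + i * size:base + (i + 1) * size]
        if len(e) < 128 or e[:16] == bytes(16):  # truncated or unused slot
            continue
        first, last = struct.unpack_from("<QQ", e, 32)
        name = e[56:128].decode("utf-16-le", "replace").rstrip("\x00")
        out[name] = classify(image[first * SECTOR:(last + 1) * SECTOR])
    return out

def sample_image():
    """Constructed 64-sector image: 'system' is ext4, 'userdata' mimics ciphertext."""
    img = bytearray(64 * SECTOR)
    img[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<QII", img, SECTOR + 72, 2, 2, 128)  # entries at LBA 2
    for i, (name, first, last) in enumerate([("system", 8, 23), ("userdata", 24, 39)]):
        off = 2 * SECTOR + i * 128
        img[off:off + 16] = b"\x01" * 16                   # placeholder type GUID
        struct.pack_into("<QQ", img, off + 32, first, last)
        img[off + 56:off + 56 + 2 * len(name)] = name.encode("utf-16-le")
    img[8 * SECTOR + 1080:8 * SECTOR + 1082] = b"\x53\xef"
    img[24 * SECTOR:24 * SECTOR + 4096] = bytes(range(256)) * 16  # uniform histogram
    return bytes(img)

print(triage(sample_image()))
```

For a real multi-gigabyte dump, pass an `mmap` of the image file to `triage` instead of loading it into memory. A visible superblock does not rule out file-based encryption of the file contents, so treat the result as a pointer for where to look next.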