Saturday, May 20, 2017

JTAG Acquisition in Mobile Forensics, the forensic analyst's guide

Hi all, today we have an interesting and very important topic in mobile forensics: JTAG. JTAG forensics is an advanced acquisition method in mobile forensics that requires expertise and patience.

Firstly we need to know what JTAG is:


JTAG is a common hardware interface that gives your computer a way to communicate directly with the chips on a board. It was originally developed by a consortium, the Joint Test Action Group, in the mid-80s to address the increasing difficulty of testing printed circuit boards (PCBs), and it was standardized as IEEE 1149.1 (boundary scan) in 1990.
JTAG forensics is a method of connecting the Test Access Ports (TAPs) standardized by the Joint Test Action Group to a JTAG emulator (a "JTAG box") in order to read the raw data stored in the connected device. The TAP is a small serial interface of four signals, TCK, TMS, TDI and TDO (plus an optional TRST), and those are the test points you will be looking for on the board. Through the TAP, communication happens over the boundary-scan path, using the Boundary Scan Registers (BSR) that interface with the components on the PCB. Those components can be read or programmed in place, without removing them from the board and without having to read or program each one separately. You can read this paper, which explains JTAG in much more depth. In general, JTAG acquisition produces a full image of the device's flash memory, complete with unallocated space.

Note that:

1- This method is not available for any Apple device.
2- JTAG does not bypass the flash controller: it can only reach the memory area that the controller of the acquired device exposes (for an eMMC, the user area the embedded controller presents, not the raw NAND underneath). For that reason it is not recommended for phones with plain flash chips.

When should you use the JTAG method? You decide to use JTAG when:

1- Commercial forensic tools fail to image the device.

2- The device is soft-bricked or unbootable.

3- The device is locked with an unknown passcode and USB debugging is not enabled.

Advantages and disadvantages of using JTAG:

Advantages:

1- Non-destructive, but invasive (the device has to be disassembled).

2- Can acquire locked, damaged and broken devices.

3- Available for many Windows Phone models, where it is the only option before chip-off (which is destructive).

4- Available for devices running less common operating systems (Ubuntu Touch, Firefox OS).

Disadvantages:

1- Requires a high skill level and disassembling the device.

2- Slow acquisition speed (dumping an 8 GB phone can take 2+ days).

3- Only available for a limited number of devices with accessible TAP ports.

4- You will need more than one JTAG box: each box supports a set of models, and no single box supports every mobile device.

5- Cannot overcome encryption: if encryption is enabled you extract a raw encrypted image, which you will still have to decrypt before you can parse or carve it.

Tools to perform a JTAG extraction (the main ones, not consumables like flux and wires):

1- A JTAG box such as RIFF, Z3X or Medusa Pro.

2- A JPIN JTAG Molex flex kit (with which you sometimes will not need to solder at all).

3- Forensic software that supports carving, to mount and analyze the extracted image, for example XRY importing it as an Android Physical/JTAG image.

Steps of a JTAG forensic examination:

1- Identify the TAPs (test points) to use for the JTAG connection: the TAP signals TCK, TMS, TDI and TDO, ground, and on most box pinouts a reset line and a voltage reference. There is no manufacturer documentation, so you have two options. The first is the documentation that comes with your box; in Z3X, for example, every supported phone has a JPG "pinout" image showing the test points you need to connect. The second, if the phone is not supported by the box and an internet search turns up nothing, is to find the pins yourself with a hardware tool such as the JTAGulator, an open-source hardware tool that helps identify on-chip debug (OCD) connections from test points, vias or component pads on a target device, or with JTAGenum, which does the same from an Arduino-class board by trying pin combinations until it reads a valid IDCODE.

2- Connect wires to the identified TAPs, either by soldering or with the JPIN Molex adapter.

3- The wires lead to the JTAG box.

4- Use the box software to dump the physical image from the phone; it is saved as a .bin file.

5- Disconnect the wires, clean the solder residue off the board and reassemble the device.

6- Hash the .bin file as soon as it is written (MD5/SHA-256), then open it in your forensic software and start analyzing.
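To make the TAP described above, and the IDCODE scan that JTAGulator and JTAGenum perform in step 1, concrete, here is an added example that is not code from the original post or from either tool. It models an IEEE 1149.1 TAP controller in software, then bit-bangs it the way a pin-finding tool does: every (TCK, TMS, TDO) assignment over a set of board test points is tried, the TAP is reset with five TMS=1 clocks, walked to Shift-DR, and 32 bits are shifted out; only the assignment that yields a well-formed IDCODE is reported. The device, its instruction opcodes, the five test points "TP1".."TP5" and their wiring are all constructed; the IDCODE value 0x4BA00477 is used only because it decodes to the JEDEC manufacturer code 0x23B (ARM).

```python
"""Model of an IEEE 1149.1 TAP and a JTAGenum-style IDCODE pin scan.

Added example, not code from the original post or from JTAGulator/JTAGenum.
The device, its IDCODE and the five board test points are constructed so the
script runs offline; a real scan bit-bangs real pads from a microcontroller.
"""
from itertools import permutations

# TAP controller state machine: state -> (next if TMS=0, next if TMS=1)
TAP = {
    "TLR": ("RTI", "TLR"),       "RTI": ("RTI", "SELDR"),
    "SELDR": ("CAPDR", "SELIR"), "CAPDR": ("SHDR", "EX1DR"),
    "SHDR": ("SHDR", "EX1DR"),   "EX1DR": ("PAUDR", "UPDR"),
    "PAUDR": ("PAUDR", "EX2DR"), "EX2DR": ("SHDR", "UPDR"),
    "UPDR": ("RTI", "SELDR"),    "SELIR": ("CAPIR", "TLR"),
    "CAPIR": ("SHIR", "EX1IR"),  "SHIR": ("SHIR", "EX1IR"),
    "EX1IR": ("PAUIR", "UPIR"),  "PAUIR": ("PAUIR", "EX2IR"),
    "EX2IR": ("SHIR", "UPIR"),   "UPIR": ("RTI", "SELDR"),
}
IR_IDCODE = 0b1110   # constructed 4-bit opcode for this model device
IR_BYPASS = 0b1111   # all-ones is BYPASS in every 1149.1 device


class SimulatedTap:
    """One device on the scan chain, with only IDCODE and BYPASS registers."""

    def __init__(self, idcode):
        self.idcode, self.state, self.ir = idcode, "TLR", IR_IDCODE
        self.ir_shift = self.dr = 0
        self.dr_len = 32

    def clock(self, tms, tdi):
        """One rising TCK edge. Returns the TDO bit that was visible before it."""
        tdo, s = 0, self.state
        if s == "TLR":
            self.ir = IR_IDCODE                 # reset selects IDCODE (or BYPASS)
        elif s == "CAPDR":                      # load the selected data register
            self.dr, self.dr_len = (self.idcode, 32) if self.ir == IR_IDCODE else (0, 1)
        elif s == "SHDR":                       # LSB goes out on TDO, TDI enters at the top
            tdo = self.dr & 1
            self.dr = (self.dr >> 1) | (tdi << (self.dr_len - 1))
        elif s == "CAPIR":
            self.ir_shift = 0b0001              # 1149.1: captured IR value ends in 01
        elif s == "SHIR":
            tdo = self.ir_shift & 1
            self.ir_shift = (self.ir_shift >> 1) | (tdi << 3)
        elif s == "UPIR":
            self.ir = self.ir_shift
        self.state = TAP[s][tms]
        return tdo


class Board:
    """Constructed target: named test points, some wired to the TAP signals."""

    def __init__(self, tap, wiring):
        self.tap, self.wiring, self.levels, self.tdo = tap, wiring, {}, 0

    def drive(self, pin, level):
        self.levels[pin] = level

    def pulse(self, pin):
        """Rising edge on `pin`; only the real TCK pad clocks the TAP.
        Undriven TMS/TDI read as 1 (1149.1 requires pull-ups on them)."""
        if pin == self.wiring["TCK"]:
            self.tdo = self.tap.clock(self.levels.get(self.wiring["TMS"], 1),
                                      self.levels.get(self.wiring["TDI"], 1))

    def read(self, pin):
        if pin == self.wiring["TDO"]:
            return self.tdo
        return self.levels.get(pin, 0)          # any other pad: whatever it was driven to


def read_idcode(board, tck, tms, tdo):
    """Reset the TAP, walk to Shift-DR and shift 32 bits out, LSB first."""
    def step(level):
        board.drive(tms, level)
        board.pulse(tck)
        return board.read(tdo)
    for _ in range(5):
        step(1)                                 # five TMS=1 clocks reach Test-Logic-Reset
    for level in (0, 1, 0, 0):                  # RTI -> Select-DR -> Capture-DR -> Shift-DR
        step(level)
    value = 0
    for i in range(32):
        value |= step(1 if i == 31 else 0) << i   # last bit also moves to Exit1-DR
    return value


def valid_idcode(code):
    """1149.1 fixes bit 0 at 1; all-ones is what a floating or stuck-high line reads."""
    return code & 1 == 1 and code != 0xFFFFFFFF


def decode_idcode(code):
    return {"version": code >> 28, "part": (code >> 12) & 0xFFFF,
            "manufacturer": (code >> 1) & 0x7FF}   # 11-bit JEDEC manufacturer code


def scan_for_tap(board, pins):
    """Try every (TCK, TMS, TDO) assignment, as JTAGenum's IDCODE scan does."""
    hits = []
    for tck, tms, tdo in permutations(pins, 3):
        code = read_idcode(board, tck, tms, tdo)
        if valid_idcode(code):
            hits.append(((tck, tms, tdo), code))
    return hits


def build_demo_board():
    """Five test points; TP2/TP4/TP1/TP5 carry TCK/TMS/TDO/TDI (constructed wiring)."""
    tap = SimulatedTap(0x4BA00477)              # decodes to JEDEC manufacturer 0x23B (ARM)
    board = Board(tap, {"TCK": "TP2", "TMS": "TP4", "TDO": "TP1", "TDI": "TP5"})
    return board, ["TP1", "TP2", "TP3", "TP4", "TP5"]


if __name__ == "__main__":
    demo_board, test_points = build_demo_board()
    for pinout, code in scan_for_tap(demo_board, test_points):
        print("TCK/TMS/TDO =", pinout, "IDCODE = 0x%08X" % code, decode_idcode(code))
```

The two sanity checks in `valid_idcode` are the same ones the real tools rely on: a TDO candidate that is actually an unconnected pad or a pin you drove earlier reads as all zeros or all ones, and neither passes. On a real board you would also try the candidate reset line, since some chips hold the TAP in reset until it is released.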

Now you have performed a physical dump of a mobile device using the JTAG method; you can extract data, recover deleted data or even do some carving. Next time I will cover another method in the same detail: ISP/ICSP (In-System Programming / In-Circuit Serial Programming).
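What step 6 looks like in practice, and how disadvantage 5 (an encrypted image) shows up, is illustrated by the following added example; it is not the post's code and not a vendor tool. It reads a raw dump, verifies the GPT header and partition-array CRC32s (a cheap integrity check on a dump that took two days to pull), hashes every partition, and uses byte entropy to flag partitions that are encrypted and therefore useless to carve. The dump is constructed in memory: a 128 KiB GPT image with a plaintext "boot" partition carrying the Android boot-image magic and a "userdata" partition filled with seeded random bytes standing in for ciphertext; the type GUID used is the real GPT "Linux filesystem" GUID. On a real .bin you would pass `open(path, "rb").read()` to `triage_dump` instead.

```python
"""Triage of a raw JTAG/eMMC dump: partition table, hashes and entropy.

Added example, not the original post's code or any vendor's tool. The dump is
constructed in memory (a 128 KiB GPT image with a 'boot' and a 'userdata'
partition); triage_dump(open(path, 'rb').read()) works on a real .bin as well.
"""
import hashlib
import math
import random
import struct
import uuid
import zlib

SECTOR = 512
LINUX_FS_GUID = uuid.UUID("0fc63daf-8483-4772-8e79-3d69d8477de4")  # GPT 'Linux filesystem' type


def shannon_entropy(data):
    """Bits per byte, 0..8; encrypted or compressed data sits close to 8."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_gpt(image):
    """Return the used GPT entries from a raw image, verifying both CRC32s."""
    hdr = bytes(image[SECTOR:2 * SECTOR])
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1 (MBR-only, encrypted, or not a raw dump?)")
    hdr_size, hdr_crc = struct.unpack_from("<II", hdr, 12)
    if zlib.crc32(hdr[:16] + b"\0\0\0\0" + hdr[20:hdr_size]) != hdr_crc:
        raise ValueError("GPT header CRC mismatch: dump incomplete or corrupt")
    ent_lba, n_ent, ent_size, ent_crc = struct.unpack_from("<QIII", hdr, 72)
    table = bytes(image[ent_lba * SECTOR:ent_lba * SECTOR + n_ent * ent_size])
    if zlib.crc32(table) != ent_crc:
        raise ValueError("GPT partition array CRC mismatch")
    parts = []
    for i in range(n_ent):
        e = table[i * ent_size:(i + 1) * ent_size]
        type_guid = uuid.UUID(bytes_le=e[:16])
        if type_guid.int == 0:
            continue                                    # unused slot
        first, last = struct.unpack_from("<QQ", e, 32)
        name = e[56:128].decode("utf-16-le").rstrip("\0")
        parts.append({"name": name, "type": str(type_guid), "first": first, "last": last})
    return parts


def triage_dump(image, high_entropy=7.9):
    """Hash every partition and flag those that look encrypted (nothing to carve)."""
    report = []
    for p in parse_gpt(image):
        blob = image[p["first"] * SECTOR:(p["last"] + 1) * SECTOR]
        ent = shannon_entropy(blob)
        report.append({**p, "sha256": hashlib.sha256(blob).hexdigest(),
                       "entropy": round(ent, 3), "looks_encrypted": ent >= high_entropy,
                       "android_boot_magic": blob[:8] == b"ANDROID!"})
    return report


def build_demo_dump(sectors=256):
    """Constructed GPT image: plaintext 'boot' (LBA 34-65) and random 'userdata'."""
    img = bytearray(sectors * SECTOR)
    struct.pack_into("<BBBBBBBBII", img, 446, 0, 0, 2, 0, 0xEE, 0xFF, 0xFF, 0xFF, 1, sectors - 1)
    img[510:512] = b"\x55\xAA"                          # protective MBR
    layout = [("boot", 34, 65), ("userdata", 66, sectors - 34)]
    entries = bytearray(128 * 128)                      # 128 slots x 128 bytes, LBA 2-33
    for i, (name, first, last) in enumerate(layout):
        struct.pack_into("<16s16sQQQ", entries, i * 128, LINUX_FS_GUID.bytes_le,
                         uuid.UUID(int=i + 1).bytes_le, first, last, 0)
        entries[i * 128 + 56:i * 128 + 56 + 2 * len(name)] = name.encode("utf-16-le")
    hdr = bytearray(SECTOR)
    struct.pack_into("<8sIII4sQQQQ16sQIII", hdr, 0, b"EFI PART", 0x00010000, 92, 0, b"",
                     1, sectors - 1, 34, sectors - 34, uuid.UUID(int=0xABCD).bytes_le,
                     2, 128, 128, zlib.crc32(entries))
    struct.pack_into("<I", hdr, 16, zlib.crc32(hdr[:92]))   # header CRC, CRC field zeroed
    img[SECTOR:2 * SECTOR] = hdr
    img[2 * SECTOR:2 * SECTOR + len(entries)] = entries
    img[34 * SECTOR:34 * SECTOR + 8] = b"ANDROID!"         # Android boot image magic
    rng = random.Random(1)                                  # stand-in for encrypted userdata
    start, end = 66 * SECTOR, (sectors - 34 + 1) * SECTOR
    img[start:end] = bytes(rng.getrandbits(8) for _ in range(end - start))
    return bytes(img)


if __name__ == "__main__":
    for part in triage_dump(build_demo_dump()):
        print(part)
```

The entropy threshold of 7.9 bits per byte is a heuristic, not proof of encryption: compressed media and some filesystems with built-in compression sit just as high, and a partition that fails the threshold can still hold encrypted files inside a plaintext filesystem. Use it to decide where to spend carving time, not as a conclusion in a report.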

References:

3- Digital Forensics Corp. (especially Igor Mikhaylov, who helped me a lot :) )

Sunday, April 9, 2017

Mobile Device Forensics 101


Hi all, please get your triple espresso and let's go. Nowadays mobile forensics has become one of the biggest trends in digital forensics, so let's look at what the process involves, its types and its techniques.
Firstly, why do you need mobile forensics? The mobile device is now an important part of our lives, whatever its type, so in many cases we must pay attention to it. You have to extract as much data as you can from the mobile, so which methodologies will you use? We can see them below:

Manual Extraction: in this method the mobile has no passcode, so you can use it as its user would; document and capture (photograph) everything you need. This is the easiest case.

Logical Extraction: in this method you connect the device to a PC or to forensic hardware/software that pushes commands to the phone to extract data, for example ADB commands or an agent-based approach, which on Android requires USB debugging to be enabled.

Physical Extraction: this is the most preferred method, as you can recover deleted data from the phone and use multiple recovery techniques such as file carving; it creates a bit-by-bit copy. To do this you must have root access, and sometimes you cannot root the phone because its bootloader is locked; unlocking it wipes the phone, so you would have destroyed the evidence :D. As an example, you can install a custom recovery, open a terminal and make a dd image of the flash. Because of those challenges, there are other ways to do a physical extraction:


ISP (In-System Programming):
a technique that lets you dump the eMMC (flash memory) of the device by wiring directly to the eMMC's signal lines on the board, without removing the chip or destroying the phone.


JTAGing:
JTAG is an industry standard devised for testing printed circuit boards (PCBs) using boundary scan. In this process you connect the TAPs on the phone's board to a JTAG box such as the RIFF Box and extract the data from the phone. This method is commonly used on Lumia phones that are locked with a password.



Chip-off: the most destructive method, in which the BGA flash chip is removed from the board with special equipment and read in a chip reader to extract the raw data from the phone.


So, based on the device in your case, you should determine the compatible method to use and extract the data. You use the last three types of physical extraction when the normal physical or logical extraction fails, as they are classified as hard and (in the case of chip-off) destructive, and they need experience in dealing with phones, disassembling them and applying the method.

Tuesday, May 10, 2016

HDD Reverse Imaging ft. Forward Imaging using the DeepSpar Disk Imager

Hi all. After installing the DeepSpar Disk Imager I had to try its great features, and the first case was my friend's damaged hard disk drive, which showed more than 3000 bad sectors in HDD Regenerator, so I decided to recover data from it. As I learned in Scott Moulton's course, the first step is to image the HDD, but when I tried the normal process, imaging from LBA 0 to MAX LBA, it showed many skipped sectors due to ECC errors and bad sectors, so it was bound to fail; as you know, every additional read/write attempt on a failing drive brings it closer to death. So what should I do?

There are two types of imaging. The first is forward imaging, from LBA 0 to MAX LBA, i.e. from the outer tracks to the inner ones; here the drive's own read-ahead cache in its buffer RAM helps, because the drive is already fetching the next sectors sequentially. Many software and hardware tools do this, such as FTK Imager and DDI. But when you run into problems like I did, you should try the second type, reverse imaging.
Reverse imaging reads the HDD from MAX LBA down to LBA 0, from the inner tracks outwards. The difference is that the drive's cache does not help: the read-ahead only caches data in the forward direction, so reverse imaging is about 5x slower than forward imaging. In exchange, the image can be of higher quality, and it often recovers more data from a drive with bad sectors than forward imaging does.
While imaging, you can see in the status bar words such as BSY and ERR. These are the hard disk's status and diagnostic codes, taken from the drive's ATA Status Register (and, when ERR is set, its Error Register):

  • BSY - drive busy
  • DRDY - drive ready to accept commands
  • ERR - the last command ended in an error; the details are in the Error Register flags below
  • DREQ (DRQ) - drive ready to exchange data with the host
  • UNCR (UNC) - uncorrectable error: the sector's ECC could not repair the data
  • WRFT - write fault (device fault)
  • IDNF - sector ID not found. The ID field is what lets the drive locate a sector; if the area that holds it is corrupt there is no way for the drive to find the sector, and it returns IDNF.
  • AMNF - address mark not found. Similar to IDNF but relating to the data field: if the data address mark is corrupt, the data for this sector (512 bytes of user data) cannot be located.
  • ABRT - command aborted: the drive gives up on reading that block
  • TONF (TK0NF) - track 0 not found
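The following is an added example, not DeepSpar's software or the original post's code, showing the two things the post describes: decoding the status and error register bits above, and a two-pass imaging strategy, a forward pass that skips ahead whenever a read fails so the heads do not sit on a damaged region, followed by a reverse pass, sector by sector, over whatever was skipped. The drive is a constructed in-memory model that returns ATA register values for three bad sectors; a real imager reads those registers from the drive over the ATA bus, and the skip policy here is a deliberately simple version of what the hardware does.

```python
"""ATA status/error decoding and a forward-then-reverse imaging pass.

Added example, not DeepSpar's software or the original post's code. The drive
is a constructed in-memory model that returns ATA register values for a few bad
sectors; the skip policy is a simplified version of what a hardware imager does.
"""

# ATA Status register bits, labelled as in the post (ATA names in comments)
STATUS_BITS = {7: "BSY", 6: "DRDY", 5: "WRFT",   # WRFT = DF, device/write fault
               4: "DSC", 3: "DREQ", 2: "CORR",   # DREQ = DRQ, data request
               1: "IDX", 0: "ERR"}
# ATA Error register bits, only meaningful when ERR is set in Status
ERROR_BITS = {7: "BBK", 6: "UNCR", 5: "MC", 4: "IDNF",    # UNCR = UNC
              3: "MCR", 2: "ABRT", 1: "TONF", 0: "AMNF"}  # TONF = TK0NF


def decode_registers(status, error):
    """Names of the set bits, e.g. (0x51, 0x40) -> DRDY, DSC, ERR, UNCR."""
    flags = [name for bit, name in STATUS_BITS.items() if status >> bit & 1]
    if status & 1:
        flags += [name for bit, name in ERROR_BITS.items() if error >> bit & 1]
    return flags


class ModelDrive:
    """Constructed drive: `bad` maps an LBA to the (status, error) it returns."""

    def __init__(self, sectors, bad):
        self.sectors, self.bad, self.reads = sectors, bad, 0

    def read(self, lba):
        """Returns (data or None, (status, error)) for one 512-byte sector."""
        self.reads += 1
        if lba in self.bad:
            return None, self.bad[lba]
        return bytes([lba & 0xFF]) * 512, (0x50, 0x00)   # DRDY|DSC, no error


def image_pass(drive, sector_map, order, skip):
    """Read the LBAs in `order`; after an error jump `skip` positions ahead in
    the pass direction instead of hammering the damaged region."""
    errors, i = [], 0
    while i < len(order):
        lba = order[i]
        if lba in sector_map:                     # recovered on an earlier pass
            i += 1
            continue
        data, (status, error) = drive.read(lba)
        if data is None:
            errors.append((lba, decode_registers(status, error)))
            i += skip
        else:
            sector_map[lba] = data
            i += 1
    return errors


def image_drive(drive, passes=(("forward", 8), ("reverse", 1))):
    """Fast forward pass with big skips, then a reverse pass one sector at a
    time over whatever was left, mirroring the post's forward-then-reverse run."""
    sector_map, errors = {}, []
    for direction, skip in passes:
        order = list(range(drive.sectors))
        if direction == "reverse":
            order.reverse()
        errors += image_pass(drive, sector_map, order, skip)
    missing = sorted(set(range(drive.sectors)) - set(sector_map))
    return sector_map, missing, errors


def build_demo_drive():
    """64 sectors; 20 (UNC) and 21 (IDNF) are unreadable, 40 aborts (constructed)."""
    return ModelDrive(64, {20: (0x51, 0x40), 21: (0x51, 0x10), 40: (0x51, 0x04)})


if __name__ == "__main__":
    drive = build_demo_drive()
    recovered, missing, errors = image_drive(drive)
    print("recovered %d/%d sectors in %d reads" % (len(recovered), drive.sectors, drive.reads))
    print("still missing:", missing)
    for lba, flags in errors:
        print("LBA %d: %s" % (lba, " ".join(flags)))
```

On the constructed drive the forward pass leaves two 8-sector holes around the bad spots and the reverse pass recovers everything in them except the three genuinely bad sectors, for 66 reads in total; a single forward pass without skipping would have spent a read on every sector and still lost the same three. The decoder ignores the error register when ERR is clear, because the ATA spec leaves its contents undefined in that case.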

References:
1- DeepSpar Disk Imager User Manual.
2- Forensic Hard Drive Data Recovery by Scott A. Moulton.