Hi all, today we have an interesting and very important
topic in mobile forensics: "JTAG". JTAG forensics is an advanced acquisition
method in mobile forensics which requires an expert and patience.
Firstly we need to know what JTAG is:
JTAG is a common hardware interface that provides your computer with a way to communicate directly with the chips on a board. It was originally developed by a consortium, the Joint (European) Test Access Group, in the mid-80s to address the increasing difficulty of testing printed circuit boards (PCBs).
JTAG forensics is a method of connecting the TAPs (Test Access Ports) standardized
by the Joint Test Action Group (JTAG) to a JTAG emulator to access
raw data stored in the connected device. By using the TAPs, communication can
occur via the boundary-scan path, interfacing with the Boundary Scan Registers
(BSR) that interface with components on the PCB. These components can be
programmed or read without removal, reading or programming each one
independently. You can read this paper which explains JTAG much better.
But generally JTAG acquisition produces a full image of the device's memory,
complete with unallocated space.
Note that:
1-This method is not available for any Apple device.
2-JTAG will not bypass the controller and can only obtain
access to the device memory area allowed by the controller of the device being
acquired, so it is not recommended with phones that have plain flash chips.
When to use the JTAG method? You decide to use JTAG when:
1-Commercial forensic tools fail to image the device.
2-The device is soft-bricked or unbootable.
3-The device is locked with an unknown passcode and the USB
debugging option is not enabled.
Advantages and disadvantages of using JTAG:
Advantages:
1-Non-destructive, but invasive process.
2-Can acquire locked, damaged and broken devices.
3-Available for many Windows Phone models, as this is the
only solution before chip-off (destructive).
4-Available for devices running proprietary operating
systems (Ubuntu Touch, Firefox).
Disadvantages:
1-Requires a high skill level and disassembling the device.
2-Slow acquisition speed (the dumping process can take 2+
days with an 8GB phone).
3-Only available for a limited number of devices with TAP ports.
4-You will have to get one or more JTAG boxes; every box is for
some models of mobiles, and no single box can support all types of mobile devices.
5-Cannot overcome encryption. If encryption is enabled
you will extract a raw encrypted image.
Tools to perform JTAG extraction (I will mention the
main ones, not everything like flux and wires):
1-A JTAG box like Riff, Z3x, Medusa Pro.
2-JPIN JTAG Molex Flex Kit (with which sometimes you won't need to
solder).
3-Software (supporting carving) to mount the extracted image, like
XRY as Android Physical/JTAG image.
Steps of a JTAG forensic examination process:
1-Identify the TAPs which will be used in the JTAG connection. There is no documentation, so you have 2 options. The first is using the documentation from the box you use: with Z3X, for example, every supported phone has a JPG image called pinout which shows the TAPs you need to connect. The second option, if the phone isn't in the box and you searched the internet and didn't find anything, is to use a hardware tool called JTAGulator, an open source hardware tool that assists in identifying OCD (on-chip debug) connections from test points, vias, or component pads on a target device. Or you can use JTAGenum to identify ports.
2-Connect wires to the identified TAPs by soldering or using
the JPIN Molex kit.
4-Use the box software to dump
the physical image from the mobile, which will be saved as a bin file.
5-Disconnect the wires, clean
the board of solder and reassemble the device.
6-Open the bin file in the forensics
software to start analyzing.
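Before loading the bin file into the forensics software, it helps to hash it and check whether it looks encrypted (disadvantage 5 above). The following is an added example, not part of the original post or of any JTAG box software; the function names, the 7.9 bits/byte threshold, the 0.95 ratio and the sample data are assumptions made for illustration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for a uniform one."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def triage_dump(path, chunk_size=1 << 20, high=7.9):
    """Hash a raw dump and classify each chunk (thresholds are assumptions)."""
    sha = hashlib.sha256()
    counts = {"erased": 0, "high_entropy": 0, "structured": 0}
    size = 0
    with open(path, "rb") as f:
        while block := f.read(chunk_size):
            sha.update(block)                  # hash the exact acquired bytes
            size += len(block)
            if block[0] in (0x00, 0xFF) and block.count(block[0]) == len(block):
                counts["erased"] += 1          # blank or never-written flash
            elif shannon_entropy(block) >= high:
                counts["high_entropy"] += 1    # ciphertext or compressed media
            else:
                counts["structured"] += 1      # text, databases, FS metadata
    used = counts["high_entropy"] + counts["structured"]
    ratio = counts["high_entropy"] / used if used else 0.0
    return {"sha256": sha.hexdigest(), "size": size, "chunks": counts,
            "high_entropy_ratio": ratio, "likely_encrypted": ratio > 0.95}

def write_constructed_sample(path, encrypted, chunk_size=4096):
    """Constructed stand-in for a dump (not real device data)."""
    uniform = bytes(range(256)) * (chunk_size // 256)   # entropy exactly 8.0
    text = (b"INSERT INTO sms VALUES('hello'); " * chunk_size)[:chunk_size]
    body = [uniform] * 6 if encrypted else [text] * 5 + [uniform]
    with open(path, "wb") as f:
        f.write(b"".join(body + [b"\xff" * chunk_size] * 2))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for encrypted in (False, True):
            path = os.path.join(d, "dump.bin")
            write_constructed_sample(path, encrypted)
            print(encrypted, triage_dump(path, chunk_size=4096))
```

The verdict is a heuristic: an unencrypted dump that is mostly compressed photos or video also scores high, so treat it as a prompt to check the partition layout rather than a final answer.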
Now you have performed a physical
dump from a mobile device using the JTAG method; you can extract data, recover
deleted data or even do some carving. Next time I will cover another method
in detail like this, called ISP/ICSP: In-System Programming/In-Circuit
Serial Programming.
References:
3-Digital Forensics Corp. (Especially Igor Mikhaylov who helped me a lot :) )