Saturday, May 20, 2017

JTAG Acquisition in Mobile Forensics: the forensic analyst's guide

Hi all, today we have an interesting and very important topic in mobile forensics: JTAG. JTAG forensics is an advanced acquisition method in mobile forensics which requires expertise and patience.

Firstly we need to know what JTAG is:


JTAG is a common hardware interface that provides your computer with a way to communicate directly with the chips on a board. It was originally developed by a consortium, the Joint Test Action Group, in the mid-80s to address the increasing difficulty of testing printed circuit boards (PCBs).
JTAG forensics is a method of connecting the Test Access Ports (TAPs) standardized by the Joint Test Action Group (JTAG) to a JTAG emulator in order to access the raw data stored in the connected device. Through the TAPs, communication takes place over the boundary-scan path, using the Boundary Scan Registers (BSR) that interface with the components on the PCB. Those components can be read or programmed in place, without removing them from the board or reading or programming each one separately. You can read this paper which explains JTAG much better. In general, JTAG acquisition produces a full image of the device's memory, complete with unallocated space.

Note that:

1- This method is not available for any Apple device.
2- JTAG does not bypass the memory controller: it can only access the memory areas that the controller of the device being acquired allows, so it is not recommended for phones with plain flash chips.

When to use the JTAG method? You decide to use JTAG when:

1- Commercial forensic tools fail to image the device.

2- The device is soft-bricked or unbootable.

3- The device is locked with an unknown passcode and USB debugging is not enabled.

Advantages and disadvantages of using JTAG:

Advantages:

1- Non-destructive, but invasive process.

2- Acquires locked, damaged and broken devices.

3- Available for many Windows Phone models, where it is the only solution short of chip-off (which is destructive).

4- Available for devices running proprietary operating systems (Ubuntu Touch, Firefox OS).

Disadvantages:

1- Requires a high skill level and disassembling the device.

2- Slow acquisition speed (dumping an 8GB phone can take 2+ days).

3- Only available for a limited number of devices with TAP ports.

4- You will have to buy more than one JTAG box, since each box supports only some phone models and no single box supports all types of mobile devices.

5- Cannot overcome encryption: if encryption is enabled, you will extract a raw encrypted image.

Tools to perform JTAG extraction (I will mention the main ones, not everything such as flux and wires):

1- A JTAG box, such as RIFF, Z3X or Medusa Pro.

2- A JPIN JTAG Molex flex kit (with which you sometimes won't need to solder).

3- Software (supporting carving) to mount the extracted image, such as XRY, as an Android physical/JTAG image.

Steps of a JTAG forensic examination process:


1- Identify the TAPs that will be used in the JTAG connection. There is no standard documentation, so you have two options. The first is to use the documentation from the box you use; in Z3X, for example, every supported phone has a JPG image called a pinout that shows the TAPs you need to connect. The second option, if the phone is not in the box's list and an internet search turns up nothing, is to use a hardware tool called JTAGulator, an open-source hardware tool that assists in identifying OCD connections from test points, vias or component pads on a target device, or to use JTAGenum to identify the ports.

2- Connect wires to the identified TAPs by soldering or by using the JPIN Molex kit.

3- The wires above lead to a JTAG box.

4- Use the box software to dump the physical image from the phone; it will be saved as a .bin file.

5- Disconnect the wires, clean the solder residue from the board and reassemble the device.

6- Open the .bin file in the forensic software to start analyzing.
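Before loading the dump into the forensic suite, it is worth doing a quick first-pass triage of the .bin file yourself. The following Python script is an added example (it is not from the original post and not part of any box vendor's software): it records the SHA-256 of the image for the chain of custody, builds a per-block entropy map that shows which regions are zero-filled (unallocated or wiped), structured plaintext, or random-looking (the encrypted-image case from the disadvantages list, which JTAG cannot get you past), and checks for a GPT partition-table signature. The sample image is constructed inside the script; the 4096-byte block size, the entropy thresholds and the assumption of a raw image with 512-byte sectors are mine, not the post's.

```python
"""Triage helpers for a raw JTAG/physical dump (.bin).

Added example, not from the original post. Assumptions: the dump is a plain
byte-for-byte raw image (no container format), and Android-style images keep
a GPT header at byte offset 512 (LBA 1 with 512-byte sectors). The sample
image built below is constructed for demonstration; it is not a phone dump.
"""
import hashlib
import math
from collections import Counter

CHUNK_SIZE = 4096        # granularity of the entropy map (assumption)
ZERO_THRESHOLD = 0.5     # below this the block is essentially zero-filled
RANDOM_THRESHOLD = 7.5   # above this the block looks encrypted or compressed


def sha256_hex(data: bytes) -> str:
    """Hash of the whole image, taken before any analysis (chain of custody)."""
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for a uniform block, approaching 8.0 for random bytes."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def label_block(entropy: float) -> str:
    """Classify one block by its entropy."""
    if entropy < ZERO_THRESHOLD:
        return "zero-filled"
    if entropy > RANDOM_THRESHOLD:
        return "random-looking"
    return "structured"


def entropy_map(image: bytes, chunk_size: int = CHUNK_SIZE):
    """Yield (offset, entropy, label) for every chunk; the last chunk may be short."""
    for offset in range(0, len(image), chunk_size):
        block = image[offset:offset + chunk_size]
        ent = shannon_entropy(block)
        yield offset, ent, label_block(ent)


def summarize(image: bytes, chunk_size: int = CHUNK_SIZE) -> dict:
    """Count chunks per class. A dump that is almost entirely 'random-looking'
    with no structured regions is the encrypted-image case: carving and file
    system parsing will not work on it without the key."""
    return dict(Counter(label for _, _, label in entropy_map(image, chunk_size)))


def has_gpt_header(image: bytes, sector_size: int = 512) -> bool:
    """A GPT header sits at LBA 1 and begins with the ASCII signature 'EFI PART'.
    Its presence tells you the partition layout is readable even if the
    userdata partition itself turns out to be encrypted."""
    return image[sector_size:sector_size + 8] == b"EFI PART"


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic stand-in for encrypted data (SHA-256 chained); constructed."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_image() -> bytes:
    """Constructed four-chunk image: GPT header area, plaintext, 'encrypted', unallocated."""
    header = bytearray(CHUNK_SIZE)
    header[512:520] = b"EFI PART"  # GPT signature at LBA 1 (constructed, header otherwise empty)
    text = (b"plaintext ext4 content, e.g. a contacts database\n" * 200)[:CHUNK_SIZE]
    return bytes(header) + text + pseudo_random_bytes(CHUNK_SIZE) + bytes(CHUNK_SIZE)


if __name__ == "__main__":
    img = build_sample_image()   # replace with open("dump.bin", "rb").read() for a real image
    print("sha256:", sha256_hex(img))
    for off, ent, lab in entropy_map(img):
        print(f"0x{off:08x}  entropy={ent:5.2f}  {lab}")
    print("summary:", summarize(img))
    print("GPT header present:", has_gpt_header(img))
```

On a real dump, read the file into `img` instead of calling `build_sample_image()`; the entropy map is coarse by design, so treat a block labelled "random-looking" as a hint to check for encryption or compression, not as proof of either.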

Now you have performed a physical dump from a mobile device using the JTAG method; you can extract data, recover deleted data or even do some carving. Next time I will cover another method in the same detail, called ISP/ICSP (In-System Programming / In-Circuit Serial Programming).

References:

3- Digital Forensics Corp. (Especially Igor Mikhaylov who helped me a lot :) )