JTAG & Chip-Off Forensics

In addition to conventional forensic analysis and evidence collection services, our laboratory performs advanced JTAG and chip-off data extractions. MCAA is recognized as a global leader in advanced mobile device forensics; we support law enforcement and government investigations, civil, employment and corporate matters, and private domestic issues. The relationship allows both organisations' experience to be combined to ensure that all avenues of forensic data extraction and retrieval are covered, utilising a number of processes.

Our advanced full physical extraction techniques allow us to collect all data from devices when conventional forensic methods fail or are insufficient. Our lab is engaged to perform JTAG and chip-off forensic examinations on devices that:

  • are unsupported or only partially supported (logical or file-system only) by commercial forensic equipment and software
  • are secured with a password or pattern lock
  • have a disabled/locked data port (common with prepaid providers) or completely lack a data connection
  • are damaged physically (by water/liquid, fire, trauma, etc.) or logically “bricked” (by software malfunction, data corruption, failed update, etc.)
  • must be preserved in their exact state, so they cannot be powered for conventional extractions (booting the device for a live acquisition changes data and file-system access dates)

Besides the forensic testing of evidence devices, our examiners perform continuous research and development in order to improve data extraction and analysis techniques. Because of this, JTAG and chip-off exams are no longer limited to high-dollar/high-profile cases; these advanced procedures can now be feasible and cost-effective for almost any situation.

JTAG Forensics

What is JTAG forensics?
JTAG (Joint Test Action Group) forensics is an advanced level data acquisition method which involves connecting to Test Access Ports (TAPs) on a device and instructing the processor to transfer the raw data stored on connected memory chips. When supported, jtagging is an extremely effective technique that MCAA utilises to extract a full physical image from devices that cannot be acquired with normal tools.

When is it appropriate to JTAG an evidence device?
When commercial forensic extraction options cannot acquire a physical image or when a device is logically damaged or “bricked”. The majority of our JTAG engagements involve Android phones which are pattern locked and cannot be bypassed by other means.

What are the basic steps of a JTAG forensic examination?
Step 1 – identify TAPs by researching documented devices. When TAPs are unknown, inspect the device PCB for potential TAPs and manually trace or probe to pinpoint appropriate connector pins.
Step 2 – solder wire leads to the correct connector pins or utilize a solderless jig.
Step 3 – connect wire leads to an appropriate JTAG emulator with support for the exhibit device.
Step 4 – read the flash memory after selecting the appropriate device profile or manually configuring the correct processor/memory settings.
Step 5 – analyze the extracted data using industry standard forensic tools and custom utilities.

How long is the turnaround time for a JTAG forensic extraction?
Our lab performs numerous JTAG forensic extractions and is constantly upgrading our JTAG toolkit with the latest technologies. When a device is supported, we attempt to complete JTAG engagements in seven to tenfourteen days and, when requested, we may be able to provide rush services in one to three days.

What type of devices can be extracted with the JTAG process?
Like chip-offs, the majority of our JTAG engagements involve mobile phones; however, forensic jtagging can be employed with any device that contains embedded flash memory, a supported processor and has working TAPs. In addition to mobile phones, the JTAG method can commonly be used to extract data from video gaming systems, tablets and network devices.

Chip-Off Forensics

What is Chip-Off Forensics?
Chip-off forensics is an advanced digital data extraction and analysis technique which involves physically removing flash memory chip(s) from a subject device and then acquiring the raw data using specialized equipment. Chip-off forensics is a powerful capability that allows MCAA to collect a complete physical image of nearly any device – even those which have suffered catastrophic damage.

When should a Chip-Off extraction be considered?
Typically, when all other forensic extraction options – including JTAG – have been exhausted; however, there are certain situations in which a chip-off may be the initial preferred method. These include situations in which it is important to preserve the state of memory exactly as it exists on the evidence device.

How is a Chip-Off done?
Step 1 – the memory chip is physically removed. This is accomplished using appropriate heat (de-soldering) and chemicals (adhesive removal).
Step 2 – the chip is cleaned and repaired (or re-balled) as necessary.
Step 3 – the raw data is acquired or “imaged” from the chip using specialized chip programmers and adapters.
Step 4 – the raw forensic image is then analyzed using industry standard forensic tools and custom utilities.

How long does it take to complete a Chip-Off project?
Our lab performs hundreds of chip-off forensic extractions and we maintain a substantial inventory of programming devices and adapters. For this reason, we are often able to turn around chip-off projects in seven to fourteen days and, when necessary, we can often expedite cases for turnaround in one to three days. Turnaround may be longer for cases which require special adapters or equipment.

What type of devices can be extracted with a Chip-Off?
Most of our chip-off projects involve extracting data from mobile phones; however, the chip-off method can be used to extract data from nearly any device that utilizes flash memory (NAND, NOR, OneNAND or eMMC). In addition to cell phones we have extracted data from digital voice recorders, GPS units, tablets, USB drives, gaming systems, network devices and vehicle components.

What is the success rate of Chip-Off projects?
MCAA utilises advanced equipment and has extensive experience in the area of chip-off forensics. Our laboratory maintains an exhibit device success rate that exceeds 99%. However, there is always some risk to the target memory chip during the removal and cleaning steps of the process. Our experts will advise clients throughout the process and will advise when it is recommended to proceed with a test of a control device before operating on the actual evidence device.