Chip off forensics - when and why?

22 Posts
11 Users
0 Likes
3,088 Views
(@wotsits)
Posts: 253
Reputable Member
Topic starter
 

When does it become necessary to do chip-off forensics? Is it useful on iPhones?

 
Posted : 05/07/2015 3:29 am
Igor_Michailov
(@igor_michailov)
Posts: 529
Honorable Member
 

Is it useful on iPhones?

It depends on the model of iPhones.

 
Posted : 05/07/2015 11:13 pm
(@harshbehl)
Posts: 67
Trusted Member
 

Since I work in a data recovery & forensics company, chip-off is one very useful and common phenomenon for us. We have clients who come with burnt, dead or unresponsive phones. Also we get cases from govt. agencies which require data from suspects' phones at any cost. If those phones are not supported via UFED, MPE+, Oxygen or even JTAG, the only option we are left with is chip-off forensics.
I hope this helps you in understanding the when and why of chip-off forensics.

 
Posted : 06/07/2015 3:15 pm
(@v-katalov)
Posts: 52
Trusted Member
 

Is it useful on iPhones?

It depends on the model of iPhones.

Absolutely useless on 64-bit devices (iPhone 5S, 6, 6 Plus) due to full disk encryption. Useless on all devices running iOS 8 due to encryption. Can be used on some very old iPhones running old versions of iOS.

 
Posted : 07/07/2015 12:13 am
(@v-katalov)
Posts: 52
Trusted Member
 

When does it become necessary to do chip-off forensics?

Basically, chip-off is the last resort after attempting physical acquisition (if available) and JTAG acquisition (if there is a JTAG port available). Generally, you would only want to chip-off an unencrypted device. Finally, since pretty much all recent smartphones use eMMC as internal storage, chip-off is not going to read the content of the flash chips directly. Instead, it'll work through the integrated eMMC controller, which in turn means that any overprovisioned space will remain inaccessible. We're just about to publish a whitepaper on this and related subjects in maybe a week or two.

 
Posted : 07/07/2015 12:18 am
(@wotsits)
Posts: 253
Reputable Member
Topic starter
 

Is it useful on iPhones?

It depends on the model of iPhones.

Absolutely useless on 64-bit devices (iPhone 5S, 6, 6 Plus) due to full disk encryption. Useless on all devices running iOS 8 due to encryption. Can be used on some very old iPhones running old versions of iOS.

What about if you have the passcode, or the passcode is turned off; is chip-off still useless for these devices?

 
Posted : 10/07/2015 6:36 pm
(@sam305754)
Posts: 44
Eminent Member
 

There is a recent article available: http://articles.forensicfocus.com/2015/06/23/future-of-mobile-forensics/

I quote it: "In the case of Apple devices, Samsung phones and many other devices encryption is enforced out of the box and cannot be bypassed during or after chip-off acquisition even if the correct passcode is known. As a result, chip-off acquisition is limited to unencrypted devices or devices using encryption algorithms with known weaknesses."
So even if you have the password, you cannot use it to decrypt your chip-off acquisition on recent models.

If there is no password, it "is limited to unencrypted devices or devices using encryption algorithms with known weaknesses."
So it depends on the model and iOS version, I think.

Regards

 
Posted : 10/07/2015 7:17 pm
(@v-katalov)
Posts: 52
Trusted Member
 

What about if you have the passcode, or the passcode is turned off; is chip-off still useless for these devices?

Unfortunately, yes. 64-bit Apple devices use secure encryption with a dedicated security chip that keeps the master key for protected encryption metadata. A special communication path is dedicated for the security chip. The master key cannot be extracted via chip-off or during physical acquisition, even if the device is jailbroken. All this effectively limits acquisition options available for 64-bit iOS devices to logical or over-the-air acquisition. Basically, your best option (if you know the passcode or if there is no passcode) would be making the device produce a password-protected (!) backup with a known password. (A password-protected backup will contain more accessible information than a backup without a password, e.g. keychain data).

 
Posted : 13/07/2015 4:02 pm
sideshow018
(@sideshow018)
Posts: 84
Trusted Member
 

There is a recent article available: http://articles.forensicfocus.com/2015/06/23/future-of-mobile-forensics/

Regards

This is a great white paper from the crew at Belkasoft, but there are some misleading statements in the contents, probably not intended, just the way it reads.

"There is no longer an easy way to get through the passcode in new iOS devices running the latest version of iOS."

In fairness to the crew at Belkasoft, at the time of this writing this may have been true, but this is no longer correct: Cellebrite Services now has the capability to get into iPhone devices with up-to-date iOS versions. Only some models are supported, but this is a great advancement in circumnavigating the newer iPhones. Kudos to Cellebrite.

"Blackberries were highly resistant to chip-off acquisition from the beginning, and Android is getting there quickly."

We are successfully doing chip-off acquisitions on BlackBerrys up to the new Z10 and Z30 with no issues, even the Classic. We have been doing chip-off on BlackBerry (even JTAG in the early days) since the early 8000 series, with only a few models giving us a problem.

Chip-off on Android phones has never been easier, with less epoxy and less shielding present.

The only roadblock with each of these devices is the presence of encryption at times. We have only been seeing this with high-level crime groups who are using offshore BES; corporations using in-house encryption on in-house BESs; OS 7+ where the user has implemented on-device encryption. But for the most part, regular users are not implementing these measures. For Android, we will see this a bit more with the new OSs and chips coming out with encryption in place.

"Android Forensics"

For Android and Windows devices, there is no mention of In-System Programming (ISP), a process that sits in between JTAG and chip-off and is only available for devices (phones, GPS, etc.) that utilize eMMC-style BGA chips. A full read can be obtained through access points around the BGA chip. Non-destructive, but it requires some skill sets.

"From the very beginning, BlackBerries were secure. BlackBerry smartphones used full-disk encryption, making chip-off acquisition fruitless."

As I mentioned earlier, this is not totally accurate; we are seeing a lot of BlackBerry phones that are not encrypted. This process needs to be activated by the user and/or the admin of the BES and is not on by default. We can do ASCII keyword searches through our physical dumps and the data is all present in plain view.

"At this time, the only vector of attack on BlackBerry smartphones is accessing a BlackBerry backup file (or making the device produce a backup via BlackBerry Link),"

Not correct again; chip-off is still viable if all the stars are in line.

This one hits me hard: "Most would agree that the golden age of mobile forensics is over."

Not over, just more challenging. I believe this same statement was made when Windows 7 came out with BitLocker; everyone was crying that the computer forensics world would end with BitLocker. Has that happened? No!

With on-chip encryption, we just need to find new ways to get into the phones: attacking the mechanics of the phone; using bootloaders to access secured levels of the device; examining live devices using unique methods; etc. The end is not "over", never give up!

I say this with all respect to the crew at Belkasoft; they are a great and very smart bunch of experts, and the white paper in total is excellent and a very good read. Thanks Oleg, Danil & Yuri for the nice read, very well written.

 
Posted : 14/07/2015 10:57 am
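The posts above turn on one practical question: is a given chip-off or ISP dump plaintext that will yield to ASCII keyword searches, or is it full-disk-encrypted and therefore a dead end? The following triage script is an added example written for this thread (not code from any poster or vendor); the 4 KiB block size, the entropy/ASCII thresholds and the SQLite-style sample data are assumptions chosen to illustrate the distinction.

```python
# Added example: triage a raw flash dump into plaintext / erased / high-entropy
# blocks before spending examiner time on keyword searches.
import hashlib
import math
import re
from collections import Counter

BLOCK_SIZE = 4096  # assumption: 4 KiB triage blocks


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted/compressed data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def ascii_string_ratio(data: bytes, min_len: int = 6) -> float:
    """Fraction of the block covered by printable-ASCII runs of >= min_len bytes."""
    if not data:
        return 0.0
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    return sum(len(r) for r in runs) / len(data)


def classify_block(block: bytes) -> str:
    """Heuristic label: 'empty', 'encrypted_or_compressed' or 'plaintext'."""
    # Erased or unused flash reads back as almost all 0x00 or 0xFF.
    if max(block.count(0x00), block.count(0xFF)) / len(block) > 0.95:
        return "empty"
    # Near-maximal entropy with no readable strings is what ciphertext looks like.
    if shannon_entropy(block) > 7.5 and ascii_string_ratio(block) < 0.10:
        return "encrypted_or_compressed"
    return "plaintext"


def triage_dump(dump: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Count blocks per label; a dump that is nearly all high-entropy points to
    full-disk encryption, so keyword searching it is futile."""
    labels = Counter()
    for off in range(0, len(dump), block_size):
        labels[classify_block(dump[off:off + block_size])] += 1
    return dict(labels)


def build_sample_dump() -> bytes:
    """Constructed three-block dump: plaintext, erased, and pseudo-random."""
    text = b"SQLite format 3\x00" + b"contact: alice@example.invalid; +1-555-0100\x00" * 40
    plaintext = text.ljust(BLOCK_SIZE, b"\x00")
    erased = b"\xff" * BLOCK_SIZE
    rnd, h = bytearray(), b"constructed-seed"
    while len(rnd) < BLOCK_SIZE:  # SHA-256 chain stands in for ciphertext
        h = hashlib.sha256(h).digest()
        rnd += h
    return plaintext + erased + bytes(rnd[:BLOCK_SIZE])


if __name__ == "__main__":
    print(triage_dump(build_sample_dump()))
```

On a real dump the per-block labels are more useful than the totals: a mostly encrypted image with a few plaintext blocks usually means unencrypted boot or vendor partitions, not user data.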
sideshow018
(@sideshow018)
Posts: 84
Trusted Member
 

When does it become necessary to do chip-off forensics?

Basically, chip-off is the last resort after attempting physical acquisition (if available) and JTAG acquisition (if there is a JTAG port available). Generally, you would only want to chip-off an unencrypted device. Finally, since pretty much all recent smartphones use eMMC as internal storage, chip-off is not going to read the content of the flash chips directly. Instead, it'll work through the integrated eMMC controller, which in turn means that any overprovisioned space will remain inaccessible. We're just about to publish a whitepaper on this and related subjects in maybe a week or two.

"overprovisioned space will remain inaccessible."

In your research, have you determined if any user data is also found in this space? Is this like the bad sectors on the older NAND flash that may have contained older dated user data that could only be obtained through chip-off?

Or does the eMMC controller allow user data to be stored there, and does one require a process to gain access to these areas using chip-off, ISP or JTAG?

Interesting topic, look forward to the read. Thanks for your work in this field.

 
Posted : 14/07/2015 11:08 am