Understanding the various types of mobile acquisition tools and the data they can recover is important for a mobile forensic examiner. The classification system used in this section provides a framework for forensic examiners to compare the extraction methods used by different tools to acquire data. The objective of the tool classification system is to enable an examiner to classify and compare the extraction method of different tools easily. The tool classification system is displayed in Figure 6. As the pyramid is traversed from the bottom, Level 1, to the top, Level 5, the methodologies involved in acquisition become more technical, invasive, time-consuming, and expensive.
Level 1, Manual Extraction methods involve recording information on a mobile device screen when employing the user interface. Level 2, Logical Extraction methods are used most frequently at this time and are mildly technical, requiring beginner-level training. Methods for levels 3 to 5 entail extracting and recording a copy or image of a physical store (e.g., a memory chip), compared to the logical acquisitions used at level 2 involve capturing a copy of logical storage objects (e.g., directories and files) that reside on a logical store (e.g., a file system partition). Level 3, Hex Dumping/JTAG Extraction methods entail performing a “physical acquisition” of mobile device memory in situ and require advanced training. Level 4 Chip-Off methods involve the physical removal of memory from a mobile device to extract data, requiring extensive training in electronic engineering and file system forensics. Level 5, Micro Read methods involve using a high-powered microscope to view the physical state of gates. Level 5 methods are the most invasive, sophisticated, technical, expensive, and time-consuming of all the methodologies.
There are pros and cons to performing extraction types at each layer. For example, hex dumping allows deleted objects and any data remnants present to be examined (e.g., in unallocated memory or file system space), which otherwise would be inaccessible through logical acquisition methods. However, the extracted device images require parsing, decryption, and decoding. Though more limited than Hex Dumping/JTAG methods, Logical acquisition methods have the advantage in that the system data structures are at a higher level of abstraction. They are normally easier for a tool to extract and render. These differences are due to the underlying distinction between memory as seen by a process via the operating system facilities (i.e., a logical view) versus memory as seen in raw form by the processor or another hardware component (i.e., a physical view). Based upon a wide variety of circumstances (e.g., type of data needed, time available, urgency, available tools, etc.), an examiner may select a specific level to begin their examination. It is important to note that once a level is used, alternate levels may not be possible. For example, after performing chip-off (level 4), lower-level tools may not be physically possible. Forensic examiners should be aware of such issues and perform the appropriate level of extraction commensurate with their training and experience. With each methodology, data may be permanently destroyed or modified if a given tool or procedure is not properly utilized—the risk of alteration and destruction increases in tandem with the levels. Thus, proper training and mentoring are critical in obtaining the highest success rate for data extraction and analysis of the data contained within mobile devices.
The following discussion provides a more detailed description of each level and the methods used for data extraction.
Manual Extraction – A manual extraction method involves viewing the data content stored on a mobile device. The content displayed on the LCD screen requires the manual manipulation of the buttons, keyboard, or touchscreen to view the mobile device’s contents. Information discovered may be recorded using an external digital camera. At this level, it is impossible to recover deleted information. Some tools have been developed to provide the forensic examiner with the ability to document and categorize the information recorded more quickly. Nevertheless, if there is a large amount of data to be captured, a manual extraction can be very time-consuming, and the data on the device may be inadvertently modified, deleted, or overwritten as a result of the examination. Manual extractions become increasingly difficult and perhaps unachievable when encountering a broken/missing LCD screen or a damaged/missing keyboard interface. Additional challenges occur when the device is configured to display a language unknown to the investigator; this may cause difficulty in the successful menu navigation.
Logical Extraction – connectivity between a mobile device and the forensics workstation is achieved using either a wired (e.g., USB or RS-232) or wireless (e.g., IrDA, WiFi, or Bluetooth) connection. The examiner should be aware of the issues associated when selecting a specific connectivity method, as different connection types and associated protocols may result in data being modified (e.g., unread SMS) or different amounts or types of data being extracted. Logical extraction tools begin by sending a series of commands over the established interface from the computer to the mobile device. The mobile device responds based on the command request. The response (mobile device data) is sent back to the workstation and presented to the forensics examiner for reporting purposes.
Hex Dumping and JTAG – Hex Dumping and Joint Test Action Group (JTAG) extraction methods afford the forensic examiner more direct access to the raw information stored in flash memory. One challenge with these extraction methods is the ability of a given tool to parse and decode the captured data. Providing the forensic examiner with a logical view of the file system and reporting on other data remnants outside the file system that may be present are challenging. For example, not all data contained within a given flash memory chip is acquired, like many tools, such as flasher boxes, may only extract specific sections of memory. Methods used at this level require connectivity (e.g., cable or WiFi) between the mobile device and the forensic workstation.
Hex Dumping – this technique is the more commonly used method by tools at this level. This involves uploading a modified boot loader (or other software) into a protected area of memory (e.g., RAM) on the device. This upload process is accomplished by connecting the mobile device’s data port to a flasher box, and the flasher box is connected to the forensic workstation. A series of commands are sent from the flasher box to the mobile device to place it in a diagnostic mode. Once in diagnostic mode, the flasher box captures all (or sections) of flash memory and sends it to the forensic workstation over the same communications link used for the upload. Some flasher boxes work this way, or they may use a proprietary interface for memory extractions. Rare cases exist where WiFi extractions can be accomplished (i.e., early Jonathan Zdziarski (JZ) Methods).
JTAG – Many manufacturers support the JTAG standard, which defines a common test interface for processors, memory, and other semiconductor chips. Forensic examiners can communicate with a JTAG-compliant component by utilizing special-purpose standalone programmer devices to probe defined test points. The JTAG testing unit can be used to request memory addresses from the JTAG-compliant component and accept the responsibility for storage and rendition. JTAG gives specialists another avenue for imaging devices that are locked or devices that may have minor damage and cannot be properly interfaced otherwise. This method involves attaching a cable (or wiring harness) from a workstation to the mobile device’s JTAG interface and access memory via the device’s microprocessor to produce an image. JTAG extractions differ mainly from Hex Dumping. It is invasive as access to the connections frequently requires that the examiner dismantle some (or most) of a mobile device to obtain access to establish the wiring connections.
Flasher boxes are small devices originally designed with the intent to service or upgrade mobile devices. Physical acquisitions frequently require the use of a flasher box to facilitate the extraction of data from a mobile device. The flasher box aids the examiner by communicating with the mobile device using diagnostic protocols to communicate with the memory chip. This communication may utilize the mobile device’s operating system or bypass it altogether and communicate directly to the chip. Flasher boxes are often accompanied by software to facilitate the data extraction process working in conjunction with the hardware. Many flasher box software packages provide the added functionality of recovering passwords from mobile device memory and some configurations. Although acquisition methods differ between flasher boxes, a general process is used. Limitations of the use of flasher boxes include the following:
- Rebooting the mobile device is frequently required to begin the extraction process; this may cause authentication mechanisms to activate, preventing further analysis.
- Many flasher boxes recover the data in an encrypted format requiring the examiner to either use the software provided by the flasher box manufacturer to decrypt the data or may require reverse-engineering the data’s encryption scheme by the analyst.
- Many phone models do not provide the acquisition of the entire memory range within a given mobile device. Only certain ranges may be available for certain mobile devices
- The flasher box service software often has many buttons that are labeled with nearly identical names. This confusion may easily lead even an experienced examiner to press the wrong button, erasing the mobile device’s contents instead of dumping the memory.
- Lack of documentation on the use of the flasher box tools is common. Extraction methods are frequently shared on forums supported by the vendor and moderated by more seasoned users. Caution should be taken when advice is provided, as not all the information provided is correct.
- Forensic Use: Nearly all flasher boxes were not designed with forensic use as their intended purpose. Examiners must be experienced in the use of flasher boxes and should understand the proper use and function of flasher boxes.
- Despite all of these limitations, using a flasher box is a viable option for many forensics cases. Proper training, experience, and understating of how the tools work are the keys to success.
A wide range of technical expertise and proper training is required for extracting and analyzing binary images with these methods, including locating and connecting to JTAG ports, creating customized boot loaders, and recreating file systems.
Chip-Off – Chip-Off methods refer to the acquisition of data directly from a mobile device’s flash memory. This extraction requires the physical removal of flash memory. Chip-Off provides examiners with the ability to create a binary image of the removed chip. The wear-leveling algorithm must be reverse-engineered to provide the examiner with data in a contiguous binary format file. Once complete, the binary image analysis occurs. This type of acquisition is most closely related to physical imaging a hard disk drive in traditional digital forensics. Extensive training is required to perform extractions at this level successfully. Chip-Off extractions are challenging based on a wide variety of chip types, a myriad of raw data formats, and the risk of causing physical damage to the chip during the extraction process. Due to the complexities related to Chip-Off, JTAG extraction is more common.
Micro Read – A Micro Read involves recording the physical observation of the gates on a NAND or NOR chip using an electron microscope. Due to the extreme technicalities involved when performing a Micro Read, this acquisition level would only be attempted for high-profile cases equivalent to a national security crisis after all other acquisition techniques have been exhausted. Successful acquisition at this level would require a team of experts, proper equipment, time, and in-depth knowledge of proprietary information. There are no known U.S. Law Enforcement agencies performing acquisitions at this level. Currently, there are no commercially available Micro Read tools.
For a more complete and up-to-date list of forensic tools, refer to NIST Tool Taxonomy (http://www.cftt.nist.gov/tool_catalog/populated_taxonomy/). The tools listed in Table 3 are grouped by level, starting with Level 1 (Manual Extraction) through Level 4 (Chip-Off).
Several popular forensic tool kits are available to law enforcement that meet the standards to qualify for official forensic examinations for mobile devices.
- BlackBag Technologies
- Magnet Forensics
- Access Data – Forensic Took Kit (FTK)
- Oxygen Forensics