Joint Test Action Group (JTAG) is an industry standard devised for testing printed circuit boards (PCBs) using boundary scan and was designed to quickly and easily test PCBs coming off a manufacturing assembly line. JTAG Forensics is a process that uses that same process and involves connecting the the Test Access Ports (TAPs) on a PCB via solder, molex or jig and then uses a supported JTAG Box (Riff, Z3X, ATF, etc.) to instruct the processor to acquire the raw data stored on the connected memory chip to get a full physical image from the device. This process is non-destructive to the phone.
Chip-off Forensics is the process in which a BGA memory chip is removed from a device and prepared so that a chip reader can acquire the raw data to obtain a physical data dump. A chip reader, like the UP 828P Programmer or a SIREDA test socket, is required to perform the read and in the case of the UP 828P, a specific adapter will be required depending on the specific chip. Unlike JTAG, chip-off is a destructive process, and the device will no longer function. Many examiners start with a non-destructive technique like JTAG or ISP before submitting to a Chip-off.
In-System Programming (ISP) applied to forensics, is the practice of connecting to an eMMC or eMCP flash memory chip for the purpose of downloading a device’s complete memory contents. eMMC and eMCP memory are the standard in today’s smartphones, and the ISP practice enables examiners to directly recover a complete data dump without removing the chip or destroying the device. Identifying the taps that connect to the memory chip using a multimeter is required in ISP technique. Thus, for each evidence phone, a second identical phone that can be destroyed will be needed.
Students learn how to make a JTAG connection to a locked device by primarily soldering to the TAPs (Test Action Points) in order to access the physical memory on the device. Connecting via a Molex Connection or using a custom JIG is also taught. Some newer phones may not be JTAGable.
Students learn how to remove the chip from board using various techniques and prepare the board to do a read. Students also learn the fundamentals of the various memory structures found on devices ranging from smartphones, tables and SSD drives.
ISP is a good choice for labs seeing newer phones unsupported by JTAG that contain an eMMC or eMCP chip. It is a non-destructive process like JTAG, but it requires very fine precision soldering and either excellent vision or proper magnification.
The Workbench Gear is needed to work physically with the device, however you will need tools and software to read the data off the phone. See the sections covering what to buy depending on your budget below.
Teel Tech offers an adapter subscription service that allows you to purchase a set number of adapters up front, and we will overnight you the specific adapter you need based on the evidence phone in your lab.
What’s the difference between the UP828P and the SIREDAs?:
The UP828P has adapters for chips from older phones. SIREDAs do not support older devices. Depending on the phones you are seeing, the SIREDAs may be all you need.
If you have invested in JTAG and/or Chip-off, there is little more that is needed.
Even if budget is small, a higher quality solder iron or at the very least, a precision solder tip, is highly recommended.
Because of the fine precision soldering, magnification is important for ISP. Magnification varies in price and style, be it a Jewelers Loop, Head Visor, USB Pen Microscope, traditional Lab Microscope to high end Inspection Stations.
We will have various types of magnification available for you to try in class and encourage you to find one that you like that fits your budget.
Various Types of Magnifications that work for you. Preference of magnification seems to vary widely from person to person. We will have several types of magnification available to try in class, and encourage you to try them all to find the one that best suits you.
Teel Tech JTAG, Chip-off and ISP students get access to the Physical and RAW Mobile Forensic Google Group, with a focus on Mobile Phone Forensics – Forensics Tools; Flasher Box; Bootloader; JTAG; ISP; and Chip-off are some of the topics of discussion. Moderated by Bob Elder, Director of Training and the head of Teel Tech Canada, the group is now over 1000 people, all LE, a policy strictly maintained. Below is a real example of a daily topic summary.
In addition to the Physical and RAW group, ISP students are also invited to an ISP discussion only google group where they can share pin outs and experiences with one another.
Teel Technologies was the first to introduce JTAG, Chip-off and ISP to the mobile forensic community. We constantly receive feedback that our classes are the best. And our classes are taught by seasoned mobile forensic examiners who are either active or retired law enforcement who practice these techniques day in and day out.