Joint Test Action Group (JTAG) is an industry standard devised for testing printed circuit boards (PCBs) using boundary scan and was designed to quickly and easily test PCBs coming off a manufacturing assembly line. JTAG Forensics is a process that uses that same process and involves connecting the the Test Access Ports (TAPs) on a PCB via solder, molex or jig and then uses a supported JTAG Box (Riff, Z3X, ATF, etc.) to instruct the processor to acquire the raw data stored on the connected memory chip to get a full physical image from the device. This process is non-destructive to the phone.
Chip-off Forensics is the process in which a BGA memory chip is removed from a device and prepared so that a chip reader can acquire the raw data to obtain a physical data dump. A chip reader, like the UP 828P Programmer or a SIREDA test socket, is required to perform the read and in the case of the UP 828P, a specific adapter will be required depending on the specific chip. Unlike JTAG, chip-off is a destructive process, and the device will no longer function. Many examiners start with a non-destructive technique like JTAG or ISP before submitting to a Chip-off.
In-System Programming (ISP) applied to forensics, is the practice of connecting to an eMMC or eMCP flash memory chip for the purpose of downloading a device’s complete memory contents. eMMC and eMCP memory are the standard in today’s smartphones, and the ISP practice enables examiners to directly recover a complete data dump without removing the chip or destroying the device. Identifying the taps that connect to the memory chip using a multimeter is required in ISP technique. Thus, for each evidence phone, a second identical phone that can be destroyed will be needed.
Students learn how to make a JTAG connection to a locked device by primarily soldering to the TAPs (Test Action Points) in order to access the physical memory on the device. Connecting via a Molex Connection or using a custom JIG is also taught. Some newer phones may not be JTAGable.
Students learn how to remove the chip from board using various techniques and prepare the board to do a read. Students also learn the fundamentals of the various memory structures found on devices ranging from smartphones, tables and SSD drives.
ISP is a good choice for labs seeing newer phones unsupported by JTAG that contain an eMMC or eMCP chip. It is a non-destructive process like JTAG, but it requires very fine precision soldering and either excellent vision or proper magnification.
Teel Tech JTAG, Chip-off and ISP students get access to the Physical and RAW Mobile Forensic Google Group, with a focus on Mobile Phone Forensics – Forensics Tools; Flasher Box; Bootloader; JTAG; ISP; and Chip-off are some of the topics of discussion. Moderated by Bob Elder, Director of Training and the head of Teel Tech Canada, the group is now over 1000 people, all LE, a policy strictly maintained. Below is a real example of a daily topic summary.
In addition to the Physical and RAW group, ISP students are also invited to an ISP discussion only google group where they can share pin outs and experiences with one another.
Teel Technologies was the first to introduce JTAG, Chip-off and ISP to the mobile forensic community. We constantly receive feedback that our classes are the best. And our classes are taught by seasoned mobile forensic examiners who are either active or retired law enforcement who practice these techniques day in and day out.