Mobile device examinations have evolved greatly over the years, from the simple “commando” style (manually examining a cell phone to obtain data) to modern ways of raw data extraction (physically removing the device flash memory chip).
A few years ago a mobile examination consisted of turning on the cell phone, clicking through the user’s items, and snapping a picture to actually document, by hand, relevant information such as calls and contacts. If the phone was locked, the examiner was out of luck. Nowadays, mobile device examiners can utilize specific hardware to help build, program, and in some instances, even repair the device at the manufacturing level to collect the data. By utilizing sophisticated methods for data collection, and known device hardware specifications, examiners can now bypass device gesture and password locks, and even collect data from damaged or encrypted devices by accessing the flash memory chip directly.
What we once thought to be only part of a CSI episode or only possible for the forensic scientist is now a reality among the mobile forensic community.
Some of these sophisticated data extraction methods, such as Chip-Off and JTAG (Joint Test Action Group) analysis, have become very popular. If we think about it, there is a reason why. The forensic examiner is in constant struggle with mobile device technology. There is a never ending amount of new mobile devices born daily, and chances are, these devices will translate into new challenges when it comes to data collection. Chip-Off and JTAG data extraction methods can give investigators the answer to those challenges.
Utilizing Chip-Off procedures, examiners can physically remove the device’s flash memory chip from the circuit board. Once this is done, that raw data - which is not available through regular tool extractions-, can be obtained right where it lives, the device’s flash. However, these methods can be difficult and often require advanced training to mitigate the risk of damaging device components in the process. Once the flash is removed, there is a risk that the device will no longer be operational, and traditional methods can no longer be attempted.
JTAG on the other hand, utilizes a much less intrusive method. JTAG attaches to the TAPs (Test Access Points) on the circuit board of the device. The data is acquired using instructions to the processor to extract the raw data from the flash memory chip(s) via the TAPs. Utilizing this procedure, the device is not physically damaged, and can be reassembled, allowing the device to function as it had prior to the JTAG procedure. More importantly, because the device is physically functioning, it can be examined with traditional methods if needed even after undergoing a JTAG extraction.
Unfortunately, going through all these procedures to access this raw data is not the only difficult part. Once the data is available, transforming it into human interpretable evidence is usually where the investigation becomes tedious. “Making sense” of this pile of information equates to being able to take the raw data presented in a binary format, decode it, parse it, and report it correctly. To do so, investigators usually need to rely on manual data carving and other tools to effectively achieve the task. There are just few solutions on the market that can “make sense” of raw data without the need of other tools in the process. AccessData’s Mobile Phone Examiner Plus (MPE+) is one of the select few that provide the ability to import a binary “dump”, decode the data, parse the user information, and properly report on the raw data collected. There is no magic trick required to decode the information or expensive “add-on” tools needed. MPE+ recognizes the file system, mounts it, and presents the user with the data extraction capabilities.
One of AccessData’s primary contributions to the forensic community has always been the recognition, decoding and parsing of file systems. MPE+ does that without the need of specifying the type of device from which the raw data came.
As an example, we have broken down a data collection performed with a JTAG appliance used all over the world. The collected data was detailed and could be visualized on MPE+. The device used in this instance, was a locked Samsung SPH-L710 which was tested by several mobile forensic tools available. During several attempted data extractions, no tool was able to bypass the device’s lock and a series of errors were observed.
The device was powered off and the appropriate JTAG jig was selected and applied to the device. The jig cable was attached to the JTAG appliance box and then to the computer. The computer software supplied by the JTAG Appliance, allows users to select the device and consequently collect the data of the entire NOR/NAND chip which will contain every partition on the device.
Figure 1 Connected SPH-L710 Overview
Figure 2- Zoom of JTAG connection at TAPs
The collection begins. Depending on the device, the extraction of data could take days for completion (There are alternative and faster techniques that allow the selection of only one partition to be extracted and analyzed. These methods are not covered in this blog.).
Once the extraction has completed, a very large image is provided; the image contained approximately 16 Gb of data. Figure 3.
Figure 3 - File after extraction using JTAG
Moving onto the next stage is considerably easy; as the file can be easily imported into MPE+.
Using MPE+, we simply select “Import Image” and navigate to the folder where the image was saved. By selecting the image, MPE+ automatically imports it into the interface. Almost immediately, the file system and the multiple partitions are viewable.
Since there are multiple partitions, we need to locate the user data partition or dbdata partition, and use the MPE+ Android autoparse fuction. Simply right click on the partition folder and select the autoparse Android Data capability.
Figure 4 Right Click capability to parse Android data
As the different capabilities are displayed through the MPE+ interface, we can simply select the items we are looking for in the JTAG binary image. We selected all the items and proceeded with the data extraction. The MPE+ user interface is populated and the task is complete.
Figure 5 - Parsed User Data
Since the entire file system is available, utilize the MPE+ SQLBuilder and the New Auto App Parser (Figure 6) to collect application data from any SQLite database that you have a script for. No more looking for the file, simply click the App Auto Parser on the toolbar and any script that you have loaded will be run, data extracted, and immediately available in the interface for review and reporting.
Figure 6 Application AutoParser
Mobile device collections have evolved into intricate evaluations in order to circumvent passwords and gestures with Android devices. As we have seen, utilizing these methods can be tricky and difficult, but ultimately necessary in some data extractions.
So, the question here is, are we going to let the examination of that collected data be just as difficult?
MPE+ from AccessData can transform this difficult task in an easy step. By introducing an entirely different approach to mobile device forensics, MPE+ takes investigations to a new level. No need of third party tools or expensive “add-on” tools. MPE+ is the only tool on the market that allows mobile device examiners to take control of their investigations by incorporating advanced analysis capabilities in one single solution.
For more information visit http://accessdata.com/MPE