January 31, 2020
Damaged mobile phones are still filled with plenty of useful data, according to researchers at the National Institute of Standards and Technology (NIST), which is part of the U.S. Department of Commerce. NIST published the results of a recent study on forensic methods for getting data from damaged mobile phones. It tested the tools that law enforcement uses to hack phones and found that even if criminals attempt to destroy the evidence by burning, drowning, or smashing their phones, forensic tools can still successfully extract data from the phone’s electronic components.
“If the phone has some structural damage or thermal damage, or liquid damage, you’re still able to sometimes bypass that,” says Rick Ayers, the NIST digital forensics expert who led the study. He told ZDNet that modern forensic techniques are effective, although that hasn’t always been the case.
Ayers has been working on mobile forensics for the United States government for the last 17 years. During that time, he witnessed the evolution of mobile phones and the forensic tools that are used to investigate them. He started back in 2003 with PDAs (personal digital assistants) such as palm pilots and the Windows mobile PDA, then basic feature phones, and the first iPhones.
While early mobile devices were groundbreaking at the time, they had limited capabilities and therefore didn’t carry much useful evidence for law enforcement. They had phone logs, some texts, and perhaps a few photos. Plus, there weren’t many reliable forensic tools for extracting data. The tools that did exist weren’t standardized, so they could only be used on certain makes and models, such as a tool that could only hack a Nokia phone.
Now, Ayers says, there is a plethora of evidence on mobile phones and better, more universal tools for extracting that data.
“Essentially, everybody’s carrying around a workstation in their pocket,” Ayers says.
The capabilities that consumers enjoy on modern smartphones also come in handy for criminal investigations. We’re all leaving behind a digital trail of where we’ve been, who we communicate with, what we buy, and much more. All of the apps, videos, and internet browsing that we do on our phones comes along with metadata that can be extracted with modern forensic methods.
The researchers put data on phones and then attempted to extract it using forensic tools.
Ayers explains, “We have a testbed of about 40 or 50 of a variety of Android and iOS devices and feature phones and we populate each one of those phones so we know exactly what’s on the phone. We use each one of those phones just like a normal user would.”
They added contacts, social media apps with fake accounts, and created multiple accounts to talk back and forth to each other. They drove around with the phones so that GPS data would be added. They added data and deleted it so they could test whether the tools could extract both active and deleted data.
Then, they used two forensic techniques to break into the phones to see if the data could be recovered.
“The JTAG and chip-off methods are two techniques that allow you to get a byte-for-byte memory dump of the data that is contained on a mobile device,” says Ayers.
NIST computer scientist Jenise Reyes-Rodriguez performed the JTAG procedure on site.
JTAG stands for Joint Task Action Group, the industry association that formed to create a standard for the manufacturing of integrated circuits. The NIST study only included Android devices because most Android devices are “J-taggable,” while iOS devices aren’t. The forensic technique takes advantage of TAPs, short for test access ports, which are usually used by manufacturers to test their circuit boards. By soldering wires onto the TAPs, investigators can access the data from the chips.
To perform a JTAG extraction, Reyes-Rodriguez first broke the phone down to access the printed circuit board (PCB). She carefully soldered thin wires the size of a human hair onto small metal contacts called TAPs, which are about the size of the tip of a thumbtack.
“JTAG is very tedious and you do need a lot of training,” says Ayers. “You need to have good eyes and a very steady hand.”
The researchers compared JTAG to the chip-off method, which is another forensic technique. While JTAG work was done at NIST, the chip-off extraction was conducted by the Fort Worth Police Department Digital Forensics Lab and a private forensics company in Colorado called VTO Labs. (See our previous coverage of their drone forensics work here.)
Delicate metal pins connect chips to a phone’s circuit board. An older version of the chip-off method involved experts gently pulling the chips off the PCB, but this risked damaging the tiny pins, which made it impossible to get the data. In the newer chip-off technique, forensic experts instead grind down the PCB to expose the pins underneath the chip and then put the chip in a reader.
Ayers explains, “That’s going to give you more data than compared to a logical file extraction done through software.”
After the data was extracted, Ayers and Reyes-Rodriguez used forensic software to interpret it. They recovered contacts, locations, social media data, and more, and compared it to the original data that they had loaded onto the phones. They concluded that both the JTAG and chip-off methods effectively extracted data from the phones.
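The comparison step described above, populating a device with known data (some of it later deleted), extracting it, and scoring what the tool recovered against the ground truth, can be written as a small validation script. This is an added example, not NIST's or the article's code; the manifest and the parsed extraction output are constructed sample data.

```python
"""Score a forensic extraction against the ground truth loaded onto a test device.
Added example (not NIST's code). MANIFEST and EXTRACTED are constructed samples."""
from collections import defaultdict

# Constructed manifest: what was loaded onto the test phone, and whether it was later deleted.
MANIFEST = [
    {"category": "contact", "value": "Alice Example +1-555-0100", "status": "active"},
    {"category": "contact", "value": "Bob Example +1-555-0101", "status": "deleted"},
    {"category": "sms", "value": "meet at 3pm", "status": "active"},
    {"category": "sms", "value": "old message", "status": "deleted"},
    {"category": "gps", "value": "39.1356,-77.2160", "status": "active"},
    {"category": "gps", "value": "38.8895,-77.0353", "status": "deleted"},
]

# Constructed output of the forensic tool after it parsed the memory dump.
EXTRACTED = [
    {"category": "contact", "value": "Alice Example +1-555-0100"},
    {"category": "contact", "value": "Bob Example +1-555-0101"},
    {"category": "sms", "value": "meet at 3pm"},
    {"category": "gps", "value": "39.1356,-77.2160"},
    {"category": "gps", "value": "0.0000,0.0000"},  # artifact that was never loaded
]

def score_extraction(manifest, extracted):
    """Per-category [recovered, total] counts for active and deleted items, plus any
    extracted values absent from the manifest (tool noise or misparsed data to examine)."""
    found = {(e["category"], e["value"]) for e in extracted}
    results = defaultdict(lambda: {"active": [0, 0], "deleted": [0, 0]})
    for item in manifest:
        bucket = results[item["category"]][item["status"]]
        bucket[1] += 1
        if (item["category"], item["value"]) in found:
            bucket[0] += 1
    expected = {(m["category"], m["value"]) for m in manifest}
    return dict(results), sorted(found - expected)

def recovery_rate(results, status):
    """Fraction of items with the given status ('active' or 'deleted') that were recovered."""
    recovered = sum(r[status][0] for r in results.values())
    total = sum(r[status][1] for r in results.values())
    return recovered / total if total else 0.0

if __name__ == "__main__":
    res, unexpected = score_extraction(MANIFEST, EXTRACTED)
    for cat, r in sorted(res.items()):
        print(f"{cat}: active {r['active'][0]}/{r['active'][1]}, "
              f"deleted {r['deleted'][0]}/{r['deleted'][1]}")
    print("active recovery:", recovery_rate(res, "active"))
    print("deleted recovery:", recovery_rate(res, "deleted"))
    print("unexpected artifacts:", unexpected)
```

Reporting active and deleted items separately matters because a tool that recovers everything still present may recover little of what was deleted, and unexpected artifacts flag parser errors that could mislead an examiner.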
This study focused on the forensic tools that are used to extract data; it did not address how to get past encryption. However, the researchers note that law enforcement agents are often able to retrieve criminals’ passwords during the investigation.
The full reports from the study are available on the Department of Homeland Security’s cyber forensics website.