In order to delve as deeply as possible into a mobile device for your forensic investigation, you may need to access the device’s contents on a physical level—creating and sorting through a raw data dump of the smartphone’s NAND or NOR flash memory chips. There are many tools and techniques which allow forensic investigators to obtain this level of access, even if the smartphone is locked—but when tools like Cellebrite UFED and other forensic examination packages fail, you may need JTAG forensics to access and physically acquire the phone.
The JTAG forensic method is a difficult procedure, and could be risky if attempted by an individual without the proper training and expertise due to the delicacy of the operation. If you need a JTAG physical acquisition performed for your forensic investigation, you can turn to Gillware. Our highly skilled forensic experts have the tools, resources, and expertise to successfully perform JTAG forensic operations for smartphone acquisition. The experts at Gillware can use JTAG forensics to dump the contents of the smartphone in question and examine the bounty of data we uncover on your behalf.
What Is JTAG Forensics?
The JTAG (short for “Joint Test Action Group”) method allows forensic investigators to physically acquire a device such as a smartphone non-invasively. In the digital forensics world, “physical acquisition” refers to making complete (or as complete as possible) images of every chip in a device capable of storing data. This is in contrast to file system acquisition, which only copies over the full (or partial) file system (including directory structure and files), and logical acquisition, which only acquires the contents of specific storage objects (the SQLite database containing SMS message records, for example). Physical acquisition is the deepest and most thorough level of forensic acquisition.
Physical acquisition allows a forensic examiner to look over everything—including the things they’d miss or which wouldn’t be extracted in more superficial extractions. But in order to physically acquire a device such as a smartphone, a forensic investigator must access the flash memory chips inside the phone directly. This could require an invasive and destructive chip-off procedure, requiring a skilled and highly trained expert to carefully remove the chips, fully disassembling the smartphone and rendering it unusable.
JTAG forensics gives forensic investigators a different approach to the invasive chip-off method. For the JTAG method, the forensic examiner connects leads to specific Test Access Ports (TAPs) on the phone’s motherboard, allowing data from the smartphone’s NAND or NOR flash memory chips to travel through them and directly to the examiner’s system, creating a raw memory dump of the device’s contents.
JTAG Forensics: Strengths and Weaknesses
The JTAG method can be a very useful and powerful technique for smartphone forensics. Physical acquisition of a mobile device can reveal digital fingerprints and trace amounts of information that the higher-level, more superficial forms of forensic acquisition would not reveal on their own. When possible, physical acquisition can be an important part of your mobile forensics investigation, but it can be very difficult to physically acquire a device.
JTAG forensics is one of several methods of physical acquisition. In cases where the smartphone is still locked and physical acquisition fails by other means, such as Cellebrite UFED, JTAG forensics can provide a raw hexadecimal dump of all of a smartphone’s stored memory. If the phone has suffered some minor damage that makes it harder to access, such as damage to its screen or keyboard, JTAG may be the only non-invasive way to physically acquire the device.
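As an added example (not Gillware's code or tooling), the following Python shows what sorting through a raw physical dump looks like in practice: the image is hashed for the evidence record, then scanned for SQLite database headers, since SMS and similar records on a phone live in SQLite files that a logical acquisition copies individually but a raw dump only contains as bytes at some offset. The dump bytes are constructed for the example; the header fields read are those of the published SQLite file format.

```python
import hashlib
import struct

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite file


def hash_image(image: bytes) -> str:
    """SHA-256 of the whole dump, recorded before any analysis touches it."""
    return hashlib.sha256(image).hexdigest()


def carve_sqlite(image: bytes) -> list:
    """Return one record per plausible SQLite header found in a raw image.

    SQLite header layout: bytes 0-15 magic, 16-17 page size (big-endian,
    value 1 meaning 65536), 28-31 page count. An embedded database therefore
    spans page_size * page_count bytes starting at its header.
    """
    hits = []
    pos = image.find(SQLITE_MAGIC)
    while pos != -1:
        header = image[pos:pos + 100]
        if len(header) == 100:
            page_size = struct.unpack(">H", header[16:18])[0]
            if page_size == 1:
                page_size = 65536
            page_count = struct.unpack(">I", header[28:32])[0]
            # Valid page sizes are powers of two between 512 and 65536.
            plausible = 512 <= page_size <= 65536 and page_size & (page_size - 1) == 0
            if plausible and page_count > 0:
                length = page_size * page_count
                hits.append({
                    "offset": pos,
                    "page_size": page_size,
                    "page_count": page_count,
                    "length": length,
                    # A database that runs past the end of the image is a
                    # sign of an incomplete acquisition or an overwritten tail.
                    "truncated": pos + length > len(image),
                })
        pos = image.find(SQLITE_MAGIC, pos + 1)
    return hits


def make_dump() -> bytes:
    """Constructed raw dump: filler, a 2-page database, filler, a truncated one."""
    def db(page_size, page_count, fill):
        hdr = bytearray(100)
        hdr[0:16] = SQLITE_MAGIC
        hdr[16:18] = struct.pack(">H", page_size)
        hdr[28:32] = struct.pack(">I", page_count)
        return bytes(hdr) + bytes([fill]) * (page_size - 100)
    return (b"\xff" * 300 + db(1024, 2, 0x41) + b"\x00" * 512
            + db(4096, 8, 0x42)[:1000])
```

On a real dump the carved offsets and lengths are what you pass to a file-extraction step; the hash is what you record alongside the acquisition notes.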
However, the JTAG method can only be successful as long as the device can still turn on. If the phone you need to pull data from has been damaged to the point where it no longer functions at all (whether by water damage, fire damage, or excessive physical trauma), chip-off methods are required for physical acquisition (and due to the damage to the phone, a full physical acquisition may not be possible).
JTAG is one of many methods of forensic physical acquisition, and like the other methods, it doesn’t have a 100% success rate. Smartphone manufacturers use the JTAG standard to test and debug mobile devices before they are finally assembled and packaged, and some manufacturers disable JTAG access altogether before the phones ship to be sold.
The JTAG method tends to work extremely well, however, for prepaid burner phones. Burner phones are easy to purchase with cash, come with no contracts, are difficult to trace, and can be thrown away after just a few uses. These prepaid phones, which appear frequently in criminal investigations due to their use in transactions of questionable legality, are usually extremely difficult to physically acquire through simpler methods due to the extra restrictions placed on them by their manufacturers. The data ports on prepaid burner phones have often been locked to prevent third parties from flashing these devices’ firmware and reselling them for profit. This also prevents forensic investigators from using simpler means to physically acquire the devices. JTAG forensics may be the only non-invasive way to acquire the contents of these prepaid phones.
JTAG forensics has a few risks, despite being a non-invasive acquisition method, due to the delicate work and electrical skills needed to apply the leads to the phone’s proper access points. While the smartphone is powered on, the forensic examiner must partially disassemble the phone to expose its motherboard, then carefully solder the leads to the correct access ports.
Special adapters exist for many smartphone models to make JTAG forensics easier and more straightforward, but an individual who incorrectly performs the JTAG process and solders wires to incorrect parts of the phone can fry components of the motherboard and stymie forensic examination efforts. While there is no risk to a trained professional attempting the JTAG method with the proper tools, as with all forensic techniques, if an individual performs these procedures incorrectly, some data on the device can be rendered irretrievable.
Gillware: The JTAG Experts You Need
An unskilled individual may cause further damage to a smartphone when attempting to use the JTAG method for physical acquisition. This method requires specialized tools, as well as a special set of skills and knowledge. If the smartphone is damaged during disassembly or when soldering leads to the TAPs on the phone’s motherboard, the evidence on the phone may be rendered unusable.
Gillware Digital Forensics leverages the skills and expertise of its president Cindy Murphy, a digital forensics veteran with over three decades of experience in law enforcement, as well as the data recovery capabilities of Gillware Data Recovery’s secure, world-class data recovery lab. Our mobile device forensics and data recovery experts are well-versed in the tools of the trade and various methods for forensic acquisition, including JTAG forensics.
JTAG forensics is merely one of many methods that can be used to acquire a smartphone for forensic analysis. It can be difficult, and may not always work, but when it does, it can be a powerful tool in the forensic investigator’s toolkit. Gillware’s expert analysts are well-versed in JTAG forensics and all other methods of forensic acquisition. Our digital forensics experts can help you with every step of your mobile forensics needs, from the initial consultation to providing expert testimony on our findings in court.