In the late spring of 2016 we received a cell phone from Detective Robert Hale of the Town of Madison Police Department for forensic work. This was a prepaid cell phone, a ZTE Prestige N9132 handset produced by Boost Mobile. The phone had belonged to Elijah Washington III, who had been shot and killed at the Capitol Petro gas station in May of that year.
The police department had been unable to extract any data on their own. This had less to do with the damage done to the phone, however, and more to do with the phone’s passcode protection and the fact that USB debugging (developer mode) had never been enabled (mobile phones are actually quite durable).
We could turn the phone on (in a secure environment, with the device wrapped in RF shielding cloth so it could not connect to surrounding cell towers and receive new data that might overwrite evidence) and bring up the lock screen with the phone’s notifications. We could not get any deeper into the phone at this point with Cellebrite Physical Analyzer. It looked like in order to reach the phone’s data, we would have to dig into its innards—quite literally. This case would require chip-off forensic analysis, in which we read the data directly from the flash memory chip that stores the phone’s contents.
Forensic analysis is a science. Like all scientists, we need a control if we want good and reliable results. No sane medical practitioner would try an untested procedure on a patient (unless your name is Herbert West). Likewise, before attempting a chip-off analysis of this victim’s ZTE mobile phone, we would have to purchase a test phone of the same model and make sure that removing the flash memory chip from its logic board would actually yield readable results.
Our test proved successful. Even with our ZTE Prestige N9132 test subject passcode-locked, removing its chip, imaging its contents, and examining the chip’s binary image file in Cellebrite Physical Analyzer gave us a pretty good picture of the phone’s contents. We were now confident that the same procedure on the victim’s phone would yield results of similar quality. Now it was time to move on to the real deal.
You can see the rough shape the victim’s ZTE mobile phone was in here:
That camera won’t be taking pictures anytime soon. You can even see the bent corner of the microSD card inserted into the phone. That is not a pretty sight. Here’s a better shot of the microSD card on its own, to really give you an idea of the extent of the damage:
All in all, microSD cards aren’t much to look at. They’re designed in an “all-in-one” monolithic form factor in which all of the components that make up a flash memory device get lumped together into a single package. Imagine laying out all of the components of a traditional flash drive, like this one, and squishing it down into a tiny black thing scarcely the size of your thumbnail:
Because real estate is at a premium inside these monolithic flash devices, it was very likely that this bent corner of the card meant that there was also a crack running through the flash memory chip itself, which would store any data held on the memory card. Damage to the flash memory chip itself can cause fatal damage to the data held inside.
To recover data from the damaged chip for forensic analysis, we would have to use laser ablation to remove the epoxy surrounding the chip, then solder tiny leads to the chip and, using custom software, reassemble the raw data into something useful. Because of the damage, the process would be even longer and more difficult than usual, and our chances of success would be very low. At the behest of our client at the police department, we focused our efforts on the other chip.
Unlike the poor microSD card, the SK hynix flash memory chip inside the phone itself was in good enough shape. Understandably so: it had the entire body of the phone surrounding it to cushion it and keep it safe. Now it was time to remove the chip from the phone’s logic board.
The eMMC chip inside a smartphone isn’t anything like the microSD card. The SD card works as removable storage—inserted and removed at the user’s convenience. The eMMC chip, by contrast, was never meant to be removed. Isolating it from the logic board takes a lot of elbow grease: adhesive resin holds the chip to the board, and a controlled, careful application of heat is necessary to weaken the bond and lift the chip off. Afterward, the chip has to be cleaned and prepared for imaging.
With the mobile phone’s chip removed and cleaned, we could pop it into a chip reader. Next, we set out to make a forensic image of its contents. Using Gillware’s proprietary recovery platform Hombre, we successfully obtained a complete binary image of the chip’s contents. Now, using Cellebrite Physical Analyzer, we could open, decode, and parse the binary image.
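Once a chip-off dump like this exists, the first thing a practitioner does with it is hash it for chain of custody and check whether its partition table parses cleanly, since a consistent table is a quick sign that the read was complete before the image goes to a decoder. The following is an added Python example, not Gillware’s Hombre or Cellebrite’s code: it builds a small constructed GPT image in memory to stand in for an eMMC dump, records its SHA-256, and parses the GPT header and partition entries while checking their CRC32 values. It assumes a GPT layout (the usual case for Android eMMC storage); the disk GUID, partition names and unique GUIDs are constructed, and only the Linux filesystem type GUID is a real, standard value.

```python
import binascii
import hashlib
import struct
import uuid

SECTOR = 512
# GPT header (92 bytes) and partition entry (128 bytes), little-endian.
HEADER_FMT = "<8sIIIIQQQQ16sQIII"
ENTRY_FMT = "<16s16sQQQ72s"
LINUX_FS_GUID = uuid.UUID("0fc63daf-8483-4772-8e79-3d69d8477de4")  # standard type GUID
DISK_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")        # constructed


def crc32(data: bytes) -> int:
    return binascii.crc32(data) & 0xFFFFFFFF


def acquisition_hash(image: bytes) -> str:
    """SHA-256 of the whole dump, recorded at acquisition for chain of custody."""
    return hashlib.sha256(image).hexdigest()


def build_sample_image() -> bytes:
    """Constructed sample: a 64 KiB GPT image with two partitions, standing in
    for an eMMC dump. Only the primary header is written; the backup copy a
    real device carries at the end of the disk is left zeroed here."""
    total_lbas, num_entries, entry_size = 128, 128, 128
    entries_lbas = num_entries * entry_size // SECTOR          # 32 sectors
    first_usable = 2 + entries_lbas                             # LBA 34
    last_usable = total_lbas - 1 - entries_lbas - 1             # LBA 94
    parts = [("boot", first_usable, first_usable + 15),
             ("userdata", first_usable + 16, last_usable)]
    array = bytearray(num_entries * entry_size)
    for i, (name, first, last) in enumerate(parts):
        array[i * entry_size:(i + 1) * entry_size] = struct.pack(
            ENTRY_FMT, LINUX_FS_GUID.bytes_le,
            uuid.uuid5(uuid.NAMESPACE_DNS, name).bytes_le,   # constructed unique GUID
            first, last, 0, name.encode("utf-16-le").ljust(72, b"\0"))
    header = bytearray(struct.pack(
        HEADER_FMT, b"EFI PART", 0x00010000, 92, 0, 0, 1, total_lbas - 1,
        first_usable, last_usable, DISK_GUID.bytes_le, 2, num_entries,
        entry_size, crc32(array)))
    header[16:20] = struct.pack("<I", crc32(header))   # CRC computed with field zeroed
    mbr = bytearray(SECTOR)                             # protective MBR, type 0xEE
    mbr[446:462] = struct.pack("<BBBBBBBBII", 0, 0, 2, 0, 0xEE, 0xFF, 0xFF, 0xFF,
                               1, total_lbas - 1)
    mbr[510:512] = b"\x55\xAA"
    image = bytearray(total_lbas * SECTOR)
    image[0:SECTOR] = mbr
    image[SECTOR:SECTOR + 92] = header
    image[2 * SECTOR:2 * SECTOR + len(array)] = array
    return bytes(image)


def parse_gpt(image: bytes) -> dict:
    """Parse the primary GPT of a raw image, refusing anything whose header or
    entry-array CRC does not match (a truncated or corrupted read)."""
    hdr = image[SECTOR:SECTOR + 92]
    (sig, _rev, hsize, hcrc, _res, _cur, _backup, _first, _last,
     disk_guid, entries_lba, n, esize, ecrc) = struct.unpack(HEADER_FMT, hdr)
    if sig != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1")
    full = image[SECTOR:SECTOR + hsize]
    if crc32(full[:16] + b"\0\0\0\0" + full[20:]) != hcrc:
        raise ValueError("GPT header CRC mismatch")
    array = image[entries_lba * SECTOR:entries_lba * SECTOR + n * esize]
    if crc32(array) != ecrc:
        raise ValueError("GPT partition array CRC mismatch")
    parts = []
    for i in range(n):
        entry = array[i * esize:i * esize + esize]
        type_guid, _uniq, first, last, _attrs, name = struct.unpack(ENTRY_FMT, entry[:128])
        if type_guid == b"\0" * 16:          # unused slot
            continue
        parts.append({"name": name.decode("utf-16-le").rstrip("\0"),
                      "type": str(uuid.UUID(bytes_le=type_guid)),
                      "first_lba": first, "last_lba": last,
                      "size_bytes": (last - first + 1) * SECTOR})
    return {"disk_guid": str(uuid.UUID(bytes_le=disk_guid)), "partitions": parts}


if __name__ == "__main__":
    img = build_sample_image()
    print("sha256:", acquisition_hash(img))
    for p in parse_gpt(img)["partitions"]:
        print(f"{p['name']:<10} LBA {p['first_lba']}-{p['last_lba']}  {p['size_bytes']} bytes")
```

On a real dump you would replace `build_sample_image()` with the bytes read from the chip reader, store the hash alongside the image, and treat a CRC failure as a signal to re-read the chip or fall back to the backup GPT before trusting any decoded content.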
The results of our work—all of the data we could pull from the victim’s ZTE Prestige N9132 handset—then went off to our client at the police department to aid in their continuing investigation. In November 2016, Kortney Moore, who had turned himself in four days after the shooting death of Elijah Washington III, pleaded guilty to first-degree intentional homicide.