“I begin by imagining
And end by accomplishing.”
― Sri Chinmoy
I love my work!
I’ve said it before, and I’ll say it again: I love my work! Part of my enthusiasm comes from working with an extraordinary team of engineers and examiners.
It’s great to work with people who don’t ever assume that something is “impossible” just because others say so. Instead, the Gillware team relentlessly searches for creative solutions, resulting in victories small and large.
In Mobile Phone Forensics, Starting Assumptions Make for Quick Endings
I’ve talked about this previously, most notably in my post about Flash Memory Amnesia. I was awed by the successful recovery of over 300 image files from a flash memory card that forensic tools only saw as containing all zeros.
An image of all zeros understandably leads forensic examiners to assume that a device is wiped and recovery is impossible. But, it turns out that it’s possible after all! We’ve all heard the old saying about what you make of “you” and “me” when you “assume”, and in forensics and data recovery, throwing those old assumptions out the window can sometimes lead to surprising new solutions.
Today’s success story starts with another often repeated assumption: Chip Off forensics is a destructive process that results in destruction of the original evidence, and a non-functional phone.
We’ve done plenty of operations under this assumption. But I can now tell you that this isn’t always the case. I know this because after a lot of trial and error and R&D work, and cooperation between the Gillware Data Recovery and Gillware Digital Forensics teams, we successfully performed not only a chip-off procedure, but a chip-on procedure as well!
A New Frontier in Mobile Phone Forensics: Chip Off, Chip On
This was one of those cases that walks the fence between data recovery and forensics. A client, involved in active litigation, accidentally dropped his phone in the toilet, and needed to retrieve data from the now-waterlogged phone. We tried a number of things that should have worked and had worked in the past, but to no avail.
We then went to our typical last resort and performed a chip-off procedure on the LG VN-150 Revere cell phone. A spiderwebbing technique was used to obtain a full physical image of the phone. But things were slightly “off”: the data was misaligned in odd ways that didn’t make sense for Flash Translation Layer alignment issues or other problems.
A team of us got together, including Greg Andrzejewski, head of R&D for Gillware Digital Forensics, Mike Skaar, one of our chip-off engineers with incredibly steady hands and an eye for detail, myself, and another engineer who prefers to remain unnamed, to brainstorm the problem.
We made and compared physical dumps from multiple LG VN-150 Revere test phones using different mobile forensic extraction methods. After this, we decided to try something crazy. We thought, “Wouldn’t it be cool to swap the chip from the damaged phone onto a different, non-damaged board?”
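As an added illustration (not Gillware’s tooling and not part of the original post), the following Python script shows one way an examiner can compare two physical dumps page by page to spot the kind of misalignment described above, and to tell an all-zero image apart from one that merely contains some erased pages. The page size, the sample dumps, and every function name here are constructed for the example; real NAND page sizes depend on the part.

```python
import hashlib
from collections import Counter

# Constructed page size for the example; real NAND page sizes depend on the chip.
PAGE = 512


def split_pages(dump: bytes, page: int = PAGE) -> list:
    """Cut a raw dump into fixed-size pages (the last page may be short)."""
    return [dump[i:i + page] for i in range(0, len(dump), page)]


def zero_pages(dump: bytes, page: int = PAGE) -> list:
    """Indices of pages that read back as all zeros.

    A dump made up entirely of zero pages is what a tool reports as 'wiped';
    a handful of zero pages mixed with data is normal (unused or erased space).
    """
    return [i for i, p in enumerate(split_pages(dump, page)) if not any(p)]


def align_pages(reference: bytes, candidate: bytes, page: int = PAGE) -> list:
    """For each page of `candidate`, find the page of `reference` with identical
    content (matched by SHA-256) and return (candidate_index, reference_index_or_None).
    Duplicate pages in the reference map to their first occurrence."""
    first_seen = {}
    for i, p in enumerate(split_pages(reference, page)):
        first_seen.setdefault(hashlib.sha256(p).hexdigest(), i)
    return [(j, first_seen.get(hashlib.sha256(p).hexdigest()))
            for j, p in enumerate(split_pages(candidate, page))]


def shift_histogram(mapping: list) -> Counter:
    """Count how far each matched page moved (reference index minus candidate index).

    Two consistent extractions of the same chip give one dominant shift
    (usually 0). Several large buckets mean whole runs of pages sit at
    different offsets in the two dumps, which is the signature of a
    misaligned image rather than an ordinary remapping of a few blocks.
    """
    return Counter(ref - cand for cand, ref in mapping if ref is not None)


def build_samples() -> tuple:
    """Constructed test dumps: a 16-page reference, and a candidate in which
    two all-zero pages were inserted after page 7, pushing pages 8..15 down."""
    pages = [hashlib.sha256(b"page-%d" % i).digest() * (PAGE // 32) for i in range(16)]
    reference = b"".join(pages)
    candidate = b"".join(pages[:8]) + bytes(PAGE) * 2 + b"".join(pages[8:])
    return reference, candidate


def analyse(reference: bytes, candidate: bytes) -> dict:
    """Summarise how `candidate` lines up against `reference`."""
    mapping = align_pages(reference, candidate)
    return {
        "zero_pages_in_candidate": zero_pages(candidate),
        "unmatched_pages": [c for c, r in mapping if r is None],
        "shifts": dict(shift_histogram(mapping)),
    }


if __name__ == "__main__":
    ref, cand = build_samples()
    print(analyse(ref, cand))
```

On the constructed samples the histogram shows two buckets of equal size (shift 0 for the first eight pages, shift -2 for the rest), which is exactly the picture to look for when a dump from one extraction method does not line up with a dump of the same model taken another way. Against real images, run it with the page size of the actual part and with dumps of the same size.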
We’ve had a lot of success with creating Frankenphones in order to recover data or do forensics on severely damaged phones. This usually entails swapping parts from a donor phone to a damaged phone, or swapping the Printed Circuit Board out of the damaged phone into a donor phone body.
In my law enforcement days, I invented a method called the Fraternal Clone Method for CDMA cell phones, where data was extracted from a damaged phone and injected into a substantially identical non-damaged phone.
On the data recovery side of the business, our engineers commonly make delicate ROM chip replacements and repair PCBs. Replacing just the flash memory chip, though, is a new level of difficulty. It requires removing the original chip from the donor phone without damaging any of the surrounding circuitry, and then re-installing the chip from the evidence phone onto the donor phone board.
If at First You Don’t Succeed…
All of us saw the intrinsic value in attempting what most would consider downright impractical if not impossible. I have heard rumors that it might be possible, and whispers of secret government labs where research was happening. I had even seen YouTube videos where people claimed to do chip swaps, but the camera always cut away at the most inopportune moments, leaving me to wonder if the claims were true at all.
These were always unsubstantiated claims at best. I know of a lot of people in the mobile device forensics world, and I have never heard of anyone attempting or actually achieving a successful memory chip swap.
Persistence is paramount in forensics and data recovery. You just can’t give up when you hit hurdles and bumps in the road. We ordered a bunch of donor phones and tried.
And we tried again.
Until this morning, when there was a shout of joy from Mike in chorus with the distinctive sound of an LG flip phone powering on. We dialed in our methodology, and successfully completed a chip-off-chip-on procedure. The customer’s data was intact!
We used Cellebrite Physical Analyzer to perform full physical, file system, and logical extractions from the chip-off-chip-on’d phone. We were able to provide both active and deleted data to our client.
The Impossible is Possible.
This case is a proof of concept, which we hope will lead to future mobile phone forensics successes with more complex innards. We have proved that it is possible to remove a chip from a bad board and put it back onto another, preserve the user data, and have a working phone containing the original memory chip.
Obviously, this is a flip phone with a pretty simple memory chip and a relatively sturdy PCB. You can be sure, however, that this initial taste of success will drive us on to smartphones and tablets. In fact, we have a couple in the queue waiting for just this sort of solution. I can’t wait to get to work on them!