Forensic Case Files: HTC One Mobile Chip-Off Forensics

“The number of American troops killed in Afghanistan and Iraq between 2001 and 2012 was 6,488. The number of American women who were murdered by current or ex male partners during that time was 11,766. That’s nearly double the amount of casualties lost during war.” – Domestic Violence Homicide Help

This mobile forensics case came to us from a nearby police department in the summer of 2016. The department had collected an HTC One mobile phone in a homicide investigation in which a 19-year-old girl and her father had been found dead. While it looked like a grisly murder-suicide, the police wanted to completely rule out the presence of a third party, and they hoped the phone found at the scene might hold the information they needed. There was just one problem: the police department’s digital forensics lab couldn’t get into the phone. Nothing they had tried could bypass or crack the phone’s passcode, which kept its contents safe from prying eyes.

This is no criticism of the police department’s forensics capabilities. Many modern smartphones are simply not supported for data extraction by the available mobile forensics software tools, especially when an unknown passcode is involved. In these situations, it takes specialized tools and techniques to coax the data out of a locked phone.

There was still one procedure the police department hadn’t tried, though: dismantling the phone and acquiring the data directly from its internal flash memory chip. While the department lacked the expensive tools to do it themselves, fortunately, our mobile forensics specialists were extremely experienced and very capable of handling the task of this chip-off HTC One forensic analysis.

HTC One Forensic Assessment

When it comes to mobile device forensics, there are four “levels” of data acquisition. Each level provides a different look at the phone’s contents, and each deeper level recovers more than the one before it.

  • Manual examination: A forensic investigator scrolls through the unlocked device, just as its user would, taking notes and photographs as necessary to document their findings.
  • Logical acquisition: An investigator pulls data through the phone’s own operating system and interfaces (the same paths a backup or sync tool uses), so only the active data the operating system is willing to hand over is returned.
  • File system acquisition: An investigator acquires the device’s full file system, including directories and files. Unlike logical acquisition, this method may uncover remnants of deleted data as well as active data.
  • Physical acquisition: An investigator obtains all of the data on the device’s flash memory chip, including both active and deleted data, either by using mobile forensics software, by using the JTAG method (reading memory through the board’s debug port), or by removing and reading the chip itself in a chip-off forensic procedure.

Of course, with the phone securely passcode protected, manual examination was ruled out as an option. Logical and file system level acquisitions, too, were outside the realm of possibility here, since both depend on the phone’s operating system cooperating. Passcodes are meant to keep snoopers out of people’s phones, and they can do a fairly decent job of it. But the passcode is enforced by the phone’s software, not by the memory chip, so reading the chip directly sidesteps the lock screen entirely. The caveat a practitioner should keep in mind is that this only yields readable data when the user data partition is not itself encrypted; on a phone with full-disk encryption, the chip image is ciphertext and the passcode is still needed to unlock it. Either way, there was still a way for the police department to get their hands on this phone’s contents.

This local police department contacted us so we could perform a chip-off forensic acquisition on their behalf. The chip-off procedure, in which we dismantle the phone and remove the flash memory chip from its logic board and image it using a special chip reader and forensic tools, is very difficult and requires special tools, methods, and expertise. Many digital forensics labs lack the capabilities to go this far. But at Gillware Digital Forensics, we can leverage the experts in our data recovery lab to pull off these difficult chip-off procedures.

The Chip-Off HTC One Forensics Procedure

The first step in the chip-off mobile forensics procedure is to completely disassemble the mobile phone:

The HTC One phone, completely disassembled for chip-off forensic acquisition

There are a lot of things on the phone’s logic board. But the only thing we’re interested in is this chip right here:

HTC One logic board, with the flash memory chip circled in red

This is the flash memory chip that stores the vast majority of the user’s data. Mobile phones typically use eMMC or eMCP packages for this purpose. An eMMC chip is not a different kind of memory from NAND; it is NAND flash plus its own small controller sealed into one BGA package, and an eMCP adds the phone’s RAM (LPDDR) to the same package to save board space. By contrast, the raw NAND dies commonly found in USB flash drives and solid state drives rely on a separate controller chip on the board. The embedded controller handles error correction, wear leveling, and bad-block management internally and exposes the storage as an ordinary block device over the MMC interface, with dedicated boot partitions the phone’s processor can load firmware from. For forensics this is good news: a chip-off image of an eMMC comes out as already error-corrected, logically addressed sectors, rather than raw NAND pages that would have to be reassembled by hand.

Removing the flash memory chip is no small feat. The manufacturers of your phone don’t intend for anyone to remove the chip, and adhesive epoxy resin holds it securely in place. To remove chips from PCBs, our engineers can use a variety of methods. In this case, a carefully controlled application of heat loosened the resin enough to lift the chip.

The chip successfully removed from the HTC One mobile phone’s logic board (again, circled in red)

There we go: we got the chip off. But before we popped it into our specialized chip reader, we needed to touch it up quite a bit. Our engineers needed to carefully clean off the adhesive resin remaining on the chip. In addition, they had to carefully re-ball the chip, restoring the tiny solder balls on the underside of the BGA package, so that the reader’s socket could make a clean electrical connection to every pad.

Left: The chip immediately after removal. Center and right: The top and bottom of the chip, after cleaning

HTC One Forensic Chip-Off Results

With the cleaning work taken care of, we could pop the chip into our chip reader. Using Gillware’s own proprietary imaging software, we created a forensically sound binary image of the data on the chip. Using forensic analysis tools, we verified the image. After imaging the phone’s removable microSD card and SIM card (which put up far less of a fight), we sent the data back to the forensics lab at the police department so they could continue their investigation using mobile forensics software.
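What the verification and first-pass triage of the binary coming off the reader look like, as an added Python example that is not Gillware’s proprietary imaging software or any tool named on this page: it re-hashes the image against the hash recorded at acquisition, parses the GPT partition table found on most Android eMMC chips (checking the header and partition-array CRCs rather than trusting them), and then checks whether each partition carries an ext4 superblock or looks like high-entropy ciphertext, which is the quickest way to learn whether the phone used full-disk encryption before handing the image on. The 64-sector image, the partition names, the disk GUIDs and the pseudo-random “encrypted” stream are all constructed inline for the example; a real image is read from a file and is orders of magnitude larger.

```python
"""Triage a chip-off flash image: verify its hash, parse the primary GPT, and
check whether each partition holds a recognisable filesystem or ciphertext.
Added example (not Gillware's tooling). The sample image is constructed inline."""
import hashlib
import math
import struct
import uuid
import zlib
from collections import Counter

SECTOR = 512
EXT4_MAGIC = 0xEF53          # u16 at byte 0x38 of the superblock, which starts at offset 1024
ENTROPY_CIPHERTEXT = 7.9     # bits/byte; random or encrypted data sits very close to 8.0


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(image: bytes, recorded_sha256: str) -> bool:
    """Re-hash the image and compare with the hash recorded at acquisition time."""
    return sha256(image) == recorded_sha256


def parse_gpt(image: bytes):
    """Return [(name, first_lba, last_lba)] from the primary GPT header at LBA 1.
    Raises ValueError if the signature or either CRC32 does not check out."""
    hdr = image[SECTOR:SECTOR + 92]
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1")
    hdr_size, hdr_crc = struct.unpack_from("<II", hdr, 12)
    # The header CRC is computed over the header with its own CRC field zeroed.
    calc = zlib.crc32(hdr[:16] + b"\0\0\0\0" + hdr[20:hdr_size]) & 0xFFFFFFFF
    if calc != hdr_crc:
        raise ValueError("GPT header CRC mismatch")
    entries_lba, n_entries, entry_size, array_crc = struct.unpack_from("<QIII", hdr, 72)
    start = entries_lba * SECTOR
    array = image[start:start + n_entries * entry_size]
    if zlib.crc32(array) & 0xFFFFFFFF != array_crc:
        raise ValueError("GPT partition array CRC mismatch")
    parts = []
    for i in range(n_entries):
        e = array[i * entry_size:(i + 1) * entry_size]
        if e[:16] == b"\0" * 16:          # all-zero type GUID marks an unused slot
            continue
        first, last = struct.unpack_from("<QQ", e, 32)
        name = e[56:128].decode("utf-16-le").rstrip("\0")
        parts.append((name, first, last))
    return parts


def shannon_entropy(data: bytes) -> float:
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_partition(image: bytes, first: int, last: int) -> str:
    blob = image[first * SECTOR:(last + 1) * SECTOR]
    if len(blob) > 0x43A and struct.unpack_from("<H", blob, 0x438)[0] == EXT4_MAGIC:
        return "ext4"
    if not any(blob):
        return "zero-filled"
    if shannon_entropy(blob) > ENTROPY_CIPHERTEXT:
        return "high-entropy (encrypted or compressed)"
    return "unknown"


def triage(image: bytes) -> dict:
    return {"sha256": sha256(image),
            "partitions": [(n, f, l, classify_partition(image, f, l)) for n, f, l in parse_gpt(image)]}


def _entry(name: str, first: int, last: int) -> bytes:
    """One 128-byte GPT entry; GUIDs are derived from the name (constructed sample)."""
    return (uuid.uuid5(uuid.NAMESPACE_DNS, "type-" + name).bytes_le
            + uuid.uuid5(uuid.NAMESPACE_DNS, "uniq-" + name).bytes_le
            + struct.pack("<QQQ", first, last, 0)
            + name.encode("utf-16-le").ljust(72, b"\0"))


def build_sample_image(encrypted: bool) -> bytes:
    """Constructed 64-sector image: 'boot' (LBA 34-35, zeros) and 'userdata' (LBA 36-47),
    the latter either an ext4 superblock or a pseudo-random stream standing in for FDE.
    No backup GPT is written, so parse_gpt() only reads the primary copy."""
    total = 64
    array = (_entry("boot", 34, 35) + _entry("userdata", 36, 47)).ljust(128 * 128, b"\0")
    hdr = bytearray(92)
    struct.pack_into("<8sIII", hdr, 0, b"EFI PART", 0x00010000, 92, 0)
    struct.pack_into("<QQQQ", hdr, 24, 1, total - 1, 34, total - 2)   # cur, backup, first/last usable
    hdr[56:72] = uuid.uuid5(uuid.NAMESPACE_DNS, "sample-disk").bytes_le
    struct.pack_into("<QIII", hdr, 72, 2, 128, 128, zlib.crc32(array) & 0xFFFFFFFF)
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr)) & 0xFFFFFFFF)
    userdata = bytearray(12 * SECTOR)
    if encrypted:                       # deterministic SHA-256 counter stream, not real FDE
        block, off = b"chip-off-sample", 0
        while off < len(userdata):
            block = hashlib.sha256(block).digest()
            userdata[off:off + 32] = block
            off += 32
    else:
        struct.pack_into("<H", userdata, 0x438, EXT4_MAGIC)
    image = bytearray(total * SECTOR)
    image[510:512] = b"\x55\xAA"        # protective MBR signature only
    image[SECTOR:SECTOR + 92] = hdr
    image[2 * SECTOR:2 * SECTOR + len(array)] = array
    image[36 * SECTOR:48 * SECTOR] = userdata
    return bytes(image)


if __name__ == "__main__":
    for enc in (False, True):
        img = build_sample_image(encrypted=enc)
        print(f"encrypted={enc}", triage(img)["partitions"])
```

Two design points carry over to real images: the CRC checks matter because a partial or misaligned read from a chip reader produces a plausible-looking but wrong table, and the entropy test is only a hint, since compressed or deliberately padded partitions also score near 8.0; the decisive question is whether the userdata partition mounts.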

With the information gleaned from our chip-off HTC One forensic analysis, the police department was able to close this case. Text messages on the phone disproved the claim that a third party could have been responsible for the deaths of both victims.  As police had suspected, this was a case of domestic homicide/suicide.

Domestic Violence

Domestic violence is the willful intimidation, physical assault, battery, sexual assault, and/or other abusive behavior as part of a systematic pattern of power and control perpetrated by one intimate partner against another. It includes physical violence, sexual violence, threats, and emotional abuse. The underlying reasons why one would inflict such violence on a member of their own family are varied and can be unpleasant to dwell on. The frequency and severity of domestic violence can vary dramatically, and can even be lethal.

Abusers hide in plain sight, their violence taking a psychological toll on their victims that often keeps them from speaking out or leaving, until it’s too late. When violence finally breaches the surface and emerges, in all its ugliness, it leaves a community in shock. You hear it from neighbors: “How could this have happened? We never imagined they were capable of this.”

Domestic violence costs thousands of lives each year, and leaves countless thousands more in shambles. For information about how to get involved and to help, contact the National Coalition Against Domestic Violence or your local law enforcement agency.
