
Forensic Case Files: A Chip-Off Our Shoulders

"Don't Try to Knock a Chip from Riley's Shoulder"

“Leland, in his last issue, struts out with a chip on his shoulder, and dares Bush to knock it off.” The Weekly Oregonian, 1855

In this case study, our client, a nearby police department, came to us with a Samsung Galaxy Tab 4 tablet. Our client needed as complete a picture as possible of the device’s contents and usage. But many mobile devices, unfortunately, are only partially supported by available digital forensics tools for data extraction. This necessitates the use of specialized tools and techniques. We frequently perform chip-off data acquisitions in the tablet forensics and mobile phone forensics cases we see.

In this case, our client needed the Samsung Galaxy Tab’s internal flash memory chip removed in a chip-off forensics procedure. This is a difficult and highly specialized operation. We here at Gillware Digital Forensics, though, are well up to the task.

The phrase “a chip on your shoulder” came from a tradition in Royal Navy Dockyards across the British Empire. The dockyards allowed shipwrights to take an allotment of “chips” of lumber home at the end of the day. The shipwrights would carry their chips on their shoulders. If a man were in the mood to fight, he’d hope that somebody would knock the chip off his shoulder. This would give him a perfect excuse to deck the poor sod. This became a ritual for any two people looking to settle their differences—much like slapping a man with a glove and demanding satisfaction. The phrase now refers to anybody hoping for someone else to provoke them into doing something (usually something violent or punitive).

Chip-off forensic procedures carry with them a significant investment of time, energy, and special tools. While you’d be hard pressed to find someone who’s really chomping at the bit to do these things, Gillware Digital Forensics is a good place to start. You could say we have chip-off on our shoulders.

Chip-Off Forensics—Why We Do It

Chip-off forensics is, as its name implies, a rather intensive forensic procedure. It involves completely disassembling the entire device in question, rendering it down to its basic components, and removing its internal flash memory chip.

The flash memory chip we’re aiming for puts up a good fight. After all, its manufacturers never intended for anyone to actually remove the chip from its home. Removing the chip requires us to either carefully heat the adhesive epoxy holding the chip in place or sand away the bottom of the logic board until there’s nothing left under the chip. We used the former method in this case study. (But if you’d like to see some rather stunning pictures of the latter method, check out Cindy Murphy’s blog post “Digital Forensics as Art and Science.”)

Samsung Galaxy Tab 4 disassembled

This, of course, is a procedure that irreversibly destroys the device. However, the data on the device is completely preserved, which is the goal of all digital forensics investigations. Chip-off forensics is the textbook definition of a “last resort method”. In many situations, manual, logical, and file system level acquisitions provide plenty of useful information. However, these forms of mobile forensic investigation can be stymied in many ways.

When it comes to mobile devices such as Android phones and tablets, readily available software forensic tools sometimes cannot fully investigate a device. This makes it difficult to form a complete and accurate picture of their contents and usage. In this case, for example, this Samsung Galaxy Tab 4 tablet was only partially supported by the forensic tools available to our client. Getting a fuller picture of the tablet’s contents required some form of thorough physical acquisition. In this case, the best tool we had for that was our chip-off forensic facilities.

Samsung Galaxy Tab Forensics

Our forensic investigation of this Samsung Galaxy Tab tablet started with the tablet’s removable 32 GB microSD card and SIM card. These cards, unlike the tablet’s internal chip, put up significantly less of a fight. Using our imaging tools, we made 100% accurate forensic images of the removable chips. Then we moved on to the hard work of getting the internal flash memory chip.

Samsung Galaxy Tab 4 logic board

The Samsung Galaxy Tab’s flash memory chip sits on the tablet’s internal printed circuit board. A protective heat shield partially obscures it. After de-soldering the heat shield, our electrical engineers could carefully use a controlled application of heat to loosen the chip’s grip on the board.

Removing the flash memory chip with controlled heat

Once the chip became unmoored, we started the delicate work of cleaning the chip. This included removing any residue that remained on the chip’s underside from the epoxy resin. The next step was re-balling the chip by hand so that our specialized chip reader could make contact with it and read it.

eMMC flash memory chip cleaned

eMMC flash memory chip cleaning

After all that hard work, we ran the chip through Gillware’s own proprietary imaging tools. Using them, we created a forensically sound image of the Samsung Galaxy Tab’s internal flash memory chip. Decoding and parsing the forensic chip image verified that we had indeed created a complete and accurate “portrait” of the tablet’s contents. The contents of the Samsung Galaxy Tab tablet, along with the remains of the tablet itself, were returned to our client so they could continue their own investigation, now better equipped with all of the information they needed, thanks to Gillware Digital Forensics.

2 Comments

  1. […] Our chip-off forensic examination of a Samsung Galaxy Tab 4 tablet yielded perfect results for our client, a local Wisconsin police department.  […]

  2. Simon Smith says:

    Simon Smith eVestigator here. I must say this stuff I do as well, and I must compliment these guys because it is not only very difficult but the slightest movement and you can lose everything. This should be a lesson to everybody that hardware is worthless compared to data. Also, for those cyber-criminals out there, there is always a way to find answers. I congratulate this company on a well written press release but also on this very hard level of digital forensic extraction techniques that is very hard and very rare. I’m sure they have stories to tell where they have made that little slip and learnt as we all admit. This follows what I have always said about data. Recently I caught hold of a discussion about data classification where some newly trained ‘IT Experts’ were discussing how ‘they’ would decide what certain data is ‘valuable’ and should be considered ‘secure’ or not. I simply stated 4 words. “All data is secure”. To a cybercriminal one could not possibly tell what the intent or use of the tiniest piece of information could reveal. As a Forensic Investigator, solving cases with a shoestring of evidence I can tell you, it is certainly not what an IT Graduate deems. Cybersecurity now is a board level concern. Well done guys on a good physical element on digital forensics.
