JTAG / Chip-Off Forensics
Gillware is able to perform forensic data recovery operations on mobile devices unsupported by common toolkits, including Cellebrite. Gillware is also capable of extracting data from monolithic USB flash drives, a more recent adaptation of the traditional USB flash drive that presents some new data extraction difficulties.
First, some more background on the monolithic USB. A monolithic USB device is a USB thumb drive that looks the same on the outside as a traditional thumb drive, but has completely different internals. Instead of a small printed circuit board with a processor and NAND flash chips, the internals of a monolith look like a single black chip with four gold fingers on the end of it to plug into a USB port. Everything required to run the drive and store data has been compressed into a little black enclosure that makes the drive smaller, cheaper to produce, and very difficult to work with when something goes wrong with the drive. However, thanks to our Director of Research and Development, Greg Andrzejewski, Gillware is able to work on them.
How do we perform forensics work on these devices?
There are two techniques we use for dealing with these unsupported and unusual devices. These methods are known as “JTAG” and “chip-off.”
If you’re not familiar with JTAG, the acronym stands for Joint Test Action Group, and it is a means of connecting to the chips in certain devices, mostly mobile phones, without having to completely dismantle the device. Though JTAG has been around since the late 1980s, it has only recently seen a resurgence as a useful tool for testing chips. There are many uses for JTAG, though our own uses for it are somewhat limited. This is especially true because most manufacturers disable it before devices are shipped, so there is a somewhat slim chance that we will be able to use it on any given device. However, when possible, JTAG can be very useful and much less invasive than other methods.
The other method we use is known as a chip-off. This involves taking a device apart and reading its memory chip directly. The first step is to physically remove the chip from the board, which isn’t as easy as it sounds, since chips are often held on by strong epoxy. After removing the chip, our engineers read it and attempt to reassemble the disk image. The reassembly is by far the hardest part, as it takes a great deal of time to determine where each piece of data fits in with the others, like putting together a very difficult puzzle. Once the disk image is assembled, the data should be in a readable format and most of the difficult aspects of the forensics process will be complete.
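As an added illustration of the reassembly step (example code written for this page, not Gillware’s own tooling): a raw chip dump holds pages in physical order, each followed by a spare area that the controller used for its own bookkeeping. The script assumes a constructed layout, a 16-byte page with a 4-byte spare area holding a logical page number and a rewrite sequence number, and rebuilds the logical image from a dump whose pages are out of order, partly superseded and partly erased.

```python
import struct

PAGE_SIZE = 16       # constructed: data bytes per NAND page (real chips use 2 KiB and up)
OOB_SIZE = 4         # constructed: spare ("out of band") bytes per page
ERASED_LPN = 0xFFFF  # a spare area of all 0xFF bytes means the page was never programmed


def parse_raw_dump(raw):
    """Split a physical dump into (data, spare) pairs, one per page, in physical order."""
    stride = PAGE_SIZE + OOB_SIZE
    if len(raw) % stride:
        raise ValueError("dump length is not a whole number of pages")
    return [(raw[i:i + PAGE_SIZE], raw[i + PAGE_SIZE:i + stride])
            for i in range(0, len(raw), stride)]


def spare_fields(oob):
    """Assumed spare-area format: 16-bit LE logical page number, 16-bit LE sequence number.
    When a logical page was rewritten, the copy with the higher sequence number is current."""
    return struct.unpack("<HH", oob)


def reassemble(raw):
    """Rebuild the logical image: keep the newest copy of each logical page, skip erased
    pages, and fill logical pages that never appear in the dump with 0xFF."""
    newest = {}  # logical page number -> (sequence, data)
    for data, oob in parse_raw_dump(raw):
        lpn, seq = spare_fields(oob)
        if lpn == ERASED_LPN:
            continue
        if lpn not in newest or seq > newest[lpn][0]:
            newest[lpn] = (seq, data)
    if not newest:
        return b""
    blank = (0, b"\xff" * PAGE_SIZE)
    return b"".join(newest.get(i, blank)[1] for i in range(max(newest) + 1))


def build_sample_dump():
    """Constructed dump: pages stored out of logical order, one stale copy of page 2,
    and one erased page in the middle."""
    def page(text, lpn, seq):
        return text.encode().ljust(PAGE_SIZE, b"\x00") + struct.pack("<HH", lpn, seq)
    return b"".join([
        page("world, this is ", 1, 1),
        page("hello ", 0, 1),
        page("OLD DATA", 2, 1),
        b"\xff" * (PAGE_SIZE + OOB_SIZE),
        page("a chip-off.", 2, 2),
    ])


if __name__ == "__main__":
    print(reassemble(build_sample_dump()).replace(b"\x00", b""))
```

Real controllers add ECC, data scrambling and vendor-specific block mapping on top of this, which is why the puzzle takes so long in practice.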