In this post, we’re taking a trip away from the Gillware Data Recovery lab and over to the Gillware Digital Forensics lab. This case is an example of the kind of work our newly formed branch does for law enforcement agencies and others in need of digital forensics services.
Forensic Recovery Type: Mobile Phone
Internal Memory: 8GB
Model Name: Prestige
Operating System: Android 5.1
Carrier: Prepaid Boost Mobile
Model Number: N9132
Manufacture Date: 09/2015
Main Symptom: Locked out – Swipe Code Unknown
Type of Data: Photos, text messages, app data, contacts, location information, videos, etc…
Data Recovery Grade: 10
MCP Chip Information
Manufacturer: SK Hynix
A Wisconsin local law enforcement agency was involved in the investigation of a series of suspected gang-related shootings and homicides. A homicide victim’s prepaid Boost Mobile ZTE N9132 “Prestige” cell phone was involved, and it was thought to potentially contain information that would help identify others involved in the shootings. Law enforcement examiners attempted to extract the data from the phone using Cellebrite, but it was swipe code protected, USB Debugging was not enabled, and they were unable to bypass the swipe code in order to perform any of the supported data extractions from the phone. The phone was submitted to Gillware Digital Forensics for assessment to see if forensic chip off or JTAG extraction of the data from the phone would be possible.
The phone was visually examined and found to be badly damaged. The screen was broken, the camera lens was shattered and the monolith style MicroSD card was cracked, all from apparent impact event(s). Various data extraction techniques were explored, and chip off was selected as being the most potentially viable option.
Gillware has a high success rate for forensic extraction of data from mobile devices. However, since this particular make and model of phone is quite new and unfamiliar to our engineers, Gillware forensic team engineers obtained an identical test phone and populated the test device with data representative of what they would likely need to look for in the actual phone’s data. They then disassembled the test phone and performed a forensic chip off extraction of the data from the chip of the test phone. After performing the test recovery, engineers determined that they would be able to successfully perform the forensic chip off data extraction on the locked phone.
Once Gillware forensic team engineers had extracted the data from the chip, they were able to use advanced functions in Cellebrite Physical Analyzer in order to successfully open, decode, and parse the image. After proving the ability to successfully extract the data from this device, the evidence phone was then processed in the same manner and Gillware forensic team members were able to provide a full physical extraction of the memory from the phone. They confirmed that the image was successfully decoded and parsed by Cellebrite, and the image was then provided to the investigating agency for further analysis.
Want to learn more about Gillware Digital Forensics? Have a forensics case you’d like Gillware to evaluate? Visit our website at www.www.gillware.com/digital-forensics.