What is JTAG forensics?
JTAG (Joint Test Action Group) forensics is an advanced data acquisition technique that involves connecting to the Test Access Ports (TAPs) on a device and instructing the processor to transfer the raw data stored on the connected memory chips. When supported, JTAG is an extremely effective technique that Binary Intelligence utilizes to extract a full physical image from devices that cannot be acquired with normal tools.
When is it appropriate to JTAG an evidence device?
JTAG is appropriate when commercial forensic extraction options cannot acquire a physical image, or when a device is logically damaged or "bricked". The majority of our JTAG engagements involve Android phones which are pattern locked and cannot be bypassed by other means. We also regularly JTAG prepaid cell phone models (such as TracFone, Net10 and Virgin) which have their data ports intentionally disabled by the carrier.
What are the basic steps of a JTAG forensic examination?
Step 1 – identify TAPs by researching documented devices. When TAPs are unknown, inspect the device PCB for potential TAPs and manually trace or probe to pinpoint the appropriate connector pins.
Step 2 – solder wire leads to the correct connector pins or utilize a solderless jig.
Step 3 – connect wire leads to an appropriate JTAG emulator with support for the exhibit device.
Step 4 – read the flash memory after selecting the appropriate device profile or manually configuring the correct processor/memory settings.
Step 5 – analyze the extracted data using industry standard forensic tools and custom utilities.
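Step 4 depends on knowing exactly which processor sits behind the TAP. A JTAG emulator confirms this by scanning the chain: after Test-Logic-Reset, every TAP shifts out its 32-bit IDCODE register (IEEE 1149.1 layout: bit 0 = 1, bits 11:1 manufacturer JEP106 code, bits 27:12 part number, bits 31:28 version), and a TAP without IDCODE contributes a single BYPASS 0 bit. The following is an added example, not code from the original post or from Binary Intelligence; the capture bits and the second IDCODE are constructed, and the JEP106 table covers only the one code needed here.

```python
from dataclasses import dataclass
from typing import List, Optional

# Minimal JEP106 lookup (continuation bank << 7 | id). 0x23B is ARM, whose
# CoreSight DAP answers with the well-known IDCODE 0x4BA00477.
JEP106 = {0x23B: "ARM"}

@dataclass
class TapId:
    idcode: int
    version: int
    part: int
    manufacturer: int
    bypass: bool = False

def decode_idcode(word: int) -> TapId:
    """Split one 32-bit IDCODE into its IEEE 1149.1 fields."""
    if word & 1 != 1:
        raise ValueError("bit 0 of a valid IDCODE must be 1")
    return TapId(idcode=word, version=(word >> 28) & 0xF,
                 part=(word >> 12) & 0xFFFF, manufacturer=(word >> 1) & 0x7FF)

def manufacturer_name(code: int) -> str:
    return JEP106.get(code, f"unknown(0x{code:03x})")

def encode_chain(entries: List[Optional[int]]) -> List[int]:
    """Constructed TDO capture: each entry is an IDCODE (shifted LSB first,
    device nearest TDO first) or None for a BYPASS-only TAP. A pulled-up TDO
    reads all ones once the chain is exhausted, so 32 one-bits are appended."""
    bits: List[int] = []
    for e in entries:
        bits.extend([0] if e is None else [(e >> i) & 1 for i in range(32)])
    return bits + [1] * 32

def parse_chain(bits: List[int]) -> List[TapId]:
    """Walk the capture: a 0 bit is a BYPASS TAP, a 1 bit starts an IDCODE.
    Manufacturer 0x7F is reserved so an all-ones word can never be a real
    IDCODE; it marks the end of the chain."""
    taps: List[TapId] = []
    i = 0
    while i < len(bits):
        if bits[i] == 0:
            taps.append(TapId(0, 0, 0, 0, bypass=True))
            i += 1
            continue
        if i + 32 > len(bits):
            raise ValueError("truncated IDCODE in capture")
        word = sum(b << k for k, b in enumerate(bits[i:i + 32]))
        if word == 0xFFFFFFFF:
            break
        taps.append(decode_idcode(word))
        i += 32
    return taps
```

If the decoded part number does not match the device profile you are about to load, stop and re-check the pinout before reading flash.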
What type of devices can be extracted with the JTAG process?
As with chip-off extractions, the majority of our JTAG engagements involve cellular phones; however, forensic JTAGging can be employed with any device that contains embedded flash memory, a supported processor and working TAPs. In addition to cell phones, the JTAG method can commonly be used to extract data from video gaming systems, tablets and network devices.
Here are some actual case examples involving JTAG forensic examinations:
· Workplace harassment – in support of a corporate employee relations investigation, a JTAG extraction was performed on a standard GSM phone which had only limited commercial forensic tool support (file-system only). Important deleted SMS text messages, call logs and pictures were identified by searching the memory image.
· Homicide – a basic prepaid "throw down" phone with a disabled data port was acquired via JTAG and several threatening text messages were recovered from unallocated portions of the physical memory image.
· Suicide – the family of a suicide victim desired access to a pattern locked Android phone. A JTAG extraction was completed and the appropriate unlock pattern was extracted and provided.