For older Android devices, we can perform full physical extractions of data using a small program, or set of instructions, called a “bootloader”.[1] The bootloader is injected into the RAM of the device and executes before the operating system boots. Bootloaders are usually a generic solution based upon a family of devices, often defined by the chipset in the phone. They are designed to be read-only and are therefore considered safe and forensically sound. Bootloaders allow for complete acquisition of the flash memory of a mobile device, including the spare area of the flash memory.[1]

Manufacturers of cell phone forensic tools will often create custom bootloaders for full physical acquisition purposes. To use a bootloader for acquisition, the phone must sometimes be put into rescue or recovery mode, or a specialized cable might be necessary.[2] Sometimes firmware update protocols are used to insert a bootloader.

When a device is locked, it may be possible to use Android’s recovery partition to access the data on the device. The Android device needs to be placed into recovery mode so that a custom recovery image can be pushed to the device. A custom recovery is a third-party image that replaces the stock Android recovery partition and allows the user to gain access to the data or root the device. Again, this is only supported for older, non-encrypted Android devices. A common custom recovery is Team Win Recovery Project (TWRP). The Magnet Recovery Images are a great reference for researching custom recovery partitions: https://www.magnetforensics.com/resources/advancedmobile/.

Emergency Download (EDL) mode is available on some Qualcomm chipsets and can allow low-level access to the chipset. It is designed to allow for device analysis, repair, or re-flashing, but can present the opportunity to achieve a full physical extraction of the data from the chip.[3] EDL mode can be accessed by several software methods, including:

•  Special key combinations: Depending on the manufacturer, the key combination may be different. The most common combination from a powered-off state is: Hold Vol Up + Vol Down while connecting USB. Other combinations may include Vol Up, Vol Up + Vol Down + Power, etc. Some vendors have early boot menus that offer the choice of entering the mode (recovery, fastboot, download).

•  ADB: Most phones with EDL available allow entry to EDL mode via a command available from an authorized ADB session. (Try: adb reboot edl.) This is useful for obtaining a physical extraction of an unlocked device. This is what Cellebrite UFED attempts when trying "Generic Qualcomm ADB".

•  Fastboot: An alternative vendor-specific method exists from the fastboot mode, which is sometimes reachable by other key combinations (usually Vol Down + Power).

•  FTM: Some vendors have implemented FTM mode (hold Vol Down while connecting the USB), which exposes an ADB interface. Cellebrite UFED can detect this mode and continue to extract normally using the "Generic Qualcomm ADB" method.

Hardware methods may include:

•  EDL cable: Some devices will detect a special cable that will signal the device to enter EDL. Specialized cables may be obtained from various stores and will be supplied by Cellebrite to customers when the phone is supported.

•  Test points: Some devices have test points that, when shorted to ground, will cause the device to enter into EDL mode. Depending on the board, they may be easily accessible, even without significant disassembly.

•  eMMC faults: Electrical faults are introduced to the eMMC chip as it boots. With a pinout chart for the specific board in the device, you may short the CMD, CLK, or D0 lines to ground temporarily during power on.

References:

[1] https://for585.com/e0d7p (Cellebrite white paper: “What Happens When You Press That Button?”)

[2] https://for585.com/cnosp (Magnet Forensics white paper: “Android Acquisition Methods from Root to Recovery”)

[3] https://for585.com/a4p61 (Cellebrite Practical Guide: Qualcomm EDL Extractions)

Cellebrite offers additional methods to acquire newer Android devices that are otherwise inaccessible. These include Qualcomm Live, MTK Live, and the latest capability, referred to as Huawei (Kirin Live). These extraction methods are tied to the chipset inside the Android device and are accessible via UFED.

The Joint Test Action Group (JTAG) method used to be heavily relied upon when forensic and open-source tools did not support data acquisition of a smartphone. Currently, many devices do not support this method of acquisition; encryption and the lack of TAPs are to blame for this lost craft. This type of acquisition can damage a device if done by an untrained examiner. The JTAG method acquires data via the Test Access Ports (TAPs), which requires the device to be taken apart yet remain functional (for example, the device must still be able to be powered and recognized by the forensic workstation). Thus, if an examiner is untrained, the device may become damaged during disassembly or soldering to the TAPs, which renders the evidence unusable. Use caution when exploring this method, make sure you have proper training, and practice on test devices prior to attempting JTAG on real evidence.

When done correctly, JTAG is a great way to recover data from devices. Prepaid/throw-away/burner phones present challenges during examinations because they are usually difficult to acquire. The data ports have often been disabled to prevent individuals from re-flashing the firmware on these inexpensive phones and reselling them for use with a different carrier for a much higher price. These devices are generally good use cases for JTAG, ISP, or chip-off techniques.

ISP, or In-System Programming, is a method that enables examiners to obtain a full physical extraction by connecting directly to the chip on the Printed Circuit Board that holds the phone’s data. This method does not require the removal of the chip and is comparable to JTAG in that respect.

Chip-off forensics is a data acquisition procedure that involves physically removing the non-volatile integrated circuit (IC) chip from a device and reading it directly on a specialized external reader designed for the make and model of chip being worked with. A complete bit-for-bit forensic image file is made from the data contained in the removed chip, which is read directly from the chip, and the data is not changed during the imaging process.[2] Use caution when exploring this method and make sure you have proper training, equipment, and practice on equivalent test devices prior to attempting chip-off on real evidence.

Chip-off data extraction is a forensically sound way to recover data from devices and may be the only option in some circumstances when phones are not supported for data extraction due to locked data ports, unsupported operating systems, encryption, or physical damage to the phone. In cases where a mobile forensic tool may support a full physical image of a device for decoding and parsing but cannot obtain a full physical image due to passcode protection, chip-off can be used to extract data from the device, and scripts can then be used to deal with passcodes or swipe codes once the data is loaded into the forensic tool. Chip-off is usually considered the last option because the removal of the chip is generally a one-way operation, and the original hardware will be damaged during the process. However, in modern-day forensics, this may be the only option, so it is important that you are aware of the possibilities.

The chip is taken off by removing the epoxy that surrounds it and then heating up the solder, allowing the chip to be lifted from the Printed Circuit Board (PCB). The other option is to grind the chip away from the board. After the chip is removed from the phone, it will need to be cleaned up to remove remaining solder and residue so that it can be read. The chip may also need to be “re-balled” in order to repair contacts damaged during removal. The chip will then be placed in a reader or adapter of the exact size and pinout. Many adapters are custom made to accommodate various proprietary chips. NAND chips follow the specifications of the Open NAND Flash Interface (ONFI) group, and while the pinout will remain the same for most chips, there may be different package sizes. Once the correct reader or adapter is found, the chip can be mounted, and a full physical image of the chip can be made.[3]
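To make the ONFI reference concrete, the following Python example (added here; it is not from the page, the course, or any vendor tool) parses the 256-byte ONFI parameter page that a reader retrieves from a removed chip, verifies the page’s integrity CRC, derives the page, spare, and block geometry from it, and then carves the data and spare areas out of a raw dump, which also illustrates the “spare area” mentioned in the bootloader discussion above and shows where a hash of the acquired image fits in. Field offsets follow the ONFI 1.0 parameter page layout; the manufacturer name, model string, geometry values, dump contents, and the bad-block marker convention used (first spare byte of a block’s first page not 0xFF) are constructed for the example and must be checked against the specific chip’s datasheet in practice.

```python
"""Parse an ONFI parameter page and carve data/spare areas out of a raw NAND dump.

Added example for this page; offsets follow the ONFI 1.0 parameter page layout.
The sample parameter page and dump below are constructed, not from a real chip.
"""
import hashlib
import struct
from dataclasses import dataclass

ONFI_CRC_POLY = 0x8005   # x^16 + x^15 + x^2 + 1, as specified by ONFI
ONFI_CRC_INIT = 0x4F4E   # initial CRC value mandated by the ONFI spec
PARAM_PAGE_LEN = 256


def onfi_crc16(data: bytes) -> int:
    """CRC-16 over bytes 0..253 of the parameter page, processed MSB-first."""
    crc = ONFI_CRC_INIT
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ ONFI_CRC_POLY) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


@dataclass
class NandGeometry:
    manufacturer: str
    model: str
    page_size: int        # data bytes per page
    spare_size: int       # spare (out-of-band) bytes per page
    pages_per_block: int
    blocks_per_lun: int
    luns: int

    @property
    def raw_page_size(self) -> int:
        # A physical dump that includes the spare area stores data + spare per page.
        return self.page_size + self.spare_size


def parse_parameter_page(page: bytes) -> NandGeometry:
    """Validate signature and CRC, then pull the geometry fields the examiner needs."""
    if len(page) < PARAM_PAGE_LEN:
        raise ValueError("parameter page too short")
    if page[0:4] != b"ONFI":
        raise ValueError("missing ONFI signature")
    stored_crc = struct.unpack_from("<H", page, 254)[0]
    if onfi_crc16(page[:254]) != stored_crc:
        raise ValueError("parameter page CRC mismatch (bad read or corrupted page)")
    return NandGeometry(
        manufacturer=page[32:44].decode("ascii").strip(),
        model=page[44:64].decode("ascii").strip(),
        page_size=struct.unpack_from("<I", page, 80)[0],
        spare_size=struct.unpack_from("<H", page, 84)[0],
        pages_per_block=struct.unpack_from("<I", page, 92)[0],
        blocks_per_lun=struct.unpack_from("<I", page, 96)[0],
        luns=page[100],
    )


def split_pages(dump: bytes, geom: NandGeometry):
    """Yield (data, spare) for every page of a raw dump that includes the spare area."""
    if len(dump) % geom.raw_page_size:
        raise ValueError("dump length is not a whole number of raw pages")
    for off in range(0, len(dump), geom.raw_page_size):
        raw = dump[off:off + geom.raw_page_size]
        yield raw[:geom.page_size], raw[geom.page_size:]


def factory_bad_blocks(dump: bytes, geom: NandGeometry) -> list:
    """Blocks whose first page carries a non-0xFF first spare byte.

    This is a common factory bad-block marker convention (an assumption here);
    the real marker location must be taken from the chip's datasheet."""
    pages = list(split_pages(dump, geom))
    bad = []
    for blk in range(len(pages) // geom.pages_per_block):
        _, spare = pages[blk * geom.pages_per_block]
        if spare[0] != 0xFF:
            bad.append(blk)
    return bad


def image_hash(dump: bytes) -> str:
    """Hash of the full raw image; record it at acquisition and re-verify before analysis."""
    return hashlib.sha256(dump).hexdigest()


def build_sample_parameter_page() -> bytes:
    """Constructed parameter page with a tiny geometry so the demo runs instantly."""
    page = bytearray(PARAM_PAGE_LEN)
    page[0:4] = b"ONFI"
    struct.pack_into("<H", page, 4, 0x0002)              # revision bitmap: bit 1 = ONFI 1.0
    page[32:44] = b"EXAMPLECORP".ljust(12)               # constructed manufacturer
    page[44:64] = b"CONSTRUCTED-NAND".ljust(20)          # constructed model
    struct.pack_into("<I", page, 80, 512)                # data bytes per page
    struct.pack_into("<H", page, 84, 16)                 # spare bytes per page
    struct.pack_into("<I", page, 92, 4)                  # pages per block
    struct.pack_into("<I", page, 96, 2)                  # blocks per LUN
    page[100] = 1                                        # one LUN
    struct.pack_into("<H", page, 254, onfi_crc16(bytes(page[:254])))
    return bytes(page)


def build_sample_dump(geom: NandGeometry) -> bytes:
    """Constructed dump: block 0 is good, block 1 carries a factory bad-block marker."""
    dump = bytearray()
    for blk in range(geom.blocks_per_lun * geom.luns):
        for pg in range(geom.pages_per_block):
            data = bytes([(blk * 16 + pg) & 0xFF]) * geom.page_size
            spare = bytearray(b"\xff" * geom.spare_size)
            if blk == 1 and pg == 0:
                spare[0] = 0x00
            dump += data + spare
    return bytes(dump)


if __name__ == "__main__":
    geometry = parse_parameter_page(build_sample_parameter_page())
    raw_dump = build_sample_dump(geometry)
    print(geometry)
    print("bad blocks:", factory_bad_blocks(raw_dump, geometry))
    print("image sha256:", image_hash(raw_dump))
```

The CRC check matters in practice: a marginal solder joint or a mis-seated adapter produces a parameter page that looks plausible but fails the CRC, and geometry taken from such a page would carve every later page at the wrong boundary. The image hash is computed over the raw dump including spare areas, so it can be re-verified after the dump is loaded into a forensic tool.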

References:

[1] Mahalik, Tamma, and Bommisetty, "JTAG defined", in Practical Mobile Forensics, Second Edition (Birmingham, UK: Packt, 2016).

[2] https://for585.com/o19f6 (Chip-Off and JTAG Analysis)

[3] https://for585.com/ox4u5 (Open NAND Flash Interface)