Written by Rich Press
Digital examiners faced with the challenge of acquiring data from damaged mobile devices have many hardware- and software-based methods to choose from. Now, researchers at the National Institute of Standards and Technology (NIST) have tested how well several of these methods work.
“Our goal was to test the validity of these methods,” said Rick Ayers, the NIST digital forensics expert who led the study. “Do they reliably produce accurate results?”
This is important because these methods produce data that might be presented as evidence in court. In addition, the results of the NIST study can help labs choose the right tools for the job. Some methods work better than others, depending on the type of phone, the type of data, and the extent of the damage.
The NIST study only addresses data acquisition from Android phones. Also, the study only covered methods for accessing data, not decrypting it.
To conduct the study, NIST researchers loaded data onto ten popular models of phones. They then extracted the data, or had outside experts extract the data for them. The question was: Would the extracted data exactly match the original data, without any changes?
To add data to the phones, the researchers took photos, sent messages, and used Facebook, LinkedIn, and other social-media apps. They entered contacts with multiple middle names and oddly formatted addresses to see if any parts would be chopped off or lost when the data was retrieved. They added GPS data by driving around town with all the phones on the dashboard.
After loading data onto the phones, the researchers used two methods to extract it: JTAG and chip-off. The JTAG method involves the small metal TAPs, or Test Access Ports, that manufacturers use to test their circuit boards. Examiners can solder wires to the TAPs to access chip-level data. JTAG stands for Joint Test Action Group, the manufacturing industry association that codified this testing feature.
The second method, “chip-off,” involves accessing the chips directly via their pins. This used to be done by gently plucking the chips off the board and seating them into chip readers, but the pins are delicate. If you damage them, getting the data can be difficult or impossible. A few years ago, experts found that instead of pulling the chips off the circuit board, they could grind down the opposite side of the board on a lathe until the pins were exposed. This is like stripping insulation off a wire, and it allows access to the pins.
“It seems so obvious,” said Ayers. “But it’s one of those things where everyone just did it one way until someone came up with an easier way.”
The chip-off extractions were conducted by the Fort Worth Police Department Digital Forensics Lab and a private forensics company in Colorado called VTO Labs, which sent the extracted data back to NIST. NIST computer scientist Jenise Reyes-Rodriguez did the JTAG
After the data extractions were complete, Ayers and Reyes-Rodriguez used eight different forensic software tools to interpret the raw data, generating contacts, locations, texts, photos, social-media data, and so on. They then compared those to the data originally loaded onto each phone.
The comparison showed that both JTAG and chip-off extracted the data without altering it, but that some of the software tools were better at interpreting the data than others, especially for social-media apps. Those apps are constantly changing, making it difficult for the toolmakers to keep up.
The results are published in a series of freely available online reports. This study, and the resulting reports, are part of NIST’s Computer Forensics Tool Testing project. Called CFTT, this project has subjected a wide array of digital forensics tools to rigorous and systematic evaluation. Forensic labs around the country use CFTT reports to ensure the quality of their work.
“Many labs have an overwhelming workload, and some of these tools are very expensive,” Ayers said. “To be able to look at a report and say, this tool will work better than that one for a particular case—that can be a big advantage.”
This research was funded by NIST and the Department of Homeland Security’s Cyber Forensics Project. Background information is available on the CFTT website, and the JTAG and chip-off reports are available on the DHS
About the Author
Rich Press is a science writer and public affairs specialist with the National Institute of Standards and Technology (NIST).