Chip-Off Forensics

    Chip-off forensics can be conducted on a wide variety of devices and that target market has only increased with the large success of Internet of Things devices (IoT). These are products that have been transformed and created to connect to the internet and are often controlled via an application on a mobile device. The main market of IoT devices is the home; products to create a ‘Smart Home’ where every mundane task can be controlled via technology and home activity is monitored and quantified. Through personal digital forensic research on Internet of Things devices, it has been proven that a wealth of user data is collected, stored, and sent back to the organization that produces them. In turn, there is a great possibility that these devices could provide a wealth of user data via chip-off. This is an area that should absolutely be researched and tested in the future as the popularity of IoT devices increases.

​

    In addition to traditional chip-off forensics, there are two related methods of interest and areas for future work.

One is chip-off forensics by matter subtraction. This is a relatively new concept with only one research paper written about it at the time of this project. The less-destructive method puts minimal stress on flash memory chips which potentially provides greater success rates and better data pulls. The “matter subtraction” component occurs during the chip-off step, where instead of using heat and de-soldering the chip, the motherboard is cut out so the surrounding material is removed and the chip is all that is left. This technique “is more respectful of the data integrity since it does not impose additional stress on the memory chip, and the quality of the data extraction is enhanced” (Billard and Vidonne). This method for extracting data is clearly beneficial to the digital forensics community. The industry is dedicated to innovation and this method could be the new go-to technique for flash memory extraction.

​

    The second avenue of interest is NAND mirroring as demonstrated on an iPhone 5c by researcher Sergei Skorobogatov and published in September, 2016 (Skorobogatov). This process makes a copy of the flash memory chip and uses brute force techniques to determine the security code on a mobile device. After the maximum allotted attempts are used and before the device wipes itself, the original chip is then flashed with the data from the copied chip and the process is repeated. With this method, the phone does not realize X amounts of attempts have already been made to enter the password and thus can be repeated until the correct password is achieved and access to the phone is granted. This technique could be used by forensic investigators when faced with the problem of a locked iPhone 5c. The concept could potentially be applied to other devices and research and testing should be conducted to determine if this is a viable technique for combatting password protected devices.