TESTING

The make and model of flash memory chips can vary depending on the make and model of the mobile device itself. Out of the mobile phones tested, Toshiba, Samsung, and Hynix flash memory chips were the most common, with three Toshiba, two Samsung, and two Hynix chips. All the BlackBerry Curve 9320s had the same make and model of chip. All other chips were unique.

After the initial identification, research was done to garner more information about the chip. At times this proved rather difficult, especially when working with older and less common phones such as the BlackBerry Curve 9320 and the LG 306G TracFone. Finding detailed information about the iPhone 4 chip, for example, was much easier and straightforward. Many chips have datasheets that are accessible online. Below are the details that could be determined for each chip

Chip-off forensics can be conducted on a variety of devices such as “tablet computers, GPS units, voice recorders, answering machines, USB flash drives, printers/scanners, music players, camera, video game consoles, vehicles, industrial machines, medical testing equipment, network devices and security systems” (Swauger). Virtually any device that has permanent storage embedded in it can be analyzed using this technique.

For this research, mobile phones were exclusively used. A wide array of devices was tested, such as BlackBerrys, Androids, an iPhone, and a TracFone. The BlackBerrys (BlackBerry Curve 9320 model) were purchased in bulk to serve as starter and practice devices. Many BlackBerry Curve 9320 models were purchased. All other phones were donated to the project by peers. Several of the mobile phones tested had actual hardware damage or power and operational problems. This helped simulate real case scenarios that would bring cause for the use of chip-off forensics. The following were the phones tested:

Samsung Fascinate
Samsung Galaxy S4
Samsung Galaxy S5
BlackBerry Curve 9320 (9)
LG Env
LG TracFone
iPhone 4
Motorola Q9m

Samsung Fascinate	BlackBerry Curve 9320
LG TracFone	LG Env
iPhone 4	Samsung Galaxy S4

Once the flash memory chips were thoroughly identified, the subsequent adapter type that was needed for each chip was determined. Then, it was known whether the adapters on hand were compatible with the memory chips. In four cases, the appropriate adapters were available to read the chip: BlackBerry Curve 9320s, Samsung Galaxy S4, Samsung Galaxy S5 and the Samsung Fascinate.

Appropriate adapters were not available for the following chips: LG Env VX9900, LG 306G TracFone, iPhone 4, and the Motorola Q9m.

Once the necessary adapter was identified, then began the actual chip-off process. The stripped-down circuits boards were placed in a PCB holder. Heat was applied from about one to two inches directly above the chip. The heat gun allowed different levels of air flow and the highest setting was used. The hot air was set to temperatures between 250-350℃ (482-662℉). The temperature was adjusted depending on the chip and the amount of glue or epoxy that the chip was attached with. The more glue, the higher the temperature.

Heat applied to flash memory chip

The BlackBerry Curve 9320s, the iPhone 4, and the Motorola Q9m each had a metal shield covering the flash memory chip. The BlackBerrys’ shield was in place using glue and heat was applied at 450℃ to lift the shield from the circuit board. The iPhone 4 and the Motorola Q9m shields were more difficult and attached using solder. A soldering iron, hot air, and pliers were used to peel the metal shields, revealing the chips.

BlackBerry Curve 9320 with and without metal shielding

iPhone 4 with and without metal shielding

After heat was applied for a couple of minutes, tweezers were used to hold the sides of the chip so that it could be removed as soon as the glue melted and released the chip. On average, the chips were successfully removed in under ten minutes. Some chips, like the Samsung Galaxy S4 had a large amount of compound holding the chip to the board. This made the chip-off more difficult and required the use of an exacto knife to break up the compound along the edges of the chip so that it could be removed. Due to this extra compound, sometimes chips were unknowingly heated longer than necessary.

The following mobile devices had successful chip-offs: BlackBerry Curve 9320, Samsung Galaxy S4, Samsung Galaxy S5, LG Env, Samsung Fascinate, LG 306G TracFone, and the Motorola Q9m. The iPhone 4 had a difficult PCB and the chip for this device was not able to be removed.

After the chips were removed from the circuit boards, they were not always in readable condition. The high temperatures caused stress on the chips and often there was glue and solder on the chip after removal. While the cleansing process for flash memory chips can be extensive, available resources were limited. The chips were first allowed to cool after being exposed to the hot air. Then a soldering iron and soldering wick were used to remove excess solder and glue. The soldering iron was also used to remove any bridging between the contact points on the chip. Finally, rubbing alcohol was used to wipe the chip clean.

Once the chips visually appeared to be in good condition, they were tested with their appropriate adapters. There were compatible readers for only four of the chips removed: BlackBerry Curve 9320, Samsung Galaxy S4, Samsung Fascinate, and the Samsung Galaxy S5. These chips used the same eMMC chip adapter. The adapter allows for various sized chips so all could fit using different size adjusters that came with it.

The adapter was plugged into a forensic workstation using a USB adapter. If the chip was in good enough quality to be read, the workstation saw it as removable media. If the chip did not appear, it went through the cleaning process again. There were some instances where the chip was not seen when viewing disks in “Computer” via File Explorer; however, they were visible in Disk Management. The Samsung Fascinate is the only chip out of the four that would not appear in Disk Management, even after multiple cleanings.

As only an adapter, not an adapter and a programmer, was used with the chips, they still needed to be imaged. FTK Imager (v. 3.4.2.6) was used to get a raw dd image of the data. The images were then added to Cellebrite’s UFED Physical Analyzer (v. 5.4.7.5). This tool works well as it “has lots of pre-made solution (sic) for parsing data” and “an examiner can control the algorithm of data parsing choosing modules manually” (Mikhaylov and Skulkin). Once in Physical Analyzer, the appropriate chains for BlackBerrys and Androids were selected. For example, with the Samsung Galaxy S4 and S5, AndroidContent and AndroidDD chains were selected.

Additionally, the exact model of the phones was selected as the “Device”. This allowed Physical Analyzer to correctly parse data from the three image files.

After Physical Analyzer ran the chains against the images, the results were viewed. There was a distinct difference in the amount of types of data parsed from the BlackBerry Curve 9320, the Samsung Galaxy S4, and the Samsung Galaxy S5.

As the BlackBerry Curve 9320s were purchased online, they did not contain any user data and only had a couple of artifacts that were present in each of the nine that were chip-offed. One of the artifacts was a generic message about the service provider.
The Samsung Galaxy S4 had more data than the BlackBerrys but contained little to no user data. This was expected as the phone had previously been wiped by the owner after encountering severe performance issues.
The Samsung Galaxy S5 was the most successful chip-off. There was a wealth of user data that was recovered and the amount of data depended on which chains were selected. Additionally, more photos were recovered after selecting an option to carve images from unallocated space. Some of the notable artifacts included 105,597 images, 56,419 SMS messages, 19,384 emails, 2,148 calls.