There have been some issues during data acquisitions from Samsung Galaxy devices running Android 4.3, Jelly Bean, even when following the recommended steps for Logical File Dump, File System, or Physical acquisitions with the Cellebrite UFED Touch, Classic, and UFED4PC. None were able to connect, even when the mobile device was in Download Mode or Android Debugging (ADB) was enabled. The symptoms were that the device shuts off, will not connect, or keeps rebooting. Investigators who contacted Cellebrite were told it was a known issue with Android 4.03 Jelly Bean and that fixes were being developed.
A way to acquire a physical image of the NAND memory without using a UFED is Joint Test Action Group (JTAG). JTAG is a test interface used by industry developers to test devices; on the circuit board it is exposed as a set of small pins. Through the JTAG interface we can access the NAND memory and copy it directly, instead of accessing the data over a USB cable. Using the Riff Box hardware and its JTAG software, we are able to acquire a physical image of the NAND. Here are the steps for acquiring a physical image using JTAG.
The Riff Box JTAG Manager application controls the settings and uses drivers to communicate with the mobile device. The Riff Box is able to read from and write to the mobile device; in this case we will be using the read feature. The Riff Box needs to be connected to a computer. It also needs the current firmware update, and the .DLL file specific to the mobile device (SCH-R530) needs to be downloaded. For testing purposes, the model used was the SCH-R530U. The SCH-R530U JTAG pin-out is a small connector. A ribbon cable with a snap connector can be found for this mobile device and will just snap right on. On other mobile devices the JTAG points are small metal pads which can be soldered to, but they are very small and the board can be damaged when soldering.
The mobile device needs power. Since the acquisition can take over 48 hours, a power-up cable is used. The power-up cable used is from the Cellebrite UFED; there are other power-up cables on the market that provide power to a mobile device without a battery. The power-up cable connects to the battery pins on the mobile device and draws power through the USB cable connected to the computer. (The mobile device is not powered on yet.)
Next the mobile device needs to be in Download Mode. This can be done manually, but in testing Cable #133 from the UFED was used. This cable turns on the mobile device and puts it into Download Mode automatically.
Now we can set up the Riff Box JTAG Manager. Different settings can make the acquisition slow or fast, and with some settings the Riff Box will not be able to read at all. After numerous tries, it was found that the following settings work the best and the fastest:
• “Settings by Code” should be applied to the setting “read full image from eMMC/NAND/NOR”
• Override DLL's embedded I/O
• RTCK sampling set to “SAMPLE AT MAX”
• Auto Full Flash
• Access ROM1 Address Space
• (In some cases) “Ignore ID Code” found in special settings
Figure 1. JTAG Manager
The Riff Box can see the Samsung Galaxy SCH-R530U's two chips, one 14.68GB and the other 2MB. The first chip has the data we are looking for, so the RIFF Box will read Chip1. The JTAG Manager saves the data under a temporary file ($$TEMP$$.tmp) in the Programs folder. After the data acquisition is done, the temporary file can be saved as a .bin file, which can then be opened in Physical Analyzer 3 (PA3).
Figure 2. The JTAG pins
Figure 3. RIFF Box connected to the Mobile Device
The following information in Figure 4 is from an acquisition; it was copied from the JTAG Manager.
The information above shows the settings. Note that this acquisition was interrupted. If the "read" is interrupted during the process, the JTAG Manager will pick up where it left off when "Read Memory" is run again.
Physical Analyzer 3
This is the application that comes with the Cellebrite UFED. In Advanced Open, the model of the mobile device, in this case SCH-R530U, is selected, and "Physical - Android Samsung Odin" is selected as the decoding method. The .bin file is added, and PA3 will then parse the file system. Data such as deleted messages, call logs, MMS, and images can be found.
Verification of Data Acquisition
The .bin file can also be loaded in FTK Imager, which is able to see the file system. The mmssms.db can be opened with a SQLite browser, and the SMS data is the same as was found in PA3. This was checked by decoding the date and time values, which are stored as Unix timestamps in the SQLite database mmssms.db, using DCode. The dates and times were also verified on the test mobile device itself.
Also during testing, the data was acquired twice from the same mobile device. Each .bin file was loaded in FTK Imager and the hash values were calculated. Both hash values were the same.
Figure 5. Hash Values
Using FTK Imager, the data in the .bin files was converted into .E01 files for EnCase. Placing just the .bin files created by the Riff Box and its JTAG Manager into EnCase will not expose the file system; EnCase sees them only as raw .bin files. Creating an .E01 and opening it as a "SmartPhone" will parse messages, pictures, contacts, and call logs. In this case the data is the same as what was reported by PA3.
What is seen here is that across two acquisitions the Riff Box acquired the same data. It acquired from Flash Chip 1, starting from the first byte and reading the address range as file offsets 0x00000000000 to 0x0003AB3FFFFF. That range is the 14.68GB the RIFF Box saw.
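The three verification steps above (comparing hashes of the two acquisitions, decoding the Unix timestamps in mmssms.db, and checking that the offset range 0x0 to 0x0003AB3FFFFF equals 14.68GB) as an added example; this is not the article's or RIFF Box's own tooling, and the image files and the sms table it builds are constructed stand-ins so it runs offline.

```python
# Added example, not the article's or RIFF Box's tooling: verification checks on constructed data.
import hashlib, os, sqlite3, tempfile
from datetime import datetime, timezone
CHIP1_LAST_OFFSET = 0x0003AB3FFFFF  # last address read from Chip1 (from the article)

def image_size_bytes(last_offset: int) -> int:
    return last_offset + 1  # the dump covers 0x0 .. last_offset inclusive

def size_gib(nbytes: int) -> float:
    return round(nbytes / 2**30, 2)  # JTAG Manager's "14.68GB" is bytes / 2**30

def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the .bin through SHA-256; a 15 GB image must not be read into RAM at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def decode_sms_date(ms: int) -> str:
    """sms.date in Android's mmssms.db is milliseconds since the Unix epoch (UTC)."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def sms_rows(db_path: str) -> list:
    """(address, decoded date, body) for each row of the sms table, oldest first."""
    con = sqlite3.connect(db_path)  # work on a copy of the db, never the evidence file
    try:
        rows = con.execute("SELECT address, date, body FROM sms ORDER BY date").fetchall()
    finally:
        con.close()
    return [(a, decode_sms_date(d), b) for a, d, b in rows]

def demo() -> dict:
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, n) for n in ("acq1.bin", "acq2.bin", "acq3.bin")]
    for p, tail in zip(paths, (b"SMS", b"SMS", b"SMT")):
        with open(p, "wb") as f:
            f.write(b"\x00" * 4096 + tail)  # constructed stand-in for a NAND image
    db = os.path.join(d, "mmssms.db")
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE sms(address TEXT, date INTEGER, body TEXT)")  # subset of real schema
    con.executemany("INSERT INTO sms VALUES (?, ?, ?)", [
        ("5551234567", 1383661800000, "test one"), ("5551234567", 1383661890000, "test two")])
    con.commit(); con.close()
    return {"chip1_gib": size_gib(image_size_bytes(CHIP1_LAST_OFFSET)),
            "acq1_eq_acq2": sha256_file(paths[0]) == sha256_file(paths[1]),
            "acq1_eq_acq3": sha256_file(paths[0]) == sha256_file(paths[2]),
            "sms": sms_rows(db)}
```

A matching hash from two independent reads is the property the article relies on; a mismatch on a real image points at an interrupted read or a settings problem rather than at the tool that parses the .bin.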
Data and Reporting
Expensive tools are not required to examine the contents of the mobile device in question. The Riff Box and cables are under $400.00, and FTK Imager is free. Placing the created .E01 file into a free forensic tool like Autopsy 3 will show the file system and unallocated space.
With the data collected using the Riff Box, the examiner is able to load the .bin file into an array of tools to examine the data. Verification was done using these different tools to show that the same data is reported again and again, which shows that the JTAG acquisition is a reliable procedure. Reports can be generated, and otherwise lost data can be recovered.
Tools Used
• Physical Analyzer 126.96.36.199
• RIFF Box with JTAG Manager
• EnCase v7.9
• Autopsy 3 v3.0.6
• FTK Imager 188.8.131.52
• DCode v4.02a
• SQLite Database Browser 2.0b1