Physical data extraction
Android data extraction through physical techniques (hardware-based) mainly involves two
methods: JTAG and chip-off. These techniques are usually hard to implement and require
great precision and experience to try them on real devices during the course of an
investigation. The following sections provide an overview of these techniques.
JTAG
JTAG (Joint Test Action Group) involves using advanced data acquisition methods that
connect to specific ports on the device and instruct the processor to
transfer the data stored on the device. By using this method, a full physical image of a
device can be acquired. It is always recommended to first try out the logical techniques
mentioned earlier as they are easy to implement and require less effort. Examiners must
have proper training and experience prior to attempting JTAG as the device may be
damaged if handled improperly.
The JTAG process usually involves the following forensic steps:
1. In JTAG, the device Test Access Ports (TAPs) are used to access the CPU of the
device. Identifying the TAPs is the primary and most important step. TAPs are
identified and the connection is traced to the CPU to find out which pad is responsible
for each function. Although device manufacturers document resources about
the JTAG schematics of a particular device, they are not released for general viewing.
A good site for JTAG on an Android device is http://www.forensicswiki.org/wiki/JTAG_Forensics.
2. Wire leads are then soldered to the appropriate connector pins and the other end is
connected to the device that can control the CPU, as shown in the following image
(published by www.binaryintel.com). JTAG jigs can be used to forgo soldering for
certain devices. The use of a jig or JTAG adapter negates the need to solder, as it
connects the TAPs to the CPU.