hi and welcome to everyday digital forensics. I'm your host just then, you said. And in today's module of mobile forensics, I want to go over the tools classification system
today is not sure where to go over the tool classifications system.
We're gonna break down into what Emanuel extractions. Illogical extraction, hex dumping, Jay tagging
chip off and micro reading when it comes to tools itself
before I can go over there,
take a moment. And do you recall what some of the challenges founds in mobile forensics are?
These are some of the challenges of mobile forensics, as discussed earlier. Most of them are is over on the fact that a mobile device is evolved out in nature. You have many streams of data pulling in and out many different types of protocols, such as Bluetooth, your NFC, your mobile data, your Web data,
your emails and everything in between.
There's also the fact that there's so many different models of mobile devices supporting operating systems and manufactures, which lead to multiple cables different specific drivers.
Can you think of any other challenges of normal forensics outside of this list?
Moving over to today's topic tools classification system
but a friend's ex tools they made.
These are This is a system used to classifying that specific tool set.
Not each tools the same, and not each tool can do exactly the same as the other one. So if you ever see the tool kit or forensic examiner, they may have multiple tools, software, hardware and so on to kind of support the different methods of extraction.
Your first method of extraction is your manual obstruction. This is a physical extraction of taking the device, logging in, scrolling through and
manipulating the buttons, the keyboard in touch screens just to get to the data unique
for extraction. This data recording could be used by an extra, not digital camera.
There's some tools that happens if I look to provide the forensics examiner with the ability to documenting
categorized. The information recorded more quickly,
however it's become more inclusive is difficult and perhaps unachievable. One. Encountering a
missing or broken LCD screen or damaged or missing Keeve keyboard innovates
some of the challenges that this also provides two examiners
is the fact that it's not. Only it's very time consuming can be impossible to recover deleted data,
but if the phones could figure to a language that's unknown to examiner,
it may be difficult to successfully navigate through the device itself.
Our next step is the logical extraction. This process starts based on a series of commands or the established connection.
This could be seen with the android debug bridged, a beady where you're connected to this particular device and you're able to send commands to that particular devices shop. If you understand
if you have the route credentials, you can also log in as a route and run even more commands.
The mobile device will respond accordingly, and these responses are returned to the workstation itself.
The Examiner should be aware of issues associated with specific connectivity methods as different connection types
and associated protocols may result in zeta being modified or different amounts or types of data being extracted.
Our next extraction method is hex dumping Jay Attack.
So the mix. These two were kind of joined together because their direct access to raw data in flash memory
there's a challenge with a tool parson and decoding the capture data itself. Heck, stumping is the process of uploading a modified boot loader into a protected area of memory such as RAM.
A series of commands is sent from the Flasher box, which is connected to the mobile device,
and to the first station. The Flasher box sets the mobile device itself into a diagnostic mode, and once in dynasty mold, the Flasher box captures all or sections of flash memory and sends it to the forensic workstation over the same communication linked used for uploading.
There are very rare cases where extractions can be accomplished using WiFi
and then Drake Tag, also known as Joint Test Action Group,
defines a common test interface for processor memory and others. Semiconductor chips examiners can communicate with a J tag compliant component by utilizing special purpose standalone programmer devices to probe to find test points. So what does this mean? So if you have access to the actual memory trip off
up probe, you're able to actually point and find the J type here, you'll connect to it and extract data needed.
The methods typically evolved, attaching a cable from the workstation to the mobile devices J tag interface and access the memory via the devices Michael Processor to produce an image
J tag is very invasive, compared to the hacks thumping as it access to the connectors frequently require that the examiners dismantles some of the mobile devices to obtain access to establish the wiring connections.
Next on the list is chip off. This is accusation directly from flash memory.
It requires physical removal of fash memory
provides the ability to create binary images of that removed chits.
However, extensive training is required.
J tag is more commonly used in chip off in the sense
one of the challenges with chip off is there is a wider range of chip types. There's so many different raw data formats and the risk of causing physical damage to trip during the extraction point, maybe twice a risk for an examiner. That's why they rather use J tag, which connects directly to that devices ports rather than
extracting the chip itself.
This isn't there's no known US law enforcement's that's performed this level accusation, but this level accusation is possible.
It requires a team of experts, proper equipment, time and in depth knowledge of the preparatory information. Remember, mobile devices? There's a plethora of mobile devices, including hardware, software, the device itself.
This method itself is only attempted in high profile cases do the extreme technicalities,
and this requires recording the observation of the gates on a nano Nord chip using an electronic Michael trips. We won't get into too much detail on this on as there's no evidence off is actually being done
from a U. U S law enforcement.
So I hope you enjoyed today's video where we discussed the different tool quantification system such as the manual extraction, the logical extraction, the hex dumping and J tech your trip off and you're migrating.
I'll get you on the next one.