Get hands-on with Cellebrite’s new JTAG Extraction and Decoding (CJED) course

The growing popularity of JTAG forensics is an indicator of its undeniable advantages. These include the ability to access physical memory even when a device is damaged, or when commercial tools don’t support user lock bypass, such as with prepaid devices. Furthermore, the method is non-destructive compared to the chip-off method.

Still, the JTAG process requires significant resources. It can take many hours for an examiner to transform the raw data into human interpretable evidence, and without training, making the wrong connections or pressing the wrong buttons can cause the destruction of evidence. Getting trained, therefore, is one of the top priorities any organization should have for a full investment in JTAG capabilities.

Part of the Advanced Training Pathway courses we announced two weeks ago, the new three-day instructor-led JTAG Extraction and Decoding (CJED) course introduces the techniques and best practices required to perform JTAG extractions and decoding, as well as addressing common challenges in these methods and offering hands-on practice.

Take 30 minutes to watch the video below to learn how to easily integrate and decode JTAG extractions using UFED Physical Analyzer, which newly supports JTAG chains both generic and brand-specific for automated decoding. Get a brief overview of the hardware you will receive in our CJED course, including a Molex adapter kit and a RIFF brand JTAG box, with which you’ll be able to practice fundamental soldering skills.

JTAG skills can help you expedite your investigation and maximize the evidence you can retrieve from damaged, prepaid, and unsupported devices. Once you’ve viewed the webinar, be sure to register at a location near you for the CJED class!

Download training white paper

New UFED release broadens decoding for extractions from prepaid, damaged devices

With the release of UFED Physical Analyzer 3.9.7, Cellebrite now offers improved decoding for the binary files resulting from JTAG extractions. This means that rather than have to carve or manually decode the image file, examiners can now save time with an automated process.*

JTAG (Joint Test Action Group) forensics is an advanced method of mobile data extraction. By taking advantage of a device’s test access ports (TAPs)—included in every mobile device model to aid in manufacturers’ quality assurance processes—examiners can unlock the device in order to gain access to raw data stored on the memory chip, and can thus obtain a full physical image of the memory.

Because it is non-destructive and affords the opportunity to access data from devices that have been altered or damaged in some way that makes them inaccessible using conventional mobile forensic extraction tools the JTAG technique is growing in popularity, with a number of examiners undergoing training to become proficient in the procedure.

The additional decoding support, made possible with generic chains, is now available for 110 tested devices, including Samsung, HTC, LG, ZTE, Nokia, Huawei, Casio, Pantech, and Kyocera models. Examiners can gain access to a rich set of data such as call logs, SMS, MMS, emails, media files, apps data, and locations.

Access the JTAG binary extraction files in UFED Physical Analyzer by using the “Open (Advanced)” feature and selecting the extraction and the appropriate JTAG chain. You can find step by step guidance, in Chapter 3, section 3.4.2.3 of the UFED Physical Analyzer manual.

JTag2

*Manual decoding is still valuable as a validation method for forensic examinations.

Convert GPS coordinates to physical addresses

See where your subjects are visiting, and how often they’re visiting, without having to manually convert GPS coordinates to physical locations. UFED Logical/Physical Analyzer now enables you to convert single or multiple latitude/longitude coordinates, in bulk, to their corresponding nearest address. It also allows you to search based on that information, using an advanced search capability.

Additional device and decoding support

The new UFED release, 3.0.7, includes physical extraction with lock bypass from an additional 40 devices including: Samsung Galaxy S4 and Note III families, and HTC devices. Additional device extraction support using the Android backup method is included, along with file system and logical extractions from Nokia Asha devices.

The new UFED Physical Analyzer release includes additional decoding support for physical extractions from 26 new devices, file system extractions from 25 new devices, usernames and passwords from the browser on Android devices, locations in deleted photo metadata from iOS devices running iOS 7 and above, and deleted call log, contact and calendar content from Microsoft® EDB embedded database within Windows® Phone devices. In addition, decryption support is now available for the WhatsApp backup database, identifiable by the .crypt7 backup file extension, which contains chat messages.

The Telegram and Instagram apps are newly supported for both Android and iOS devices. Decoding support for the Waze app is new for Android and updated for iOS devices; Facebook Messenger, Line, QQ, Skype, Twitter, WeChat, and Vkontakte, along with other apps, have been updated for Android and iOS as well.

For a full rundown of device and app support, view our release notes. Cellebrite is also offering a webinar on JTAG decoding and analysis in July. Register for the webinar here!