The growing popularity of JTAG forensics is an indicator of its undeniable advantages. These include the ability to access physical memory even when a device is damaged, or when commercial tools don’t support user lock bypass, such as with prepaid devices. Furthermore, the method is non-destructive compared to the chip-off method.
Still, the JTAG process requires significant resources. It can take many hours for an examiner to transform the raw data into human-interpretable evidence, and without training, making the wrong connections or pressing the wrong buttons can cause the destruction of evidence. Getting trained, therefore, is one of the top priorities any organization should have for a full investment in JTAG capabilities.
Part of the Advanced Training Pathway courses we announced two weeks ago, the new three-day instructor-led JTAG Extraction and Decoding (CJED) course introduces the techniques and best practices required to perform JTAG extractions and decoding, addresses common challenges in these methods, and offers hands-on practice.
Take 30 minutes to watch the video below to learn how to easily integrate and decode JTAG extractions using UFED Physical Analyzer, which newly supports both generic and brand-specific JTAG chains for automated decoding. Get a brief overview of the hardware you will receive in our CJED course, including a Molex adapter kit and a RIFF brand JTAG box, with which you’ll be able to practice fundamental soldering skills.
JTAG skills can help you expedite your investigation and maximize the evidence you can retrieve from damaged, prepaid, and unsupported devices. Once you’ve viewed the webinar, be sure to register at a location near you for the CJED class!
Last week we announced the introduction of a new Advanced Training Pathway designed to enhance professional forensic expertise. The first in this series, the hands-on Cellebrite Advanced Smartphone Analysis (CASA) course, addresses the sometimes complex challenges that come with forensic examination of iOS, Android and Windows Mobile devices.
Those challenges include where and how SQLite databases—whose schemas can vary from device to device—store Android and iOS mobile app data via structures, files and functions; how to defeat passcodes and unlock iOS devices; and how to recover system and user artifacts.
Within the context of smartphones, strategies to obtain the data can include physical or file system extraction with user lock bypass, extracting and decoding device backup files from a synchronized computer, or extraction using JTAG or chip-off methodologies. Over the course of three days (a total of 21 hours), CASA students can expect to learn which of those and other methods work for various device types and families.
The first step in advanced analysis is to get past a device’s user lock. Watch the video below for information on how to do this using UFED solutions—and then be sure to register for the Cellebrite Advanced Smartphone Analysis class at the Cellebrite Learning Center!
Earlier this week at the Washington Hilton in the US capital, we joined the SANSFIRE conference for a Lunch & Learn and Tuesday’s exhibit. Our visitors, most of whom were very familiar with UFED tools, asked many questions about deleted data, encryption, and other advanced topics during both opportunities.
On Monday, our Lunch & Learn covered our Smartphone Drill-Down: OS Extraction, Decoding & Analysis. Forensic engineering product manager Ronen Engler took his audience through locked devices, encrypted and deleted content, databases, and applications as just some of the complications investigators may encounter when examining a smartphone.
Participants asked a lot of questions during the hour, mainly regarding deleted data. What can be recovered? In what cases is deleted really deleted (including when a phone has been wiped)? What about encrypted data and deleted encrypted data?
Ronen has contributed answers and more about these issues in two recent articles: “6 Persistent Challenges with Smartphone Forensics” from DFI News, and “Smartphone Overload” from Law Enforcement Technology (note: this article starts on page 44 of LET’s digital edition).
We’ll be rejoining SANS at the SANS DFIR Summit in Austin, Texas in just a few weeks. There, we’ll be offering a second Lunch & Learn about our new UFED Link Analysis software and how it can help narrow and focus investigations. We hope we’ll see you in Austin!
In Anaheim (California) this week at the Disneyland Resort, IT and security architects, auditors, security analysts, inspectors general and other information security professionals are converging on the SANS Mobile Device Security Summit to discuss the policies, architectures and security controls that are becoming necessary to secure bring your own device (BYOD) environments.
Along with the case studies and other topics being presented, Cellebrite is presenting a Lunch & Learn. Director of Forensic Sales Sonny Farinas and Technical & Sales Engineer Lee Papathanasiou will speak about smartphone forensics including:
- Cellebrite’s current extraction support & the unique R&D challenges faced when developing physical extraction and password bypass around Android, iOS, & BlackBerry platforms.
- Overview of UFED Physical Analyzer’s decoding support including application data, location data, and malware detection.
The Lunch & Learn will be held in the Magic Kingdom Ballroom 1. We are also exhibiting at the Sleeping Beauty Pavilion today and tomorrow from 9am to 5pm. If you’re in Anaheim, please stop by and say hello!
Unable to join the summit? All approved presentations will be available online following the Summit at https://files.sans.org/summits/mobile13.