NIST Tests Forensic Methods for Mobile Phone Data Acquisition
Written by Rich Press   

This article appeared in the May-June 2020 issue of Evidence Technology Magazine.
You can view that issue here.

DIGITAL EXAMINERS faced with the challenge of acquiring data from damaged mobile devices have many hardware and software-based methods to choose from. Now, researchers at the National Institute of Standards and Technology (NIST) have tested how well several of these methods work.

“Our goal was to test the validity of these methods,” said Rick Ayers, the NIST digital forensics expert who led the study. “Do they reliably produce accurate results?”

This is important because these methods produce data that might be presented as evidence in court. In addition, the results of the NIST study can help labs choose the right tools for the job. Some methods work better than others, depending on the type of phone, the type of data, and the extent of the damage.

The NIST study only addresses data acquisition from Android phones. Also, the study only covered methods for accessing data, not decrypting it.

To conduct the study, NIST researchers loaded data onto ten popular models of phones. They then extracted the data, or had outside experts extract the data for them. The question was: Would the extracted data exactly match the original data, without any changes?

To add data to the phones, the researchers took photos, sent messages, and used Facebook, LinkedIn, and other social-media apps. They entered contacts with multiple middle names and oddly formatted addresses to see if any parts would be chopped off or lost when the data was retrieved. They added GPS data by driving around town with all the phones on the dashboard.

After loading data onto the phones, the researchers used two methods to extract it: JTAG and Chip-off. The JTAG method involves the small metal TAPS, or Test Access Ports, that manufacturers use to test their circuit boards. Examiners can solder wires to the TAPS to access chip-level data. JTAG stands for Joint Task Action Group, the manufacturing industry association that codified this testing feature.

The second method, “Chip-off,” involves accessing the chips directly via their pins. This used to be done by gently plucking the chips off the board and seating them into chip readers, but the pins are delicate. If you damage them, getting the data can be difficult or impossible. A few years ago, experts found that instead of pulling the chips off the circuit board, they could grind down the opposite side of the board on a lathe until the pins were exposed. This is like stripping insulation off a wire, and it allows access to the pins.

“It seems so obvious,” said Ayers. “But it’s one of those things where everyone just did it one way until someone came up with an easier way.”

Computer Scientist Rick Ayers working on a mobile phone data extraction at the National Institute of Standards and Technology (NIST). Photo: Rich Press/NIST

The chip-off extractions were conducted by the Fort Worth Police Department Digital Forensics Lab and a private forensics company in Colorado called VTO Labs, which sent the extracted data back to NIST. NIST computer scientist Jenise Reyes-Rodriguez did the JTAG extractions.

After the data extractions were complete, Ayers and Reyes-Rodriguez used eight different forensic software tools to interpret the raw data, generating contacts, locations, texts, photos, social-media data, and so on. They then compared those to the data originally loaded onto each phone.

The comparison showed that both JTAG and chip-off extracted the data without altering it, but that some of the software tools were better at interpreting the data than others, especially for social-media apps. Those apps are constantly changing, making it difficult for the toolmakers to keep up.

The results are published in a series of freely available online reports. This study, and the resulting reports, are part of NIST’s Computer Forensics Tool Testing project. Called CFTT, this project has subjected a wide array of digital forensics tools to rigorous and systematic evaluation. Forensic labs around the country use CFTT reports to ensure the quality of their work.

“Many labs have an overwhelming workload, and some of these tools are very expensive,” Ayers said. “To be able to look at a report and say, this tool will work better than that one for a particular case—that can be big advantage.”

This research was funded by NIST and the Department of Homeland Security’s Cyber Forensics Project. Background information is available on the CFTT website, and the JTAG and chip-off reports are available on the DHS website.

About The Author
Rich Press is science writer and public affairs specialist with the National Institute of Standards and Technology (NIST).

< Prev   Next >

Court Case Update

FINGERPRINT EVIDENCE went through a nearly three-year ordeal in the New Hampshire court system, but eventually emerged unscathed. On April 4, 2008, the New Hampshire Supreme Court unanimously reversed the decision of a lower court to exclude expert testimony regarding fingerprint evidence in the case of The State of New Hampshire v. Richard Langill. The case has been remanded back to the Rockingham County Superior Court.