What is Chip-Off Forensics?
Chip-off forensics is an advanced digital data extraction and analysis technique which involves physically removing flash memory chip(s) from a subject device and then acquiring the raw data using specialized equipment. Chip-off forensics is a powerful capability that allows Binary Intelligence to collect a complete physical image of nearly any device – even those which have suffered catastrophic damage.
When should a Chip-Off extraction be considered?
Typically, when all other forensic extraction options – including JTAG – have been exhausted; however, there are certain situations in which a chip-off may be the initial preferred method. These include situations in which it is important to preserve the state of memory exactly as it exists on the evidence device.
How is a Chip-Off done?
Step 1 – the memory chip is physically removed. This is accomplished using appropriate heat (de-soldering) and chemicals (adhesive removal).
Step 2 – the chip is cleaned and repaired (or re-balled) as necessary.
Step 3 – the raw data is acquired or “imaged” from the chip using specialized chip programmers and adapters.
Step 4 – the raw forensic image is then analyzed using industry standard forensic tools and custom utilities.
How long does it take to complete a Chip-Off project?
Our lab performs hundreds of chip-off forensic extractions and we maintain a substantial inventory of programming devices and adapters. For this reason, we are often able to turn around chip-off projects in seven to ten days and, when necessary, we can often expedite cases for turnaround in one to three days. Turnaround may be longer for cases which require special adapters or equipment.
What type of devices can be extracted with a Chip-Off?
Most of our chip-off projects involve extracting data from cellular phones; however, the chip-off method can be used to extract data from nearly any device that utilizes flash memory (NAND, NOR, OneNAND or eMMC). In addition to cell phones we have extracted data from digital voice recorders, GPS units, tablets, USB drives, gaming systems, network devices and vehicle components.
What is the success rate of Chip-Off projects?
Binary Intelligence utilizes advanced equipment and has extensive experience in the area of chip-off forensics. Our laboratory maintains an exhibit device success rate that exceeds 99%. However, there is always some risk to the target memory chip during the removal and cleaning steps of the process. Our experts will advise clients throughout the process and will advise when it is recommended to proceed with a test of a control device before operating on the actual evidence device.
Here are some examples of actual cases involving Chip-Off forensic examinations:
- Distracted Driving – in a wrongful death case involving a smashed cell phone, data acquired via chip-off demonstrated that the driver was interacting with a social media website at the time of impact.
- Questionable Death – a password-locked BlackBerry smartphone was found with the victim. A chip-off extraction was performed to directly access the memory and circumvent the device password. Recovered SMS text messages indicated that the death was a result of suicide.
- Sexual Exploitation – incriminating audio recordings were deleted from a voice recorder that did not possess a data port. The device memory chip was removed, read and found to utilize the common FAT file system. Deleted recordings were recoverable using common forensic software.
- Domestic/Cheating Spouse – in one case a wife attempted to destroy her “secret” phone with a hammer and, in another, a husband threw his phone into a pond. In both cases relevant SMS text messages and pictures were recovered via a chip-off exam.
Read more about Chip-Off Forensics in this 2012 Digital Forensics Magazine article
by Jim Swauger