Making complex data simple and compelling
From digital device to digital evidence
Unlock your vehicle's digital evidence potential
Forensic Analysis and Enhancement
Investigating and analyzing financial records
Gain access to the online accounts of deceased loved ones
Clear, precise evidence for a messy world
Expert reports to suit your specific needs
We can locate people anywhere
Stop worrying and learn the truth
Prevent, Detect, Respond To Cyberattacks
First response is crucial. Every minute counts.
The first response is critical to reduce liability
Detection & Removing Spyware Services
Reduce your electronic risk from digital transmittals
Find out who you are really talking to
Experienced, Confidential Services
Swift, professional incident response
Complicated cases require compelling digital facts
Find, recover and document digital evidence
Bring solid evidence before a judge
Cases can be investigated using Social Media
Divorce, custody battles, and other
Win the most important battle of your life
Everything you need
Effective Expert Witness in Court
Evidence shows who is telling the truth
Subpoena power yields strong evidence
Digital evidence can build a strong defense
Go to court with compelling digital evidence
Our last article, “Extracting data from a damaged iPhone via chip-off technique”, have received mixed reviews from our readers.
Some wrote, that it’s impossible:
It doesn’t work.
ZombieKiller316 of reddit.com – we don’t know who is it, but we’re sure, he’s a computer forensics professional.
Others wrote, that the data in Apple devices is encrypted (Really? They thought, we didn’t know about it?):
I tried and they ALL ENCRYPTED, except iPhone 3G (very old one)
Sasha Sheremetov, Engineer, Rusolut
How was the decryption done? – Chip off is mostly done in the cases where data is otherwise inaccessible (phone locked, damaged) so the data in the chip would be encrypted and protected by secure enclave.
Harpreet Singh Dardi, Consultant – Computer Forensics & eDiscovery at PwC
Short Answer is it is impossible to Chip-Off anything above 4s due to Encryption being tied to UID and several other features.
There are some advanced NSA level attacks that can compromise a 4s/5/5c if you want to spend 500k + and hire a company to reverse engineer the silicon of the CPU decapping it with Acid/Ion Laser and probing it. A less risky attack would be using Infrared Laser Glitching. Another possible option would be discovering a side-channel attack that compromised the AES Crypto Engine or CPU in order to reveal the UID. In short it aint happening.
kyle_pc_terminator of reddit.com – man, thank you for this comment.
Okay. It’s time to tell you a bit more about what we can do.
Some readers wrote us, that it’s impossible to extract data from any damaged iOS-device. But some iOS-devices, including iPhone 2G, iPhone 3G, don’t use hardware encryption. So it’s possible to use the chip-off technique for data extraction – it’s confirmed by our tests. Also, ACELab KB (Anwer Alkandri, thanks for the link) contains info about data recovery from iPhone 3G chip.
Figure 1. Information from ACELab KB
Since the release of iPhone 3GS, Apple has built encryption into the hardware and firmware of its products to make user’s data even more secure. What is more, in top iOS devices some other encryption tricks are used. So, there is a number of encryption levels in iOS devices. For more information about software and hardware encryption, as well as Secure Enclave Compressor, you can read in open sources, for example, here.
So, if you image the partition with the user data, you’ll see the filesystem structure, but no file content – all files are encrypted.
Figure 2. A part of userdata partition structure
Figure 3. An encrypted JPG file
What should an examiner do?
There are two ways:
Both ways are impossible, aren’t they?
On the one hand, we can’t speak about the technique in details in order nobody can copy it, but, on the other hand, we can present it in general via this scheme:
Figure 4. The technique
The problem is that we can take a damaged iPhone and extract data from it. But how to show you that our technique works? We don’t know.
Now we want to answer our readers’ questions:
Q.: For which versions of iOS devices does your method work?
A.: For all up-to-date devices (we haven’t tested all of them, but the principle is the same).
Q.: What types of data can be extracted from a damaged iPhone?
A.: Calls, phone book, SMS, MMS, chats, images, videos, etc.
Q.: Can you recover deleted files?
A.: No (excluding deleted SQLite DB records).
Q.: Can you extract data from a locked iPhone?
A.: No, we’ll need the passcode (or lockdown files).
If the device is locked with Touch ID, we won’t be able to access it.
Igor Mikhaylov
Interests: Computer, Cell Phone & Chip-Off Forensics
Oleg Skulkin
Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics
I have no idea what I just read.
Do you have a damaged iPhone? Would you like to recover data from it?
I have a water damaged Iphone 5s, and I tried multiple places to try just recover the data but all went unsucessful. Can you help with that?
I know exactly how you are doing this. We do the same. All day, every day 🙂
Tell us about it.
Jessa is suggesting that you’re repairing the logic board just enough to recover data.
I have a shop like Jessa’s but I specialize in chip-off recovery. My method involves putting the flash, CPU and baseband into test sockets that I’ve directly tied into a working board. I boot up the system and make an iTunes backup.
I’m certain your “technique” is like Jessa’s or maybe like mine. 🙂
Hi All, I really need your help. I’ve got a severely damaged Iphone 6s that a data recovery agency has tried to repair the logic board just enough to recover data but all attempts failed (its got water damage, heat damage, been tampered with, and parts are missing). The company did suggest the “Chip Off” technique but they have never done it on a Iphone 6s before. Is it possible and should I go ahead with it?
Hi Gordie, please use CONTACTS (https://www.digitalforensicscorp.com/blog/contacts-us/) to contact us.
1. if you have password or pin code for apple or android cellphone then better use chip off + key recovery and Apple cellphone emulator for decrypt user area. 2. If you do not have pin code (phone owner died or it criminal forensic ) then required use some password mining services. But everything possible on any phone.
Sounds tempting, but I would never use any company that didn’t have their phone number posted at the top of their site and made potential customer fill out a request form. If I’m going to be paying hundreds of dollars for data recovery, there better be somebody there to answer the phone.
Save my name, email, and website in this browser for the next time I comment.
Δ
Speak to a Specialist Now
Get Help Now