Quite often we get damaged smartphones for forensic examination. And, of course, the chip-off technique is our best friend here. Yes, we physically remove the chip from the mobile device and use a reader to acquire data from it. Usually we use this technique to extract data from damaged Android smartphones and classic mobile phones, but recently we tried it on an iPhone.
Its NAND consists of four parts, so we got four DMP files after data extraction. Each NAND page has 8 sectors of data, a 12-byte identifier and 90 bytes of ECC. The page size is 4224 bytes and the sector size is 524 bytes.
Here is the structure:
0-512;4096-12;
512-512;4096-12;
1024-512;4096-12;
1536-512;4096-12;
2048-512;4096-12;
2560-512;4096-12;
3072-512;4096-12;
3584-512;4096-12;
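The layout above can be applied directly to a raw dump. The following Python code is an added example, not code from the original article or from PC-3000 Flash; it assumes each "offset-length" pair is a byte range inside one 4224-byte page, and the names parse_layout, split_dump and make_sample_page, along with the sample page contents, are constructed for illustration.

```python
# Added example: carve the 524-byte sectors out of one raw chip-off dump.
# Assumption: each "offset-length" pair in the layout is a byte range in a page.
PAGE_SIZE = 4224  # page size given in the article

LAYOUT = """\
0-512;4096-12;
512-512;4096-12;
1024-512;4096-12;
1536-512;4096-12;
2048-512;4096-12;
2560-512;4096-12;
3072-512;4096-12;
3584-512;4096-12;
"""

def parse_layout(text, page_size=PAGE_SIZE):
    """Return one list of (offset, length) ranges per sector line."""
    sectors = []
    for line in text.splitlines():
        ranges = []
        for pair in filter(None, line.strip().split(";")):
            offset, length = (int(v) for v in pair.split("-"))
            if offset + length > page_size:
                raise ValueError(f"range {pair} exceeds the {page_size}-byte page")
            ranges.append((offset, length))
        if ranges:
            sectors.append(ranges)
    return sectors

def split_dump(dump, sectors, page_size=PAGE_SIZE):
    """Return (pages, leftover): pages[i][j] is sector j of page i."""
    whole, leftover = divmod(len(dump), page_size)
    pages = []
    for i in range(whole):
        page = dump[i * page_size:(i + 1) * page_size]
        pages.append([b"".join(page[o:o + n] for o, n in r) for r in sectors])
    return pages, leftover  # leftover > 0 means a truncated read

def make_sample_page(ident):
    """Constructed test page: sector k is filled with byte k, spare is 0xFF."""
    data = b"".join(bytes([k]) * 512 for k in range(8))
    return data + ident + b"\xff" * (PAGE_SIZE - len(data) - len(ident))

if __name__ == "__main__":
    dump = make_sample_page(b"PAGE-ID-0001") + make_sample_page(b"PAGE-ID-0002")
    pages, leftover = split_dump(dump + b"\x00" * 100, parse_layout(LAYOUT))
    print(len(pages), "pages,", leftover, "trailing bytes")
    print(len(pages[1][3]), pages[1][3][:4], pages[1][3][512:])
```

This only separates data and identifier bytes within each page; it does not check the ECC or undo the mixing of blocks across the four parts.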
What is more, blocks are mixed across the different parts of the NAND, as in a RAID. To rebuild these four DMP files into one BIN file we used PC-3000 Flash:
We extracted the file system from the image, added it to a ZIP archive, and imported it into Oxygen Forensic Analyst. Here are some deleted SMS messages from sms.db:
As you can see, the extracted data is successfully parsed by the tool. Anything is possible, even an iPhone chip-off.
About the authors:
Interests: Computer, Cell Phone & Chip-Off Forensics
Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics