Chip-Off Physical Extraction

Chip-Off involves the removal of the flash memory chip from a mobile phone and the use of specialist hardware and software to read the data from it. Using this method, we can extract data from handsets unsupported by forensic software or JTAG along with PIN, pattern or password-protected phones and damaged or otherwise non-working handsets.

Commercial software-based forensic acquisition tools automate logical data extraction and can yield sufficient data from the device. Unfortunately, a device received as part of an investigation may be physically damaged, or the device may not provide an interface for data acquisition, and as a result, its data may be inaccessible using the automated software-based approach. In these cases, digital forensic investigators must physically remove the NAND flash memory chip from the printed circuit board (PCB) inside the device. Once the chip has been removed, investigators can perform low-level analysis on the chip, at which point the data that was originally on the chip can potentially be recovered. This analysis method is commonly referred to as chip-off analysis.

Chip-Off is appropriate when all other forensic extraction options – including JTAG – have been exhausted; however, there are certain situations in which a chip-off may be the initial preferred method. These include situations in which it is important to preserve the state of memory exactly as it exists on the evidence device.