Difference between pages "JTAG Samsung Galaxy Centura (SCH-S738C)" and "Incident Response"

From ForensicsWiki

JTAG Samsung Galaxy Centura (SCH-S738C)

== Samsung Galaxy Centura SCH-S738C ==

This phone is supported by the Tracfone network and uses a Qualcomm MSM7625A 800 MHz Snapdragon (S1) processor. The phone has 4 GB of internal storage on a Samsung KMSJS000KM B308 MoviNAND flash memory chip. RIFF Box does not support this phone for the standard JTAG process, but it can be imaged with the Direct JTAG Access to Flash Memory plugin.

{| border="1" cellpadding="2"
|-
| [[ File:S738C_front.JPG | 300px ]]
|-
|}

=== Getting Started ===

What you need:

# RIFF Box
# USB to Micro USB cord

=== NAND Dump Procedure ===

# Remove the rear cover, exposing the 7 Phillips-head screws.
# Remove the screws and the rear plastic casing with a plastic pry tool.
# Remove the two Molex connectors attached on the right and top of the printed circuit board.
# Remove the printed circuit board from the screen casing, exposing the nine TAPS on the reverse side. Note the small copper caret indicating the orientation of the TAPS.
# Connect the RIFF Box to the JTAG pins.
# Connect the PCB to a Micro USB cord and power it via a power supply.
# Start the RIFF Box software.
# Power the PCB.
# Dump the NAND.

{| border="1" cellpadding="2"
|-
| [[ File:S738C_back.JPG | 300px ]]
|-
|}

{| border="1" cellpadding="2"
|-
| [[ File:S738C_case.JPG | 300px ]]
|-
|}

{| border="1" cellpadding="2"
|-
| [[ File:S738C_molex.JPG | 300px ]]
|-
|}

The TAPS order is as follows:

# 1=GND
# 2=NRST
# 3=TDO
# 4=TCK
# 5=TDI
# 6=TRST
# 7=RTCK
# 8=TMS
# 9=N/A

{| border="1" cellpadding="2"
|-
| [[ File:S738C_TAPS.JPG | 400px ]]
|-
|}

'''Tests have shown that for the best results and fewer read errors, short wires should be run directly to the RIFF Box ribbon interface.'''

{| border="1" cellpadding="2"
|-
| [[ File:S738C_riff.JPG | 400px ]]
|-
|}

After the wires are connected to the board, the phone is powered over the USB connection. Plug the Micro USB cord into the USB connector on the device, then plug the other end into a USB port on the laptop.

Launch the RIFF Box JTAG Manager and use the following settings:

* Navigate to the Useful Plugins tab.
* Select the Direct JTAG Access to Flash Memory plugin. Note the directions displayed in the window along with the supported processors.
* Activate the plugin.
* Choose the MSM7627A from the drop-down menu on the right side. Note that this is not the phone's processor, but selecting it allows access to the memory.
* Select eMMC SDC3 (via chipset) from the Memory Type & Host drop-down.
* Check Auto FullFlash size.
* Select Connect & Flash ID. This does not flash the memory chip; it only connects.
* Choose the Read button in the bottom left corner. This connects to the device and displays the partitions and chip ID.

{| border="1" cellpadding="2"
|-
| [[ File:active_plugin.JPG | 800px ]]
|-
|}

{| border="1" cellpadding="2"
|-
| [[ File:SCH-S738C_Setting2.JPG | 800px ]]
|-
|}

{| border="1" cellpadding="2"
|-
| [[ File:SCH_S738C_Setting2.PNG | 800px ]]
|-
|}

=== Notes ===

The phone has a 4 GB MoviNAND flash memory chip, which should take approximately 24 hours to dump. This takes much longer than normal because the direct access plugin runs at a much slower speed than standard JTAG methods. Tests have found that using shorter, larger wires and no intermediate PCB increases performance.

=== References ===

* http://www.riffbox.org/
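The procedure above ends with a raw image of the eMMC read over the direct access plugin, and the Notes warn that the slow read is prone to read errors. The following Python script is an added example for this page (it is not RIFF Box software) showing the checks an examiner would run on such a dump before relying on it: hash the image for the evidence record, decode the MBR in sector 0 to confirm the partitions the Read button reported, flag a partition that runs past the end of the image (a truncated dump), and compare two independent reads sector by sector to locate read errors. It assumes a raw 512-byte-sector image starting at LBA 0; the sample image is constructed inline.

```python
"""Post-dump sanity checks for a raw eMMC/NAND image read over JTAG.

Added example, not part of the wiki page or the RIFF Box tooling. Assumes a
raw sector image (512-byte sectors) beginning at LBA 0; the sample image is
constructed below for the demonstration.
"""
import hashlib
import struct

SECTOR = 512
# MBR partition entry: status, CHS start (skipped), type, CHS end (skipped),
# LBA start, sector count; all little-endian.
MBR_ENTRY_FMT = "<B3xB3xII"


def sha256_hex(data: bytes) -> str:
    """Hash recorded alongside the dump so later copies can be verified."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Same hash for an on-disk image, streamed so a 4 GB dump is not held in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_mbr(image: bytes) -> list:
    """Decode the four primary partition entries from sector 0.

    A missing 0x55AA signature usually means the read started at the wrong
    offset or the first sector was not read cleanly.
    """
    if len(image) < SECTOR:
        raise ValueError("image is shorter than one sector")
    if image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature in sector 0")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype, lba_start, count = struct.unpack(MBR_ENTRY_FMT, image[off:off + 16])
        if ptype == 0:  # empty slot
            continue
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
            # False when the partition extends past the data actually dumped.
            "end_within_image": (lba_start + count) * SECTOR <= len(image),
        })
    return parts


def check_dump(image: bytes) -> dict:
    """Summary an examiner would file with the image: size, hash, partitions, truncation."""
    parts = parse_mbr(image)
    return {
        "size_bytes": len(image),
        "sha256": sha256_hex(image),
        "partitions": parts,
        "truncated": any(not p["end_within_image"] for p in parts),
    }


def differing_sectors(read_a: bytes, read_b: bytes) -> list:
    """Sector indexes where two reads of the same chip disagree.

    Read errors on a slow JTAG dump show up as silently corrupted sectors, so
    two independent reads that agree are much stronger evidence of a good
    image than a single read.
    """
    if len(read_a) != len(read_b):
        raise ValueError("reads differ in length: %d vs %d" % (len(read_a), len(read_b)))
    n = len(read_a) // SECTOR
    return [s for s in range(n)
            if read_a[s * SECTOR:(s + 1) * SECTOR] != read_b[s * SECTOR:(s + 1) * SECTOR]]


def constructed_sample_image() -> bytes:
    """Constructed 8-sector image: an MBR with two entries, the second deliberately
    declared larger than the image to mimic a truncated dump."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack(MBR_ENTRY_FMT, 0x80, 0x83, 1, 2)  # bootable, Linux, LBA 1-2
    mbr[462:478] = struct.pack(MBR_ENTRY_FMT, 0x00, 0x0B, 3, 8)  # FAT32, LBA 3-10 (overruns)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr) + b"\xaa" * (SECTOR * 7)


if __name__ == "__main__":
    img = constructed_sample_image()
    print(check_dump(img))
    second_read = bytearray(img)
    second_read[5 * SECTOR + 7] ^= 0xFF  # simulate one bad sector on a re-read
    print("sectors to re-read:", differing_sectors(img, bytes(second_read)))
```

For a real dump, call `sha256_file` on the image file and `parse_mbr` on its first 512 bytes; a second read of only the sectors `differing_sectors` reports is far cheaper than repeating the full 24-hour dump.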

Revision as of 05:19, 18 January 2014

Incident Response

{{Expand}}

Incident Response is a set of procedures for an investigator to examine a computer security incident. This process involves determining what happened and preserving information related to those events. Because of the fluid nature of computer investigations, incident response is more of an art than a science.

== Tools ==

Incident response tools can be grouped into three categories. The first category is '''Individual Tools'''. These are programs designed to probe parts of the operating system and gather useful and/or volatile data. The tools are self-contained, useful, discrete, and do not create a large footprint on the victim system.

Standalone tools have been combined to create '''Script Based Tools'''. These tools combine a number of standalone tools that are run via a script or batch file. They require minimal interaction from the user and gather a fixed set of data. These tools are good in that they automate the incident response process and provide the examiner with a standard process to defend in court. They also do not require the first responder to be an expert with the individual tools. Their weakness, however, is that they can be inflexible. Once the order of the tools is set, it can be difficult to change. Some script based tools allow the user to pick and choose which standalone tools will be used in a given examination.

The final category of tools is '''Agent Based Tools'''. These tools require the examiner to install a program on the victim which can then report back to a central server. The upshot is that one examiner can install the program on multiple computers, gather data from all of them, and then view the results in the aggregate. Finding the victim or victims can be easier if they stand out from the crowd.

== See Also ==

* [[List of Standalone Incident Response Tools]]
* [[List of Script Based Incident Response Tools]]
* [[:Category:Incident response tools|Incident response tools category]]

== External Links ==

* [http://dfrws.org/2002/papers/Papers/Jesse_Kornblum.pdf Preservation of Fragile Digital Evidence by First Responders], by [[Jesse Kornblum]], DFRWS 2002
* [http://blog.handlerdiaries.com/?p=325 Keeping Focus During an Incident], by jackcr, January 17, 2014

== Tools ==

=== Individual Tools ===

* [http://technet.microsoft.com/en-us/sysinternals/0e18b180-9b7a-4c49-8120-c47c5a693683.aspx Sysinternals Suite]

=== Script Based Tools ===

* [[First Responder's Evidence Disk|First Responder's Evidence Disk (FRED)]]
* [[COFEE|Microsoft COFEE]]
* [[Windows Forensic Toolchest|Windows Forensic Toolchest (WFT)]]

=== Agent Based Tools ===

* [[GRR]]
* [[First Response|Mandiant First Response]]

== Books ==

There are several books available that discuss incident response. For [[Windows]], ''[http://www.windows-ir.com/ Windows Forensics and Incident Recovery]'' by [[Harlan Carvey]] is an excellent introduction to possible scenarios and how to respond to them.

[[Category:Incident Response]]
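The Tools section above describes script based tools as a fixed, ordered run of individual tools that gathers a standard set of data and leaves the examiner a process to defend in court, at the cost of inflexibility. The Python script below is an added example for this page, not any of the tools listed (FRED, COFEE, WFT), showing the skeleton of such a collector: it runs each step in the order given, keeps each tool's raw output untouched, and writes a manifest with start time, exit code and SHA-256 of every output so the collection can be reproduced and verified later. A tool that fails or is missing is recorded and the run continues, since a script based collection must not stop halfway. The step list is constructed and deliberately harmless (`echo`, `false`, a non-existent path); a real runbook would list the responder's own standalone tools, most volatile data first.

```python
"""Skeleton of a script based incident response collector.

Added example for this wiki page, not one of the tools it lists. The DEMO_STEPS
list is constructed for the demonstration; a real runbook lists the responder's
own individual tools in the order they are to be run.
"""
import hashlib
import json
import os
import subprocess
import tempfile
import time

# Constructed, harmless steps: one that succeeds, one that exits non-zero,
# and one whose binary does not exist.
DEMO_STEPS = [
    ("greeting", ["echo", "hello"]),
    ("failing_tool", ["false"]),
    ("missing_tool", ["/nonexistent/constructed-tool"]),
]


def run_step(name, argv, outdir):
    """Run one tool, store its raw stdout, and return its manifest entry."""
    started = time.time()
    proc = subprocess.run(argv, capture_output=True, timeout=60)
    out_path = os.path.join(outdir, name + ".out")
    with open(out_path, "wb") as f:
        f.write(proc.stdout)  # stored exactly as produced, never reformatted
    return {
        "name": name,
        "argv": argv,
        "started": started,
        "duration_s": round(time.time() - started, 3),
        "exit_code": proc.returncode,
        "output_file": out_path,
        "sha256": hashlib.sha256(proc.stdout).hexdigest(),
        "stderr_bytes": len(proc.stderr),
    }


def collect(steps, outdir):
    """Run every step in the given order, never skipping or reordering.

    The fixed order is what makes the process repeatable and defensible, and
    also what makes this category inflexible: changing it means editing the
    list, not the run. A tool that fails or cannot be started is recorded with
    the reason and the collection continues.
    """
    os.makedirs(outdir, exist_ok=True)
    manifest = []
    for name, argv in steps:
        try:
            manifest.append(run_step(name, argv, outdir))
        except (OSError, subprocess.TimeoutExpired) as exc:
            manifest.append({"name": name, "argv": argv, "error": repr(exc)})
    with open(os.path.join(outdir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def demo_run():
    """Run the constructed step list into a fresh temporary directory."""
    outdir = tempfile.mkdtemp(prefix="ir-collector-demo-")
    return collect(DEMO_STEPS, outdir)


if __name__ == "__main__":
    for entry in demo_run():
        print(json.dumps(entry))
```

The manifest, together with the untouched output files, is what a first responder would hand on: anyone can re-hash the outputs and confirm nothing changed after collection.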